Hello All
For voting for presentation slots in doodle…I notice that there are 2-3 entries for some people… its going to confuse the total. There is a delete/edit entry at the bottom of page. If you could go there and delete redundant entries and edit the original entry that has your selection, that would be nice.
I happened to notice this today and thought would suggest.
Appreciate if you could do it.
Thanks
Hi all,
I will be presenting the paper about building secure mashups using object oriented technology called OMash
http://www.cs.ucdavis.edu/~hchen/paper/ccs08.pdf
though the problem faced in this research work is similar to the previous 3 papers, the solution provided aims at covering both provider - integrator communication and provider - provider communication. The research also has a broad scope of satisfying all the trust relationships and backward compatability with SOP.
some interesting points to think about would be
-> how useful is the backward compatability to SOP
->what would happen if some websites decide not to follow the model and some do?
->how would an attacker find loopholes in this model.
and some more
-thanks
Hello
I will be presenting the paper on SMash which is an implementation by IBM to answer the problem of secure cross domain mashups. There is an additional paper written by the authors called a research report which goes into some more detail on the implementation. It is linked on this web page below
Also there is an updated version of the conference paper we are reading. There only difference I can see with the updated version is that they add a few paragraphs addressing a criticism of their link integrity given by Barth et al in Securing Frame Communication in Browsers
IBM has donated SMash to the Open Ajax Alliance which has not yet integrated it into their Open Ajax Hub but the source code and some demos can be found here:
http://openajaxallianc.svn.sourceforge.net/viewvc/openajaxallianc/hub/trunk/sandbox/smash/src/
Thanks
These include discussions upto the Chrome paper.
Here is a link to the conference paper on MashupOS as discussed in class on Wednesday, which goes into more detail on the <sandbox> and <opensandbox> elements:
Protection and Communication Abstractions for Web Browsers in MashupOS
Helen J. Wang, Xiaofeng Fan, Jon Howell, and Collin Jackson
In Proc. of the 21st ACM Symposium on Operating Systems Principles (SOSP 2007)
Hi all,
I will be presenting the technical report - “The Multi-Principal OS Construction of the Gazelle Web Browser” on 03/09/09.
Gazelle, a secure web browser from Microsoft & University researchers, is constructed as a multi-principal web browser aims at providing better security than Google’s Chrome, Mozilla’s Firefox or Microsoft’s own Internet Explorer! Gazelle has new security features that address UI redressing attacks, block race condition attacks where attackers create a Web page to get you to click a certain area which could lead to an attack. In addition to that, Gazelle sandboxes plug-ins so they remain isolated.
We will discuss in detail the Gazelle Architecture, how does it differ from current browsers, how does the Gazelle architecture help in thwarting different attacks, and pros and cons of this new architecture.
- Sunil
http://www.breitbart.com/article.php?id=CNG.ecb943cdf559874f1a53793c5f03723d.1041&show_article=1
Hello All,
My name is Prithvi Bisht and I will present the paper titled “Analyzing Websites for User-Visible Security Design Flaws” on Wednesday, 4 March.
The main question asked in this paper is “Do legitimate websites assist in making secure decisions?”
a. What flaws (design level) exist that facilitate attacks like Phishing, Social engineering?
b. How these flaws can be removed?
This paper presents a survey of financial websites for security relevant flaws and recommends several remedies. In the class we will take an in-depth look at the design flaws, perform security and usability analysis of the recommendations, and discuss issues/solutions for designing secure web applications.
Note: An equally important question “Do users make secure decisions” is covered in prior works like the following –
[1] Why Phishing Works – R. Dhamija et al., SICHI 2006
[2] The emperor’s new security indicators: An evaluation of website authentication and the effect of role playing on usability studies – S. Schechter et al., IEEE S&P 2007
The HTTP origin header that was proposed as a defense to CSRF attack has now been submitted for review to the IETF. Here is an interesting criticism to the proposed method in the IETF discussion forum:
http://lists.w3.org/Archives/Public/ietf-http-wg/2009JanMar/0037.html
Hi,
I am Himanshu Sharma and will be presenting this paper in class on Monday 03/02.
Purpose of the paper: Questioning and Detection of webpage integrity on the way from server to client browser, by using Web tripwires.
Web Tripwires: Client side JavaScript code that detects any change in the HTML Source Code.
It addresses the following issues:
- Why we need web tripwires.
- Who can cause the changes to web pages in transit.
- Purpose behind those changes.
- Bugs/ Vulnerabilities generated because of the changes
The paper proposes 5 web tripwire designs based on JavaScript with their pros and cons. It also compares the costs associated between tripwires and HTTPS.
The researchers have also published an open source toolkit for publishers to use with their websites, with the ability to make certain policy decisions. It uses the best of the 5 techniques implemented by the researchers - ” XHR on Self”.
The paper’s language is easy and descriptive and i hope the discussion on Monday will be beneficial for all in understanding it.
| M | T | W | T | F | S | S |
|---|---|---|---|---|---|---|
| « Apr | ||||||
| 1 | ||||||
| 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| 16 | 17 | 18 | 19 | 20 | 21 | 22 |
| 23 | 24 | 25 | 26 | 27 | 28 | 29 |
| 30 | ||||||