With the tremendous growth in cloud-based services, the web platform is now easily the most widely used application platform. In this talk, I will present our work towards developing a secure client-side for web applications. I will discuss three directions: secure protocols, secure applications and secure user experience. First, we present work on providing a formal foundation for web security protocols. We formalize the typical web attacker model and identify two broadly applicable security goals. We also identify an abstraction of the web platform that is amenable to automated analysis yet able to express subtle attacks missed by humans. Using a model checker, our work automatically identified a previously unknown flaw in a widely used Kerberos-like authentication protocol for the web.
Second, we present work on improving assurance in client-side web applications. We identify pervasive over-privileging in client-side web applications and present a new architecture that relies on privilege separation to mitigate vulnerabilities. Our design uses standard primitives and enables a 6x to 10000x reduction in the trusted computing base with only 13 lines modified.
Lastly, we present the results of a large-scale measurement study to empirically asses whether browser security warnings are as ineffective as popular opinion suggests. We used Mozilla Firefox and Google Chrome’s in-browser telemetry to observe over 25 million warning impressions in situ. Our results demonstrate that security warnings can be effective in practice; security experts and system architects should not dismiss the goal of communicating security information to end users.and secure interaction design to achieve this vision.
Devdatta is a graduate student interested in computer security working on security of software, primarily focused on web application security. He is part of Dawn Song’s research group at UC Berkeley. Devdatta is also an invited expert on the W3C’s Web Application Security Working Group. More details, including how to pronounce his name, are on his homepage: devd.me