{
"authors": {
"abarth": {
"name": "Adam Barth",
"homepage": "http://www.adambarth.com"
},
"cgordon": {
"name": "Colin Gordon",
"homepage": "https://www.cs.drexel.edu/~csgordon/"
},
"daw": {
"name": "David Wagner",
"homepage": "https://www.eecs.berkeley.edu/~daw/"
},
"dawnsong": {
"name": "Dawn Song",
"homepage": "https://www.eecs.berkeley.edu/~dawnsong/"
},
"devdatta": {
"name": "Devdatta Akhawe",
"homepage": "https://devd.me/"
},
"felt": {
"name": "Adrienne Felt",
"homepage": "https://adrifelt.github.io/"
},
"freddyb": {
"name": "Frederik Braun",
"homepage": "https://frederik-braun.com/"
},
"francoism": {
"name": "François Marier",
"homepage": "https://fmarier.org/"
},
"jchen": {
"name": "Juan Chen",
"homepage": ""
},
"jww": {
"name": "Joel Weinberger"
},
"livshits": {
"name": "Ben Livshits",
"homepage": "https://research.microsoft.com/en-us/um/people/livshits/"
},
"lmeyerov": {
"name": "Leo Meyerovich",
"homepage": "https://lmeyerov.github.io/"
},
"mfinifter": {
"name": "Matthew Finifter",
"homepage": "https://mfinifter.github.io/"
},
"saxena": {
"name": "Prateek Saxena",
"homepage": "https://www.comp.nus.edu.sg/~prateeks/"
},
"schlesinger": {
"name": "Cole Schlesinger",
"homepage": "https://www.cs.princeton.edu/~cschlesi/"
},
"shriram": {
"name": "Shriram Krishnamurthi",
"homepage": "https://cs.brown.edu/~sk/"
},
"swamy": {
"name": "Nikhil Swamy",
"homepage": "https://research.microsoft.com/en-us/people/nswamy/"
}
},
"papers": [
{
"title": "Composition with Consistent Updates for Abstract State Machines",
"pdf": "papers/2007/gordon-meyerovich-weinberger-krishnamurthi.pdf",
"authors": [ "cgordon", "lmeyerov", "jww", "shriram" ],
"conference": "In Proc. of the International ASM Workshop, 2007",
"citeseer": "http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.87.4909",
"proceedings": "gordon07asm",
"textitle": "Composition with Consistent Updates for Abstract State Machines",
"booktitle": "Proc. of the International ASM Workshop, 2007",
"year": "2007",
"abstract": "Abstract State Machines (ASMs) offer a formalism for describing state transitions over relational structures. This makes them promising for modeling system features such as access control, especially in an environment where the policy's outcome depends on the evolving state of the system. The current notions of modularity for ASMs, however, provide insufficiently strong guarantees of consistency in the face of parallel update requests. We present a real-world context that illustrates this problem, discuss desirable properties for composition in this context, describe an operator that exhibits these properties, formalize its meaning, and outline its implementation strategy."
},
{
"title": "Cross-Origin JavaScript Capability Leaks: Detection, Exploitation, and Defense",
"pdf": "papers/2009/barth-weinberger-song.pdf",
"authors": [ "abarth", "jww", "dawnsong" ],
"conference": "In Proc. of USENIX Security Symposium, 2009.",
"citeseer": "http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.153.1883",
"notes": "Visit the [project page](http://webblaze.cs.berkeley.edu/2009/heapgraph/) for code and more information.",
"presentation": "USENIX presentation [slides](files/2009/barth-weinberger-song-presentation.pdf) (with notes).",
"proceedings": "barth09heapgraph",
"textitle": "Cross-Origin {JavaScript} Capability Leaks: {Detection}, Exploitation, and Defense",
"booktitle": "Proc. of the 18th USENIX Security Symposium (USENIX Security 2009)",
"year": "2009",
    "abstract": "We identify a class of Web browser implementation vulnerabilities, cross-origin JavaScript capability leaks, which occur when the browser leaks a JavaScript pointer from one security origin to another. We devise an algorithm for detecting these vulnerabilities by monitoring the \"points-to\" relation of the JavaScript heap. Our algorithm finds a number of new vulnerabilities in the open-source WebKit browser engine used by Safari. We propose an approach to mitigate this class of vulnerabilities by adding access control checks to browser JavaScript engines. These access control checks are backwards-compatible because they do not alter semantics of the Web platform. Through an application of the inline cache, we implement these checks with an overhead of 1–2% on industry-standard benchmarks."
},
{
    "title": "Preventing Capability Leaks in Secure JavaScript Subsets",
"pdf": "papers/2010/finifter-weinberger-barth.pdf",
"authors": [ "mfinifter", "jww", "abarth" ],
"conference": "In Proc. of Network and Distributed System Security Symposium (NDSS), 2010",
"citeseer": "http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.154.8237",
"notes": "Visit the [project page](http://webblaze.cs.berkeley.edu/2010/blancura/) for code and more information.",
"proceedings": "finifter10jssafesubsets",
"textitle": "Preventing Capability Leaks in Secure {JavaScript} Subsets",
"booktitle": "Proc. of Network and Distributed System Security Symposium, 2010",
"year": "2010",
"abstract": "Publishers wish to sandbox third-party advertisements to protect themselves from malicious advertisements. One promising approach, used by ADsafe, Dojo Secure, and Jacaranda, sandboxes advertisements by statically verifying that their JavaScript conforms to a safe subset of the language. These systems blacklist known-dangerous properties that would let advertisements escape the sandbox. Unfortunately, this approach does not prevent advertisements from accessing new methods added to the built-in prototype objects by the hosting page. In this paper, we design an algorithm to detect these methods and use our tool to determine experimentally that one-third of the Alexa US top 100 web sites would be exploitable by an ADsafe-verified advertisement. We propose an improved statically verified JavaScript subset that whitelists known-safe properties using namespaces. Our approach maintains the expressiveness and performance of static verification while improving security."
},
{
"title": "Diesel: Applying Privilege Separation to Database Access",
"pdf": "papers/2011/felt-finifter-weinberger-wagner.pdf",
"authors": [ "felt", "mfinifter", "jww", "daw" ],
"conference": "In Proc. of ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2011",
"extended": "papers/2010/felt-finifter-weinberger-wagner-tech.pdf",
"citeseer": "http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.204.7581",
"proceedings": "felt11diesel",
"textitle": "Diesel: Applying Privilege Separation to Database Access",
"booktitle": "Proc. of ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2011",
"year": "2011",
"abstract": "Database-backed applications typically grant complete database access to every part of the application. In this scenario, a flaw in one module can expose data that the module never uses for legitimate purposes. Drawing parallels to traditional privilege separation, we argue that database data should be subject to limitations such that each section of code receives access to only the data it needs. We call this data separation. Data separation defends against SQL-based errors including buggy queries and SQL injection attacks and facilitates code review, since a module's policy makes the extent of its database access explicit to programmers and code reviewers. We construct a system called Diesel, which implements data separation by intercepting database queries and applying modules' restrictions to the queries. We evaluate Diesel on three widely-used applications: Drupal, JForum, and WordPress."
},
{
"title": "Towards Client-side HTML Security Policies",
"pdf": "papers/2011/weinberger-barth-song.pdf",
"authors": [ "jww", "abarth", "dawnsong" ],
"conference": "In Proc. of the Workshop on Hot Topics in Security (HotSec), 2011",
"presentation": "HotSec presentation [slides](files/2011/weinberger-barth-song-presentation.ppt) (with notes).",
"citeseer": "http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.228.808",
"proceedings": "weinberger11policies",
"textitle": "Towards Client-side {HTML} Security Policies",
"booktitle": "Proc. of 6th USENIX Workshop on Hot Topics in Security",
"year": "2011",
"abstract": "With the proliferation of content rich web applications, content injection has become an increasing problem. Cross site scripting is the most prominent example of this. Many systems have been designed to mitigate content injection and cross site scripting. Notable examples are BEEP, BLUEPRINT, and Content Security Policy, which can be grouped as HTML security policies. We evaluate these systems, including the first empirical evaluation of Content Security Policy on real applications. We propose that HTML security policies should be the defense of choice in web applications going forward. We argue, however, that current systems are insufficient for the needs of web applications, and research needs to be done to determine the set of properties an HTML security policy system should have. We propose several ideas for research going forward in this area."
},
{
"title": "A Systematic Analysis of XSS Sanitization in Web Application Frameworks",
"pdf": "papers/2011/weinberger-saxena-akhawe-etc.pdf",
"authors": [ "jww", "saxena", "devdatta", "mfinifter", "dawnsong" ],
"conference": "In Proc. of 16th European Symposium on Research in Computer Security (ESORICS), 2011",
"presentation": "ESORICS presentation [slides](files/2011/weinberger-saxena-akhawe-etc-presentation.pptx) (with notes).",
"citeseer": "http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.225.7340",
"proceedings": "weinberger11sanitize",
"textitle": "A Systematic Analysis of {XSS} Sanitization in Web Application Frameworks",
"booktitle": "Proc. of 16th European Symposium on Research in Computer Security (ESORICS)",
"year": "2011",
"abstract": "While most research on XSS defense has focused on techniques for securing existing applications and re-architecting browser mechanisms, sanitization remains the industry-standard defense mechanism. By streamlining and automating XSS sanitization, web application frameworks stand in a good position to stop XSS but have received little research attention. In order to drive research on web frameworks, we systematically study the security of the XSS sanitization abstractions frameworks provide. We develop a novel model of the web browser and characterize the challenges of XSS sanitization. Based on the model, we systematically evaluate the XSS abstractions in 14 major commercially-used web frameworks. We find that frameworks often do not address critical parts of the XSS conundrum. We perform an empirical analysis of 8 large web applications to extract the requirements of sanitization primitives from the perspective of real-world applications. Our study shows that there is a wide gap between the abstractions provided by frameworks and the requirements of applications."
},
{
"title": "Verifying Higher-order Programs with the Dijkstra Monad",
"pdf": "papers/2013/swamy-weinberger-schlesinger-chen-livshits.pdf",
"authors": [ "swamy", "jww", "schlesinger", "jchen", "livshits" ],
"conference": "In Proc. of Programming Language Design and Implementation (PLDI), 2013",
"citeseer": "http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.310.4136",
"proceedings": "swamy-weinberger-dijkstra",
"textitle": "Verifying Higher-order Programs with the Dijkstra Monad",
"booktitle": "Proc. of 34th Programming Language Design and Implementation (PLDI)",
"year": "2013",
"abstract": "Modern programming languages, ranging from Haskell and ML, to JavaScript, C# and Java, all make extensive use of higher-order state. This paper advocates a new verification methodology for higher-order stateful programs, based on a new monad of predicate transformers called the Dijkstra monad. Using the Dijkstra monad has a number of benefits. First, the monad naturally yields a weakest pre-condition calculus. Second, the computed specifications are structurally simpler in several ways, e.g., single-state post-conditions are sufficient (rather than the more complex two-state post-conditions). Finally, the monad can easily be varied to handle features like exceptions and heap invariants, while retaining the same type inference algorithm. We implement the Dijkstra monad and its type inference algorithm for the F\\* programming language. Our most extensive case study evaluates the Dijkstra monad and its F\\* implementation by using it to verify JavaScript programs. Specifically, we describe a tool chain that translates programs in a subset of JavaScript decorated with assertions and loop invariants to F\\*. Once in F\\*, our type inference algorithm computes verification conditions and automatically discharges their proofs using an SMT solver. We use our tools to prove that a core model of the JavaScript runtime in F\\* respects various invariants and that a suite of JavaScript source programs are free of runtime errors."
},
{
"title": "A Week to Remember: The Impact of Browser Warning Storage Policies",
"pdf": "papers/2016/weinberger-felt.pdf",
"authors": [ "jww", "felt" ],
"conference": "SOUPS, 2016",
"presentation": "SOUPS presentation by Adrienne Felt [slides](https://docs.google.com/presentation/d/1axXw-uO2JOAntYJP3BR8Ng7fCbN7LHbwg0b0nN-Ws98/pub?start=true&loop=false&delayms=3000&slide=id.g1501f84207_0_562)",
"proceedings": "weinberger-felt",
"textitle": "A Week to Remember: The Impact of Browser Warning Storage Policies",
    "booktitle": "Proc. of 12th Symposium on Usable Privacy and Security (SOUPS)",
"year": "2016",
"abstract": "When someone decides to ignore an HTTPS error warning, how long should the browser remember that decision? If they return to the website in five minutes, an hour, a day, or a week, should the browser show them the warning again or respect their previous decision? There is no clear industry consensus, with eight major browsers exhibiting four different HTTPS error exception storage policies. Ideally, a browser would not ask someone about the same warning over and over again. If a user believes the warning is a false alarm, repeated warnings undermine the browser’s trustworthiness without providing a security benefit. However, some people might change their mind, and we do not want one security mistake to become permanent. We evaluated six storage policies with a large-scale, multimonth field experiment. We found substantial differences between the policies and that one of the storage policies achieved more of our goals than the rest. Google Chrome 45 adopted our proposal, and it has proved successful since deployed. Subsequently, we ran Mechanical Turk and Google Consumer Surveys to learn about user expectations for warnings. Respondents generally lacked knowledge about Chrome’s new storage policy, but we remain satisfied with our proposal due to the behavioral benefits we have observed in the field."
}
],
"techs": [
{
"title": "ASM Relational Transducer Security Policies",
"pdf": "papers/2006/meyerovich-weinberger-gordon-krishnamurthi-tech.pdf",
"authors": [ "lmeyerov", "jww", "cgordon", "shriram" ],
"conference": "Brown University Technical Report CS-06-12, 2006",
"proceedings": "Meyerovich:CS-05-12",
"textitle": "{ASM} Relational Transducer Security Policies",
"institution": "CS Department, Brown University",
"year": "2006",
"url": "http://www.cs.brown.edu/research/pubs/techreports/reports/CS-06-12.html",
"number": "CS-06-12",
    "abstract": "We present a model of the security policy for the Web-based Continue conference management tool. The policy model and properties are written as ASM Relational Transducers, which we extend with a module system in order to simplify the handling of conflicting updates. We assume prior familiarity with the security policy concerns surrounding Continue. First, we review the ASM Relational Transducer modeling and property language. Then we describe the basic structure of our policy implementation and demonstrate the ability to model useful properties in the original core ASM language. We explore the use of the unmodified modeling language in a security policy context and describe typical ASM Relational Transducer complexity concerns and how these minimally impact our implementation. Next, we discuss difficulties encountered in representing our policy and properties in the standard ASM language, including our implementation in the appendices. Following the description of adapting ASMs for use in security modeling, we introduce policy modules and a composition operator to overcome the difficulty of programming in the original language known as the consistent update problem. Finally, we describe a reduction from our extended language to the original language, and prove it satisfies our required correctness property."
},
{
"title": "Monadic Refinement Types for Verifying JavaScript Programs",
"pdf": "papers/2012/swamy-weinberger-chen-livshits-schlesinger.pdf",
"authors": [ "swamy", "jww", "jchen", "livshits", "schlesinger" ],
"conference": "Microsoft Research Technical Report, 2012",
"proceedings": "Swamy-Weinberger:tech2012",
"textitle": "Monadic Refinement Types for Verifying JavaScript Programs",
"institution": "Microsoft Research",
"year": "2012",
"url": "https://research.microsoft.com/en-us/um/people/nswamy/papers/js2fs-icfp12-submitted-version.pdf",
"abstract": "Researchers have developed several special-purpose type systems and program logics to analyze JavaScript and other dynamically typed programming languages. Still, no prior system can precisely reason about both higher-order programs and mutable state; each system comes with its own delicate soundness proof (when such proofs are provided at all); and tools based on these theories (when they exist) are a significant implementation burden.\n\n This paper shows that JavaScript programs can be verified using a general-purpose verification tool---in our case, F\\*, a dependently typed dialect of ML. Our methodology consists of a few steps. First, we extend prior work on LambdaJS (Guha et al.) by translating JavaScript programs to F\\*. Within F\\*, we type pure JavaScript terms using a refinement of the type dyn, an algebraic datatype for dynamically typed values, where the refinement recovers more precise type information. Stateful expressions are typed using the Hoare state monad. Relying on a general-purpose weakest pre-condition calculus for this monad, we obtain higher-order verification conditions for JavaScript programs that can be discharged (via a novel encoding) by an off-the-shelf automated theorem prover. Our approach enjoys a fully mechanized proof of soundness, by virtue of the soundness of F\\*.\n\n We report on experiments that apply our tool chain to verify a collection of web browser extensions for the absence of JavaScript runtime errors. We conclude that, despite commonly held misgivings about JavaScript, automated verification for a sizable subset of the language is feasible. Our work opens the door to applying a wealth of research in automated program verification techniques to JavaScript programs."
},
{
"title": "Thesis: Analysis and Enforcement of Web Application Security Policies",
"pdf": "papers/2012/weinberger-thesis.pdf",
"authors": [ "jww" ],
"conference": "University of California, Berkeley, Thesis, 2012",
"proceedings": "weinberger:thesis2012",
"textitle": "Analysis and Enforcement of Web Application Security Policies",
"institution": "University of California, Berkeley",
"year": "2012",
"url": "https://www.eecs.berkeley.edu/Pubs/TechRpts/2012/EECS-2012-232.pdf",
"abstract": "Web applications are generally more exposed to untrusted user content than traditional applications. Thus, web applications face a variety of new and unique threats, especially that of content injection. One method for preventing these types of attacks is web application security policies. These policies specify the behavior or structure of the web application. The goal of this work is twofold. First, we aim to understand how security policies and their systems are currently applied to web applications. Second, we aim to advance the mechanisms used to apply policies to web applications. We focus on the first part through two studies, examining two classes of current web application security policies. We focus on the second part by studying and working towards two new ways of applying policies. These areas will advance the state of the art in understanding and building web application security policies and provide a foundation for future work in securing web applications."
},
{
"title": "Subresource Integrity (W3C Specification)",
"pdf": "https://www.w3.org/TR/SRI/",
"authors": [ "devdatta", "freddyb", "francoism", "jww" ],
"nobibtex": true
}
]
}