Department of Information Technology

Securing Web Applications across Tiers

Speaker:
Musard Balliu, KTH

Date and Time
December 13 2019, 10:15 - 11:00

Location
Polacksbacken, room 4306

Abstract
Modern web applications are complex entities amalgamating different languages, components, and platforms. These rich features span the application tiers and components, some from third parties, and require substantial efforts to ensure that the insecurity of a single component does not render the entire system insecure. Securing web applications requires tracking information across the client, the server, and the underlying database, since securing each component in isolation may still result in an overall insecure system.

In this talk, we will discuss (combinations of) two technologies for achieving end-to-end security in web applications: static security analysis and runtime security monitors. The former utilizes homogeneous meta-programming to provide a uniform language for programming the different components in a secure manner. For the latter approach, we will present a novel security monitor that relies on precise dependency tracking across the application and the database, leveraging database theory concepts such as disclosure lattices and query determinacy. Finally, we discuss ongoing work on applying these techniques to automated exploit generation for XSS vulnerabilities and object injection vulnerabilities.

Bio
Musard Balliu (http://www.csc.kth.se/~musard) is an Assistant Professor at the School of Electrical Engineering and Computer Science at KTH Royal Institute of Technology in Stockholm, Sweden. His research interests lie at the intersection of computer security, programming languages, formal methods and software engineering. Musard Balliu's research ranges from the foundations to the practice of security and privacy, with a main focus on language-based security and its applications to the Web and IoT domains.


Updated 2019-12-05 13:08:22 by Philipp Rümmer.