Annie Liu will present her General Exam on May 13, 2015 at 3pm in CS 302. The members of her committee are Mike Freedman (adviser), Nick Feamster, and Ed Felten. Everyone is invited to attend her talk, and those faculty wishing to remain for the oral exam following are welcome to do so. Her abstract and reading list follow below. Abstract Modern web applications handle user-specific, often sensitive, information. Unfortunately, protecting user data is notoriously difficult today---web frameworks do not provide a way for declaring and enforcing application-specific security policies. In response, developers often specify and enforce security policy in an ad-hoc fashion. Recent headlines alone serve to highlight that this is not working---web applications are plagued by privacy leaks. To solve the problem, we present ESpectro, a new framework for building least-privileged Node.js applications. ESpectro provides developers with libraries for compartmentalizing applications and declaring high-level security policies. ESpectro then enforces these policies on application code by employing application-level virtualization. By analyzing a blog web application, I will show how Espectro will change the programming model of developers and how it will help preventing privacy leakage. Reading list
A Decentralized Model for IFC. Andrew Myers, Barbara Liskov SOSP'97
Secure Web Applications via Automatic Partitioning. Stephen Chong, et al. SOSP'07
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. William Enck, et al. OSDI'10
Automating Isolation and Least Privilege in Web Services. Aaron Blankstein, Michael J. Freedman. SP'14
Hails: Protecting Data Privacy in Untrusted Web Applications. Daniel B. Giffin, et al. OSDI'12
Protecting Users by Confining JavaScript with COWL. Deian Stefan, et al. OSDI'14
Authentication in the Taos operating system. Edward Wobber, et al. Transactions on Computer Systems, 1994.
Nexus: An Operating System for Trustworthy Computing. Alan Shieh, et al. SOSP'05
Traps and Pitfalls: Practical Problem in System Call Interposition Based Security Tools. Tal Garfinkel. Network and Distributed Systems Security Symposium, 2003.
Security Engineering, Ross Anderson (http://www.cl.cam.ac.uk/~rja14/book.html) ***********************