Bill Zeller will present his research seminar/general exam on Monday May 12
at 2PM in Room 402. The members of his committee are: Ed Felten (advisor),
Brian Kernighan, and Andrew Appel. Everyone is invited to attend his talk, and
those faculty wishing to remain for the oral exam following are welcome to do so.
His abstract and reading list follow below.
---------------------------------------
Abstract:
Cross-Site Request Forgery (CSRF) attacks
occur when a malicious web site causes a user's web browser to perform an
unwanted action on a trusted site. These attacks have been called the "sleeping
giant" of web-based vulnerabilities, because many sites on the Internet fail to
protect against them and because they have been largely ignored by the web
development and security communities. We present four serious CSRF
vulnerabilities we have discovered on four major sites, including what we
believe is the first published attack involving a financial institution. These
vulnerabilities allow an attacker to transfer money out of user bank accounts,
harvest user email addresses, violate user privacy and compromise user accounts.
We recommend server-side changes (which we have implemented) that are able to
completely protect a site from CSRF attacks. We also describe the features a
server-side solution should have (the lack of which has caused CSRF protections
to unnecessarily break typical web browsing behavior). Additionally, we have
implemented a client-side browser plugin that can protect users from certain
types of CSRF attacks even if a site has not taken steps to protect
itself.
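To make the server-side check the abstract refers to concrete, here is an added example of my own (not code from Zeller's work or the systems he studied): a toy money-transfer handler shown first without and then with a secret token bound to the user's session. The per-session token design, the handler names and the sample accounts are assumptions of this example.

```python
import hmac
import secrets


class Session:
    """One logged-in browser session. The anti-CSRF secret is generated per session
    (an assumption of this example) so that no other origin can know it."""

    def __init__(self, user):
        self.user = user
        self.csrf_token = secrets.token_hex(16)


def transfer_vulnerable(balances, session, form):
    """Vulnerable handler: trusts any request that arrives with the session cookie,
    including one a malicious page caused the browser to submit."""
    amount = int(form["amount"])
    balances[session.user] -= amount
    balances[form["to"]] += amount
    return True


def transfer_protected(balances, session, form):
    """Hardened handler: the state change is honoured only when the submitted form
    carries the secret bound to this session. A cross-site page cannot read that
    secret, so a forged submission fails the check before any money moves."""
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return False  # a real server would log the event and answer 403
    amount = int(form["amount"])
    balances[session.user] -= amount
    balances[form["to"]] += amount
    return True


def simulate():
    """Replays the scenario from the abstract against both handlers; returns the outcomes."""
    balances = {"alice": 100, "mallory": 0}  # constructed sample accounts
    alice = Session("alice")
    other = Session("alice")  # a second login by the same user, e.g. another browser
    # Forged request: the browser attaches alice's cookie, so the server sees her
    # session, but the attacker-controlled form cannot include her token.
    forged = {"to": "mallory", "amount": "50"}
    # Genuine request: the bank's own page embedded the token in a hidden field.
    genuine = dict(forged, csrf_token=alice.csrf_token)
    # A token belonging to a different session must not be accepted either.
    wrong_session = dict(forged, csrf_token=other.csrf_token)
    return {
        "vulnerable_accepts_forged": transfer_vulnerable(balances, alice, forged),
        "protected_rejects_forged": not transfer_protected(balances, alice, forged),
        "protected_rejects_other_session": not transfer_protected(balances, alice, wrong_session),
        "protected_accepts_genuine": transfer_protected(balances, alice, genuine),
        "alice_balance": balances["alice"],  # 100 minus the forged 50 minus the genuine 50
    }
```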
Books:
- [Ferguson, Schneier] Practical Cryptography
- [Anderson] Security Engineering
Papers:
- [Anupam, Mayer] Security of Web Browser Scripting Languages: Vulnerabilities, Attacks, and Remedies
  http://delivery.acm.org/10.1145/1270000/1267564/p15-anupam.pdf?key1=1267564&key2=7559754021&coll=GUIDE&dl=GUIDE&CFID=57632849&CFTOKEN=53175682
- [Fu, Sit, Smith, Feamster] Dos and Don'ts of Client Authentication on the Web
  http://pdos.csail.mit.edu/papers/webauth:sec10.pdf
- [Krannig] Towards Web Security Using PLASMA
  http://delivery.acm.org/10.1145/1270000/1267563/p14-krannig.pdf?key1=1267563&key2=0389754021&coll=GUIDE&dl=GUIDE&CFID=57633385&CFTOKEN=26863737
- [Moore, Voelker, Savage] Inferring Internet Denial-of-Service Activity
  http://www.caida.org/publications/papers/2001/BackScatter/usenixsecurity01.pdf
- [Huang, Yu, Christian Hang, Tsai, Lee, Kuo] Securing Web Application Code by Static Analysis and Runtime Protection
  http://www.cs.ucsb.edu/~yuf/paper/WWW04.pdf
- [Bortz, Boneh, Nandy] Exposing Private Information by Timing Web Applications
  http://crypto.stanford.edu/~abortz/papers/timingweb.pdf
- [Boyd, Keromytis] SQLrand: Preventing SQL Injection Attacks
  http://www1.cs.columbia.edu/~angelos/Papers/sqlrand.pdf
- [Chou, Ledesma, Teraguchi, Boneh, Mitchell] Client-side Defense Against Web-based Identity Theft
  http://crypto.stanford.edu/SpoofGuard/webspoof.pdf
- [Xie, Aiken] Static Detection of Security Vulnerabilities in Scripting Languages
  http://theory.stanford.edu/~aiken/publications/papers/usenix06.pdf
- [Vogt, Nentwich, Jovanovic, Kirda, Kruegel, Vigna] Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis
  http://www.seclab.tuwien.ac.at/papers/xss_prevention.pdf
- [Ye, Smith] Trusted Paths for Browsers
  http://delivery.acm.org/10.1145/1070000/1065546/p153-ye.pdf?key1=1065546&key2=3080854021&coll=GUIDE&dl=GUIDE&CFID=57635236&CFTOKEN=42774008