Devdatta Akhawe of the University of California, Berkeley, will give an ECE Faculty Candidate Seminar at 10 a.m. Monday, April 7, in CSL Auditorium (B02).
The title will be "Towards a Secure Client-side for the Web Platform."
With the tremendous growth in cloud-based services, the web platform is now easily the most widely used application platform. In this talk, Akhawe will present work done at Berkeley toward developing a secure client-side for web applications. He will discuss three directions: secure protocols, secure applications, and secure user experience.
First, he will present work on providing a formal foundation for web security protocols. We formalize the typical web attacker model and identify broadly applicable security goals. We also identify an abstraction of the web platform that is amenable to automated analysis yet able to express subtle attacks missed by humans. Using a model checker, we automatically identified a previously unknown flaw in a widely used Kerberos-like authentication protocol for the web.
Second, Akhawe will present work on improving assurance in client-side web applications. We identify pervasive over-privileging in client-side web applications and present a new architecture that relies on privilege separation to mitigate vulnerabilities. Our design uses standard primitives and enables a 6x to 10000x reduction in the trusted computing base with fewer than 13 lines modified.
Lastly, he will present the results of a large-scale measurement study to empirically assess whether browser security warnings are as ineffective as popular opinion suggests. We used Mozilla Firefox and Google Chrome's in-browser telemetry to observe over 25 million warning impressions in situ. Our results demonstrate that security warnings can be effective in practice; security practitioners should not dismiss the goal of communicating security information to end users.
Devdatta is a graduate student at UC Berkeley interested in the security of software, with a primary focus on web application security. He is part of Dawn Song's research group at UC Berkeley. Devdatta is also an invited expert on the W3C's Web Application Security Working Group. More details, including how to pronounce his name, are on his homepage: devd.me