Eric Lam: 2010 Security Workshop

Friday, April 30, 2010
Location: Fisher Conference Center, Arrillaga Alumni Center

"Defending Web Security: Finding and fixing vulnerabilities in web security mechanisms"
We identify previously unknown attacks on several web security mechanisms and propose countermeasures to them. The mechanisms we have studied include HTML5 Forms, Referer validation, and a Kerberos-based single sign-on system. These attacks are found using a model of the web platform that we have developed and implemented in executable form in the Alloy language. This modeling approach not only enables us to discover new attacks, but also lets us verify the security of the updated system with our proposed fix, up to a given model size.
Eric Lam is a second-year Ph.D. candidate in the Computer Science Department at Stanford University. His research interests include web security and the application of formal verification to security systems.