Deian Stefan: 2011 Security Workshop


Monday, April 11, 2011
Location: Fisher Conference Center, Arrillaga Alumni Center

"A Haskell and Information Flow Control Approach to Safe Execution of Untrusted Web Applications"
11:45am - 12:15pm


Web sites increasingly provide user data to third-party applications. In order to install these apps, users must grant the apps permission to access and often modify profile, network, and feed contents. Current user authorization methods are cumbersome and very coarse-grained, usually resulting in the user granting the app excess privileges. Furthermore, app misbehavior (whether deliberate or not) can lead to sensitive user data being leaked. Addressing the need for alternative, secure methods for developing web applications, we present HAILS. HAILS is a new web framework that leverages Decentralized Information Flow Control to allow for the creation of secure web sites from mutually distrustful code. In addition to a labeled web server, the framework includes a type-safe and labeled database (DB) interface model, which we use to automatically label information. Our automatic labeling approach is considerably more scalable, less error-prone, and as expressive as traditional expert-labeled systems. In this talk we compare HAILS with other web frameworks by evaluating its performance and developing a small Facebook-like web site that supports the integration of third-party (possibly malicious) apps.


Deian Stefan is a first-year Ph.D. candidate in the Computer Science Department at Stanford University. His research interests include system and programming language security. Prior to joining Stanford, he worked on applications of FPGAs and GPUs to cryptographic and cryptanalysis algorithms.