Stanford Security Lunch
Fall 2014



September 24, 2014 Organizational meeting

Organizational meeting:  Sign up to give a talk!

October 1, 2014 Protecting Users by Confining JavaScript with COWL

Speaker:  Deian Stefan

Abstract:  Modern web applications are conglomerations of JavaScript written by multiple authors: application developers routinely incorporate code from third-party libraries, and mashup applications synthesize data and code hosted at different sites. In current browsers, a web application's developer and user must trust third-party code in libraries not to leak the user's sensitive information from within applications. Even worse, in the status quo, the only way to implement some mashups is for the user to give her login credentials for one site to the operator of another site. Fundamentally, today's browser security model trades privacy for flexibility because it lacks a sufficient mechanism for confining untrusted code. We present COWL, a robust JavaScript confinement system for modern web browsers. COWL introduces label-based mandatory access control to browsing contexts in a way that is fully backward-compatible with legacy web content. We use a series of case-study applications to motivate COWL's design and demonstrate how COWL allows both the inclusion of untrusted scripts in applications and the building of mashups that combine sensitive information from multiple mutually distrusting origins, all while protecting users' privacy. Measurements of two COWL implementations, one in Firefox and one in Chromium, demonstrate a virtually imperceptible increase in page-load latency.

October 8, 2014 Security at LinkedIn

Speaker:  David Freeman (LinkedIn)

Abstract:  David leads the Security Data Science team at LinkedIn, where he works on creating automated methods for detecting and preventing fraud and abuse. Before joining LinkedIn, David was a post-doc in Dan's group here at Stanford. David's research interests relate to cryptographic applications of number theory and arithmetic geometry.

October 15, 2014 Rethinking the Adoption of Hash Signatures

Speaker:  Burt Kaliski (Verisign)

Abstract:  Hash function-based digital signature schemes – in particular, the classic Merkle tree signature scheme – are among the earliest forms of public-key cryptography. However, perhaps due to their large signature size, or perhaps to their lack of a corresponding asymmetric encryption scheme, hash signatures have not entered the mainstream over the past three decades. The current emphasis on post-quantum cryptography provides a strong motivation for their adoption, but will that be enough? In addition to the promise of long-term resilience, it may also be necessary to demonstrate some near-term advantages of hash signatures over conventional approaches. This talk will describe some of those advantages, as a basis for a more general discussion on what other advantages may be needed to move hash signatures into the mainstream.

October 22, 2014 CDNs Considered Harmful

Speaker:  Amit Levy

Location:  New location this week only! Gates Library (Gates 211).

Abstract:  Content Distribution Networks like CloudFlare and Amazon CloudFront are bringing the performance benefits of CDNs to the mainstream. Importantly, besides caching website assets at edge locations, CDNs also serve as the termination for SSL. However, no longer bound by vast corporate agreements and expensive contracts, these "consumer" CDNs present new security tradeoffs and challenge our notion of "end-to-end" security on the web. I'll highlight some of the differences in process and trust between the old and new model and describe a system we are working on to address emerging concerns.

October 29, 2014 TBA

Speaker:  Joe Zimmerman

November 5, 2014 TBA

Speaker:  Michael Duff (Stanford ISO)

November 12, 2014 How to lose your data and alienate your Droid: Insights on Android Security

Speaker:  Giovanni Russello (University of Auckland)

Abstract:  Smartphones are the most successful consumer devices, reaching 1 billion units sold to end users in 2013. In this very competitive market, smartphones equipped with the Android OS represent 85% of the world-wide market.

But what about Android security? Android has smashed another record: it has become the top target for malicious code, overtaking Windows OS. Android's standard security mechanism is too vulnerable to provide a concrete solution to the current surge of malware. Add to this a very 'relaxed' mode of releasing updates to end-user devices and you have the Perfect Security Storm!

In this presentation, I will talk about Android, its security model and why it is so vulnerable. Then I will discuss current security threats, providing some examples of malware. Finally, I will talk about the security solutions available today (including the one we have developed at the University of Auckland) and some open questions for future research directions.

November 19, 2014 TBA

Speaker:  Ali Mashtizadeh

November 26, 2014 TBA

Speaker:  Patrick Mutchler

December 3, 2014 TBA

Speaker:  David Wu