Stanford Security Lunch
Spring 2009

Get announcements:

April 1 Organizational meeting

Organizational meeting: Sign up to give a talk!

April 8 No talk

April 15 No talk (Stanford computer forum)

April 22 Content-based access control

Speaker: Liz Stinson

Abstract: Standard components of the semantic web include a format for storing data (Resource Description Framework (RDF)), a language for querying that data (SPARQL), and a logic which enables using rules to make inferences over that data. In contrast to relational databases where a value’s location (i.e., table, column) provides its context, the meaning of an RDF tuple is encoded in the tuple itself. Hence, access control policy must be expressible in terms of tuple contents. Motivated by an effort to enable users to have a single logical view of their on-line information (e.g., pictures, tweets, virtual identities, social networks) — referred to as a Personal Index or Pix — we present a framework for specifying and enforcing access control policies for data stored using RDF and queried via SPARQL. Since a user’s on-line information may be diverse, extensive and ever-growing, sharing policies over that data must be intuitive for the non-expert and easy-to-maintain. Hence, we allow users to specify policy via high-level rules which automatically generate the appropriate policy facts, which are stored alongside of the data in the RDF store. Policy enforcement is via a query rewriting module which, in contrast to previous approaches, does not need visibility into the set of configured policies. PixACL policies are easily composed and can be queried using the same expressive language used to query data.

April 29 Maintainable software via high-level data languages

Speaker: Daniel Giffin

Abstract: In many software applications with human interfaces, most interaction may be characterized as "editing structured information." Thus, much effort in design and implementation might be saved by using generic tools for:

Where these tools are used to describe policies on the application's behavior — e.g., What information is recorded about each product, or What information a particular user may see — getting the "correct" behavior is much more likely when policy-specification languages can be read and written directly by policy-makers, without requiring experts to convert human-language intentions into formal prescriptions. With this ability, policy-makers could also adapt software to evolving needs themselves, avoiding confusion and the expense of additional time and money.

This goal is difficult to reach with data models so general that typical application-level concepts can only be described with complex expressions (as in, e.g., Relational Databases or RDF without additional semantic layers). But more-specific models are often awkward to map to arbitrary application domains (as in many Content Management Systems). Still, a high-level and recursive data model providing just a few, orthogonal constructs can provide the expressivity and flexibility needed to serve a broad range of applications.

I will demonstrate parts of a system that is being developed to accept university applications over the web, and the generic languages and tools that are used to manage its data. An important feature is that the shared database, guarded by the access-control policy, permits arbitrary queries from users. This allows the user-interface code — often the bulk of an application's complexity and frequently responsible for ad-hoc access control — to be trusted only by the user: in fact it runs in the browser.

May 6 Blog spam

Speaker: Elie Bursztein

Abstract: If email spamming is well known and studied, blog spam on the other hand received so far very little attention. To observe how spammer try to abuse the blog comment mechanism we have run a honey blog for over a year. In this talk I will present the preliminary results we have on this experiment.

Joint work with: Eric Lam

May 13 Automatic creation of SQLI and XSS attacks

Speaker: Philip Guo

Abstract: We present an automatic technique for creating inputs that expose SQLI and XSS vulnerabilities in Web applications. The technique generates sample inputs, symbolically tracks taints through execution (including through database accesses), and mutates the inputs to produce concrete exploits. Ours is the first analysis of which we are aware that precisely addresses second-order XSS attacks. Our technique creates real attack vectors, has few false positives, incurs no runtime overhead for the deployed application, works without requiring modification of application code, and handles dynamic programming-language constructs. We implemented the technique for PHP, in a tool Ardilla. We evaluated Ardilla on five PHP applications and found 68 previously unknown vulnerabilities (23 SQLI, 33 first-order XSS, and 12 second-order XSS).

May 20 Embedded management interfaces and XSS

Speaker: Elie Burstein

Abstract: Browser-based management is quickly becoming a standard feature for small appliances from SOHO NAS storage to picture frames. We present the results from a study of embedded management interfaces in a broad range of devices, and identify a new class of attacks called XCS (Cross-Channel Scripting).

An extended version of this talk will be presented at Black Hat USA 2009.

Joint work with: Dan Boneh and Elie Bursztein

May 27 Web browser storage and communication

Speaker: Ryan Stutsman

Abstract: Web browsers have evolved into powerful and popular application platforms, providing a compelling combination of user-interface and operating system features. However, compared to desktop applications, they have a critical lack of functionality in two areas: storage and communication. Browser-based applications must store user data on servers run by the application developer, which rules out applications that need private data or fast response times, and makes it difficult for users to change application vendors. Likewise, tight restrictions on how browser-based software can communicate across the Internet rules out many applications requiring high bandwidth or low latency, by placing the application's server on everyone's data path.

These restrictions were originally intended to provide security. However, we argue that these restrictions are neither necessary nor sufficient, and we explore how browsers can provide flexible storage and communication while enforcing stronger security guarantees.