Securing The Next Generation Web Platform
Prateek Saxena
UC Berkeley
Thursday, January 26, 2012
1:00 - 2:00pm
The Web is the primary gateway to many critical services and offers a powerful computing platform for emerging applications. However, the security of the Web platform is a major concern. Web vulnerabilities are pervasive: as of 2012, they outnumber system vulnerabilities by thousands in public vulnerability repositories (the CVE database). These vulnerabilities also constitute the most dangerous software errors today. Yet analysis techniques for finding vulnerabilities and mechanisms for building secure Web applications are at a nascent stage. How can we secure the future Web platform? In this line of research, I explore a broad range of solutions, including the design of new browser abstractions, languages, and analysis techniques.
In this talk, I describe two examples from my work in this space. In both of these works, I develop new techniques based on formal mechanisms, such as symbolic execution and type systems, and implement them in practical systems for real-world use. First, I present a system for automatically finding vulnerabilities in JavaScript applications using dynamic symbolic execution. This system has discovered several previously unknown flaws in popular Web applications without raising any false positives. One key contributor to its success is a new decision procedure for handling the complex string operations found extensively in Web applications. In my second work, I present a fundamental security abstraction for ensuring the integrity of Web application code, together with a type-based mechanism for enforcing it. These defenses have been adopted in the compilation infrastructure for commercial Web applications such as Google+.
Bio:
Prateek Saxena is a PhD student in Computer Science at UC Berkeley. His research interests are in computer security and its areas of intersection with programming languages, formal methods, compilers, and operating systems. His current work focuses on software and Web security. He is the recipient of several awards, including the Symantec Research Fellowship Award for 2011 and the AT&T Best Applied Security Paper Award for 2010.