Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Language-based Perspective on Web Application Security

Published byHandoko Sukarno Jayadi Modified over 6 years ago

Similar presentations

Presentation on theme: "A Language-based Perspective on Web Application Security"— Presentation transcript:

1 A Language-based Perspective on Web Application Security
Jonas Magazinius Chapter co-leader Chalmers University of Technology

2 Introduction PhD at Chalmers Co-leader OWASP Security tweeter
Language-based Security research group Co-leader OWASP Gothenburg local chapter Security tweeter @internot_

3 Web Applications 15 Years Ago
Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam erat volutpat. Ut wisi enim ad minim veniam, quis nostrud exerci tation ullamcorper suscipit lobortis nisl ut aliquip ex ea commodo consequat. Duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie consequat, vel illum dolore eu feugiat nulla facilisis at vero eros et accumsan et iusto odio dignissim qui blandit praesent luptatum zzril delenit augue duis dolore te feugait nulla facilisi. Nam liber tempor cum soluta nobis eleifend option congue nihil imperdiet doming id quod mazim placerat facer possim assum. Same-Origin Policy

4 Web Applications Today
Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam erat volutpat. Ut wisi enim ad minim veniam, quis nostrud exerci tation ullamcorper suscipit lobortis nisl ut aliquip ex ea commodo consequat. Duis autem vel eum iriure dolor in hendrerit in vulputate velit esse molestie consequat, vel illum dolore eu feugiat nulla facilisis at vero eros et accumsan et iusto odio dignissim qui blandit praesent luptatum zzril delenit augue duis dolore te feugait nulla facilisi. Nam liber tempor cum soluta nobis eleifend option congue nihil imperdiet doming id quod mazim placerat facer possim assum. Typi non habent claritatem insitam; est usus legentis in iis qui facit eorum claritatem. Investigationes demonstraverunt lectores legere me lius quod ii legunt saepius. Claritas est etiam processus dynamicus, qui sequitur mutationem consuetudium lectorum. Mirum est notare quam littera gothica, quam nunc putamus parum claram, anteposuerit litterarum formas humanitatis per seacula quarta decima et quinta decima. Eodem modo typi, qui nunc nobis videntur parum clari, fiant sollemnes in futurum.

5 Mashups

6 The Mashup Security Problem
1337 of your friends likes this Enter credit card:

7 Language-based Security
public = secret + 1; if (secret) { public = true; } else { public = false; } Secret Secret Public Public Escapes Requires declassification {“secret+1”: Public}

8 A Language-based Approach
Public Public

9 secret=false; if (secret) { public=true; } alert(public);
Enforcement Static analysis Dynamic analysis secret=false; if (secret) { public=true; } alert(public); secret=false; if (secret) { public=true; } alert(public);

10 Public Shadow variables
x = expr; *x = lev(expr); if (x) { y = expr; *y = lev(x + expr); } { owner: ‘chalmers.se’, readers: [‘google.com’] } Public Native support?

11 On-the-fly Rewriting Information flow
Policy No assumptions about programming practices No change to the runtime environment is needed Unsafe code Safe monitored code Trans-formation Monitor Security label tracking

12 A Language-based Approach
Public Public

13 THANK YOU! Where Are We Now? ECMAScript 5 DOM interaction Events
Integrity THANK YOU!

Download ppt "A Language-based Perspective on Web Application Security"

Similar presentations

Community Planning Training 1- Community Planning Training 7-1 Community Planning Training 7-1.

Community Planning Training 1- Community Planning Training 7-1 Community Planning Training 7-1.
Google Web Toolkit and the Model View Presenter architecture Philippe Beaudoin (Track Sponsor)

Google Web Toolkit and the Model View Presenter architecture Philippe Beaudoin (Track Sponsor)
Legrandgroup.com legrand.country bticino.country cablofil.country ortronics.country bticino.country legrand.country cablofil.country ortronics.country.

Legrandgroup.com legrand.country bticino.country cablofil.country ortronics.country bticino.country legrand.country cablofil.country ortronics.country.
© 2014 ELLUCIAN. ALL RIGHTS RESERVED – CONFIDENTIAL & PROPRIETARY. CALBHR: What Ellucian Does For You Jan Wilder Sr. Business Analyst, Ellucian February.

© 2014 ELLUCIAN. ALL RIGHTS RESERVED – CONFIDENTIAL & PROPRIETARY. CALBHR: What Ellucian Does For You Jan Wilder Sr. Business Analyst, Ellucian February.
From Blobs to Structured Data SEO in the Age of Entities Jonathon Colman, In-House SEO for REI INFO 498: Content Strategy.

From Blobs to Structured Data SEO in the Age of Entities Jonathon Colman, In-House SEO for REI INFO 498: Content Strategy.
Name of presentation Company name. Second Page Your Text here Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod.

Name of presentation Company name. Second Page Your Text here Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod.
Full Scale PowerPoint Poster Template: 36 by 48 Layout

Full Scale PowerPoint Poster Template: 36" by 48" Layout
Kapi‘olani Community College, Honolulu, Hawai‘i

Kapi‘olani Community College, Honolulu, Hawai‘i
VIDEO MARKETING Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam Lorem.

VIDEO MARKETING Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam Lorem.
Company name Name of presentation. Slide master Your Text here Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod.

Company name Name of presentation. Slide master Your Text here Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod.
VIDEO MARKETING Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam Lorem.

VIDEO MARKETING Lorem ipsum dolor sit amet, consectetuer adipiscing elit, sed diam nonummy nibh euismod tincidunt ut laoreet dolore magna aliquam Lorem.
Poster Title Author Names INTRODUCTION RESULTS CONCLUSION

Poster Title Author Names INTRODUCTION RESULTS CONCLUSION
Lorem ipsum dolor sit amet consectetuer adipiscing elit

Lorem ipsum dolor sit amet consectetuer adipiscing elit
PRESENTATION TITLE.

PRESENTATION TITLE.
Presentation Title Here

Presentation Title Here
Name of presentation Company name.

Name of presentation Company name.
TRIUMF, 4004 Wesbrook Mall, Vancouver, BC, Canada, V6T 2A3

TRIUMF, 4004 Wesbrook Mall, Vancouver, BC, Canada, V6T 2A3
POWERPOINT Best Solution !!

POWERPOINT Best Solution !!
Multipurpose PowerPoint Template

Multipurpose PowerPoint Template
AGENCY PowerPoint template.

AGENCY PowerPoint template.

Similar presentations

Ads by Google