WebQUeST Schedule
- 8:00- Registration
- 9:00-10:30 Session 1 - Mozilla
- Introduction and Welcome - Organizers
Welcome everyone and briefly discuss goals and agenda.
- David Herman (Mozilla Research)
Security challenges for the web platform
Mozilla's mission is to promote and improve the open web, which we accomplish in large part through the development and deployment of the popular Firefox web browser. As we continue to expand the power and reach of the web, its software quality and security concerns grow broader and deeper. In this talk, I will discuss challenges we see at Mozilla and techniques we have explored for improving security in the web platform.
- Sruthi Bandhakavi (UIUC) (Presented by Julian Dolby (IBM Research))
Vetting Browser Extensions for Security Vulnerabilities with VEX
We present VEX, a framework for highlighting potential security vulnerabilities in browser extensions by applying static information-flow analysis to the JavaScript code used to implement extensions. We describe several patterns of flows as well as unsafe programming practices that may lead to privilege escalations in Firefox extensions. VEX analyzes Firefox extensions for such flow patterns using high-precision, context-sensitive, flow-sensitive static analysis. We analyze thousands of browser extensions, and VEX finds six exploitable vulnerabilities, three of which were previously unknown.
- Discussion (Possible topic: what could be added to the browser to aid security)
- 10:30-11:00 Coffee break
- 11:00-12:30 Session 2 - Tools
- Anders Moeller (Aarhus)
Providing Tool Support for JavaScript Programmers
The dynamic nature of JavaScript makes it challenging to develop and maintain modern web applications. Even the simplest programming errors are often found only by testing, which can be a time-consuming process. Refactoring for improving code maintenance is rarely done, because it is difficult to foresee the consequences of changes to the code.
This talk gives an overview of three research projects that aim to provide better tool support for JavaScript programmers: TAJS, a static analysis that infers type information and detects likely programming errors; Artemis, about automatically producing high-coverage testing; and JSRefactor, a framework for specifying and implementing JavaScript refactorings based on pointer analysis.
More information: http://cs.au.dk/~amoeller/CASA/
- Discussion (Possible topics: static analysis issues for client- and server-side Web software; whether/how to do refactorings to fix security issues)
- 12:30-2:00 Lunch
- 2:00- 3:30 Session 3 - Learning and Microsoft
- Marco Cova (Birmingham)
Detecting and Analyzing Web-based Malware via Statistical Learning Techniques
Malicious webpages have become a popular means for infecting hosts on the Web and, subsequently, creating large-scale botnets. In particular, in a drive-by-download attack, an attacker embeds malicious JavaScript code into a (potentially compromised) web site; this code then attempts to exploit vulnerabilities in the user's browser or in the browser's plugins.
In this talk, we will present an approach for the detection and analysis of the malicious JavaScript code used in drive-by-download attacks. In particular, our approach is based on anomaly detection and emulation: we instrument a browser to collect events during a visit to a page, and we use a number of features and machine-learning techniques to establish the characteristics of normal JavaScript code. Then, during detection, the system is able to identify anomalous JavaScript code by emulating its behavior and comparing it to the established profiles.
We have implemented our approach in a tool, called Wepawet, and showed with extensive experiments that it is capable of detecting drive-by-download attacks with low false positives and false negatives. We have also made Wepawet publicly available as an online service.
- Benjamin Livshits (Microsoft Research)
Finding Malware on a Web Scale
Over the last several years, JavaScript malware has emerged as one of the most popular ways to deliver drive-by attacks to unsuspecting users through the browser. This talk covers recent Microsoft Research experiences with finding malware on the web. It highlights two tools: Nozzle and Zozzle. Nozzle is a runtime malware detector that focuses on finding heap spraying attacks. Zozzle is a mostly static detector that finds heap sprays and other types of JavaScript malware.
- Discussion (Possible topic: integrating the learning techniques into browsers, and whether it would be possible to do static analysis to approximate the dynamic properties learning can find.)
- 3:30- 4:00 Coffee break
- 4:00- 5:30 Session 4 - IBM security analyses
- Omer Tripp (IBM Rational)
Information-flow Security: Moving Beyond Graph Reachability
Reducing information-flow security to a graph-reachability problem is a tempting and elegant approach that has been explored extensively in the past. Unfortunately, with the advent of technology, this form of "reduction" is becoming increasingly more naive and unsatisfactory from a practical viewpoint. This is due to various reasons, including (i) the prominence of frameworks, which make intensive and non-trivial use of reflection, dependency injection, and other challenging coding patterns, (ii) the growing need to account for the contents of string variables in modeling control flow and reasoning about the feasibility of discovered flows, and (iii) the increasing demand for more expressiveness in security specifications. In this talk, I shall describe these inter-related challenges in more detail, as well as illustrate them using real-world code. I shall also discuss some techniques and algorithms that were recently developed in response to these challenges.
- Salvatore Guarneri (IBM Rational)
Using Taint Analysis to Detect Vulnerabilities in Web Sites
JavaScript allows interactive and powerful Web pages, but it also provides attackers a surface to attack. The number of Web pages on any given Web site necessitates automated testing of JavaScript code to detect programming errors. Taint analysis can be used to detect data flows that result in untrusted data being used in a trusted context. This talk explores prior work on taint analysis for JavaScript and explores some future improvements to taint analysis that would be highly useful in real world Web pages.
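To make the source-to-sink flow idea in the abstract above concrete, here is an added example of a minimal flow-sensitive taint analysis over a tiny JavaScript-like program. It is illustration code written for this page, not the tool described in the talk nor any IBM product. The program is given as an explicit statement list rather than parsed source so that no parser is needed, and the source, sink and sanitizer names (`location.hash`, `element.innerHTML`, `encodeHTML`, and the `substring` call) are assumptions chosen for the example.

```javascript
// Added example: a minimal flow-sensitive taint analysis for a JavaScript-like
// program. Sources, sinks and sanitizers below are assumptions for illustration.
const SOURCES = new Set(["location.hash", "document.cookie"]);
const SINKS = new Set(["element.innerHTML", "eval"]);
const SANITIZERS = new Set(["encodeHTML"]);

function union(a, b) {
  return new Set([...a, ...b]);
}

// Returns the set of source names whose data can reach the value of `expr`
// under the environment `env` (Map: variable name -> Set of source names).
function taintOf(expr, env) {
  switch (expr.type) {
    case "literal":
      return new Set();                              // constants carry no taint
    case "source":
      return SOURCES.has(expr.name) ? new Set([expr.name]) : new Set();
    case "var":
      return new Set(env.get(expr.name) || []);
    case "concat":                                   // string building keeps every taint
      return expr.parts.reduce((acc, p) => union(acc, taintOf(p, env)), new Set());
    case "call": {
      const argTaint = expr.args.reduce((acc, a) => union(acc, taintOf(a, env)), new Set());
      // A known sanitizer neutralises its input; any other call is conservatively
      // assumed to pass taint through (e.g. substring on a tainted string).
      return SANITIZERS.has(expr.fn) ? new Set() : argTaint;
    }
    default:
      throw new Error(`unknown expression type ${expr.type}`);
  }
}

// Merges two environments at a control-flow join: a variable is tainted after
// the join if it is tainted on either incoming path.
function joinEnvs(a, b) {
  const out = new Map();
  for (const k of new Set([...a.keys(), ...b.keys()])) {
    out.set(k, union(a.get(k) || new Set(), b.get(k) || new Set()));
  }
  return out;
}

// Walks statements in order (flow-sensitive), recording a finding whenever a
// tainted value reaches a sink. `path` records the statement position.
function run(stmts, env, findings, path) {
  for (const [i, s] of stmts.entries()) {
    const here = [...path, i];
    if (s.kind === "assign") {
      env.set(s.target, taintOf(s.expr, env));       // strong update on re-assignment
    } else if (s.kind === "sink") {
      const t = taintOf(s.expr, env);
      if (SINKS.has(s.name) && t.size > 0) {
        findings.push({ sink: s.name, at: here.join("."), sources: [...t].sort() });
      }
    } else if (s.kind === "if") {
      const thenEnv = run(s.then, new Map(env), findings, [...here, "then"]);
      const elseEnv = run(s.else, new Map(env), findings, [...here, "else"]);
      env = joinEnvs(thenEnv, elseEnv);
    } else {
      throw new Error(`unknown statement kind ${s.kind}`);
    }
  }
  return env;
}

// Analyzes a whole program and returns the list of source-to-sink findings.
function analyze(program) {
  const findings = [];
  run(program, new Map(), findings, []);
  return findings;
}

// Constructed sample program, roughly equivalent to:
//   h = location.hash; name = h.substring(1);
//   if (cond) { html = "<b>" + name + "</b>"; } else { html = encodeHTML(name); }
//   element.innerHTML = html;              // tainted on the then-path: finding
//   element.innerHTML = encodeHTML(name);  // sanitized: no finding
const SAMPLE_PROGRAM = [
  { kind: "assign", target: "h", expr: { type: "source", name: "location.hash" } },
  { kind: "assign", target: "name", expr: { type: "call", fn: "substring", args: [{ type: "var", name: "h" }] } },
  { kind: "if",
    then: [{ kind: "assign", target: "html", expr: { type: "concat", parts: [
      { type: "literal", value: "<b>" }, { type: "var", name: "name" }, { type: "literal", value: "</b>" }] } }],
    else: [{ kind: "assign", target: "html", expr: { type: "call", fn: "encodeHTML", args: [{ type: "var", name: "name" }] } }] },
  { kind: "sink", name: "element.innerHTML", expr: { type: "var", name: "html" } },
  { kind: "sink", name: "element.innerHTML", expr: { type: "call", fn: "encodeHTML", args: [{ type: "var", name: "name" }] } },
];

console.log(JSON.stringify(analyze(SAMPLE_PROGRAM), null, 2));
```

Two design points matter for real-world pages. First, the join at the `if` keeps the taint from either branch, so the analysis is sound with respect to which path runs but cannot tell that the sanitized path is the only one feasible; that is exactly the gap the string-content reasoning mentioned in the previous talk aims to close. Second, unknown calls are treated as propagating taint, which trades false positives for not missing flows through helpers the analysis has no model for.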
- Discussion (Possible topic: what the key challenges are in improving real-world tools)
- 5:30-6:00 Wrap up
In an ideal world, it would be great to come up with concrete things that we could do that leverage the combination of approaches and techniques here. This could be research directions, ideas for product features, etc.