16:198:500:01: Light Seminar

Web-Application, Browser and Javascript Security

Fall 2008

General Information

Course number: 16:198:500:01, Index: 07897.
Instructor: Vinod Ganapathy
Class hours: Tuesdays 1:00pm-2:15pm.
Class location: Hill 250.

October 7, 2008: Since I will be traveling, there will be no class on October 13, 2008.

Course overview

Recent advances in Web technology aim to improve end-users' Web browsing experience through a variety of new techniques and tools: Ajax-enabled client-side code execution, mashup applications, and browser extensions, to name a few. However, these techniques also raise several new security concerns: How does a Web browser confine untrusted code either in the form of scripts downloaded from Web pages or as plugins and extensions? How can a user ensure that a script in a mashup will not compromise his privacy? How to deal with worms that exploit browser bugs and hijack control of the browser? These and similar questions are the focus of much recent research in Computer Security.

In this light seminar, we will study the state of the art in attacks and defenses on modern Web applications and Web browsers. We will discuss papers from recent Computer Security and Operating Systems conferences such as the IEEE Symposium on Security and Privacy, ACM CCS, USENIX Security, SOSP, OSDI and the WWW Conference.

The class will be discussion-oriented, and each student will be expected to lead the presentation of one or two papers during the course of the semester. We plan to cover 1-2 papers per week. Occasionally, we will also have invited speakers.

Reading list

Here is the reading list for this course. We will discuss one or two papers a week, roughly in the order that they appear in this list. The seminar will be informal, and grades will be based upon class participation. Please see the class schedule for the assigned readings for each week.

Class schedule

Each week, we will discuss one or two papers from our reading list according to the schedule below.

Date	Assigned reading	Presenter (tentative)	Slides
September 2	Introduction and organization (no reading)	Vinod
September 9	OP Chrome	Mohan	PPT
September 16	Tahoma	Mark
September 23	DNS Rebinding BEEP	Rick Luying Li
September 30	ForceHTTPS Dynamic Pharming	Huijun Bill
October 7	iFrame Honeymonkey	Nitya Yan Xiong
October 14	Interframe XSRF	Crystal ~~Alexander~~
October 21	Caja CoreScript	Tuan
October 28	No class (CCS 2008)	-
November 4	MashupOS	Nishat
November 11	Smash Subspace	Qiang Jinyun Yan
November 18	PwdHash Skins	Zhiyuan Ed
December 2	Doppelganger Privacy	Chih-Cheng Rezwana
December 9	Fable Swift	Shakeel

Presentation guidelines

Note that you are required to make your own slides for the papers that you present in class. Here is an informal set of guidelines that you should use as you prepare to present papers in class. These guidelines may not be appropriate for all the papers that we discuss in class (especially position papers, which are speculative and propose new ideas, and may thus not contain a full-fledged experimental results section). There are several excellent resources on the Web with advice on effective presentation; please see the resources section for links to these resources.

In each case, I've also suggested the approximate timeframe for each section of your presentation (assuming a one hour presentation: scale things down for a half hour presentation). Note that there will be questions and discussion as you present the paper, so please use the timeframe as a guideline for the number of slides that you want to prepare.

Summarize. (15-20 minutes)
- Problem. What problem does the paper address? Why will the world be a better place if the problem is solved?
- Solution. What is the solution proposed by the paper? Does the solution address the problem in its entirety? If not, under what assumptions does the solution work? Are these assumptions reasonable?
- Evaluation. What aspects of the system are evaluated in the paper? What is the experimental testbed used? What experiments were performed? Details of experimental results. What aspects of the system were not evaluated/evaluated in an unsatisfactory way?
- Related work. What other solutions have been proposed for the problem addressed by this paper? What is unique about this paper's approach? Why does this paper's approach improve upon prior approaches?
Critique. (10-15 minutes)
- Pros. What did you like about the paper? Did you learn any new tricks from the paper that you can add to your toolbox?
- Cons. What didn't you like about the paper? If you thought the problem was cool, but the solution was not, how would you have solved the problem instead? If the experimental results section was lacking, what additional experiments would you have performed instead? Why do you think the authors did not perform these experiments?
Extend. (10-15 minutes)
- Future work. What is the logical next step (i.e., the low-hanging fruit) in extending this paper? What about longer-term/more ambitious extensions?
- Wild and crazy ideas. Your wacky suggestions here!

You can either choose to make slides for the presentation, or use the whiteboard. However, we strongly prefer slides, because (a) they help organize your thoughts before and during the presentation, and (b) they can be distributed and serve as a record of that class. (Transparencies are no longer in style; but if you are really keen on using transparencies, please let the instructors know in advance, and we can try to arrange for a projector).

Grading

Grades for this course are based upon class participation.

Resources

Organizations

Tips to read an academic paper

How to read a paper, by Professor S. Keshav, Univerity of Waterloo.

Tips for effective presentation

Giving a technical talk, by Professor Michael Ernst.
Tips for a good conference talk, by Professor Jennifer Widom.
Oral presentation advice, by Professor Mark Hill.
Giving an Academic Talk, by Professor Jonathan Shewchuk.

Vinod Ganapathy