[Invited Talk] From IFTTT to XSS, it's all about the information-flow lattice

Wednesday, December 19, 2018 -
14:00 to 15:00
National Taiwan University, Der-Tian Hall, Room 210 / No. 1, Sec. 4, Roosevelt Road, Taipei


Topic: From IFTTT to XSS, it's all about the information-flow lattice


Speaker: Dr. Limin Jia (Carnegie Mellon University)


Date: Wednesday, December 19th, 2018

Time: 14:00 - 15:00 

Venue: R210, CSIE - Der-Tian Hall, NTU (National Taiwan University, Der-Tian Hall, Conference Room 210)


Abstract

The Bell-LaPadula and Biba models developed in the 1970s were considered cornerstones of computer security. These models described how to protect and use potentially sensitive information, e.g., to prevent leaking classified information to the public and to avoid making critical decisions based on inputs of uncertain provenance. I will illustrate through examples from our recent research that the Bell-LaPadula and Biba models are still surprisingly relevant to modern day computer security. I'll show how information-flow lattices in the style of Bell-LaPadula and Biba can help us understand unsafe uses of IFTTT, an end-user-programming service that allows users to write if-then-style rules to connect arbitrary IoT devices to each other and to online services. Then I'll describe a technique for detecting JavaScript code injection attacks, which can be seen as enforcing the Biba model.
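To make the lattice view concrete, here is an added example (not the speaker's code and not the analysis from the talk): a product lattice of a confidentiality order (Bell-LaPadula, no write down) and an integrity order (Biba, no write up), used first to reject IFTTT-style trigger/action rules whose flow goes the wrong way, and then to flag script injection as the same Biba violation, untrusted bytes reaching the "execute code" sink. The service names, their labels, the sample rules and the HTML fragments are all constructed assumptions for illustration.

```python
"""Added example, not the speaker's code: a two-dimensional information-flow
lattice (confidentiality x integrity) used to vet IFTTT-style rules, and the
same integrity check applied to script injection. Service names, labels and
the sample rules/page fragments are constructed for illustration."""
import re
from dataclasses import dataclass

# Bell-LaPadula orders confidentiality: public < secret, data may flow up only.
# Biba orders integrity: untrusted < trusted, data may flow down only
# (a trusted sink must never be driven by untrusted data).
CONF = {"public": 0, "secret": 1}
INTEG = {"untrusted": 0, "trusted": 1}


@dataclass(frozen=True)
class Label:
    conf: str
    integ: str

    def flows_to(self, sink):
        """BLP and Biba at once: no write down in confidentiality,
        no write up in integrity."""
        return (CONF[self.conf] <= CONF[sink.conf]
                and INTEG[self.integ] >= INTEG[sink.integ])


def join(a, b):
    """Least upper bound: data derived from both inputs is as secret as the
    most secret and as untrustworthy as the least trusted of them."""
    return Label(max(a.conf, b.conf, key=CONF.get),
                 min(a.integ, b.integ, key=INTEG.get))


# Hypothetical IFTTT services with assumed labels (not from the talk).
SERVICES = {
    "camera_roll":     Label("secret", "trusted"),
    "public_tweet":    Label("public", "untrusted"),  # anyone can write it
    "front_door_lock": Label("public", "trusted"),    # safety-critical actuator
    "weather_api":     Label("public", "trusted"),
    "private_sms":     Label("secret", "trusted"),
}


def check_rules(rules):
    """rules: iterable of (name, trigger_service, action_service).
    Returns {rule_name: reason} for each rule the lattice rejects."""
    problems = {}
    for name, trigger, action in rules:
        src, dst = SERVICES[trigger], SERVICES[action]
        if src.flows_to(dst):
            continue
        if CONF[src.conf] > CONF[dst.conf]:
            problems[name] = f"Bell-LaPadula: {src.conf} {trigger} leaks to {dst.conf} {action}"
        else:
            problems[name] = f"Biba: {src.integ} {trigger} drives {dst.integ} {action}"
    return problems


@dataclass(frozen=True)
class Fragment:
    """A piece of server-generated HTML carrying the label of its origin."""
    text: str
    label: Label


def injected_scripts(fragments):
    """Biba view of script injection: executing code is a 'trusted' sink, so
    any <script> element whose bytes overlap a below-trusted fragment is a
    violation. Returns the source text of each offending script element."""
    page = "".join(f.text for f in fragments)
    untrusted, pos = [], 0
    for f in fragments:
        if INTEG[f.label.integ] < INTEG["trusted"]:
            untrusted.append((pos, pos + len(f.text)))
        pos += len(f.text)
    found = []
    for m in re.finditer(r"<script\b[^>]*>.*?</script\s*>", page, re.S | re.I):
        s, e = m.span()
        if any(s < ue and us < e for us, ue in untrusted):
            found.append(m.group())
    return found


if __name__ == "__main__":
    rules = [("share_photos", "camera_roll", "public_tweet"),
             ("tweet_unlocks_door", "public_tweet", "front_door_lock"),
             ("rain_alert", "weather_api", "private_sms")]
    for name, why in check_rules(rules).items():
        print(f"REJECT {name}: {why}")
    trusted = Label("public", "trusted")
    user = Label("public", "untrusted")
    page = [Fragment("<html><body>Hello, ", trusted),
            Fragment("<script>alert(document.cookie)</script>", user),  # raw user input
            Fragment("</body><script>init()</script></html>", trusted)]
    print(injected_scripts(page))
```

Two things worth noting. A rule with several triggers would label its combined input with `join`, so one untrusted trigger is enough to taint the whole action, which is exactly the Biba intuition. And the script check here is deliberately crude: it only sees `<script>` elements, not event-handler attributes or `javascript:` URLs, and it stands in for the integrity-based detection technique the talk describes rather than reproducing it.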

Biography

Dr. Jia is an Associate Research Professor in the ECE Department at Carnegie Mellon University. Dr. Jia received her PhD in Computer Science from Princeton University. She received her BE in Computer Science and Engineering from the University of Science and Technology of China. Dr. Jia's research interests are in formal aspects of software security, including applying formal logic to constructing software systems with known security guarantees and to analyzing security properties of systems.