CS Talk - Deian Stefan

Event time: 
Wednesday, February 25, 2015 - 10:30am
AKW 200 See map
51 Prospect Street
New Haven, CT 06511
Event description: 

CS Talk - Deian Stefan
Title: Principled and Practical Web Application Security

Hosts: Zhong Shao and Ruzica Piskac

Abstract: On a recurring basis we learn of popular websites being breached or accidentally exposing sensitive user data.  This is because building secure web applications is hard.  Web applications face security issues on two fronts, server-side and browser-side, and existing programming models make it notoriously difficult to produce secure code.

In this talk, I will first describe Hails, a framework that enables novice developers to build secure server-side web applications.  Hails separates the security and privacy concerns of an application from its functionality.  In Hails, developers specify data access policies in a simple, declarative fashion alongside the data model.  Hails then uses language-level information flow control (IFC) to enforce such policies on the error-prone code that implements the app functionality.

Next, I will describe COWL, a browser security architecture that allows developers to further protect user privacy from untrusted JavaScript.  COWL adopts Hails’ IFC abstractions to the browser in a away that is fully backwards compatible with legacy websites. Together, Hails and COWL, provide end-to-end security for modern web applications.  Indeed, the strong security opens up the possibility of deploying applications that, because of security concerns, were not previously practical.

Bio: Deian Stefan is a PhD student in Computer Science at Stanford.  His research interests intersect systems, programming languages, and security.  As part of his PhD work, Deian focused on web application security; he built practical systems with formal underpinnings that enable average developers to build secure web applications. Deian is a recipient of a NDSEG Fellowship, and a Mozilla Research Grant for his work on web security.  He is a co-founder and the CTO of GitStar Inc., a company that provides security-as-a-service to web developers.  He is a member of the W3C Web Application Security Group, where he serves as editor of the COWL spec.  He received his BE and ME in Electrical Engineering from Cooper Union.