BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Memento EPFL//
BEGIN:VEVENT
SUMMARY:Protecting Sensitive Data in Web Browsers with ScriptPolice
DTSTART:20130603T100000
DTEND:20130603T110000
DTSTAMP:20260408T105204Z
UID:fb22796b64ad5a5893541f963ba7f05a3681713ec26f976d6aab70f6
CATEGORIES:Conferences - Seminars
DESCRIPTION:Prof. Brad Karp\, University College London\nThe web browser h
 as become an attractive target for attackers who wish to obtain users' sen
 sitive data. The browser is rife with untrusted JavaScript: pages execute 
 scripts\, and extensions execute with elevated privilege that entitles the
 m to see content from all origins\, and to send data to third-party server
 s. Two principal threat models apply to a user's sensitive data within a
  br
 owser. A malicious extension author may write extension code that reads se
 nsitive page content and sends it to a remote server he controls. And a ma
 licious page author may exploit an honest but buggy extension\, thus lever
 aging its elevated privilege to disclose sensitive information from other 
 origins.\nIn this talk\, I will demonstrate zero-day vulnerabilities in re
 al-world extensions for a widely used browser that allow maliciously craft
 ed JavaScript in pages to leak a user's sensitive information. I will then
  describe two classes of policy that protect sensitive data in web browser
 s by limiting the privilege of JavaScript code. *Containment* policies blo
 ck the export of sensitive information from an extension\, however obtaine
 d. They protect against both malicious extensions and malicious pages. *Pr
 evention* policies\, by contrast\, stop the misuse of an extension's privi
 leges by a page. Both types of policy are effective for a wide range of ex
 tensions\, and are thus easy to deploy in browsers. Finally\, I will prese
 nt ScriptPolice\, a policy system for the Chrome browser's V8 JavaScript i
 nterpreter that supports simple containment and prevention policies. We de
 monstrate that on a variety of extensions and pages\, ScriptPolice effecti
 vely protects sensitive data in the browser\, while typically incurring ad
 ded latency indistinguishable by the user.\n(Joint work with Petr Marchenk
 o of UCL and Ulfar Erlingsson of Google.)
LOCATION:BC 420 https://plan.epfl.ch/?room==BC%20420
STATUS:CONFIRMED
END:VEVENT
END:VCALENDAR
