Medlemsmøter 2013

Medlemsmøte: Torsdag 7. februar kl 17:00
Ansvarlig: Erlend Oftedal, tel: 98219335, Sponsor: Bouvet, Secode, Adresse: Bouvet Sandakerveien 24,

Agenda: Crossing Origins by Crossing Platforms

Vi får storfint besøk av Jonas Magazinius ( @internot_ )

Agenda:


 * [masked]: A lanugage based approach to securing mashups
 * [masked]: Mat
 * [masked]: Crossing origins by crossing formats

"A language based approach to securing mashups"

15 years have passed since the “same-origin policy” (SOP) was introduces, with the purpose to control the interaction between web sites. Web sites of today, in particular so called mashups, differ radically in how they interact compared to 15 years ago, and the SOP has become an obstacle that needs to be circumvented. Despite numerous hacks and efforts to control interactions in a secure manner, this problem continues to be challenging. On-going research at Chalmers investigates using language-based techniques to control the flow of information, and by doing so maintaining the hich level of interaction without making compromises in security.

"Crossing Origins by Crossing Formats"

In a heterogeneous system like the web, information is exchanged between components in versatile formats. A new breed of attacks is on the rise that exploit the mismatch between the expected and provided content. We identify the root cause of a large class of attacks: polyglots. A polyglot is a program that is valid in multiple programming languages. Polyglots allow multiple interpretations of the content, providing a new space of attack vectors. We characterize of what constitutes a dangerous format in the web setting and identify particularly dangerous formats, with PDF as the prime example. We demonstrate that polyglot-based attacks on the web open up for insecure communication across Internet origins.

Jonas Magazinius is a PhD student in the Language-based Security group at Chalmers University of Technology. The focus of his research is information-flow in mash-up web applications. Jonas is specialized in web application security, but is interested in most aspects of security. When not immersed in JavaScript, Jonas helps organize events in the OWASP Gothenburg chapter.”