Distinguished Lecture Series

10.02.2021 - 16:00

Henry Corrigan-Gibbs


Bio: Henry Corrigan-Gibbs is an assistant professor in MIT's EECS department and is a member of CSAIL. His research focuses on computer security, cryptography, and computer systems.

Before coming to MIT, he completed his PhD in computer science at Stanford, advised by Dan Boneh. He also spent one year as a postdoc at EPFL, hosted by Bryan Ford.


10.03.2021 - 16:00

Bart Preneel


Bio: Bart Preneel received the Electrical Engineering and PhD degrees from KU Leuven (Belgium). He is a Full Professor at KU Leuven, where he heads the COSIC Research Group. He has been a visiting professor at five universities in Europe.

Bart Preneel has authored more than 200 scientific publications and is the inventor of two patents. He has participated in more than 20 EU-funded projects and has coordinated four of them, including the EU NoE ECRYPT. He has served as panel member and chair for the European Research Council. Since 1997 he has served on the Board of Directors of the IACR (International Association for Cryptologic Research), from 2002 to 2007 as vice president and from 2008 to 2013 as president. He is a member of the Permanent Stakeholders Group of ENISA and of the Academia Europaea. He has served on the Advisory Board of several companies and EU projects. He has served as Program Chair of 15 international conferences and has been an invited speaker at more than 90 conferences in 40 countries. In 2014, he received the RSA Award for Excellence in the Field of Mathematics.


14.04.2021 - 16:00

Sarah Meiklejohn


Bio: Sarah Meiklejohn is a Professor in Cryptography and Security at University College London (UCL), in the Computer Science department. She is affiliated with the Information Security Group, and is also a member of the Open Music Initiative, a fellow of the Alan Turing Institute, and an Associate Director of the Initiative for Cryptocurrencies and Contracts (IC3).

From November 2019 to December 2020, she was a visiting researcher at Google UK, working with the Certificate Transparency / TrustFabric team. Since December 2020 she has been a Staff Research Scientist there.

Sarah Meiklejohn received a PhD in Computer Science from the University of California, San Diego under the joint supervision of Mihir Bellare and Stefan Savage. During her PhD, she spent the summers of 2011 and 2013 at MSR Redmond, working in the cryptography group with Melissa Chase. She obtained an Sc.M. in Computer Science from Brown University under the guidance of Anna Lysyanskaya in 2009, and an Sc.B. in Mathematics from Brown in 2008.


12.05.2021 - 16:00

Thorsten Holz


Bio: Thorsten Holz is a professor in the Faculty of Electrical Engineering and Information Technology at Ruhr-University Bochum, Germany. His research interests include technical aspects of secure systems, with a specific focus on systems security. Currently, his work concentrates on reverse engineering, automated vulnerability detection, and studying the latest attack vectors. He received the Dipl.-Inform. degree in Computer Science from RWTH Aachen, Germany (2005) and the Ph.D. degree from the University of Mannheim (2009). Prior to joining Ruhr-University Bochum in April 2010, he was a postdoctoral researcher in the Automation Systems Group at the Technical University of Vienna, Austria. In 2011, Thorsten received the Heinz Maier-Leibnitz Prize from the German Research Foundation (DFG) and in 2014 an ERC Starting Grant. Furthermore, he is Co-Spokesperson of the Cluster of Excellence "CASA - Cyber Security in the Age of Large-Scale Adversaries" (with C. Paar and E. Kiltz).


Past Lectures

13.01.2021 - 16:00

Andrei Sabelfeld

SandTrap: Securing JavaScript-driven Trigger-Action Platforms

Resources: [slides]


Bio: Andrei Sabelfeld is a Professor in the Department of Computer Science and Engineering at Chalmers University of Technology in Gothenburg, Sweden. Before joining Chalmers as faculty, he was a Research Associate at Cornell University in Ithaca, NY, USA. Andrei Sabelfeld's research spans foundations to practice across a range of topics in computer security and privacy. Today, he leads a group of researchers at Chalmers engaged in a number of internationally visible projects on software security, web security, IoT security, and applied cryptography.

Abstract: Trigger-Action Platforms (TAPs) seamlessly connect a wide variety of otherwise unconnected devices and services, ranging from IoT devices to cloud services and social networks. While enabling novel and exciting applications, TAPs raise critical security and privacy concerns because a TAP is effectively a "person-in-the-middle" between trigger and action services. Third-party code, routinely deployed as "apps" on TAPs, further exacerbates these concerns.

This talk focuses on JavaScript-driven TAPs. We show that the popular IFTTT and Zapier platforms and an open-source alternative, Node-RED, are susceptible to various attacks, ranging from massively exfiltrating data from unsuspecting users to taking over the entire platform. We report on the changes made by the platforms in response to our findings and present an empirical study to assess the security implications.

Motivated by the need for a secure yet flexible way to integrate third-party JavaScript apps, we propose SandTrap, a sandboxing approach that allows for isolating apps while letting them communicate via clearly defined interfaces. We present a formalization for a core language that soundly and transparently enforces fine-grained allowlist policies at module-, API-, value-, and context-level. We develop a novel proxy-based JavaScript monitor that encompasses a powerful policy generation mechanism and enables us to instantiate SandTrap to IFTTT, Zapier, and Node-RED. We illustrate on a set of benchmarks how SandTrap enforces a variety of policies while incurring a tolerable runtime overhead.
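To make the idea of a proxy-based JavaScript monitor with allowlist policies concrete, the following is an added illustration written for this page; it is not SandTrap's code and is much simpler than the system the abstract describes. It assumes a constructed set of host modules (`http`, `fs`, `child_process`), a hand-written policy object, and an allowlisted hostname `api.example.com`, all of which are placeholders. It shows three of the policy levels the abstract names: module level (which modules an app may load), API level (which functions on a module it may call), and value level (a predicate on the arguments of each allowed call), with every decision written to an audit log.

```javascript
// Added example: a minimal proxy-based allowlist monitor for third-party
// app code. Modules, policy and hostnames below are constructed stand-ins.

// Constructed host modules that an app might ask for via require().
const hostModules = {
  http: {
    get: (url) => `GET ${url}`,
    post: (url, body) => `POST ${url} (${body.length} bytes)`,
  },
  fs: {
    readFile: (path) => `contents of ${path}`,
    writeFile: (path, data) => `wrote ${data.length} bytes to ${path}`,
  },
  child_process: {
    exec: (cmd) => `ran ${cmd}`,
  },
};

// Value-level check for http.get: only the constructed allowlisted host.
function allowedHost(url) {
  try {
    return new URL(url).hostname === "api.example.com";
  } catch {
    return false; // unparsable URL: deny
  }
}

// Policy: module -> { apiName -> predicate over call arguments }.
// Anything not listed (module or API) is denied.
const policy = {
  http: { get: (url) => allowedHost(url) },
  fs: { readFile: (path) => typeof path === "string" && path.startsWith("/app/data/") },
};

class PolicyViolation extends Error {}

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Wrap one module: the `get` trap enforces the API-level allowlist and the
// `apply` trap on each returned function enforces the value-level predicate.
function monitorModule(name, mod, modPolicy, log) {
  return new Proxy(mod, {
    get(target, prop) {
      const api = `${name}.${String(prop)}`;
      if (!has(modPolicy, prop)) {
        log.push(`deny ${api}: API not in allowlist`);
        throw new PolicyViolation(`${api} is not allowed`);
      }
      const check = modPolicy[prop];
      return new Proxy(target[prop], {
        apply(fn, thisArg, args) {
          if (!check(...args)) {
            log.push(`deny ${api}(${JSON.stringify(args)}): value policy`);
            throw new PolicyViolation(`${api} rejected its arguments`);
          }
          log.push(`allow ${api}`);
          return Reflect.apply(fn, thisArg, args);
        },
      });
    },
    set() {
      throw new PolicyViolation(`${name} is read-only inside the sandbox`);
    },
  });
}

// The require() handed to an app: module-level allowlist, monitored modules.
function makeSandboxedRequire(policy, log) {
  return (name) => {
    if (!has(policy, name) || !has(hostModules, name)) {
      log.push(`deny require(${name}): module not in allowlist`);
      throw new PolicyViolation(`module ${name} is not allowed`);
    }
    return monitorModule(name, hostModules[name], policy[name], log);
  };
}

// Run an app under the policy; return its result or the violation, plus log.
function runApp(app) {
  const log = [];
  try {
    return { ok: true, result: app(makeSandboxedRequire(policy, log)), log };
  } catch (e) {
    if (e instanceof PolicyViolation) return { ok: false, error: e.message, log };
    throw e;
  }
}

// Constructed apps exercising each policy level.
const appAllowed = (req) => req("http").get("https://api.example.com/v1/items");
const appUnlistedApi = (req) => req("http").post("https://api.example.com/", "x");
const appBadHost = (req) => req("http").get("https://other.example.net/?q=1");
const appUnlistedModule = (req) => req("child_process").exec("id");

if (typeof require !== "undefined" && require.main === module) {
  for (const app of [appAllowed, appUnlistedApi, appBadHost, appUnlistedModule]) {
    console.log(runApp(app));
  }
}
```

The design point is that the app never receives a host function directly: every reference goes through a `get` trap and every call through an `apply` trap, so the monitor can deny at the module, API, or argument level and record the decision. The abstract's context-level policies and its policy generation mechanism are not modelled here.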

