Distinguished Lecture: Back to the Future: From IFTTT to XSS, it's all about the information-flow lattice

Speaker: Lujo Bauer, Carnegie Mellon University
UCL Contact: Emiliano De Cristofaro (Visitors from outside UCL please email in advance).
Date/Time: 09 Jul 18, 16:00 - 17:00
Venue: 1.03

Abstract

The Bell-LaPadula and Biba models developed in the 1970s were considered cornerstones of computer security. These models described how to protect and use potentially sensitive information, e.g., to prevent leaking classified information to the public and to avoid making critical decisions based on inputs of uncertain provenance. In modern computer security research, the Bell-LaPadula and Biba models are rarely discussed. However, they're still surprisingly relevant, which I'll illustrate through three examples from my group's recent research.
* I'll show how information-flow lattices in the style of Bell-LaPadula and Biba can help us understand unsafe uses of IFTTT, an end-user-programming service that allows users to write if-then-style rules to connect arbitrary IoT devices to each other and to online services.
* I'll describe a technique for detecting JavaScript code injection attacks, which can be seen as enforcing the Biba model.
* Finally, I'll describe how an enforcement system based around information-flow lattices can help us build web browsers that can prevent malicious scripts and extensions from stealing our data.
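The lattice reading of IFTTT rules in the first bullet, as an added illustration in Python. It is not the speaker's code or the analysis from his group's research; the channel names, their secrecy/integrity labels and the rules are constructed for the example. A trigger's label must flow to the action's label in the product of the two lattices: Bell-LaPadula forbids private data reaching a public sink, Biba forbids untrusted input driving a trusted action, and a rule with several triggers is checked against their join.

```python
from dataclasses import dataclass
from enum import IntEnum


class Secrecy(IntEnum):
    """Bell-LaPadula axis: data may flow to an equally or more secret place."""
    PUBLIC = 0
    PRIVATE = 1


class Integrity(IntEnum):
    """Biba axis: data may flow to an equally or less trusted place."""
    UNTRUSTED = 0
    TRUSTED = 1


@dataclass(frozen=True)
class Label:
    secrecy: Secrecy
    integrity: Integrity

    def flows_to(self, other: "Label") -> bool:
        # Product order of the two lattices: secrecy is compared directly
        # ("no write down"), the integrity component is reversed ("no write up").
        return self.secrecy <= other.secrecy and self.integrity >= other.integrity

    def join(self, other: "Label") -> "Label":
        # Least upper bound: as secret as the most secret input and as
        # trustworthy as the least trustworthy input.
        return Label(max(self.secrecy, other.secrecy),
                     min(self.integrity, other.integrity))


# Constructed labels for hypothetical IFTTT channels (trigger or action endpoints).
CHANNELS = {
    "camera.motion":    Label(Secrecy.PRIVATE, Integrity.TRUSTED),
    "album.new_photo":  Label(Secrecy.PRIVATE, Integrity.TRUSTED),
    "weather.forecast": Label(Secrecy.PUBLIC,  Integrity.UNTRUSTED),
    "twitter.hashtag":  Label(Secrecy.PUBLIC,  Integrity.UNTRUSTED),
    "twitter.post":     Label(Secrecy.PUBLIC,  Integrity.UNTRUSTED),
    "lights.on":        Label(Secrecy.PRIVATE, Integrity.TRUSTED),
    "door.unlock":      Label(Secrecy.PRIVATE, Integrity.TRUSTED),
    "sms.owner":        Label(Secrecy.PRIVATE, Integrity.UNTRUSTED),
}


@dataclass(frozen=True)
class Rule:
    name: str
    triggers: tuple  # channel names whose data feeds the action
    action: str      # channel name that receives it


def violations(rule: Rule) -> list:
    """Return the lattice violations of one rule (an empty list means the flow is allowed)."""
    src = CHANNELS[rule.triggers[0]]
    for name in rule.triggers[1:]:
        src = src.join(CHANNELS[name])   # several triggers: check against their join
    dst = CHANNELS[rule.action]
    found = []
    if src.secrecy > dst.secrecy:
        found.append(f"Bell-LaPadula: {src.secrecy.name} data leaks to a {dst.secrecy.name} sink")
    if src.integrity < dst.integrity:
        found.append(f"Biba: {src.integrity.name} input drives a {dst.integrity.name} action")
    assert (not found) == src.flows_to(dst)  # the two checks are exactly the product order
    return found


def audit(rules) -> dict:
    """Map each rule name to its list of violations."""
    return {r.name: violations(r) for r in rules}


# Constructed example rules in the if-this-then-that style.
RULES = [
    Rule("motion turns on lights", ("camera.motion",), "lights.on"),
    Rule("new photo posted publicly", ("album.new_photo",), "twitter.post"),
    Rule("hashtag unlocks door", ("twitter.hashtag",), "door.unlock"),
    Rule("rain forecast texts me", ("weather.forecast",), "sms.owner"),
    Rule("motion plus forecast unlocks door",
         ("camera.motion", "weather.forecast"), "door.unlock"),
]

if __name__ == "__main__":
    for name, found in audit(RULES).items():
        print(f"{name}: {'OK' if not found else '; '.join(found)}")
```

The two violating single-trigger rules fail on different axes: posting a private photo publicly is a secrecy leak, while letting a public hashtag unlock the door is an integrity failure. The last rule shows why the join matters: motion from the owner's camera alone may unlock the door, but once an untrusted weather feed is joined into the trigger, the combined input is no longer trustworthy enough to drive that action.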

Lujo Bauer

Lujo Bauer is an Associate Professor of Electrical and Computer Engineering, and of Computer Science, at Carnegie Mellon University. He received his B.S. in Computer Science from Yale University in 1997 and his Ph.D., also in Computer Science, from Princeton University in 2003. Dr. Bauer is a member of CyLab, Carnegie Mellon's computer security and privacy research institute, and serves as the director of CyLab's Cyber Autonomy Research Center. Dr. Bauer's research interests span many areas of computer security and privacy, and include building usable access-control systems with sound theoretical underpinnings, developing languages and systems for run-time enforcement of security policies on programs, and generally narrowing the gap between a formal model and a practical, usable system. His recent work focuses on developing tools and guidance to help users stay safer online and in examining how advances in machine learning can lead to a more secure future. Dr. Bauer served as the program chair for the flagship computer security conferences of the IEEE (S&P 2015) and the Internet Society (NDSS 2014) and is an associate editor of ACM Transactions on Privacy and Security.