I am currently a Ph.D. student in the Stanford computer science department, where I am studying computer security.
As wireless networks proliferate, web browsers operate in an increasingly hostile network environment. The HTTPS protocol has the potential to protect web users against network attackers, but real-world deployments must cope with misconfigured servers, causing imperfect web sites and users to inadvertently compromise browsing sessions. ForceHTTPS is a simple browser security mechanism that web sites or users can use to opt in to stricter error processing, improving the security of HTTPS by preventing network attacks that exploit the browser's lenient error processing. By augmenting the browser with a database of custom URL rewrite rules, ForceHTTPS allows users to transparently retrofit security onto insecure sites that support HTTPS. We provide an implementation of ForceHTTPS as a Firefox browser extension.
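The following is an added example, not code from the ForceHTTPS extension or the paper. It models the two behaviours the abstract describes: a per-host policy database that rewrites http:// URLs to https:// for hosts that opted in, and stricter error processing that aborts on a TLS error for those hosts instead of prompting the user. The opt-in signal (a hypothetical "X-Force-HTTPS: 1" response header, honoured only when received over HTTPS) and the host names are assumptions of this example.

```javascript
// Added example: a minimal model of ForceHTTPS-style policy enforcement.
// Not the extension's own code; header name and hosts are constructed.
// Node's global URL class is used for parsing.

// Policy database: hostname -> { forceHttps: true }.
function createPolicyDb() {
  return new Map();
}

// Record an opt-in for a host. The opt-in is only accepted over HTTPS:
// an opt-in carried over plain HTTP could be injected or stripped by the
// same network attacker the mechanism is meant to defeat.
function recordOptIn(db, responseUrl, headers) {
  const u = new URL(responseUrl);
  if (u.protocol !== "https:") return false;           // ignore HTTP opt-ins
  if (headers["x-force-https"] !== "1") return false;  // assumed header name
  db.set(u.hostname, { forceHttps: true });
  return true;
}

// Rewrite rule: upgrade http:// URLs of opted-in hosts to https://
// before any request is sent, so the plaintext round trip never happens.
function rewriteUrl(db, rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol === "http:" && db.has(u.hostname)) {
    u.protocol = "https:";
  }
  return u.toString();
}

// Stricter error processing: for opted-in hosts a certificate error aborts
// the connection; other hosts keep the legacy click-through prompt.
function decideOnTlsError(db, hostname) {
  return db.has(hostname) ? "abort" : "prompt-user";
}

function demo() {
  const db = createPolicyDb();
  // Constructed: bank.example opts in over HTTPS; shop.example tries to opt
  // in over HTTP, which is rejected, so it keeps the lenient behaviour.
  recordOptIn(db, "https://bank.example/login", { "x-force-https": "1" });
  recordOptIn(db, "http://shop.example/", { "x-force-https": "1" });
  return {
    bank: rewriteUrl(db, "http://bank.example/account?id=7"),
    shop: rewriteUrl(db, "http://shop.example/cart"),
    bankError: decideOnTlsError(db, "bank.example"),
    shopError: decideOnTlsError(db, "shop.example"),
  };
}

if (typeof module !== "undefined") {
  module.exports = { createPolicyDb, recordOptIn, rewriteUrl, decideOnTlsError, demo };
}
```

The check worth noticing is in recordOptIn: the policy only becomes stricter through an authenticated (HTTPS) channel, otherwise an attacker on the network could turn the mechanism off by never letting the opt-in arrive, or on for hosts that never asked for it.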
DNS rebinding attacks subvert the same-origin policy and convert browsers into open network proxies. These attacks can circumvent firewalls to access internal documents and services, and require less than $100 to temporarily hijack 100,000 IP addresses for sending spam and defrauding pay-per-click advertisers. We present both short-term mitigations and long-term defenses.
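As an added example that is not from the paper, the block below implements two common defensive checks against DNS rebinding from the resolver's and the internal server's side: a filter that refuses DNS answers mapping an external name to a private, loopback or link-local address, and a Host header check so that a request reaching an internal service under an attacker's hostname is rejected. The address ranges are the standard RFC 1918, loopback and link-local blocks; the local-zone list, sample answers and host names are constructed for the example.

```javascript
// Added example: defensive checks against DNS rebinding (not the paper's
// code). Sample names, zones and answers are constructed.

function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 ||
      parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("not an IPv4 address: " + ip);
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// RFC 1918 private ranges, loopback, link-local and "this network".
const NON_PUBLIC_RANGES = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16], ["0.0.0.0", 8],
];

function isNonPublicIPv4(ip) {
  const addr = ipv4ToInt(ip);
  return NON_PUBLIC_RANGES.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
  });
}

// Resolver-side filter: a name outside the organisation's own zones must
// not resolve to a non-public address. Returns only the answers that pass,
// so a later "rebind" of an external name to 192.168.x.x is dropped.
function filterDnsAnswers(name, answers, localZones = []) {
  const lower = name.toLowerCase();
  const isLocal = localZones.some((z) => lower === z || lower.endsWith("." + z));
  if (isLocal) return answers.slice();
  return answers.filter((ip) => !isNonPublicIPv4(ip));
}

// Server-side check: an internal service accepts a request only when the
// Host header names it. A rebound request still carries the attacker's
// hostname, because the browser believes it is talking to that origin.
// (Port stripping here assumes a plain hostname, not an IPv6 literal.)
function hostHeaderAllowed(hostHeader, allowedHosts) {
  if (typeof hostHeader !== "string") return false;
  const host = hostHeader.toLowerCase().replace(/:\d+$/, "");
  return allowedHosts.includes(host);
}

function demo() {
  // Constructed: attacker.example first answers with a public address,
  // then rebinds to a private address and to loopback.
  return {
    filtered: filterDnsAnswers("attacker.example",
      ["203.0.113.5", "192.168.1.10", "127.0.0.1"]),
    localOk: filterDnsAnswers("printer.corp.internal", ["10.1.2.3"], ["corp.internal"]),
    goodHost: hostHeaderAllowed("intranet.corp.internal:8080", ["intranet.corp.internal"]),
    badHost: hostHeaderAllowed("attacker.example", ["intranet.corp.internal"]),
  };
}

if (typeof module !== "undefined") {
  module.exports = { ipv4ToInt, isNonPublicIPv4, filterDnsAnswers, hostHeaderAllowed, demo };
}
```

The two checks are complementary: the resolver filter protects hosts whose browsers would otherwise follow the rebind, while the Host header check protects a service even when clients resolve names through an unfiltered resolver. Both are short-term mitigations in the sense of the abstract; they do not change the browser's same-origin policy itself.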
Web browsers have evolved from a single-principal platform on which one site is browsed at a time into a multi-principal platform on which data and code from mutually distrusting sites interact programmatically in a single page at the browser. Today's "Web 2.0" applications (or mashups) offer rich services, rivaling those of desktop PCs. However, the protection and communication abstractions offered by today's browsers remain suitable only for a single-principal system — either no trust through complete isolation between principals (sites) or full trust by incorporating third-party code as libraries. We address this deficiency by identifying and designing the missing abstractions needed for a browser-based multi-principal platform. We have designed our abstractions to be backward compatible and easily adoptable. We have built a prototype system that realizes almost all of our abstractions and their associated properties. Our evaluation shows that our abstractions make it easy to build more secure and robust client-side Web mashups and can be easily implemented with negligible performance overhead.
Current phishing attacks focus primarily on stealing user credentials such as passwords. In response, web sites are deploying stronger authentication and backend analytics systems. These tools are designed to make it harder for phishers to extract value from stolen passwords. We anticipate that phishers will adapt in response. In particular, we expect to see huge growth in the use of a different type of botnet malware called a Transaction Generator or TG for short. A TG waits for the user to log in to his account at a site and then issues transactions on behalf of the user. We discuss a number of mechanisms by which TGs can hide their tracks so that users have no idea that fraudulent transactions were issued by their machine. We also describe a mitigation system, called SpyBlock, that can help reduce the damage caused by TGs.
Web browser support has evolved piecemeal to balance the security and interoperability requirements of client-side script services. This evolution has led to an inadequate security model that forces Web applications to choose between security and interoperation. We draw an analogy between Web sites' sharing of browser resources and users' sharing of operating system resources, and use this analogy as a guide to develop protection and communication abstractions in MashupOS: a set of abstractions that isolate mutually-untrusting web services within the browser, while allowing safe forms of communication.
Combining data and code from third-party sources has enabled a new wave of web mashups that add creativity and functionality to web applications. However, browsers are poorly designed to pass data between domains, often forcing web developers to abandon security in the name of functionality. To address this deficiency, we developed Subspace, a novel cross-domain communication mechanism that allows efficient communication across domains without sacrificing security. Our prototype requires only a small JavaScript library, and works across all major browsers. We believe Subspace can serve as a new secure communication primitive for web mashups.
In our usability study of phishing attacks and browser antiphishing defenses, 27 users each classified 12 web sites as fraudulent or legitimate. By dividing these users into three groups, our controlled study measured both the effect of extended validation certificates that appear only at legitimate sites and the effect of reading a help file about security features in Internet Explorer 7. Across all groups, we found that picture-in-picture attacks showing a fake browser window were as effective as the best other phishing technique, the homograph attack. Extended validation did not help users identify either attack. Additionally, reading the help file made users more likely to classify both real and fake web sites as legitimate when the phishing warning did not appear.
Browsers leak information about your activities at other sites. Our SafeHistory and SafeCache Firefox browser extensions apply a general same-origin principle to sensitive browser information. Our paper, Protecting Browser State from Web Privacy Attacks, appeared at WWW 2006.
We describe a browser extension, PwdHash, that transparently produces a different password for each site, improving web password security and defending against password phishing and other attacks.
Research Interests: Access control, network protocols and software system security. Programming languages, type systems, object systems, and formal methods. Applications of mathematical logic to computer science.
Research interests: Applied cryptography and network security.