[HGI-News] Talk announcement: Dr. Michael Steiner, IBM T.J Watson NY, Monday 16.10.06, 14:00, IC4/39
Newsletter of the Horst Görtz Institute
hgi-news at lists.ruhr-uni-bochum.de
Sat Oct 14 11:03:40 CEST 2006
We are pleased to announce a talk by Dr. Michael Steiner (Research
Scientist, IBM T.J Watson Research Laboratory, Hawthorne, NY, USA).
Dr. Steiner will speak next Monday, 16.10.2006, at 14:00, on the
topic "/PISA/ --- Portlet Isolation via Static Analysis".
Venue: Ruhr-Universität Bochum, Building IC, Level 4, Room 39.
/PISA/ --- Portlet Isolation via Static Analysis
Joint work with K. Vikram
\begin{abstract}
Internet portals provide value by aggregating information services
from multiple providers and displaying them as 'portlets' on a
one-stop web page. Corporate portals have been around for a while,
and even public portals are regaining their popularity thanks to
better advertising models (AdSense) and programming models (AJAX).
However, none of the portals yet has a sound security model for
aggregating information from multiple (and potentially mutually
distrusting) providers. In this talk, we'll see why this is a real
and serious problem and how it can be tackled, thereby releasing the
untapped potential that portals have for widespread use in
applications ranging from banking and finance to email and social
networking.
We will show various attacks which can be applied, e.g., to the IBM
WebSphere Portal Server and provide the first taxonomy of security
issues with portal-based aggregation. We shall formulate the
security (confidentiality and integrity) requirements in a portal
framework, focusing on enforcing isolation between the various portlets.
The talk also outlines the design and proof-of-concept
implementation of a tool that enforces our security policy. The
tool uses grammar checkers to enforce various structural invariants,
static program analysis based on IBM Research's Domo framework to
verify security properties of embedded JavaScript and, finally,
rewriting techniques to resolve statically unanalyzable yet
necessary JavaScript constructs and to provide mappings for the
programmer's convenience.
Most importantly, the tool is designed such that existing browsers
can be used unmodified, without compromising security. Furthermore,
the changes to the portlet programming models are minimal and should
not restrict their expressiveness.
\end{abstract}
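The "grammar checker" stage of the abstract, as an added illustration that is not the PISA tool's own code: a checker for one structural invariant of portlet isolation. It assumes (my assumption, not stated in the abstract) that the portal wraps each portlet's markup in its own container element, so a fragment that closes an element it did not open could break out of that container; embedded script and event-handler attributes are not rejected outright but routed to the static-analysis stage. The function name and the simplified tokenizer are illustrative.

```javascript
// Added illustration, not the PISA tool: a minimal "grammar checker" for
// one structural invariant of portlet isolation. Assumption: the portal
// wraps each portlet's markup in its own container element, so a fragment
// may never close an element it did not open (that would let it escape
// the container), and any embedded script must be handed to the
// static-analysis stage rather than emitted unchecked.
const VOID_TAGS = new Set(["area", "base", "br", "col", "embed", "hr",
  "img", "input", "link", "meta", "source", "wbr"]);

// Returns { ok, problems } for a portlet's HTML fragment. The tokenizer is
// deliberately simple (it assumes no '>' inside attribute values); a real
// checker would parse against a proper HTML grammar.
function checkPortletFragment(html) {
  const problems = [];
  const stack = [];           // currently open elements, innermost last
  const tagRe = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    const attrs = m[3];
    if (closing) {
      // A close tag must match the innermost open element of this fragment.
      if (stack.length === 0 || stack[stack.length - 1] !== name) {
        problems.push(`</${name}> closes an element the portlet did not open`);
      } else {
        stack.pop();
      }
      continue;
    }
    if (name === "script") {
      problems.push("inline <script> must pass the static-analysis stage");
    }
    if (/\son[a-z]+\s*=/i.test(attrs)) {
      problems.push(`event-handler attribute on <${name}> must pass the static-analysis stage`);
    }
    if (/\s(href|src)\s*=\s*["']?\s*javascript:/i.test(attrs)) {
      problems.push(`javascript: URL on <${name}> must pass the static-analysis stage`);
    }
    const selfClosing = VOID_TAGS.has(name) || /\/\s*$/.test(attrs);
    if (!selfClosing) stack.push(name);
  }
  // Anything left open would swallow markup that follows the portlet.
  for (const open of stack) problems.push(`<${open}> is never closed`);
  return { ok: problems.length === 0, problems };
}
```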
-michael-
Kind regards
Prof. Dr. Jörg Schwenk
Horst-Görtz-Institut
Ruhr-Universität Bochum
www.nds.rub.de