[HGI-News] Talk announcement: Dr. Michael Steiner, IBM T.J Watson NY, Monday 16.10.06, 14:00, IC4/39

Newsletter of the Horst Görtz Institute hgi-news at lists.ruhr-uni-bochum.de
Sat Oct 14 11:03:40 CEST 2006


We are pleased to announce a talk by Dr. Michael Steiner (Research
Scientist, IBM T.J Watson Research Laboratory, Hawthorne, NY, USA).

Dr. Steiner will speak next Monday, 16.10.2006, at 14:00, on the
topic "/PISA/ --- Portlet Isolation via Static Analysis".

Venue: Ruhr-Universität Bochum, Building IC, Level 4, Room 39.

/PISA/ --- Portlet Isolation via Static Analysis
Joint work with K. Vikram

\begin{abstract}
  Internet Portals provide value by aggregating information services
  from multiple providers, and display them as 'portlets' on a
  one-stop web-page. Corporate portals have been around for a while,
  and even public portals are regaining their popularity thanks to
  better advertising models (AdSense) and programming models (AJAX).
  However, none of the portals yet have a sound security model to
  aggregate information from multiple (and potentially mutually
  distrusting) providers.  In this talk, we'll see why this is a real
  and serious problem and how it can be tackled, thereby releasing the
  untapped potential that portals have for widespread use in
  applications ranging from banking, finance to email and social
  networking.

  We will show various attacks which can be applied, e.g., to the IBM
  WebSphere Portal Server and provide the first taxonomy of security
  issues with Portal-based aggregation. We shall formulate the
  security (confidentiality and integrity) requirements in a portal
  framework, focusing on enforcing isolation between various portlets.
  The talk also outlines the design and proof-of-concept
  implementation of a tool that enforces our security policy.  The
  tool uses grammar checkers to enforce various structural invariants,
  static program analysis based on IBM Research's Domo framework to
  verify security properties of embedded JavaScript and, finally,
  rewriting techniques to resolve statically unanalyzable yet
  necessary JavaScript constructs and to provide mappings for the
  programmers' convenience.

  Most importantly, the tool is designed such that existing browsers
  can be used unmodified, without compromising security.  Furthermore,
  the changes to the portlet programming models are minimal and should
  not restrict its expressivity.
\end{abstract}
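To make the "structural invariants" idea concrete, here is an added toy checker for portlet markup fragments. It is illustration code written for this announcement, not PISA's implementation or any IBM tool. It assumes a hypothetical aggregator that assigns each portlet a namespace prefix and checks three constructed invariants: every element id in a fragment must carry the portlet's prefix, every getElementById() call in an inline script may only name the portlet's own ids, and eval() is rejected because it cannot be analysed statically (the abstract says PISA rewrites such constructs rather than rejecting them). The sample fragments are constructed for the example.

```javascript
// Added example (not PISA code): a toy structural-invariant checker for
// portlet markup fragments. Invariants and sample inputs are constructed
// for illustration; a real aggregator would parse the markup and the
// JavaScript properly instead of using regular expressions.

const ID_ATTR = /\bid\s*=\s*["']([^"']+)["']/g;
const SCRIPT_BLOCK = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const GET_BY_ID = /getElementById\s*\(\s*["']([^"']+)["']\s*\)/g;
const EVAL_CALL = /\beval\s*\(/; // non-global: used with .test() per script

// Returns a list of { rule, detail } violations; empty means the
// fragment satisfies all three invariants for the given prefix.
function checkPortletFragment(prefix, html) {
  const ns = prefix + "_";
  const violations = [];

  // Invariant 1: element ids are namespaced to the owning portlet.
  for (const m of html.matchAll(ID_ATTR)) {
    if (!m[1].startsWith(ns)) {
      violations.push({ rule: "id-namespace", detail: m[1] });
    }
  }

  for (const s of html.matchAll(SCRIPT_BLOCK)) {
    const js = s[1];
    // Invariant 2: DOM lookups may only name the portlet's own ids.
    for (const g of js.matchAll(GET_BY_ID)) {
      if (!g[1].startsWith(ns)) {
        violations.push({ rule: "foreign-dom-reference", detail: g[1] });
      }
    }
    // Invariant 3: eval() is not statically analysable; reject it here
    // (the tool described in the abstract would rewrite such constructs).
    if (EVAL_CALL.test(js)) {
      violations.push({ rule: "unanalysable-construct", detail: "eval" });
    }
  }
  return violations;
}

// Constructed sample: a well-behaved portlet that only touches its own DOM.
const GOOD_FRAGMENT = `
<div id="pWeather_root">
  <span id="pWeather_temp">--</span>
  <script>
    document.getElementById("pWeather_temp").textContent = "21C";
  </script>
</div>`;

// Constructed sample: a fragment that breaks isolation in three ways.
const BAD_FRAGMENT = `
<div id="pNews_root">
  <div id="summary"></div>
  <script>
    var txt = document.getElementById("pOther_content").textContent;
    eval("render(txt)");
  </script>
</div>`;

console.log("good:", checkPortletFragment("pWeather", GOOD_FRAGMENT));
console.log("bad:", checkPortletFragment("pNews", BAD_FRAGMENT));
```

Running the block prints an empty list for the first fragment and three violations for the second (an un-prefixed id, a lookup of another portlet's element, and an eval() call). The point of the example is the shape of the enforcement, a whitelist of structurally checkable properties applied before markup reaches the shared page, rather than the specific rules, which a real aggregator would derive from its own portlet programming model.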

-michael-

Kind regards

Prof. Dr. Jörg Schwenk
Horst-Görtz-Institut
Ruhr-Universität Bochum
www.nds.rub.de





More information about the Hgi-News-Deutschland mailing list