Information Flow Security in Practical Systems
Limin Jia - Carnegie Mellon University
Apr 12, 2017Size: 372.6MB
Download: MP4 Video
Watch in your Browser Watch on YouTube
AbstractUsers routinely type sensitive data such as passwords, credit card numbers, and even SSN into their mobile phone apps and browsers. Rich functionality combined with weak security mechanisms makes protecting users’ data a challenging. In this talk, I will present a few case studies of applying information flow security to protecting users’ data in Android, the Chromium browser, and the IFTTT framework. For these systems, we show that dynamic coarse-grained taint tracking, even though it allows implicit flows, can be retrofitted into existing systems to defend users’ data from common attacks. I will explain the challenges in striking a balance between preserving key functionality of legacy systems and ensuring formally provable security guarantees and discuss how different modeling techniques affect noninterference proofs.
About the SpeakerDr. Jia is an Assistant Research Professor in the ECE Department at Carnegie Mellon University. Dr. Jia received her PhD in Computer Science from Princeton University. She received her BE in Computer Science and Engineering from the University of Science and Technology in China. Dr. Jia's research interests are in formal aspects of software security, in particular, applying formal approaches to constructing software systems with known security guarantees.
The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos, are the property of Purdue University, the presenter and/or the presenter’s organization, and protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.