Thursday, May 20, 2010

... and Oakland/W2SP are over

Feel like I've been reading security papers long enough now that mind-blowing work is more rare. However, "Towards Static Flow-Based Declassification for Legacy and Untrusted Programs" felt like a good step forward and "Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow" seemed like it should have gotten some sort of award. New to me were the talks on handling malicious hardware design (e.g., backdoors), for which I still don't understand the threat model. I liked the solutions, but, for example, I wasn't sure why some couldn't have been recast as static verification problems pre-fab (at least one seemed well-suited for static verification instead of making new hardware to help check the hardware).

Our ConScript talk went smoothly (never spoke to such a large audience before, pretty intimidating, especially when it's the finger-jabbing security crowd!). Not much to report there -- some press, some emails after, and some people describing the talk to me later but not realizing I was the one who gave it ;-)

Today was W2SP and probably my favorite part of the whole thing. Gustav Rydstedt gave a hilarious (but scary) account of framebusting: not enough people do it, and those that attempt it do it wrong. I didn't entirely buy the solution (e.g., it depends upon CSS-conformant browsers, which is questionable in mobile), but, then again, I'm a first-principles guy, and that doesn't really work on the deployed web, while Gustav's solution does the important thing of taking care of most desktop users. Steve Hanna gave a cool account of attacks on postMessage usage (not sure I'm ready to call JS stored in a DB a problem, which accounted for the 2nd half of his talk). I wish his talk had been a little longer, because in his paper he started to talk about the principles behind his API fix suggestions. Brendan Meeder's talk was also interesting, particularly in how it exposed the basic problem that we don't know how important privacy attacks against basic social interactions are, despite them being fairly pervasive. Probably annoying for Brendan, this came up in his otherwise interesting talk through tearing apart his evaluation criteria, but I don't think people appreciate the difficulty of this step.

Perhaps the most interesting talk was the keynote, where Jeremiah Grossman essentially provided empirical evidence that the web security model is broken on a mass scale. On the plus side, this means that all the automatic web bug finding guys should have great results for the next few years.

Our talk seemed to be amiably received. It and a CSP-like plea were the only concrete let's-do-it-right-from-the-bottom proposals, and Terri Oda had something pretty in sync with Adobe's approach to languages (don't assume the developer is a coder). Unfortunately, modulo the above exceptions and a few others, I felt the overall week was woefully short on correct-by-construction solutions and instead focused on band-aids (though this is understandable for a security as opposed to SE or languages conference). This wasn't lost on others either -- the discussion at the end of W2SP essentially asked the same thing: should we have more of a focus on finding the 'right' solution or keep on keeping on?

Still piled under for the next ~5 days. Have a backlog of fascinating emails I still can't get to replying to and some code that I still don't have time to write :( May, you're such a strange beast.