Tom Van Cutsem
2011-11-03 19:31:45 UTC
Hi,
Last month, Mark Miller gave a series of talks at my university (University
of Brussels, Belgium) on web security. The videos of the talks have now
been made fully available on Youtube. I thought this may be of interest to
some on this list. Abstracts follow:
Talk 1/2: Secure Distributed Programming with Object-capabilities in
JavaScript
Until now, browser-based security has been hell. The object-capability
(ocap) model provides a simple and expressive alternative. Google's Caja
project uses the latest JavaScript standard, EcmaScript 5, to support
fine-grained safe mobile code, solving the secure mashup problem. Dr. SES
-- Distributed Resilient Secure EcmaScript -- extends the ocap model
cryptographically over the network, enabling RESTful composition of
mutually suspicious web services. We show how to apply the expressiveness
of object programming to the expression of security patterns, solving
security problems normally thought to be difficult with simple elegant
programs.
Slides: <http://soft.vub.ac.be/events/mobicrant_talks/talk1_ocaps_js.pdf>
Video:
Talk 2/2: Bringing Object-orientation to Security Programming
Just as we should not expect our base programming language to provide all
the data types we need, so we should not expect our security foundation to
provide all the abstractions we need to express security policy. The answer
to both is the same: We need foundations that provide simple abstraction
mechanisms, which we use to build an open ended set of abstractions,
which we then use to express policy. We show how to use EcmaScript 5 to
enforce the security latent in object-oriented abstraction
mechanisms: encapsulation, message-passing, polymorphism, and
interposition. With these secured, we show how to build abstractions for
confinement, rights amplification, transitive wrapping and revocation, and
smart contracts.
Slides: <http://soft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf>
Video:
Kind regards,
Tom Van Cutsem
Last month, Mark Miller gave a series of talks at my university (University
of Brussels, Belgium) on web security. The videos of the talks have now
been made fully available on Youtube. I thought this may be of interest to
some on this list. Abstracts follow:
Talk 1/2: Secure Distributed Programming with Object-capabilities in
JavaScript
Until now, browser-based security has been hell. The object-capability
(ocap) model provides a simple and expressive alternative. Google's Caja
project uses the latest JavaScript standard, EcmaScript 5, to support
fine-grained safe mobile code, solving the secure mashup problem. Dr. SES
-- Distributed Resilient Secure EcmaScript -- extends the ocap model
cryptographically over the network, enabling RESTful composition of
mutually suspicious web services. We show how to apply the expressiveness
of object programming to the expression of security patterns, solving
security problems normally thought to be difficult with simple elegant
programs.
Slides: <http://soft.vub.ac.be/events/mobicrant_talks/talk1_ocaps_js.pdf>
Video:
Talk 2/2: Bringing Object-orientation to Security Programming
Just as we should not expect our base programming language to provide all
the data types we need, so we should not expect our security foundation to
provide all the abstractions we need to express security policy. The answer
to both is the same: We need foundations that provide simple abstraction
mechanisms, which we use to build an open ended set of abstractions,
which we then use to express policy. We show how to use EcmaScript 5 to
enforce the security latent in object-oriented abstraction
mechanisms: encapsulation, message-passing, polymorphism, and
interposition. With these secured, we show how to build abstractions for
confinement, rights amplification, transitive wrapping and revocation, and
smart contracts.
Slides: <http://soft.vub.ac.be/events/mobicrant_talks/talk2_OO_security.pdf>
Video:
Kind regards,
Tom Van Cutsem