There is a signup schedule for this event (UT EID re

quired).

Type of Talk: UTCS FACULTY CANDIDATE

Speaker/Affili

ation: Maxwell Krohn/Massachusetts Institute of Technology CS and AI Labor

atory

Date/Time: Thursday April 10 2008 11:00 a.m.

Locati

on: ACES 2.302

Host: Emmett Witchel

Talk Title: Securing t

he Web With Decentralized Information Flow Control

Talk Abstract:
The recent successes of server-side applications (e.g. Google and
Face

book applications) hint that tomorrow''s computing platform
might not b

e the local desktop but rather the extensible remote
Web site. Unfortu

nately these new server-side platforms built on
conventional operating
systems are committing the same security
mistakes already ossified in
today''s insecure desktops.

In this talk I will discuss how to sec

ure both today''s Web sites and
tomorrow''s Web computing platforms with
a new OS technique called
Decentralized Information Flow Control (DIFC)

. A DIFC system tracks
the flow of secret data as it is copied from fi

le to file and communicated
from process to process. In the end the O

S lets modules known as
declassifiers legislate policies for secret data
exiting to the network.
DIFC provides better security than standard O

Ses because it allows
developers to concentrate security-critical code i

n small audit-friendly
declassifiers which remain small and contained

even as the overall
system balloons with new features.

This talk
presents DIFC an implementation of DIFC for Linux and a
case study o

f a complex popular open-source application (MoinMoin
Wiki) secured wi

th DIFC. MoinMoin is a prototype for more ambitious
and general work t

o come such as a novel Web-based application
platform with encouraging
security guarantees.