Title: Security and privacy implications of the multi-component nature of Software-as-a-Service
Speaker: Dr. Shuo Chen, Microsoft Research Redmond
Time: 3:00pm, September 1st (Thursday), 2011.
Venue: Lecture Room, 3rd Floor, Building No. 5, State Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences
Abstract: The essence of Software-as-a-Service is that an application is
distributed between a browser and one-or-more web servers, which is a
multi-component system across the Internet. In this talk, I will discuss
two of our recent papers, showing that the web industry needs more
disciplined programming practices to deal with security and privacy
challenges due to the multi-component nature. The first paper (to appear
in Oakland'11) is about logic bugs in web service integrations.
Specifically, we studied merchant websites that accept payments through
third-party cashiers (e.g., PayPal, Amazon Payments and Google
Checkout). We found that leading merchant applications and popular
online stores contain serious logic flaws that allow a malicious shopper
to purchase at an arbitrarily low price, shop for free after paying for
one item, or even avoid payment. We reported these bugs to developers.
Most of them have been fixed. Besides bug finding, we used a
verification tool to study the complexity of a representative merchant
logic. The second paper (in Oakland'10) shows that, despite encryption,
side-channel leaks are a realistic and serious threat to user privacy.
We found that surprisingly detailed sensitive information is being
leaked out from a number of high-profile web applications in healthcare,
taxation, investment and web search: an eavesdropper can infer the illnesses/medications/surgeries of the user, her family income and
investment secrets, despite HTTPS protection; a stranger on the street
can glean enterprise employees' web search queries, despite WPA/WPA2
Wi-Fi encryption. The root causes of the problem are some fundamental
characteristics of web 2.0 applications: stateful communication, low
entropy input, and significant traffic distinctions. We further
conducted an analysis to demonstrate the challenges of mitigating such a
threat. The URLs of the two papers are:
Biography: Shuo Chen is a researcher at Microsoft Research Redmond. His current research focus is on system security and privacy. He likes to study real-world operational systems to understand their security challenges and flaws. His recent projects include browser security, web privacy/security and memory-based security problems. He frequently serves on the program committees for the Oakland Conference, ACM CCS, WWW, etc. Shuo obtained his Ph.D. degree in computer science under the guidance of Prof. Ravi Iyer from University of Illinois at Urbana-Champaign. He obtained his master's and bachelor's degrees from Tsinghua University and Peking University, both in computer science.