Browsers and the web applications that run in them have become
central to the computing platform that we use every
day. Vulnerabilities in browsers or web applications can cause
large disruptions to the computational fabric that our society
relies on. We have been working on all aspects of browser and
web security, from experimental studies that expose
vulnerabilities in the wild, to formal methods for proving
correctness of browsers, and from low-overhead
hardening/sandboxing techniques to mechanisms for doing
analysis of Javascript/WASM.
Retrofitting Fine Grain Isolation in the Firefox Renderer (USENIX Security 2020)
with Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Hovav Shacham, and Deian Stefan
[arXiv |
Site |
UCSD Press release |
Mozilla Blog Post
]
Protecting C++ Dynamic Dispatch Through VTable Interleaving (NDSS 2016)
with Dimitar Bounov and Rami Gökhan Kici.
Automating Formal Proofs for Reactive Systems (PLDI 2014)
with Daniel Ricketts, Valentin Robert, Dongseok Jang and Zachary Tatlock
[Project web site for Reflex, including videos of what we built, video of PLDI talk, source code, and working VM image ]
SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks (NDSS 2014)
with Dongseok Jang and Zachary Tatlock
Establishing Browser Security Guarantees through Formal Shim Verification (USENIX Security 2012)
with Dongseok Jang and Zachary Tatlock
[Project web site for Quark browser, including videos of the browser, source code, and working VM image]
An Empirical Study of
Privacy-Violating Information Flows in JavaScript Web Applications
(CCS 2010)
with Dongseok Jang, Ranjit Jhala, and Hovav Shacham
Staged Information Flow for
JavaScript (PLDI 2009)
with Ravi Chugh, Jeffrey A. Meister, and Ranjit Jhala