Browser and Web Security


Browsers and the web applications that run in them have become central to the computing platform that we use every day. Vulnerabilities in browsers or web applications can cause large disruptions to the computational fabric that our society relies on. We have been working on all aspects of browser and web security, from experimental studies that expose vulnerabilities in the wild, to formal methods for proving correctness of browsers, and from low-overhead hardening/sandboxing techniques to mechanisms for analyzing JavaScript/WASM.


Retrofitting Fine Grain Isolation in the Firefox Renderer (USENIX Security 2020)
    with Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Eric Rahm, Hovav Shacham, and Deian Stefan
    [arXiv | Site | UCSD Press release | Mozilla Blog Post]

Protecting C++ Dynamic Dispatch Through VTable Interleaving (NDSS 2016)
    with Dimitar Bounov and Rami Gökhan Kici

Automating Formal Proofs for Reactive Systems (PLDI 2014)
    with Daniel Ricketts, Valentin Robert, Dongseok Jang and Zachary Tatlock
    [Project web site for Reflex, including videos of what we built, video of PLDI talk, source code, and working VM image]

SafeDispatch: Securing C++ Virtual Calls from Memory Corruption Attacks (NDSS 2014)
    with Dongseok Jang and Zachary Tatlock

Establishing Browser Security Guarantees through Formal Shim Verification (USENIX Security 2012)
    with Dongseok Jang and Zachary Tatlock
    [Project web site for Quark browser, including videos of the browser, source code, and working VM image]

An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications (CCS 2010)
    with Dongseok Jang, Ranjit Jhala, and Hovav Shacham

Staged Information Flow for JavaScript (PLDI 2009)
    with Ravi Chugh, Jeffrey A. Meister, and Ranjit Jhala