The 9th Annual Paris C. Kanellakis Memorial Lecture


"Safety on the Wild and Wooly World-Wide Web: Sandboxing Untrusted JavaScript"

John C. Mitchell, Stanford University

Thursday, December 3, 2009 at 4:00 P.M.

Room 368 (CIT 3rd Floor)

Many Web-based applications, such as publishers showing advertisements, social networking sites, and online shopping sites combine trusted and untrusted content within the same page. If the untrusted content includes JavaScript code, this code must be prevented from maliciously altering pages, stealing sensitive information, or causing other harm.

This talk will outline some of the practical security problems that have arisen in recent years as a result of combining trusted and untrusted content and describe methods for solving these problems. Using a formal semantics of Ecma-262 Standard JavaScript, we have studied techniques to control untrusted JavaScript code, using Facebook FBJS, Yahoo! ADSafe, and Google Caja as motivating and illustrative examples. We have found that a combination of filtering, rewriting, and library wrapping can provide provably safe methods for displaying advertisements, user-supplied applications, and other active content from untrusted sources.

Joint work with Sergio Maffeis and Ankur Taly.

About John Mitchell

John Mitchell is the Mary and Gordon Crary Family Professor in the Stanford Computer Science Department. His research in computer security focuses on web security, network security, privacy, and distributed authorization management. He has also worked on programming language analysis and design, formal methods, and applications of mathematical logic to computer science. Prof. Mitchell currently leads research projects funded by the US Air Force, the Office of Naval Research, private companies and foundations, and he is the Stanford Principal Investigator of the multidisciplinary TRUST NSF Science and Technology Center. He is a consultant and advisor to a number of companies and is the author of over 140 research articles and two books.

* * * * * * * * * * * * * * *

This lecture series honors Paris Kanellakis, a distinguished computer scientist who was an esteemed and beloved member of the Brown Department of Computer Science. Paris joined the Department in 1981 and became a full professor in 1990. His research area was theoretical computer science, with emphasis on the principles of database systems, logic in computer science, the principles of distributed computing and combinatorial optimization. He died in an airplane crash on December 20, 1995, along with his wife, Maria Teresa Otoya, and their two young children, Alexandra and Stephanos Kanellakis.

* * * * * * * * * * * * * * *

A reception will follow.

Host: Shriram Krishnamurthi

To see the poster for this lecture, please click here.