Andrei Sabelfeld is a Professor in the Department of Computer
Science and Engineering at Chalmers University of Technology in
Gothenburg, Sweden. After receiving his Ph.D. in Computer Science
from Chalmers in 2001 and before joining Chalmers as faculty in
2004, he was a Research Associate at Cornell University in
Ithaca, NY. His research has developed the link between two areas
of Computer Science: Programming Languages and Computer
Security. Sabelfeld's article on Language-Based Information-Flow
Security is one of the most cited articles in all of Computer
Science from 2003.
This talk discusses a principled approach to web application security
through tracking information flow in web applications. Although the
agile nature of developments in web application technology makes web
application security much of a moving target, we show that there are
some fundamental challenges and tradeoffs that determine possibilities
and limitations of automatically securing web applications. We address
challenges related to mutual distrust on the policy side (as in web
mashups) and tracking information flow in dynamic web programming
languages (such as JavaScript) to provide a foundation for practical web
application security.