Stanford EE Computer Systems Colloquium

4:15PM, Wednesday, March 12, 2008
HP Auditorium, Gates Computer Science Building B01

Building a Safer Web: Web Tripwires and a New Browser Architecture

Charles Reis
University of Washington
About the talk:

Web content has shifted from simple documents to active programs, but web protocols and browsers have not evolved adequately to support them. As a result, safety problems in web sites and web browsers now regularly make headlines, from browser exploits to ISPs that modify web pages. In this talk, I will discuss my research into improving the security and reliability of web content and browsers.

For most of this talk, I will focus on one particular problem: the ability for intermediaries to modify web content in-flight. Our recent measurement study shows that many clients now receive web pages that have been altered before reaching the browser. The changes range from injected advertisements to popup blocking code to malware, often affecting the user's privacy and security. Some of these changes introduce bugs and even vulnerabilities into the pages they modify. Most sites are unwilling to switch to SSL for reasons of cost and performance, so I will show how web servers can use "web tripwires" to detect in-flight page changes with inexpensive JavaScript code.

After this, I will talk more broadly about my research on web browser security, focusing on the deficiencies of today's web as an application platform. Starting from my prior work on BrowserShield, I will show how we need a safer architecture for running programs within the browser. Like an operating system, this new architecture will need effective mechanisms to define, isolate, and enforce policies on these web programs.


There is no downloadable version of the slides for this talk available at this time.

About the speaker:

Charles Reis is a PhD student in the Department of Computer Science & Engineering at the University of Washington, studying with Steve Gribble and Hank Levy. His current research focuses on improving the security and reliability of web content and web browsers. In the past, he has also worked on models of wireless interference with David Wetherall. Charles received a B.A. and an M.S. in Computer Science from Rice University, where he worked with Corky Cartwright and Peter Druschel. At Rice, Charles was the second lead developer for DrJava, a widely used educational programming environment.

Contact information:

Charles Reis