NII Shonan Meeting on Web Application Security
NII Shonan Meeting (No.159)

March 18th-21st, 2024

Overview

Today's web applications are built by combining existing online libraries and data, which makes writing applications rapid and inexpensive. Moreover, the last decades have witnessed an accelerating trend to integrate not only documents and code but also the so-called Web of Things, which uses web applications to connect homes, cars, appliances, and other physical devices. However, this same flexibility, together with the mix of heterogeneous technologies, makes the task of programming secure web applications and protecting users against exploits very complex. As web applications become essential in people's lives, web and browser vulnerabilities, as well as privacy issues associated with web technologies such as tracking and fingerprinting, have become a major threat that people face today. Challenges regarding the security and privacy of web technology include the handling of injections in clients and servers due to the mix of technologies, the inclusion of untrusted code as common practice, the protection of web sessions implemented over HTTP, the lack of languages available on the client side, the complexity of JavaScript (the main language for web pages), and the complexity of the browser infrastructure. Developers and users face an unprecedented need for security mechanisms that help identify, mitigate, and remove web vulnerabilities.

The aim of this meeting is to provide a forum to

  • Discuss recent developments and issues in the security and privacy of web technology.
  • Discuss the effectiveness of security mechanisms in the face of the current overall vulnerability landscape.

In particular, we plan to address the following questions:

  • What do formal methods bring to web security and privacy in practice?
  • Which security analyses are appropriate in the face of the heterogeneity of technologies required in modern web applications?
  • The heterogeneity and new security threats of Web of Things technology make analysing or enforcing security policies even more difficult: what are the new security and privacy concerns in the Web of Things?
  • How can the state of the art be brought to practice? What are the actual obstacles that prevent the technology from being applied?
  • The steep learning curve (usability of the tool) and infrastructure dependency make it difficult to keep a tool up to date with the newest infrastructure (e.g., tools that require heavy modification of software infrastructure such as Chrome simply cannot keep up with Google's frequent updates to Chrome). How can we develop techniques that are infrastructure independent?

To promote discussions, we plan to organise breakout sessions with time to discuss different topics. We will encourage tutorials, brainstorming and working-group sessions rather than mere conference-like presentations.

Program

March 17, 2024 (Sunday)

15:30 - 19:00
Check in
19:00 - 21:00
Welcome Banquet

March 18, 2024 (Monday)

7:30 - 9:00
Breakfast
9:00 - 9:30
Welcome and self-introduction (Research Wing Room 208)
9:30 - 10:30
Talk Session 1 (Research Wing Room 208)
  • Security and Privacy, Platform vs Engine (20 Min)
    John Wilander
  • Evaluating Web Archives for Reproducible Web Security Measurements (10 Min)
    Ben Stock
  • Privacy breaches by chatbots in group messaging (10 Min)
    Hsu-Chun Hsiao
  • When protecting users breaks the web (10 Min)
    Steven Englehardt
  • Ongoing Work: A Systematic Overview of the Challenges in Blackbox Dynamic Application Security Testing (10 Min)
    Merve Sahin
10:30 - 11:00
Break
11:00 - 12:00
Talk Session 2 (Research Wing Room 208)
  • Understanding and measuring "bad" ads (10 Min)
    Lujo Bauer
  • Security Challenges in Web Systems from the Perspective of Runtime Platform Evolution (10 Min)
    Zhenkai Liang
  • Developer-Centric Approach towards Web Security (10 Min)
    Sebastian Roth
12:00 - 13:30
Lunch
13:30 - 14:00
Group Photo
14:00 - 15:30
Group Discussion Session 1
  • Browser infrastructure for academics (40 Min)
    Lead: Abhishek Bichhawat
  • break (10 Min)
  • Web measurement infrastructure sharing and maintenance and result replicability (40 Min)
    Lead: Ben Stock
15:30 - 16:00
Break
16:00 - 16:20
Group Discussion Summary Report
16:20 - 18:00
Group Discussion Session 2
  • Usability of web security mechanisms (40 Min)
    Lead: Lujo Bauer
18:00 - 19:30
Dinner

March 19, 2024 (Tuesday)

7:30 - 9:00
Breakfast
9:00 - 9:20
Group discussion summary report
9:20 - 10:30
Talk Session 3 (Research Wing Room 208)
  • Abstract Interpretation-based Static Analysis for Security: Abstractions for Security (20 Min)
    Xavier Rival
  • Code-reuse attacks in JavaScript-driven server-side applications and runtimes (20 Min)
    Musard Balliu
  • Model Driven Security and Privacy (10 Min)
    David Basin
  • Unifying Data Minimisation and Erasure (10 Min)
    David Sands
  • Least privilege access for persistent storage in browsers (10 Min)
    Abhishek Bichhawat
10:30 - 11:00
Break
11:00 - 12:00
Discussion Session
    ML and web security research
    Lead: John Mitchell
12:00 - 13:30
Lunch
13:30 - 18:00
Outing
    Visiting Jomyoji and Hokokuji temple with Japanese Tea ceremony
18:00 - 21:00
Banquet

March 20, 2024 (Wednesday)

7:30 - 9:00
Breakfast
9:00 - 10:30
Talk Session 4 (Research Wing Room 208)
  • Repairing DoS Vulnerability of Real-World Regexes (20 Min)
    Tachio Terauchi
  • Jack-in-the-box: An Empirical Study of JavaScript Bundling on the Web and its Security Implications (10 Min)
    Cristian-Alexandru Staicu
  • Cookie Crumbles: Breaking and Fixing Web Session Integrity (20 Min)
    Pedro Adão
  • Microarchitectural side-channel mitigations for serverless applications (10 Min)
    Aastha Mehta
  • Static analysis for web applications: testability challenges and improvements (20 Min)
    Luca Compagna
  • Hardening the Firefox Web Browser (10 Min)
    Christoph Kerschbaumer
10:30 - 11:00
Break
11:00 - 12:00
Tutorial Session
    A brief overview of the DY* framework for mechanized protocol security
    Leads: Klaas Pruiksma and Abhishek Bichhawat
12:00 - 13:30
Lunch
13:30 - 15:30
Group Discussion Session 3
  • New grand challenges in web security (40 Min)
    Lead: John Wilander
  • break (10 Min)
  • New and emerging threat models of web applications (40 Min)
    Lead: Christoph Kerschbaumer
15:30 - 16:00
Break
16:00 - 16:20
Group Discussion Summary Report
16:20 - 17:00
Group Discussion Session 4
  • Formal methods and web security (40 Min)
    Lead: David Sands
18:00 - 19:30
Dinner

March 21, 2024 (Thursday)

7:30 - 9:00
Breakfast
9:00 - 9:10
Group Discussion Summary Report
9:10 - 10:30
Talk and Group Discussion Session 5
  • Security implications of the File System Access API (20 Min)
    Dolière Francis Somé
  • Towards ethical server-side web scanning (10 Min)
    Ben Stock
  • Web security education (40 Min)
    Lead: Musard Balliu
10:30 - 11:00
Break
11:00 - 12:00
Talk and Group Discussion Session 6
  • Group Discussion Summary Report (10 Min)
  • JavaScript sandboxing (40 Min)
    Lead: Cristian-Alexandru Staicu
  • Group Discussion Summary Report (10 Min)
12:00 - 13:30
Lunch (End of meeting)

Organizers
Limin Jia

Carnegie Mellon University

Tamara Rezk

INRIA

Sukyoung Ryu

KAIST

Participants
Ben Stock

CISPA Helmholtz Center for Information Security

Lujo Bauer

Carnegie Mellon University

Tachio Terauchi

Waseda University

Hsu-Chun Hsiao

National Taiwan University

Steven Englehardt

DuckDuckGo

Musard Balliu

KTH Royal Institute of Technology

Pedro Adão

Instituto Superior Técnico, and Instituto de Telecomunicações

Luca Compagna

SAP Security Research

John Mitchell

Stanford University

Dolière Francis Somé

CISPA Helmholtz Center for Information Security

Zhenkai Liang

National University of Singapore

Cristian-Alexandru Staicu

CISPA Helmholtz Center for Information Security

Abhishek Bichhawat

Indian Institute of Technology Gandhinagar

Aastha Mehta

University of British Columbia

Klaas Pruiksma

University of Stuttgart

Merve Sahin

SAP Security Research

David Basin

ETH Zurich

David Sands

Chalmers University of Technology