Workshop Program

W2SP 2011: Web 2.0 Security and Privacy 2011

Thursday, May 26
The Claremont Resort, Oakland, California

The goal of this one day workshop is to bring together researchers and practitioners from academia and industry to focus on understanding Web 2.0 security and privacy issues, and establishing new collaborations in these areas. (For full submission details, see the call for papers.)

Previous W2SP Workshops:2010, 2009, 2008, 2007

Registration: Online registration. Workshop registration will also be available on-site.


8:00–9:00 Continental Breakfast
9:00–9:15 Opening Remarks
9:15–10:15 Keynote: Protecting the Graph

Facebook is under attack all the time from phishers, fraudsters, and spammers. They aim to steal user information and expose users to unwanted spam. The attackers have vast resources at their disposal. They are well-funded, with full-time skilled labor, control over compromised and infected accounts, and access to global botnets. Protecting our users is a challenging adversarial learning problem with extreme scale and load requirements. Over the past several years we have built and deployed a system to protect our users and the graph. The system performs realtime checks and classifications on every read and write action. As of March 2011, this is 25B checks per day, reaching 650K classifications per second. The system also generates signals for use as feedback in classifiers and other components. We believe this system has contributed to making Facebook the safest place on the Internet for people and their information. This talk will outline specific threats to the graph and describe the systems we have built and challenges we continue to face.

Speaker: Tao Stein is an Engineer at Facebook. For the past 3 years he has been building systems to protect users and the Graph. Prior to Facebook, Tao was a Researcher at Microsoft Research Asia in Beijing for several years where he built an experimental multicore OS and deployed a video distribution system on the Internet connecting Chinese colleges. Tao received a PhD from Harvard in computer systems.

10:00–10:15 Break
10:15–11:45 Session 1: Attacks (Session Chair: Shuo Chen)

Lin-Shung Huang, Eric Y. Chen, Adam Barth, Eric Rescorla, Collin Jackson (CMU, Google, RTFM)
Talking to Yourself for Fun and Profit (slides)

Alexander Neumann, Johannes Barnickel, Ulrike Meyer (RWTH Aachen University, RedTeam Pentesting)
Security and Privacy Implications of URL Shortening Services (slides)

Keaton Mowery, Dillon Bogenreif, Scott Yilek, Hovav Shacham (UC San Diego, University of St. Thomas)
Fingerprinting Information in JavaScript Implementations (slides)

11:45–1:00 Lunch
1:00–2:30 Session 2: Cross-Origin Interactions (Session Chair: Collin Jackson)

Andrew Bortz, Adam Barth, Alexei Czeskis (Stanford, Google, U. Washington)
Origin Cookies: Session Integrity for Web Applications (slides)

Sebastian Lekies, Martin Johns, Walter Tighzert (SAP AG & Research)
The State of the Cross-domain Nation (slides)

Dongseok Jang, Aishwarya Venkataraman, G. Michael Sawka, and Hovav Shacham (UC San Diego, Topix)
Analyzing the Cross-domain Policies of Flash Applications (slides)

2:30–2:45 W3C workshop recap: Identity in the browser (Thomas Roessler)
2:45–3:00 Break
3:00–4:00 Session 3: Privacy (Session Chair: Larry Koved)

Balachander Krishnamurthy, Konstantin Naryshkin, Craig Wills (AT&T Research, Worcester Polytechnic Institute)
Privacy leakage vs. Protection measures: the growing disconnect (slides)

Antonio Tapiador, Diego Carrera, j. Salvachua (Technical University of Madrid, Universidad Politecnica de Madrid)
Short paper: Tie-RBAC: An application of RBAC to Social Networks (slides)

Matt Fredrikson, Ben Livshits, Somesh Jha, Drew Davidson (University of Wisconsin, Microsoft Research)
Short paper: Towards Enforceable Data-Driven Privacy Policies (slides)

4:00–4:15 Break
4:15–5:30 Session 4: Mobile (Session Chair: Dirk Balfanz)

Adrienne Felt, David Wagner (UC Berkeley)
Phishing on Mobile Devices (slides)

Timothy Vidas, Nicolas Christin, Lorrie Cranor (CMU)
Short paper: Curbing Android Permission Creep (slides)

Markus Jakobsson, Debin Liu (PayPal, Indiana University)
Bootstrapping Mobile PINs Using Passwords (slides)

5:30–... Schmoozing