Alejandro Russo

Abstract for the course

Nowadays, web pages are the front door to almost any online service. Despite their success, we constantly see vulnerabilities being exposed in web sites, e.g., Facebook allowing anybody to delete anyone else's pictures (Feb. 2015). The reason for that are commonly programming errors leading to serious security breaches---this is not surprising given the complexity of web applications (web apps). The status quo security practices consists on mainly add-hoc solutions. In this course, we present a disciplined manner to avoid such programming errors.

Information-Flow Control (IFC) emerges as a promising technology to harden web apps. To avoid information leaks (data corruption), IFC restricts programmers from building web sites which irresponsibly distribute (modifies) sensitive data. The course introduces security problems behind web apps, the foundations for IFC, and its applicability to online systems. The material presented is based on the latest (cutting-edge) research results.


The only prerequisite for students is to have basic programming skills. The rest of the course is self-content.

Lectures and note-taking

Please do bring your own pencil and notebook to the lectures. Some of the information from the lectures may not be available elsewhere, so you will definitely want to take notes during the lectures.


Special thanks to Deian Stefan, who helped me out with COWL and the design of ESpectro's exercises. The development of this course is supported by ECI 2015, the Swedish research agencies VR and Barbro Osher Pro Suecia Foundation, and DARPA CRASH under contract #N66001-10-2-4088.