In this talk, we explore the state of server-side JavaScript sandboxing, a critical mechanism for executing untrusted code securely. We demonstrate how sandbox breakouts in real-world commercial platforms can lead to exposing sensitive data and executing arbitrary code.
Web applications are evolving at an unprecedented pace, introducing new features that often come with new vulnerabilities. Relying solely on developers to identify these issues is no longer sustainable, highlighting the urgent need for automated tools to support the security process. Web application scanning is arguably the flagship testing technique capable of taking on this responsibility, yet significant challenges remain to achieve full automation.
In this talk, we briefly review the current state of web application scanning and outline its key challenges and limitations. We then introduce YuraScanner, one of the first autonomous, task-driven web scanners. YuraScanner approaches attack surface discovery as a goal-oriented agent: it dynamically generates testing objectives and executes actions to navigate complex web application workflows with no human intervention. Unlike traditional scanners, it leverages large language models (LLMs) to interpret and reason about the application’s state and behavior, enabling broad adaptability across diverse web applications. Our evaluation across 20 popular web applications demonstrates that YuraScanner uncovers deeper attack surfaces and identifies more XSS vulnerabilities than conventional tools.
In this talk, Rune gives an overview of his research so far.
The first part of the talk covers Signal's initial handshake protocol and transitioning to a post-quantum protocol.
He has proposed a post-quantum replacement protocol called SPQR [PKC:BFGJS22] and analyzed the confidentiality [PKC:FieGun25] and deniability [PoPETS:FieJan24] of PQXDH, the post-quantum protocol that Signal has deployed for the initial handshake.
In the second part he presents his (impossibility) results on deniable authentication against malicious verifiers and the implications for Signal's initial handshake. [EPRINT:FieLan25]
In the third part he introduces the Beyond UnForgeability Features (BUFF) for signature schemes [SP:CDFFJ21] and gives an overview how the signature schemes in the NIST standardization process are doing wrt. BUFF properties [SAC:DuzFieFis24].
[PKC:BFGJS22] https://eprint.iacr.org/2021/769
[PKC:FieGun25] https://eprint.iacr.org/2024/702
[PoPETS:FieJan24] https://eprint.iacr.org/2024/702
[EPRINT:FieLan25] https://eprint.iacr.org/2025/470
[SP:CDFFJ21] https://eprint.iacr.org/2020/1525
[SAC:DuzFieFis24] https://eprint.iacr.org/2024/710
At Meta, we’ve been working to incorporate privacy into different systems of our software stack as part of our Privacy Aware Infrastructure (PAI) initiative. PAI offers efficient and reliable first-class privacy constructs embedded in Meta infrastructure to address complex privacy issues. In this talk, we will describe Policy Zones: an Information-Flow Control system that is deployed across our infrastructure to address privacy restrictions on data, such as using data only for allowed purposes, providing strong guarantees for limiting the purposes of its processing.
In this talk, we describe how we model the restrictions on data through a mix of toy examples and a real-world case study. Our approach to enforcing restrictions on data involves using annotations to represent different aspects of data and its processing and using these annotations to apply policy checks across data flows. Equipped with privacy-relevant annotations, we show how Policy Zones enforces high-level data restrictions across two paradigms that, together, encompass the common lifecycle of data: general-purpose programming languages where the data is initially collected, and data warehouse systems where the data is processed in batch.
There are several challenges in designing Policy Zones, including: translating high-level privacy restrictions to code; handling different data granularities to avoid label creep; maintaining homogeneity of data annotations across heterogeneous data processing systems; managing reclassification in practice; and the scale of applying this tech to large companies such as Meta.
Enforcing Privacy Requirements at scale is a challenging task. In this talk we will go over key learnings on this space, using the more familiar domain of Security to draw analogies and highlight differences. The talk covers four key learnings: (a) the key similarities and distinctions between security and privacy requirements, (b) how to design an effective enforcement framework, (c) how to get such an enforcement framework deployed at scale, and (d), the main approaches for demonstrating the effectiveness of such enforcement to relevant parties. Overall, the talk will emphasize a proactive and comprehensive approach to enforcing privacy requirements.
Using open-source dependencies is essential in modern software development. However, this practice implies significant trust in third-party code, while there is little support for developers to assess this trust. As a consequence, attacks have been increasingly occurring through third-party dependencies. These are called software supply chain attacks. In this talk, we will introduce the novel concept of software supply chain smell and present DIRTY-WATERS, a tool for detecting software supply chain smells. We will also demonstrate the prevalence of all proposed software supply chain smells.
Several recent works have established lower bounds on the communication cost of secure messaging protocols using only selected primitives. We argue that these bounds no longer apply if succinct noninteractive multi-party key exchange (SMNIKE) exists, a setup-free primitive where no party’s message depends on the number of parties. We introduce succinct PPRFs, where the punctured key is of size 5λ and, in particular, independent of the input size, as long as the punctured point has a short description. We then show how to combine succinct PPRFs with JJ to show that a variant of the Boneh–Zhandry construction is already an SMNIKE.
Strong Asymmetric Password-Authenticated Key Exchange (saPAKE) enables a client, holding only a low-entropy password, to repeatedly establish shared high-entropy session keys with a server, holding a digest of that password. Ideally, an adversary is limited to impersonation attempts, online dictionary attacks, and, in the event of a leaked digest, a brute-force attack that does not admit precomputation. In this talk, I will present our novel saPAKE protocol, which is the first to simultaneously achieve the ideal security, as described, in a single round trip without generic algebraic models. We instantiate our saPAKE from an oblivious pseudorandom function (OPRF); I will also present our novel Dodis-Yampolskiy-based OPRF, the first online-extractable and input-committing UC-secure OPRF.
In this talk, I will discuss the problem of privacy-preserving statistical analysis. I will start with an introduction to _differential privacy_, a key framework in this area. Then, I will present _pointwise maximal leakage_ (PML), a privacy measure that I developed during my PhD studies. PML quantifies the amount of information leaking about a secret when releasing the outcome of a randomized function calculated on the secret. I will draw connections between PML and differential privacy while also highlighting their differences. Additionally, I will discuss an application where private information is sanitized while guaranteeing privacy in the sense of PML. Finally, I will explore open questions, current, and future research directions.
Ensuring cyber security often poses particular challenges for Small and Medium-sized Enterprises (SMEs), with constraints in terms of time, skills and resources leading to difficulties in understanding the issues and following good practice. The Cyber Security Communities of Support (CyCOS) project has been further investigating the challenges, with data collected from both SMEs and support providers. The project aims to trial a new community-based approach to support, offering a further channel through which to socialise and demystify cyber security for the SME audience, based upon collaboration between organisations in the same region, sector or supply chain. In this session, Prof. Steven Furnell will discuss the issue of cyber security for SMEs, drawing upon key findings from the work to date from both the SME and provider perspectives. He will also outline the plans for the proposed Communities of Support approach.