In this talk, I will present some work in progress on using IFC principles for enforcing GDPR-style privacy principles. Privacy legislation such as the GDPR specifies legal requirements for protecting the private data of individuals but remains vague …
Information flow properties are the semantic cornerstone of a wide range of program transformations, program analyses, and security properties. The variety of information that can be transmitted from inputs to outputs in a deterministic system can …
IT security is an ever important topic. From pioneering to modern times, new security problems keep being discovered. Still, many problems stem from similar flaws. As such, solutions to security problems often involve applying old solutions to new …
Histograms and synthetic data are of key importance in data analysis. However, researchers have shown that even aggregated data such as histograms, containing no obvious sensitive attributes, can result in privacy leakage. To enable data analysis, a …
Memory corruption plagues systems since the dawn of computing. Despite the rise of strong mitigations, exploits are still prevalent. This situation calls for automatic software testing techniques that discover reachable vulnerabilities before any …
WebAssembly (Wasm) is a portable bytecode originally designed to safely run native code (e.g., C/C++ and Rust) in the browser. Since its initial design, though, Wasm has been increasingly used to sandbox untrusted code outside the browser. For …
Modern applications handle sensitive user data in complex ways, subject to increasingly complex security policies. A promising approach to enforcing these policies is to use Information Flow Control (IFC) frameworks, which separate policy …
Web application security is a complicated matter. To assist site operators in secure web application development, browser vendors offer client-side security mechanisms designed to offer robust protection against common threats. Unfortunately, prior …
The work of Fuzz has pioneered the use of functional programming languages where types allow reasoning about the sensitivity of programs. Fuzz and subsequent work (e.g., DFuzz and Duet) use technical devices like linear types, modal types, and …
Google disabled years ago the possibility to freely modify some internal configuration parameters, so options like silently (un)install browser extensions, changing the home page or the search engine were banned. This capability was as simple as …