Our society relies on the web to support its economic, governmental, and military infrastructure, making web security critical for cybersecurity and information security at large. WebSec: Securing Web-driven Systems sets out to develop a principled security platform for the web. The project is supported by the Swedish Foundation for Strategic Research (SSF) and will result in:

  • Comprehensive framework for detection, mitigation, and prevention of cross-site scripting (XSS) attacks.

  • JavaScript program analysis platform for monitoring and symbolically executing JavaScript.

  • Principled framework for system-wide security, enabling confinement, tainting, and information-flow control mechanisms across web component boundaries.


News in English

Andrei Sabelfeld gave a PhD course at the ARCADIAN-IoT Summer School

Andrei Sabelfeld gave a PhD course on Security and Privacy of IoT Apps at the ARCADIAN-IoT Summer School.

Source: ARCADIAN-IoT's website

Andrei Sabelfeld gave a CASA Distinguished Lecture

Andrei Sabelfeld gave a CASA Distinguished Lecture on Next-Generation Web Application Scanning.

Source: Ruhr-Universität Bochum's Website

Navigating the Cybersecurity Landscape

Chalmers ICT Area of Advance invites you to a full-day seminar on the subject of cyber security.

Source: Chalmers

Andrei creates protection against the digital threats of the future

Andrei Sabelfeld is the researcher who thinks daily about how to stop cyber attacks and make our IT systems more secure. Privately, however, he takes the digital threats in stride.
Video interview on YouTube.

Source: Chalmers

Slack’s and Teams’ Lax App Security Raises Alarms

Collaboration apps like Slack and Microsoft Teams have become the connective tissue of the modern workplace, tying together users with everything from messaging to scheduling to video conference tools. But as Slack and Teams become full-blown, app-enabled operating systems of corporate productivity, one group of researchers has pointed to serious risks in what they expose to third-party programs—at the same time as they're trusted with more organizations' sensitive data than ever before.

Source: Wired

Investing in academic research to improve privacy technology: Our approach and recent RFP winners

Facebook Research award in privacy-enhancing technology for research on securing browser extensions. Much work is yet to be done in this active field!

Source: Facebook Research

Password change day – how to act

January 20 is the annual Password Change Day, set to remind us to review and change the logins to our Internet accounts. We often hear reports of leaked login information and hijacked accounts, and are urged to choose a safe password. So how can we keep our accounts secure online?

Source: Chalmers University of Technology

Andrei Sabelfeld: Securing the web of things

What is the Web of Things? What are the security implications of connecting previously incompatible standards, platforms, and technologies? These questions, as well as suitable countermeasures, are discussed in the talk.

Source: Chalmers University of Technology

Building a solid ground for cybersecurity

Substantial tools and methods to counter the most common vulnerabilities on the web. Efforts to develop a secure internet of things for industrial use. Two new, extensive cybersecurity projects are about to start at the Department of Computer Science and Engineering.

Source: Chalmers Computer Science and Engineering


News in Swedish

The professor: "Assume that everything you do at work is monitored digitally"

Assume that everything you do on your work computer or phone can be monitored by your employer. So says Andrei Sabelfeld, professor at the Division of Information Security at Chalmers University of Technology.

Source: Akavia Aspekt

Navigating the cybersecurity landscape

The Chalmers Area of Advance Information and Communication Technology invites you to a full-day seminar on the subject of cybersecurity.

Source: Chalmers

The cybersecurity expert on the Coop attack: "It is very serious"

That the data of Coop Värmland's members has leaked online and is available on the darknet is serious, says cybersecurity expert Andrei Sabelfeld, professor at Chalmers University of Technology in Gothenburg.

Source: SVT

The IT expert: This is why the Vklass leak in Gothenburg is serious

Personal data of tens of thousands of pupils has leaked from the City of Gothenburg's learning platform Vklass. The data was put up for sale in an advertisement on the internet. A serious problem, says cybersecurity expert Andrei Sabelfeld, who has seen the advertisement.

Source: SVT

Pupils' data leaked in August – discovered in October

Personal data of 47,000 pupils in Gothenburg leaked from the Vklass platform in August. It was not discovered until October, almost two months later.

Source: GP

MSB allows employees to have TikTok despite the risks

Sveriges Television and Sveriges Radio have urged their employees to delete the TikTok app, but some government agencies still allow employees to use it. Professor Andrei Sabelfeld explains the risks of the app and how it differs from other data-hungry apps.

Source: TV4

Password Change Day – what you need to know

January 20 is the annual Password Change Day, meant to remind us to review and change the logins to our accounts on the internet. Reports of leaked login credentials, hijacked accounts and calls to choose a secure password arrive regularly. So how do you keep your accounts secure online?

Source: Chalmers University of Technology

Taking a holistic approach to security in web-driven systems

Cybersecurity is the biggest challenge for continued digitalization, and web security plays an important role in that endeavour. Andrei Sabelfeld, professor at the Division of Information Security at Chalmers, and his research group aim to build security into the web from the start.

Source: Framtidens Forskning

Building cybersecurity from the ground up

Concrete tools and methods to counter the most common vulnerabilities on the web. Efforts to develop a secure internet of things for industry. Two new, extensive cybersecurity projects are about to start at the Department of Computer Science and Engineering.

Source: Chalmers Computer Science and Engineering

Källström meets Andrei Sabelfeld

With the threats that many see ahead, given the active presence of digitalization in our everyday lives, the question arises: How can we guarantee security in the cyber world?

Source: Sustainability Circle


Publications

2024


A Constraint Solving Approach to Parikh Images of Regular Languages
Amanda Stjerna; Philipp Rümmer
In The Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), October 2024

Spider-Scents: Grey-box Database-aware Web Scanning for Stored XSS
Eric Olsson, Benjamin Eriksson, Adam Doupé, and Andrei Sabelfeld.
In USENIX Security Symposium (USENIX Security), August 2024.

FakeX: A Framework for Detecting Fake Reviews of Browser Extensions
Eric Olsson, Benjamin Eriksson, Pablo Picazo-Sanchez, Lukas Andersson, Andrei Sabelfeld
In ACM ASIA Conference on Computer and Communications Security (ASIACCS 2024), July 2024

2023


Black Ostrich: Web Application Scanning with String Solvers
Benjamin Eriksson, Amanda Stjerna, Riccardo De Masellis, Philipp Ruemmer and Andrei Sabelfeld.
In ACM Conference on Computer and Communications Security (CCS), November 2023.

LazyTAP: On-Demand Data Minimization for Trigger-Action Applications
Mohammad M. Ahmadpanah, Daniel Hedin and Andrei Sabelfeld
In IEEE Symposium on Security and Privacy (S&P'23), May 2023.

Reconciling Shannon and Scott with a Lattice of Computable Information
Sebastian Hunt, David Sands, and Sandro Stucki
In Proceedings of the ACM on Programming Languages

A Theory of Cartesian Arrays (with Applications in Quantum Circuit Verification).
Yu-Fang Chen, Philipp Rümmer, Wei-Lun Tsai
In Automated Deduction CADE 2023

Decision Procedures for Sequence Theories
Artur Jez, Anthony W. Lin, Oliver Markgraf, Philipp Rümmer
In Proceedings of Computer Aided Verification (CAV), 2023

2022


SecWasm: Information Flow Control for WebAssembly
Iulia Bastys, Maximilian Algehed, Alexander Sjösten, and Andrei Sabelfeld.
In Static Analysis Symposium (SAS), December 2022.

Are Chrome extensions compliant with the spirit of least privilege?
Pablo Picazo-Sanchez, Lara Ortiz-Martin, Gerardo Schneider, and Andrei Sabelfeld
In International Journal of Information Security (IJIS), December 2022.

Practical Data Access Minimization in Trigger-Action Platforms
Yunang Chen, Mohannad Alhanahnah, Rahul Chatterjee, Earlence Fernandes, and Andrei Sabelfeld
In USENIX Security Symposium (USENIX Security), August 2022.

CatNap: Leveraging Generic MPC for Actively Secure Privacy-Enhancing Proximity Testing with a Napping Party
Ivan Oleynikov, Elena Pagnin, and Andrei Sabelfeld
In International Conference on Security and Cryptography (SECRYPT), July 2022.

Outsourcing MPC Precomputation for Location Privacy
Ivan Oleynikov, Elena Pagnin, and Andrei Sabelfeld.
In Location Privacy Workshop (LPW), June 2022.

Hardening the Security Analysis of Browser Extensions
Benjamin Eriksson and Pablo Picazo-Sanchez
In ACM Symposium On Applied Computing (SAC), April 2022.

DeDup.js: Discovering Malicious and Vulnerable Extensions by Detecting Duplication
Pablo Picazo-Sanchez, Maximilian Algehed, and Andrei Sabelfeld.
In International Conference on Information Systems Security and Privacy (ICISSP), February 2022.

Solving string constraints with Regex-dependent functions through transducers with priorities and variables.
Taolue Chen, Alejandro Flores-Lamas, Matthew Hague, Zhilei Han, Denghang Hu, Shuanglong Kan, Anthony W. Lin, Philipp Rümmer, Zhilin Wu
In ACM on Programming Languages, Volume 6, January 2022

CertiStr: a certified string solver.
Shuanglong Kan, Anthony Widjaja Lin, Philipp Rümmer, Micha Schrader
In ACM SIGPLAN International Conference on Certified Programs and Proofs (CPP), January 2022

2021


Securing Node-RED Applications
Mohammad M. Ahmadpanah, Musard Balliu, Daniel Hedin, Lars Eric Olsson, and Andrei Sabelfeld
In Protocols, Logic, and Strands: Festschrift in honor of Joshua Guttman, 2021

Efficient Error Prediction for Differentially Private Algorithms
Boel Nelson
In Proceedings of The 16th International Conference on Availability, Reliability and Security (ARES 2021)

SandTrap: Securing JavaScript-driven Trigger-Action Platforms
Mohammad M. Ahmadpanah, Daniel Hedin, Musard Balliu, Lars Eric Olsson, and Andrei Sabelfeld
In Proceedings of the USENIX Security Symposium, 2021.

EssentialFP: Exposing the Essence of Browser Fingerprinting
Alexander Sjösten, Daniel Hedin, and Andrei Sabelfeld
In IEEE Workshop on Designing Security for the Web (SecWeb), September 2021.

Nontransitive Policies Transpiled
Mohammad M. Ahmadpanah, Aslan Askarov, and Andrei Sabelfeld
In Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P), 2021

Data Privacy in Trigger-Action Systems
Yunang Chen, Amrita Roy Chowdhury, Ruizhe Wang, Andrei Sabelfeld, Rahul Chatterjee, and Earlence Fernandes
In Proceedings of the IEEE Symposium on Security and Privacy (S&P), May 2021.

Black Widow: Blackbox Data-driven Web Scanning
Benjamin Eriksson, Giancarlo Pellegrino and Andrei Sabelfeld.
In Proceedings of the IEEE Symposium on Security and Privacy (S&P), 2021

Interpolating bit-vector formulas using uninterpreted predicates and Presburger arithmetic
Peter Backeman, Philipp Rümmer and Aleksandar Zeljić
In Proceedings of the Formal Methods in System Design, 2021

Towards String Support in JayHorn (Competition Contribution)
Ali Shamakhi, Hossein Hojjat and Philipp Rümmer
In Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), 2021

2020


Clockwork: Tracking Remote Timing Attacks
Iulia Bastys, Musard Balliu, Tamara Rezk and Andrei Sabelfeld
In Proceedings of the IEEE Computer Security Foundations Symposium (CSF), June 2020.

Securing Asynchronous Exceptions
Carlos Tomé Cortiñas, Marco Vassena and Alejandro Russo
In Proceedings of the IEEE Computer Security Foundations Symposium (CSF), June 2020.

SoK: Chasing Accuracy and Privacy, and Catching Both in Differentially Private Histogram Publication
Boel Nelson, Jenni Reuben
In Transactions on Data Privacy (TDP), 2020

Monadic Decomposition in Integer Linear Arithmetic
Matthew Hague, Anthony W. Lin, Philipp Rümmer, Zhilin Wu
In International Joint Conference on Automated Reasoning (IJCAR), 2020

A Decision Procedure for Path Feasibility of String Manipulating Programs with Integer Data Type.
Taolue Chen, Matthew Hague, Jinlong He, Denghang Hu, Anthony Widjaja Lin, Philipp Rümmer, Zhilin Wu
In Automated Technology for Verification and Analysis (ATVA), 2020

HMAC and "Secure Preferences": Revisiting Chromium-based Browsers Security
Pablo Picazo-Sanchez, Gerardo Schneider and Andrei Sabelfeld
In Proceedings of the International Conference on Cryptology And Network Security (CANS), 2020

AutoNav: Evaluation and Automatization of Web Navigation Policies
Benjamin Eriksson and Andrei Sabelfeld.
In Proceedings of the Web Conference (WWW), 2020

Reasoning in the Theory of Heap: Satisfiability and Interpolation
Zafer Esen, Philipp Rümmer
In Proceedings of the Logic-based Program Synthesis and Transformation (LOPSTR), 2020

2019


Simple Noninterference by Normalization
Carlos Tomé Cortiñas and Nachiappan Valliappan
In Proceedings of the Programming Languages and Software (PLAS), 2019

On Strings in Software Model Checking
Hossein Hojjat, Philipp Ruemmer, and Ali Shamakhi.
In Proceedings of the Asian Symposium on Programming Languages and Systems (APLAS), 2019

An Empirical Study of Information Flows in Real-World JavaScript
Cristian-Alexandru Staicu, Daniel Schoepe, Musard Balliu, Michael Pradel and Andrei Sabelfeld
In Proceedings of the Workshop on Programming Languages and Analysis for Security (PLAS), 2019

Securing IoT Apps
Musard Balliu, Iulia Bastys and Andrei Sabelfeld
In IEEE Security and Privacy Magazine, Special Issue on the Internet of Things (IoT), 2019

Latex Gloves: Protecting Browser Extensions from Probing and Revelation Attacks
Alexander Sjösten, Steven Van Acker, Pablo Picazo-Sanchez and Andrei Sabelfeld.
In Proceedings of Network and Distributed System Security Symposium (NDSS), 2019

Information-Flow Control for Database-backed Applications
Marco Guarnieri, Musard Balliu, Daniel Schoepe, David Basin, and Andrei Sabelfeld.
In Proceedings of IEEE European Symposium on Security and Privacy (EuroS&P), 2019

Probabilistic Bisimulation for Parameterized Systems (with applications to verifying anonymous protocols)
Chih-Duo Hong, Anthony W. Lin, Rupak Majumdar and Philipp Ruemmer.
In Proceedings of Computer Aided Verification (CAV), 2019

Decision Procedures for Path Feasibility of String-Manipulating Programs with Complex Operations
Taolue Chen, Matthew Hague, Anthony W. Lin, Philipp Ruemmer, Zhilin Wu.
In Proceedings of Principles of Programming Languages (POPL), 2019

2018


Raising the Bar: Evaluating Origin-wide Security Manifests
Steven Van Acker, Daniel Hausknecht and Andrei Sabelfeld.
In Proceedings of the Annual Computer Security Applications Conference (ACSAC), 2018

Tracking Information Flow via Delayed Output: Addressing Privacy in IoT and Emailing Apps
Iulia Bastys, Frank Piessens and Andrei Sabelfeld.
In Proceedings of the Nordic Conference on Secure Systems (NordSec), 2018

If This Then What? Controlling Flows in IoT Apps
Iulia Bastys, Musard Balliu and Andrei Sabelfeld.
In Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2018

Prudent Design Principles for Information Flow Control
Iulia Bastys, Frank Piessens and Andrei Sabelfeld.
In Proceedings of the Workshop on Programming Languages and Analysis for Security (PLAS), 2018

Information Flow Tracking for Side-effectful Libraries
Alexander Sjösten, Daniel Hedin and Andrei Sabelfeld.
In Proceedings of the International Conference on Formal Techniques for Distributed Objects, Components, and Systems (FORTE), 2018

Trau: SMT solver for string constraints
Parosh Aziz Abdulla, Mohamed Faouzi Atig, Yu-Fang Chen, Bui Phi Diep, Lukas Holik, Ahmed Rezine and Philipp Ruemmer.
In Proceedings of Formal Methods in Computer-Aided Design (FMCAD), 2018

Bit-Vector Interpolation and Quantifier Elimination by Lazy Reduction
Peter Backeman, Philipp Ruemmer and Aleksandar Zeljic
In Proceedings of Formal Methods in Computer-Aided Design (FMCAD), 2018

A Better Facet of Dynamic Information Flow Control
Minh Ngo, Nataliia Bielova, Cormac Flanagan, Tamara Rezk, Alejandro Russo, and Thomas Schmitz
In Proceedings of the Web Conference (WWW), 2018


Tools

Black Widow Web Scanner
Web scanner capable of finding XSS vulnerabilities in modern web applications.

JSFlow
JSFlow is a security-enhanced JavaScript interpreter, written in TypeScript, for fine-grained tracking of information flow.

OSTRICH
OSTRICH is a solver for string constraints with support for complex operations like replace-all and transduction.

SandTrap
SandTrap is a novel JavaScript monitor that securely combines the Node.js vm module with fully structural proxy-based two-sided membranes to enforce fine-grained access control policies.

Web Scanner ModuleMatcher
Master's thesis project focusing on creating a method for combining crawlers and attack modules, for example allowing the crawling component of Black Widow to be combined with the attack module of sqlmap.


People


Andrei Sabelfeld

Project Leader

Chalmers University of Technology

Daniel Hedin

Chalmers University of Technology
Mälardalen University

Alejandro Russo


Chalmers University of Technology

Philipp Rümmer


Uppsala University

David Sands


Chalmers University of Technology

Mohammad Ahmadpanah


Chalmers University of Technology

Iulia Bastys


Chalmers University of Technology

Carlos Tomé Cortiñas


Chalmers University of Technology

Benjamin Eriksson


Chalmers University of Technology

Matthías P. Gissurarson


Chalmers University of Technology

Riccardo De Masellis

Uppsala University

Pablo Picazo-Sanchez


Chalmers University of Technology

Amanda Stjerna


Uppsala University

Alumni


Boel Nelson


Chalmers University of Technology

Alexander Sjösten


Chalmers University of Technology

Daniel Schoepe


Chalmers University of Technology

Musard Balliu


KTH Royal Institute of Technology