Deian Stefan: 2015 Security Workshop

Modern web applications handle user-specific, often sensitive, information. Unfortunately, protecting user data is notoriously difficult today---web frameworks do not provide a way for declaring and enforcing application-specific security policies. In response, developers often specify and enforce security policy in an ad-hoc fashion (e.g., by strewing security checks throughout the code-base). Recent headlines alone serve to highlight that this is not working---web applications are plagued by privacy leaks. In this talk I will describe ESpectro, a new framework for building least-privileged Node.js applications. ESpectro provides developers with libraries for compartmentalizing applications and declaring high-level security policies. ESpectro then enforces these policies on application code, assuming it to have been compromised, by employing application-level virtualization. We demonstrate the generality of this approach by implementing previous web security architectures, including, OKWS, Passe, and Hails as libraries atop ESpectro. ESpectro will be released as part of a forthcoming open source commercial product.

Deian Stefan is a PhD student in Computer Science at Stanford. His research interests intersect systems, programming languages, and security. As part of his PhD work, Deian focused on web application security; he built practical systems with formal underpinnings that enable average developers to build secure web applications. Deian is a recipient of a NDSEG Fellowship and a Mozilla Research Grant for his work on web security. He is a co-founder and the CTO of GitStar Inc., a company that provides security-as-a-service to web developers. He is a member of the W3C Web Application Security Group, where he serves as editor of the COWL spec. He received his BE and ME in Electrical Engineering from Cooper Union.