Profile

after finishing 42.195Km at Naha Marathon 2008
Hi, I am Sachiko Yoshihama, a researcher at IBM Research - Tokyo. I am interested in information security research, in particular Web 2.0/SaaS security, information flow control and data leakage prevention. My past research interests include trusted computing and pervasive computing.
Profile
- 1993 to 2001 : SEC Co. Ltd.
- 2001 to 2003 : IBM T.J. Watson Research Center
- 2003 to present : IBM Japan, Tokyo Research Laboratory
- April 2008 to present : Committee member of IPSJ CSEC WG
- April 2009 to present : Editorial committee member of IPSJ Magazine
My Projects
- Web 2.0/SaaS Security
- Data Leakage Prevention
- Trusted Computing and Trusted Virtual Domains
- BlueSpace
My Favorite Pursuit
- Jogging / Marathon
- Hiking / Mountain Climbing
Web 2.0/SaaS Security
Asynchronous JavaScript + XML (Ajax), a key technology in Web 2.0, allows user interaction with Web pages to be decoupled from the Web browser's communication with the server. In particular, Ajax drives mashups, which integrate multiple contents or services into a single user experience. However, Ajax and mashup technology introduce new types of threats because of their dynamic and multidomain nature.
In particular, the current browser security model is designed under an assumption that the content within a server is mutually trustworthy. However, Web 2.0 emphasizes collaboration and interaction of users, which implies that any webpage could include content from multiple participants, including potentially malicious ones. In addition, the use of mashup introduces more chances to integrate potentially malicious content into a single webpage.
Our team addresses Web 2.0 security issues from different aspects, such as server-side protection, attack detection and filtering at proxy servers, and a retrofit of the browser security model. Our article on developerWorks identifies some Ajax threats and proposes best practices.
Trusted Computing and Trusted Virtual Domains
I have been interested in Trusted Computing technology since I joined TRL in 2003. Because of the heterogeneity and complexity of IT systems, and because of the plethora of various kinds of threats and attacks, it becomes increasingly difficult to have confidence in what computing systems do and how they behave. Trusted Computing technology allows us to verify and validate the integrity and assurance of not only your computer but also that of somebody you are talking to. It is an essential technology that raises the bar of security and trust in the next-gen IT environment.
Please also visit:
- IBM Research Security Page
- Trusted Virtual Domains web page at IBM Research
- the project page at TRL
- We have successfully organized the 2nd Workshop on Advances in Trusted Computing (WATC'06 Fall), Nov.30-Dec.1, 2006, in Tokyo, Japan.
- Trusted Mobile Platform proposes a next-gen security architecture for mobile devices.
BlueSpace
Before joining TRL, I was working with the pervasive computing solution team at IBM Watson Research Center, where we tried to bring the office of the future into reality in collaboration with Steelcase, one of the largest office furniture manufacturers in the USA. BlueSpace was introduced by many mass media (that is something really exciting -- to see the prototype GUI you wrote on the front page of the New York Times :-)
BlueSpace was demonstrated in shows including CeBIT, Gartner Symposium, etc. If you are interested in seeing the live demo, visit one of Industrial Solutions Labs in Hawthorne, NY or Zurich, Switzerland.
BlueSpace integrates various technologies, such as sensor and actuator devices, peripheral displays, futuristic office facility, and exciting Everywhere Displays. I was most interested in the Context-Aware computing and my research focus was to build a framework for context-aware applications.
Publications
2010
- Sachiko Yoshihama, Takuya Mishina, Tsutomu Matsumoto, Web-based Data Leakage Prevention, International Workshop on Security (IWSEC) 2010, Nov 22-24, 2010, Kobe, Japan.
- Masashi Une, Masataka Suzuki, and Sachiko Yoshihama, Agenda and response to information security management in cloud computing, INSTITUTE FOR MONETARY AND ECONOMIC STUDIES (IMES) Discussion Paper No. 2010-J-24. URL: http://www.imes.boj.or.jp/security/ (Japanese)
- Sachiko Yoshihama, Information-Flow Control for Web Application Security, a doctoral dissertation.
- Takuya Mishina, Sachiko Yoshihama, Naohiko Uramoto, A technology for detecting document reuse to prevent confidential information leakage, the 49th Workshop on Computer Security, CSEC, Information Processing Society of Japan. (Japanese)
- Ai Ishida, Sachiko Yoshihama, Naohiko Uramoto, Detecting Script Injection in HTML by using anomaly detection methods, Computer Security Symposium (CSS) 2010. (Japanese)
2009
- Frederik De Keukelaere, Sachiko Yoshihama, Scott Trent, Yu Zhang, Lin Luo, Mary Ellen Zurko, Adaptive Security Dialogs for Improved Security Behavior of Users. In proceedings of the 12th IFIP TC 13 International Conference on Human-Computer Interaction (INTERACT 2009) Part I, pp.510-523, Uppsala, Sweden, August 2009.
- Sachiko Yoshihama, Takaaki Tateishi, Naoshi Tabuchi, Tsutomu Matsumoto, Information-flow-based Access Control for Web Browsers. IEICE Transactions Vol. E92-D, No. 5, May 2009. Content is also available in the doctoral dissertation.
2008
- Frederik De Keukelaere, Sumeer Bhola, Michael Steiner, Suresh Chari, Sachiko Yoshihama: SMash: secure component model for cross-domain mashups on unmodified browsers. WWW 2008: pp.535-544
- Seiji Munetoh, Megumi Nakamura, Sachiko Yoshihama, Michiharu Kudo: Integrity Management Infrastructure for Trusted Computing. IEICE Transactions Vol. E91-D, No.5: pp.1242-1251, May 2008.
2007
- Takuya Mishina, Sachiko Yoshihama, Michiharu Kudoh, Fine-grained Sticky Provenance Architecture for Office Documents, in the International Workshop on Security 2007 (IWSEC2007), October 29 - 31, 2007, Nara, Japan, Lecture Notes in Computer Science, Vol. 4752, Springer 2007.
- Sachiko Yoshihama, Takeo Yoshizawa, Yuji Watanabe, Michiharu Kudoh and Kazuko Oyanagi, Dynamic Information Flow Control Architecture for Web Applications, in Proceedings of the 12th European Symposium on Research in Computer Security (ESORICS 2007), September 24-26, 2007, Dresden, Germany, Lecture Notes in Computer Science, Vol. 4734, Springer 2007.
- Sachiko Yoshihama, Michiharu Kudoh, Kazuko Oyanagi, Language-Based Information Flow Control in Dynamic Approach, in IPSJ Journal, September 2007. Also available as IBM Research Report RT0694. (in Japanese)
- Frederik De Keukelaere, Sumeer Bhola, Michael Steiner, Suresh Chari, Sachiko Yoshihama, SMash: Secure Cross-Domain Mashups on Unmodified Browsers, IBM Research Report (RT0742), June 2007.
- Sachiko Yoshihama, Naohiko Uramoto, Satoshi Makino, Ai Ishida, Shinya Kawanaka, and Frederik De Keukelaere, Security Model for the Client-Side Web Application Environments, Web 2.0 Security & Privacy 2007 (W2SP2007), May 24, 2007, Oakland, CA, USA.
- Yasuharu Katsuno, Yuji Watanabe, Sachiko Yoshihama, Takuya Mishina, Michiharu Kudoh, A Multi-Layered Attestation on Trusted Virtual Domains, SCIS 2007.
2006
- Yasuharu Katsuno, Michiharu Kudo, Yuji Watanabe, Sachiko Yoshihama, Ronald Perez, Reiner Sailer, and Leendert van Doorn, Towards Multi-Layer Trusted Virtual Domains (slides), the 2nd Workshop on Advances in Trusted Computing (WATC '06 Fall), November 2006, also available as IBM Research Report RT0650.
- Yasuharu Katsuno, Yuji Watanabe, Sachiko Yoshihama, Takuya Mishina and Michiharu Kudo, Layering Negotiations for Flexible Attestation, In Proceedings of the First ACM Workshop on Scalable Trusted Computing (STC'06), ACM Press, November, 2006.
- Yuji Watanabe, Yasuharu Katsuno, Sachiko Yoshihama, Takuya Mishina and Michiharu Kudo, Secure Routing Mechanism for Trusted Virtual Domain and Its Application (in Japanese), in Computer Security Symposium (CSS2006), October 2006.
- Sachiko Yoshihama, Michiharu Kudoh, Kazuko Oyanagi, Information Flow Control for Java with Inline Reference Monitors (in Japanese), in Computer Security Symposium (CSS2006), October 2006.
- Yuji Watanabe, Sachiko Yoshihama, Takuya Mishina, Michiharu Kudo and Hiroshi Maruyama, Bridging the Gap between Inter-Communication Boundary and Inside Trusted Components, in the 11th European Symposium on Research in Computer Security (ESORICS 2006), Lecture Notes in Computer Science, Vol. 4189, Springer, September 2006.
- Sachiko Yoshihama, Platform Trust Based Access Control Framework (in Japanese), Symposium on Cryptography and Information Security 2006 (SCIS2006), January 17-20, 2006, Hiroshima, Japan.
- Yuji Watanabe, Sachiko Yoshihama, Takuya Mishina, Michiharu Kudoh, Security Assurance Model for Software-Execution Environment Using Trust Management (in Japanese), in the Proceedings of the 2006 Symposium on Cryptography and Information Security (SCIS2006), Jan. 17-20, 2006, Hiroshima, Japan.
- Megumi Nakamura, Seiji Munetoh, Sachiko Yoshihama, Efficiency improvement of integrity verification for Thin Client (in Japanese), in the Proceedings of the 2006 Symposium on Cryptography and Information Security (SCIS2006), Jan. 17-20, 2006, Hiroshima, Japan.
2005
- A. Bussani, J.L. Griffin, B. Jansen, K. Julisch, G. Karjoth, H. Maruyama, M. Nakamura, R. Perez, M. Schunter, A. Tanner, L. Van Doorn, E.A. Van Herreweghen, M. Waidner, S. Yoshihama, Trusted Virtual Domains: Secure Foundations for Business and IT Services (Whitepaper, RC23792), November 9, 2005.
- S. Yoshihama, M. Nakamura, K. Sorensen, S. Munetoh, Thin Clean Client, IBM Research Report RT0631.
- S. Yoshihama, T. Ebringer, M. Nakamura, S. Munetoh, H. Maruyama, WS-Attestation: Efficient and Fine-Grained Remote Attestation on Web Services, to appear in the 2005 IEEE International Conference on Web Services (ICWS 2005), July 11-15, 2005, Orlando, Florida, USA, also available as IBM Research Report RT0598.
2004
- Trusted Mobile Platform Specifications Rev. 1.0 Oct 27 2004
- S. Yoshihama, Web Services Assurance: Verifiable Trust and Security in Service Level Agreement, IBM Research Report RT0576.
- S. Yoshihama, P.K. Austel, H. Maruyama, Assurance of Web Service, Symposium on Cryptography and Information Security 2004 (SCIS2004), January 27-30, 2004, Sendai, Japan.
- Hiroshi Maruyama, Frank Seliger, Nataraj Nagaratnam, Tim Ebringer, Seiji Munetoh, Sachiko Yoshihama, Taiga Nakamura, Trusted Platform on Demand (TPod), February 1, 2004, IBM Research Report RT0564.
2003
- Sachiko Yoshihama, Paula K. Austel, Hiroshi Maruyama, Assurance of Web Services, October 20, 2003, IBM Research Report RT0553.
BlueSpace (2001-2003)
- Sachiko Yoshihama, Paul Chou, Danny Wong. "Managing Behavior of Intelligent Environments". Proceedings of First IEEE International Conference on Pervasive Computing and Communications (PerCom'03), March 23 - 26, 2003, Fort Worth, Texas.
- Lai, J., S. Yoshihama, T. Bridgman, M. Podlaseck, P. Chou and D. Wong (2003). "MyTeam: Availability Awareness through the Use of Sensor Data". Proceedings of Ninth IFIP TC13 International Conference on Human-Computer Interaction (Interact 2003), September 1-5, 2003 - Zurich, Switzerland.
- P. Chou, M. Gruteser, J. Lai, A. Levas, S. McFaddin, C. Pinhanez, M. Viveros, D. Wong, and S. Yoshihama, "BlueSpace: Creating a Personalized and Context-Aware Workspace", Research Report RC22281, December, 2001.
- S. Yoshihama, P. Chou, and D. Wong, "Personalizing Behavior in Context-Aware Workspaces", Research Report RC22480, June 2002.
Book Chapter
- Sachiko Yoshihama, Tim Ebringer, Megumi Nakamura, Seiji Munetoh, Takuya Mishina, Hiroshi Maruyama, WS-Attestation: Enabling Trusted Computing on Web Services, in Springer Monograph on Test and Analysis of Web Services, September 2007, also available as IBM Research Report RT0695.
Articles
- Sachiko Yoshihama, Widget Technologies for Commercial Systems, Vol.2, "Secure Mashups with OpenAjax Hub 2.0", CodeZine Nov 24, 2009. Also available on IBM developerWorks. (Japanese Only)
- Sachiko Yoshihama, Ai Ishida, Naohiko Uramoto, Typical Web 2.0 Attack Vectors and Countermeasures, IPSJ Magazine, Vol. 50, No.1, January 2009.
- Naoya Moritani, Norihiko Nakabayashi, Frederik De Keukelaere, Sachiko Yoshihama, Adopting 'Mashups' in Enterprises - Now ready for business, IBM PROVISION No.59, Fall 2008. (in Japanese)
- Naohiko Uramoto, Sachiko Yoshihama, Satoshi Makino, "Web 2.0 Security - Towards establishing a secure Web 2.0 environment", IBM PROVISION No. 55, Fall 2007. (in Japanese)
- T. Uesugi, T. Akutsu, S. Munetoh, S. Yoshihama, "Trusted Network Connect - the trend of TPM related technologies", IPSJ Magazine, November 2007.
- Sachiko Yoshihama, Frederik De Keukelaere, Michael Steiner, Naohiko Uramoto, "Overcome security threats for Ajax applications - Learn tips and best practices to secure your mashup apps", developerWorks, June 19, 2007.
- The article has been translated to other languages: (Japanese, Chinese, Korean)
- An extended version is also available as an OpenAjax Whitepaper.
- Hiroshi Maruyama, Sachiko Yoshihama, "Building trustworthy computing platforms", Cyber Security Management, 2003.
Awards
- IBM Research 2008 Technical Accomplishment
- Excellent Paper Award, Institute of Information Security, March 2006
- IBM Research Division Technical Group Award for Creating Mindshare through BlueSpace Prototype.
