Web Contents Filtering Technology
Secure Mashups!! A step towards corporate mashups
Mashup applications mix and merge content (data and code) from multiple content providers in a user's browser, providing high-value Web applications that can rival the user experience provided by desktop applications. When the first mashups started popping up on the Internet, corporate users started noticing the potential of combining different data sources into one new representation, not only for their private lives, but also to enhance their work lives.
However, current browser security models were not designed to support such applications and they are therefore implemented with insecure workarounds. This leads to potential dangers with mixtures of corporate data and third-party data without any reliable security mechanisms in place to prevent both kinds of data from accessing each other.
In our secure mashups research, we are working on a secure component model, where components are provided by different trust domains and can interact using communication abstractions that allow easy specification of security policies. We have developed an implementation of this model that works in all of the major browsers, and that addresses such challenges as communication integrity and frame-phishing. By sandboxing third-party components in a webpage, we are providing an answer to the security concerns that were preventing mashups from being widely adopted by corporations. The current results of this work were presented at WWW 2008.
Content-Based Data Leakage Prevention Technology
The emergence of Software as a Service (SaaS) has changed the way people use software. Instead of purchasing packaged software and installing it on their own computing platforms, people now use applications hosted on servers of third-party service providers. SaaS can free the IT department of a company from the burdens of installation, maintenance (such as version updates and security patches), backups, etc., and thus reduces the IT management costs.
However, because of the nature of SaaS, there are many security concerns that may prevent users from migrating to the SaaS environment. A SaaS environment may be shared not only between multiple organizations within a company, but may also allow collaboration across corporate boundaries. On the one hand, such collaborative SaaS environments introduce additional concerns regarding data protection. On the other hand, such a SaaS environment offers companies an opportunity to centralize the data management, even across corporate borders. It is well known that the majority of sensitive information in an enterprise is within individual PCs, especially due to the prevalence of office documents. However, by migrating to a SaaS environment, employees no longer need to keep data on their HDDs, which makes data governance an easier task.
Our technology addresses the threats of data leakage in collaborative SaaS environments, especially in the context of document security. The Content-Based Data Leakage Prevention technology detects potentially confidential documents by validating their contents and protects them from unauthorized disclosures.
Web Application Vulnerability Detection Technology
We are studying theoretical aspects of Web applications and developing technologies to detect security flaws and to verify the safety of Web applications based on these theories.
In particular, we are focusing on program analysis techniques such as static information flow analyses, static string analyses, and combinations of static and dynamic analyses.
With information flow analysis, we can verify confidentiality and integrity for server-side and client-side applications. For a server-side application, we address how to check the integrity of the application. For client-side applications, we are trying to formalize the behaviors of a Web browser as a basis for studying techniques to protect the Web browser from attacks such as cross-site scripting (XSS).
In addition, we are also interested in string analysis and its applications, since many of the security flaws in Web applications are caused by illegal strings supplied as input by the application's users. Our string analysis forms a family of static program analyses that can statically determine the possible strings that can appear at runtime.
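As an added illustration of the idea (example code written for this page, not the project's own analysis), the following abstract interpreter over a toy straight-line program tracks, for each string variable, the set of characters it may contain at runtime and reports when an HTML sink may receive a metacharacter. The character-set domain, the tuple-based program representation and the sample program are all assumptions made for this example; the project's analyses work on richer string languages than character sets.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Chars:
    """Abstract string value: the characters a string may contain at runtime.
    negated=True means 'every character except chars' (ANY = negated empty set)."""
    chars: frozenset
    negated: bool = False

    def may_contain(self, c):
        return (c not in self.chars) if self.negated else (c in self.chars)

    def union(self, other):  # least upper bound: concatenation and branch merges
        if not self.negated and not other.negated:
            return Chars(self.chars | other.chars)
        if self.negated and other.negated:
            return Chars(self.chars & other.chars, True)
        neg, pos = (self, other) if self.negated else (other, self)
        return Chars(neg.chars - pos.chars, True)

    def remove(self, dropped):  # effect of a sanitizer that deletes `dropped`
        d = frozenset(dropped)
        return Chars(self.chars | d, True) if self.negated else Chars(self.chars - d)

ANY = Chars(frozenset(), True)  # attacker-controlled input: any character at all
HTML_META = "<>\"'&"            # characters that must not reach an HTML body raw

def analyze(program, sinks=HTML_META):
    """Abstractly interpret a straight-line program ('phi' merges two branches).
    Returns (env, findings): var -> Chars, and sink vars that may carry a bad char."""
    env, findings = {}, []
    for op, dst, *args in program:
        if op == "lit":                # dst = "constant"
            env[dst] = Chars(frozenset(args[0]))
        elif op == "input":            # dst = request parameter
            env[dst] = ANY
        elif op in ("concat", "phi"):  # dst = a + b, or a on one branch and b on the other
            env[dst] = env[args[0]].union(env[args[1]])
        elif op == "strip":            # dst = a with the listed characters deleted
            env[dst] = env[args[0]].remove(args[1])
        elif op == "html_sink":        # dst is written into the HTML response
            bad = sorted(c for c in sinks if env[dst].may_contain(c))
            if bad: findings.append((dst, bad))
    return env, findings

# Constructed sample: one branch strips HTML metacharacters from the parameter,
# the other does not; both branches reach the response.
SAMPLE = [("input", "name"), ("lit", "hello", "Hello, "),
          ("strip", "safe", "name", HTML_META),
          ("concat", "page_a", "hello", "safe"), ("concat", "page_b", "hello", "name"),
          ("phi", "page", "page_a", "page_b"), ("html_sink", "page_a"), ("html_sink", "page")]
```

Running `analyze(SAMPLE)` reports only `page`, because the merge with the unsanitized branch reintroduces every metacharacter, while `page_a` is proven clean without executing the program.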