EPSRC logo

Details of Grant 

EPSRC Reference: EP/I004246/1
Title: Foundations of Secure Web Programming
Principal Investigator: Maffeis, Dr S
Other Investigators:
Researcher Co-Investigators:
Project Partners:
Department: Computing
Organisation: Imperial College London
Scheme: Career Acceleration Fellowship
Starts: 01 August 2010 Ends: 31 July 2015 Value (£): 591,978
EPSRC Research Topic Classifications:
Fundamentals of Computing Information & Knowledge Mgmt
EPSRC Industrial Sector Classifications:
No relevance to Underpinning Sectors
Related Grants:
Panel History:
Panel DatePanel NameOutcome
09 Jun 2010 EPSRC Fellowships 2010 Interview Panel F Announced
Summary on Grant Application Form
Many important activities in our lives involve the web. We socialize on Facebook, have fun on YouTube, bank online, store our work in the cloud, find a job on LinkedIn and some of us even get married on Second Life. What makes web technology so exciting is that people and companies keep finding new and creative ways of using it for applications not foreseen by its designers: for example, using the web to make phone calls and mobile phones to browse the web.Unfortunately, for this very reason, the software and protocols on which web applications are based are not designed with the appropriate level of security in mind. Some of the information we share with web applications is very valuable, and should be protected carefully. News stories often remind us how cyber-crime negatively affects our finances, privacy and well-being.Web companies are strongly innovation-driven and focus on delivering new applications and features as quickly as possible, selecting which ones to maintain based on popularity or profitability. While the importance of security is acknowledged, the most common approach is to enforce security by monitoring the system and intervening when a security violation is detected. As this industry matures, there is a raising awareness that security must to be built into the languages and tools used to program web applications, and there is a growing need to gain some level of confidence that an application is effectively secure.In my career so far, I have studied in depth the foundations and principles for understanding computer programs and making sure that they work correctly without security breaches. Over the next few years, I will face the challenge of applying these principles to lay web programming on a sound formal ground. I want to understand deeply the current and emerging technologies that are used on the web, find ways to make them more secure, and contribute to the design of future web technologies and tools. This process will involve lots of creative thinking, and lead to innovative scientific results, because a secure web application must combine securely non-trivial components such as databases, internet protocols, scripting languages and web browsers.Here is an example of a first step in the direction of my proposal. Facebook users write Facebook applications in JavaScript (the language that sits inside web pages and makes them interactive) and share them with other users. This raises the problem of restricting such JavaScript, written by a potentially malicious user, to make sure that it is safe for all the other Facebook users. With colleagues in Stanford, I modelled JavaScript as a set of simple mathematical formulas with a very precise meaning, and once I understood the language and its security properties (by proving several mathematical results), I studied the way Facebook restricts JavaScript and found several flaws. A malicious user could have written bad Facebook applications, able to steal information and damage the profile or the web browser of other users. I contacted the Facebook team and discussed possible solutions, and they modified their restriction mechanism accordingly.This is just an example of how the work I am proposing consists in original foundational research that also has direct impact on the life of millions of people. Following a similar approach I will also model the languages that are used to program web servers, such as PHP, and the browser with its DOM libraries, and study their security properties. I will participate in the definition of standards related to web security, and influence the design of several major web applications such as the future versions of the iGoogle portal, Yahoo!'s advertising platform and the Microsoft Web Sandbox framework for mashups. I have already met researchers from these companies, all interested in receiving input from this line of research.
Key Findings
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Potential use in non-academic contexts
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Impacts
Description This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Summary
Date Materialised
Sectors submitted by the Researcher
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Project URL:  
Further Information:  
Organisation Website: http://www.imperial.ac.uk