Designing Security for the Web
May 7, 2024: The program is online!
February 22, 2024: Deadline extended to February 26, 2024.
February 8, 2024: The submission site is live! Please visit HotCRP to submit your papers. Deadline February 22, 2024.
December 18, 2023: SecWeb 2024 will be jointly held with IEEE S&P in San Francisco on May 23, 2024.
Back in the days, the Web was not designed with security or privacy in mind. Many key mechanisms we rely on today for critical functionality were arguably not designed for security (such as cookies for authentication purposes) and numerous mechanisms have been piecemeal retrofitted to the Web to add security to it. In this workshop, we want to move away from augmenting the Web with Security and rather design Security for the Web.
The Web has become the key access point to a plethora of security-sensitive services, which we use on a daily basis, yet it was not designed with security in mind. Over the years, this has led to many security mechanisms which were piecemeal retrofit to not cause breakage to existing web applications. The goal of the SecWeb workshop is therefore twofold: we want to collect ideas on how the Web could be extended with novel security mechanisms, better access interfaces (browsers) and disciplined programming abstractions, so as to natively support secure web application development. Moreover, we also invite in particular contributions which aim to redesign parts of the ecosystem, so as not to be stuck on a patchwork of security on the Web, but rather have security built-in by design.
Besides traditional Web security papers, SecWeb particularly welcomes position papers which propose provocative thoughts on how (parts of) the current web platform could be heavily re-envisioned for security. Such proposals often do not fit major computer security conferences, because their real-world deployment might be complicated, yet they have value for the web security community, since they advance the understanding of relevant web security problems, their root causes and the design space of possible solutions. Ideally, we expect well-thought proposals accepted at SecWeb to be excellent starting points for discussion with browser vendors (which we explicitly envision as participants) and/or major players of the Web market, who have the commitment and the resources to convert academic proposals into reality.
SecWeb 2024 is co-located with IEEE S&P 2024 and scheduled for May 23, 2024.
| 9:00 - 9:10 | SecWeb Opening Remarks | Jason Polakis (University of Illinois at Chicago) Marco Squarcina (TU Wien) |
|---|---|---|
| 09:10 - 10:00 | The Journey towards a Cookie-free Diet (Keynote) For multiple decades, we have been consistently ingesting all types of cookies. This unimpeded consumption of cookies has helped flourish many aspects that today we consider common practice, ranging from signing in to a social network site to online banking. However, gobbling up copious amounts of cookies has also left us with plenty of nefarious side effects on our online security and privacy. On the privacy side, third-party tracking is virtually omnipresent on today's Web, where with all the cookies we digest bits and pieces of personal information often leak to others without our explicit approval. At the same time, on the security side, our adoration of cookies has led to countless types of cross-site attacks, ranging from CSRF to the more recently explored XS-Leaks. While there have been certain initiatives that allow websites to follow a "lax" or "strict" diet, global adoption has been challenging. With more recent developments, we are on a path towards a universally cookie-free diet. In this presentation we discuss the different issues caused by cookies, and the lessons we can learn from them. Finally we explore how our ecosystem will (have to) adapt to the cookie-free diet, and whether the diet allows us to become more healthy and protected. |
Tom Van Goethem (Google / DistriNet, KU Leuven) Tom Van Goethem is a software engineer at Google in the Chrome Privacy team and a researcher in the DistriNet group at the University of Leuven, Belgium. His research interests cover a broad spectrum of web security and privacy topics, primarily focusing on side-channel attacks. By uncovering threats and proposing mitigations, Tom aims to make the web a nicer place, a tiny bit at a time. |
| 10:00 - 10:45 | Coffee Break | |
| 10:45 - 11:15 | A Public and Reproducible Assessment of the Topics API on Real Data [Slides] | Yohan Beugin (University of Wisconsin-Madison), Patrick McDaniel (University of Wisconsin-Madison) |
| 11:15 - 11:45 | From Blocking to Breaking: Evaluating the Impact of Adblockers on Web Usability [Slides] | Ritik Roongta (New York University), Mitchell Zhou (New York University), Ben Stock (CISPA), Rachel Greenstadt (New York University) |
| 11:45 - 13:00 | Lunch Break | |
| 13:00 - 13:30 | User Verification System using Location-based Dynamic Questions for Account Recovery [Slides] | Shuji Yamaguchi (LY Corporation), Hidehito Gomi (LY Corporation), Tetsutaro Uehara (Ritsumeikan University) |
| 13:30 - 14:00 | Manufactured Narratives: On the Potential of Manipulating Social Media to Politicize World Events [Slides] | Chris Tsoukaladelis (Stony Brook University), Nick Nikiforakis (Stony Brook University) |
| 14:00 - 14:30 | Exploring the Capabilities and Limitations of Video Stream Fingerprinting [Slides] | Timothy Walsh (Naval Postgraduate School), Trevor Thomas (Naval Postgraduate School), Armon Barton (Naval Postgraduate School) |
| 14:30 - 15:15 | Coffee Break | |
| 15:15 - 16:05 | Unveiling Web Threats: Insights from JavaScript Behavior (Keynote) The web has become an integral part of our daily lives, enabling communication, commerce, and access to information. However, the increasing complexity of web applications and the JavaScript language that powers them has also opened the door to security threats. Malicious actors exploit JavaScript to track users, deliver malware, and launch sophisticated attacks that compromise user privacy and security. Understanding and mitigating these threats requires deep visibility into real-world JavaScript behavior and the ability to detect emerging attack techniques. In this keynote, I will present our research on uncovering web threats through analysis of JavaScript behavior in the wild. We built VisibleV8 to enable in-browser monitoring of JavaScript execution across the web, providing unprecedented insights into the scripts that web pages run. Leveraging this visibility, we developed techniques to automatically discover new browser fingerprinting methods that websites use to stealthily track users. A novel approach to detect JavaScript obfuscation that hides malicious behavior was also created by identifying scripts' usage of concealed browser APIs. Finally, I will discuss work on conducting realistic and reproducible web crawl measurements, which is critical for understanding the web threat landscape. Together, this body of research enables a novel way of studying security and privacy threats on the web. |
Alexandros Kapravelos (NC State University) Alexandros Kapravelos is an Associate Professor in the Department of Computer Science at North Carolina State University. He received his PhD in Computer Science from University of California, Santa Barbara in 2015. His research interests span the areas of systems, software and AI security. Currently, he studies how the web and the browser evolve over time and how we can make the browser more secure in the future. He is also interested in AI security and how LLMs impact security and privacy. Together with the Order of the Overflow team, he organized DEF CON CTF for four years (2018-2021), the oldest and most prestigious Capture The Flag security competition that attracts tens of thousands of participants every year. He is the recipient of the NSF CAREER award in 2021, two best paper awards from the IEEE Symposium on Security and Privacy and a best paper award from Network and Distributed System Security Symposium (NDSS). More info at https://www.kapravelos.com/ |
| 16:05 - 16:10 | Closing Remarks |
All papers discussing Web security and Web privacy aspects are solicited for submission. SecWeb particularly welcomes position papers which propose provocative thoughts on how (parts of) the current Web platform could be heavily re-envisioned for security. This explicitly includes proposals that would break today’s Web to improve its security tomorrow.
Topics of interest include, but are not limited to, the following:
SecWeb solicits both full and short papers. All papers must be written in English and must not exceed 10 pages (full) and 6 pages (short) in A4 format using the IEEE conference proceeding template (excluding bibliography and well-marked appendixes). Submissions must be in PDF format and should print easily on simple default configurations. Submissions are anonymous, so information that might identify the authors must be excluded. It is the authors' responsibility to ensure that their anonymity is preserved when citing their own work. Failures to adhere to these requirements can be grounds for rejection.
The proceedings will be published by the IEEE after the workshop and will be made available in IEEE Xplore. During submission, authors can choose to have their paper excluded from the proceedings. At least one author of each accepted paper must register to the workshop for presentation.
All submissions considered for inclusion in the proceedings must contain an original contribution. That is, these papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal, conference or workshop. In particular, simultaneous submission of the same work is not allowed. This requirement is relaxed for submissions which will not be included in the proceedings: in particular, we also invite papers that are currently under submission or planned to be submitted before the SecWeb notification.
Submissions go to https://secweb24.secpriv.tuwien.ac.at/.
Reviewing is hard, constructive reviewing even more so. For SecWeb, we therefore will have a mentoring program for junior members of the community. We will invite a limited number of students in the area of Web security into the PC and each junior member will have a mentor with whom to discuss their reviews. In this way, junior community members are exposed to the reviewing and discussion process, while also benefiting from the experience and insights of more senior reviewers. If you or your students are interested in this, fill in the form to indicate your (or your students') interest.