Our weekly meeting and talk series, known affectionately as “PL-wonks”, is open to everyone interested in discussing programming languages research happening here at IU. Our talks include original research, experience reports, and tutorials. We also sometimes present papers from the literature that we're interested in.
Unless otherwise noted, PL talks happen every Friday at 4:15pm in Lindley Hall Room 101.
All are welcome to attend.
We have a tradition of baking cookies and other treats for our meetings (though we avoid peanuts due to allergies).
| Date | Speaker | Title | Cookies | Notes |
|---|---|---|---|---|
| SEP 5 | Joe Near | Derailer: Interactive Security Analysis for Web Applications | Rob Zinkov | ICFP |
| SEP 12 | Ambrose BS | | Andre Kuhlenschmidt | |
| SEP 19 | Chris Wailes | | Peter Fogg | |
| SEP 26 | Ed Amsden | | Praveen | |
| OCT 03 | Matteo Cimini | | Jason Hemann | |
| OCT 10 | Eric Holk | | Ambrose BS | |
| OCT 17 | Mike Vitousek | | Cameron Swords | |
| OCT 24 | Andre Kuhlenschmidt | | Edward Amsden | OOPSLA |
| OCT 31 | Spenser Bauman | | Jaime Guerrero | |
| NOV 07 | Aaron Hsu | | Johanna Hsu | |
| NOV 14 | Andrew Kent | | Eric Holk | |
| NOV 21 | Tim Zakian | | Mike Vollmer | |
| DEC 05 | Jeremy Siek | | Andrew Kent | |
| DEC 12 | Praveen / Mike Vollmer | | Mike Vitousek | |
| DEC 19 | Finals Week | | | |
Speaker: Joe Near
Derailer is an interactive tool for finding security bugs in web applications. Using symbolic execution, it enumerates the ways in which application data might be exposed. The user is asked to examine these exposures and classify the conditions under which they occur as security-related or not; in so doing, the user effectively constructs a specification of the application’s security policy. The tool then highlights exposures missing security checks, which tend to be security bugs.
We have tested Derailer’s scalability on several large open-source Ruby on Rails applications. We have also applied it to a large number of student projects (designed with different security policies in mind), exposing a variety of security bugs that eluded human reviewers.
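The workflow in the abstract, reduced to its three steps in a small Ruby model. This is an added illustration, not Derailer's code: the exposures below are constructed by hand to stand in for what symbolic execution of a Rails application would produce, the controller and condition names are hypothetical, and the user's classification is given as a fixed hash rather than gathered interactively. The "likely bug" filter at the end is one simple heuristic for "exposures missing security checks": an exposure counts as suspicious when the same data is guarded by a security-related condition somewhere else in the application.

```ruby
require "set"

# One exposure: a piece of data reaching a response from a given action,
# together with the path conditions that held on the way there.
Exposure = Struct.new(:action, :data, :conditions)

# Constructed sample exposures for a hypothetical Rails blog app
# (in the real tool these come from symbolic execution).
SAMPLE_EXPOSURES = [
  Exposure.new("PostsController#index", "post.title", []),
  Exposure.new("PostsController#show",  "post.body",  ["post.published?"]),
  Exposure.new("PostsController#show",  "post.body",  ["post.owner == current_user"]),
  Exposure.new("PostsController#draft", "post.body",  ["params[:preview] == 'true'"]),
  Exposure.new("UsersController#show",  "user.email", ["current_user.admin?"]),
  Exposure.new("UsersController#index", "user.email", []),
  Exposure.new("ApiController#export",  "user.email", ["request.format.json?"]),
].freeze

# Constructed stand-in for the user's interactive answers: which of the
# distinct conditions express the application's security policy.
SAMPLE_CLASSIFICATION = {
  "post.published?"            => :security,
  "post.owner == current_user" => :security,
  "params[:preview] == 'true'" => :not_security,
  "current_user.admin?"        => :security,
  "request.format.json?"       => :not_security,
}.freeze

# Step 1: the distinct conditions, so the user classifies each one only once.
def distinct_conditions(exposures)
  exposures.flat_map(&:conditions).uniq.sort
end

# Step 2: the classification yields the policy, i.e. the set of conditions
# that count as security checks.
def policy_from_classification(classification)
  classification.select { |_, verdict| verdict == :security }.keys.to_set
end

# Step 3: exposures reached under no security-related condition at all.
def unguarded_exposures(exposures, policy)
  exposures.reject { |e| e.conditions.any? { |c| policy.include?(c) } }
end

# Heuristic refinement: data that is guarded elsewhere but exposed unguarded
# here is the "missing check" pattern the abstract describes. Data that is never
# guarded anywhere (here post.title) is more likely public by design.
def likely_bugs(exposures, policy)
  guarded_data = exposures
    .select { |e| e.conditions.any? { |c| policy.include?(c) } }
    .map(&:data).to_set
  unguarded_exposures(exposures, policy).select { |e| guarded_data.include?(e.data) }
end

# Human-readable report lines for the flagged exposures.
def report(exposures, policy)
  likely_bugs(exposures, policy).map do |e|
    conds = e.conditions.empty? ? "none" : e.conditions.join(" && ")
    "#{e.action} exposes #{e.data} without a security check (conditions: #{conds})"
  end
end

if __FILE__ == $PROGRAM_NAME
  policy = policy_from_classification(SAMPLE_CLASSIFICATION)
  puts "Conditions to classify: #{distinct_conditions(SAMPLE_EXPOSURES).inspect}"
  puts report(SAMPLE_EXPOSURES, policy)
end
```

Run as a script, the report names three exposures: the draft preview path, the user index, and the JSON export all reveal data that other actions protect with an ownership, admin or published check. The user index of `post.title` is unguarded too but is not reported, because nothing in the application ever guards that field; separating those two cases is what keeps the user's attention on probable missing checks rather than on every public page.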