TUW Researchers contribute to the 33rd USENIX Security Symposium

The USENIX Security Symposium is a prestigious conference in the field of computer security and privacy, drawing researchers, practitioners, system administrators, developers, and security experts from around the world. It provides a vital platform for exploring the latest breakthroughs and innovations in system and network security. This year, researchers from TUW made significant contributions to the symposium with two presentations, highlighting cutting-edge advancements in these critical areas of cybersecurity.

2024-08-14

Dr.-Ing. Sebastian Roth presented “Trust Me If You Can – How Usable Is Trusted Types in Practice?”, sharing findings from his research with Lea Gröber, Philipp Baus, Katharina Krombholz, and Ben Stock. He highlighted issues related to a novel web security mechanism called Trusted Types. By conducting a semi-structured interview and a live coding task with 13 real-world Web developers, they uncovered roadblocks that occur during the deployment of the security mechanism, as well as strategies developers can use to work around those problems. Their work also identifies key weaknesses in the design and documentation of Trusted Types, which the standardization body should address before Trusted Types becomes a standard.
Slides of the talk
Artifact for Trust Me If You Can – How Usable Is Trusted Types In Practice?

Pedro Bernardo presented a practical framework for formally and automatically detecting security flaws in client-side security mechanisms. The research was conducted by a team including Lorenzo Veronese, Valentino Dalla Valle, Stefano Calzavara, Marco Squarcina, Pedro Adão, and Matteo Maffei. The team leveraged Web Platform Tests (WPT), a popular cross-browser test suite, to automatically collect browser execution traces and match them against Web invariants—intended security properties of web mechanisms expressed in first-order logic. Their approach demonstrated effectiveness by validating 9 invariants against the WPT test suite, uncovering violations with clear security implications in 104 tests across Firefox, Chromium, and Safari. The root causes of these violations were disclosed to browser vendors and standardization bodies, resulting in 8 individual reports and one CVE for Safari.
“Web Platform Threats: Automated Detection of Web Security Issues With WPT”
Slides of the talk

Sebastian Roth’s interview on the CISPA podcast TL;DR, in which he shares his views on an academic career, the role of developers in ensuring Internet security, and the critical importance of security standards for the web, can be heard in the episode titled ‘#CISPA@USENIX – Human Factors in Web Security with Sebastian Roth’.