TUW Researchers contribute to the 33rd USENIX Security Symposium

Dr.-Ing. Sebastian Roth presented “Trust Me If You Can – How Usable Is Trusted Types in Practice?”, sharing findings from his research with Lea Gröber, Philipp Baus, Katharina Krombholz, and Ben Stock. He highlighted issues related to a novel web security mechanism called Trusted Types. By conducting a semi-structured interview and a live coding task with 13 real-world Web developers, they uncovered roadblocks that occur during the deployment of the security mechanism as well as strategies on how developers can circumvent those problems. Their work also identifies key weaknesses in the design and documentation of Trusted Types, that the standardization body should incorporate before the Trusted Types becomes a standard.
Slides of the talk
Artifact for Trust Me If You Can – How Usable Is Trusted Types In Practice?

Pedro Bernardo presented a practical framework for formally and automatically detecting security flaws in client-side security mechanisms. The research was conducted by a team including Lorenzo Veronese, Valentino Dalla Valle, Stefano Calzavara, Marco Squarcina, Pedro Adão, and Matteo Maffei. The team leveraged Web Platform Tests (WPT), a popular cross-browser test suite, to automatically collect browser execution traces and match them against Web invariants—intended security properties of web mechanisms expressed in first-order logic. Their approach demonstrated effectiveness by validating 9 invariants against the WPT test suite, uncovering violations with clear security implications in 104 tests across Firefox, Chromium, and Safari. The root causes of these violations were disclosed to browser vendors and standardization bodies, resulting in 8 individual reports and one CVE for Safari.
“Web Platform Threats: Automated Detection of Web Security Issues With WPT”
Slides of the talk

Foto: Milena Krobath