SSOScan is an automated scanner of web applications for Single Sign-On vulnerabilities. Our paper was published at the 23rd USENIX Security Symposium (2014), and more details can be found here.
The goal of the Explicating SDKs project is to systematically uncover implicit assumptions that are important to applications' security properties. This work was published at the 22nd USENIX Security Symposium (2013).
This short paper was presented at W2SP '10 (co-hosted with Oakland '10). We looked at the history and current status of how well HTTP-only cookies are deployed, and gave some suggestions on how future security work can improve its own deployment rate.
This poster was presented at USENIX '11. The idea is to generate annotated policies automatically on the server side using GuardRails, and to enforce the access control policies on the client side using DOMinator.