devdatta akhawe  beta

hi

I am a first second third fourth year graduate student in Computer Science at UC Berkeley interested in security. I am part of Dawn Song's research group.

In the past, I have interned at Mozilla, Microsoft (MSRC), Yahoo! Labs and Microsoft Research. I have a Bachelor's degree in Computer Science from BITS Pilani. I can be found at various places on the internet. In my spare time, I also volunteer at Asha for Education, Berkeley where I am the the steward for Guria. Please consider donating! I also have a very hard to pronounce name.

research

I am interested in security and reliability of software. Most of my research has focussed on web application security.

Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness
Devdatta Akhawe, Adrienne Porter Felt
Usenix Security Symposium, Washington DC, 2013.
An Empirical Study of Vulnerability Rewards Programs
Matthew Finifter, Devdatta Akhawe, David Wagner
Usenix Security Symposium, Washington DC, 2013.
Here's My Cert, So Trust Me, Maybe? Understanding TLS Errors on the Web   pdf   slides
Devdatta Akhawe, Bernhard Amann, Matthias Vallentin, Robin Sommer
World Wide Web Conference (WWW), Rio De Janerio, 2013.
≻ Abstract
When browsers report TLS errors, they cannot distinguish between attacks and harmless server misconfigurations; hence they leave it to the user to decide whether continuing is safe. However, actual attacks remain rare. As a result, users quickly become used to ``false positives'' that deplete their attention span, making it unlikely that they will pay sufficient scrutiny when a real attack comes along. Consequently, browser vendors should aim to minimize the number of low-risk warnings they report. To guide that process, we perform a large-scale measurement study of common TLS warnings. Using a set of passive network monitors located at different sites, we identify the prevalence of warnings for a total population of about 300,000 users over a nine-month period. We identify low-risk scenarios that consume a large chunk of the user attention budget and make concrete recommendations to browser vendors that will help maintain user attention in high-risk situations. We study the impact on end users with a data set much larger in scale than the data sets used in previous TLS measurement studies. A key novelty of our approach involves the use of internal browser code instead of generic TLS libraries for analysis, providing more accurate and representative results.
How to Ask for Permission   pdf   slides
Adrienne Porter Felt, Serge Egelman, Matthew Finifter, Devdatta Akhawe, David Wagner
Hot Topics in Security (HotSec), Bellevue 2012.
≻ Abstract
Application platforms provide third-party applications with access to hardware (e.g., GPS and cameras) and personal data. Many platforms use permission systems to protect access to these resources. The nature of these permission systems vary widely across platforms. Some platforms obtain user consent as part of installation, while others display runtime consent dialogs. We propose a set of guidelines to aid platform designers in determining the most appropriate permission-granting mechanism for a given permission. We apply our proposal to a smartphone platform. A preliminary evaluation indicates that our model will reduce the number of warnings presented to users, thereby reducing habituation effects.
Privilege Separation for HTML5 Applications   pdf   slides
Devdatta Akhawe, Prateek Saxena, Dawn Song
21st Usenix Security Symposium, Bellevue 2012.
≻ Abstract
The standard approach for privilege separation in web applications is to execute application components in different web origins. This limits the practicality of privilege separation since each web origin has financial and administrative cost. In this paper, we propose a new design for achieving effective privilege separation in HTML5 applications that shows how applications can cheaply create arbitrary number of components. Our approach utilizes standardized abstractions already implemented in modern browsers. We do not advocate any changes to the underlying browser or require learning new high-level languages, which contrasts prior approaches. We empirically show that we can retrofit our design to real-world HTML5 applications (browser extensions and rich client-side applications) and achieve reduction of 6x to 10000x in TCB for our case studies. Our mechanism requires less than 13 lines of application-specific code changes and considerably improves auditability.
Product Labels for Mobile Application Markets   pdf   slides
Devdatta Akhawe, Matthew Finifter
Mobile Security Technologies, San Francisco 2012.
≻ Abstract
Mobile application markets thrive, yet they are heldback from their full potential by the information asymmetrybetween application developers and application consumers. AConsumer has no way to gauge the security or reliability of anapplication, and a developer has no way to differentiate hisapplication from that of the competition on the basis of thesefactors. We argue that the centralized nature of mobileapplication markets, such as Android Market and the iOS App Store,afford them a unique opportunity to gather and present information. We discuss a number of ideas to leverage thisopportunity to eliminate information asymmetry, includingthirdparty certifications, qualitative descriptions of attacksurface, and aggregated usage data.
A Systematic Analysis of XSS Sanitization in Web Application Frameworks   pdf   slides
Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Dawn Song
16th European Symposium on Research in Computer Security (ESORICS), Leuven 2011.
≻ Abstract
While most research on XSS defense has focused on techniques for securing existing applications and re-architecting browser mechanisms, sanitization remains the industry-standard defense mechanism. By streamlining and automating XSS sanitization, web application frameworks stand in a good position to stop XSS but have received little research attention. In order to drive research on web frameworks, we systematically study the security of the XSS sanitization abstractions frameworks provide. We develop a novel model of the web browser and characterize the challenges of XSS sanitization. Based on the model, we systematically evaluate the XSS abstractions in 14 major commercially-used web frameworks. We find that frameworks often do not address critical parts of the XSS conundrum. We perform an empirical analysis of 8 large web applications to extract the requirements of sanitization primitives from the perspective of real-world applications. Our study shows that there is a wide gap between the abstractions provided by frameworks and the requirements of applications.
Do You Know Where Your Data Are?
Secure Data Capsules for Deployable Data Protection   pdf   slides
Petros Maniatis, Devdatta Akhawe, Kevin Fall, Elaine Shi, Stephen McCamant, Dawn Song
13th Workshop on Hot Topics in Operating Systems (HotOS), Napa 2011.
Towards a Formal Foundation of Web Security   pdf   slides
Devdatta Akhawe, Adam Barth, Peifung Eric Lam, John Mitchell, Dawn Song
23rd IEEE Computer Security Foundations Symposium (CSF), Edinburgh 2010.
≻ Abstract
We propose a formal model of web security based on an abstraction of the web platform and use this model to analyze the security of several sample web mechanisms and applications. We identify multiple distinct threat models that can be used to analyze web applications, ranging from a web attacker who controls malicious web sites and clients, to stronger attackers who can control the network and/or leverage sites designed to display user-supplied content. We propose two broadly applicable security goals and study five security mechanisms. In our case studies, which include HTML5 forms, Referer validation, and a single sign-on solution, we use a SAT-based model-checking tool to fid two previously known vulnerabilities and three new vulnerabilities. The case study of a Kerberos-based single sign-on system illustrates key differences between network protocols and web protocols and finds a vulnerability that arises because of the way cookies, redirects, and embedded links are used.
A Symbolic Execution Framework for JavaScript   pdf   slides
Prateek Saxena, Devdatta Akhawe, Steve Hanna, Stephen McCamant, Feng Mao, Dawn Song
31st IEEE Symposium on Security and Privacy, Oakland 2010.
Winner of AT&T Best Applied Security Research Paper award at CSAW
≻ Abstract
As AJAX applications gain popularity, client-side JavaScript code is becoming increasingly complex. However, few automated vulnerability analysis tools for JavaScript exist. In this paper, we describe the first system for exploring the execution space of JavaScript code using symbolic execution. To handle JavaScript code’s complex use of string operations, we design a new language of string constraints and implement a solver for it. We build an automatic end-to-end tool, Kudzu, and apply it to the problem of finding client-side code injection vulnerabilities. In experiments on 18 live web applications, Kudzu automatically discovers 2 previously unknown vulnerabilities and 9 more than that were previously found only with a manually-constructed test suite.
The Emperor’s New API: On the (In)Secure Usage of New Client Side Primitives   pdf   slides
Steve Hanna, Richard Shin, Devdatta Akhawe, Prateek Saxena, Arman Boehm, Dawn Song
4th Web 2.0 Security and Privacy Workshop, Oakland 2010.
≻ Abstract
Several new browser primitives have been proposed to meet the demands of application interactivity while enabling security. To investigate whether applications consistently use these primitives safely and adequately in practice, we study the real-world usage of two client-side primitives, namely postMessage and HTML5’s client-side database storage. We examine new purely client-side communication protocols layered on postMessage (Facebook Connect, Google Friend Connect) and several real-world web applications (including Gmail, Buzz, Maps and others) which use client-side storage abstractions. We find that, in practice, these abstractions are widely used insecurely, which leads to severe vulnerabilities and can increase the attack surface for web applications in unexpected ways. We conclude the paper by offering insights into why these abstractions can be hard to use safely, and propose the economy of liabilities principle for designing future abstractions. The principle recommends that a good design for a primitive should minimize the liability that the user undertakes to ensure application security. We suggest enhancements to the existing browser primitives to make their secure use more practical.

etc

I have been hacking over a simple tool to check for common errors in academic writing. If you use it, I would appreciate feedback/comments/patches.

I was czaring the Security Reading Group at Berkeley. Kevin is now in charge.

The Web Security model project I worked on is now opensource.

Kaluza, a tool I worked on, is now available to play with online. During this work, I also wrote a tool to convert Perl compatible regular expressions to the Hampi string solver input format. It is now part of the Hampi codebase.