Web sessions allow users to get authenticated access to their favourite online services, like social networks, e-mail services and e-commerce websites. Unfortunately, web sessions are fragile and can be attacked at many different levels, leading to security flaws which can be as severe as account takeover. Automatically enforcing desirable security guarantees on web session implementations is an important research direction to make the Web a safer place, but it's also an extremely hard task, given the highly heterogeneous nature of existing web applications. In this talk, I will present the most common attacks against web sessions and I will discuss automated solutions designed to detect and prevent such attacks, while dealing with the compatibility challenges inherent to the complexity of the modern Web.
Stefano Calzavara is an assistant professor (with tenure track) at Università Ca’ Foscari Venezia, Italy. He received his PhD from Università Ca’ Foscari Venezia in 2013 and then worked as postdoctoral researcher at Ca' Foscari and at Saarland University, Germany. His main research interests are in the area of web security, formal methods and their intersection. He published around 30 research papers on these topics at widely recognized international conferences and journals. Selected venues where he published his works include IEEE SsembioP, ACM CCS, USENIX Security, WWW, IEEE CSF, ESOP, ACM TOPLAS and ACM TWEB. In 2013, he received the EATCS prize for the best theory paper at ETAPS thanks to his research on the secure implementation of cryptographic protocols. In 2018, he was invited to the Journal Track of the Web Conference due his work on web session security. Since 2015, he served in the program committee of a number of scientific events, including USENIX Security, IEEE EuroSsembioP, IEEE CSF, POST and ESSoS.
FORUM NUMERICA is sponsored by the Academy of Excellence “Networks, Information and Digital Society” of UCA JEDI.