

Section: Partnerships and Cooperations

Regional Initiatives

  • Région Bretagne ARED grant: the PhD of Regina Marin on privacy protection in distributed social networks is supported by a grant from the Région Bretagne.

  • Labex COMINLAB contract (2012-2015): « POSEIDON »

    POSEIDON deals with the protection of data in outsourced or mutualized systems such as cloud computing and peer-to-peer networks. While these approaches are very promising solutions for outsourcing storage space, contents, data and services, they also raise serious security and privacy issues, since users lose sovereignty over their own data, services and systems. Instead of trying to prevent the bad effects of the cloud and of peer-to-peer systems, the main objective of the POSEIDON project is to take advantage of their main characteristics (distribution, decentralization, multiple authorities, etc.) to improve the security and the privacy of the users' data, contents and services.

    This study is conducted in cooperation with Télécom Bretagne and Université de Rennes 1.

  • Labex COMINLAB contract (2012-2015): « SecCloud »

    Nowadays, attacks targeting the end user, and especially their web browser, constitute a major threat. Indeed, web browser complexity has been continuously increasing, leading to a very large attack surface. Among all possible threats, we tackle in the context of the SecCloud project those induced by client-side code execution (for example JavaScript, Flash or HTML5).

    Existing security mechanisms such as OS-level access control often rely only on the user's identity to enforce the security policy. Such mechanisms are not sufficient to prevent client-side browser attacks, as the web browser is granted the same privileges as the user. Consequently, malicious code can perform every action that is allowed to the user. For instance, it can read and leak the user's private data (credit card numbers, registered passwords, email contacts, etc.) or download and install malware.

    One possible approach to deal with such threats is to monitor information flows within the web browser in order to enforce an information flow security policy. Such a policy should make it possible to define fine-grained information flow rules between user data and distant web sites. This requires proposing an approach, and designing and implementing a mechanism, that can handle both OS-level and browser-level information flows.

    Dynamically monitoring information flow at the web browser level may dramatically impact the runtime performance of the executed code. Consequently, an important aspect of this work will be to benefit as far as possible from static analysis of application code. This hybrid static-dynamic approach should reduce the number of verifications performed at run time.

    This study is conducted in cooperation with other Inria Teams (Ascola and Celtique).