
Patil K.,Vishwakarma Institute of Information Technology | Frederik B.,Mozilla Corporation
International Journal of Network Security | Year: 2016

Content Security Policy (CSP) is a browser security mechanism that aims to protect websites from content injection attacks. To adopt CSP, website developers need to manually compile a list of allowed content sources. Nearly all websites require modifications to comply with CSP's default behavior, which blocks inline scripts and the use of the eval() function. Alternatively, websites could adopt a policy that allows the use of this unsafe functionality, but this opens up potential attack vectors. In this paper, our measurements on a large corpus of web applications provide a key insight into the amount of effort web developers require to adapt to CSP. Our results also identified errors in the CSP policies that website developers set on their websites. To address these issues and make adoption of CSP easier and error free, we implemented UserCSP, a tool built as a Firefox extension. UserCSP uses dynamic analysis to automatically infer CSP policies, facilitates testing, and gives savvy users the authority to enforce client-side policies on websites.

Kimelman D.,IBM | Mandelin D.,Mozilla Corporation | Yellin D.M.,IBM
IEEE Transactions on Software Engineering | Year: 2010

IT system architectures and many other kinds of structured artifacts are often described by formal models or informal diagrams. In practice, there are often a number of versions of a model or diagram, such as a series of revisions, divergent variants, or multiple views of a system. Understanding how versions correspond or differ is crucial, and thus, automated assistance for matching models and diagrams is essential. We have designed a framework for finding these correspondences automatically based on Bayesian methods. We represent models and diagrams as graphs whose nodes have attributes such as name, type, connections to other nodes, and containment relations, and we have developed probabilistic models for rating the quality of candidate correspondences based on various features of the nodes in the graphs. Given the probabilistic models, we can find high-quality correspondences using search algorithms. Preliminary experiments focusing on architectural models suggest that the technique is promising. © 2010 IEEE.

Kiefer F.,Mozilla Corporation | Manulis M.,University of Surrey
AsiaPKC 2016 - Proceedings of the 3rd ACM International Workshop on ASIA Public-Key Cryptography, Co-located with Asia CCS 2016 | Year: 2016

We propose Blind Password Registration (BPR), a new class of cryptographic protocols that is instrumental for secure registration of client passwords at remote servers, with additional protection against unwitting password disclosures on the server side that may occur due to the lack of state-of-the-art password protection mechanisms implemented by the server or due to common server-compromise attacks. The dictionary attack resistance property of BPR protocols guarantees that the only information available to the server during and after the execution of the protocol cannot be used to reveal the client password without performing an offline dictionary attack on a password verifier (e.g. a salted hash value) that is stored by the server at the end of the protocol. In particular, at no point in time is the server supposed to work with plain passwords. Our BPR model allows servers to enforce password policies, and the requirement on the client to obey them during the execution of the BPR protocol is covered by the policy compliance property. We construct an efficient BPR protocol in the standard model for ASCII-based password policies using some techniques underlying the recently introduced Zero-Knowledge Password Policy Checks (ZKPPC). However, we do not rely on the full power of costly ZKPPC proofs and in fact show that BPR protocols can be modelled and realised more simply and significantly faster (as supported by our implementation) without using them as a building block. Our BPR protocol can directly be used to replace the ZKPPC-based registration procedure for existing VPAKE protocols. © 2016 Copyright held by the owner/author(s).

Frechette M.,Universite de Sherbrooke | Letourneau D.,Universite de Sherbrooke | Valin J.-M.,Mozilla Corporation | Michaud F.,Universite de Sherbrooke
IEEE International Conference on Intelligent Robots and Systems | Year: 2012

To demonstrate the influence of an artificial audition system on speech recognition and dialogue management for a robot, this paper presents a case study involving soft coupling of ManyEars, a sound source localization, tracking and separation system, with the CSLU Dialogue Management system. Trials were conducted in a laboratory and a cafeteria. Results indicate that preprocessing of the audio signals by ManyEars improves speech recognition and dialogue management of the system, demonstrating the feasibility and the added flexibility provided by ManyEars for a robot to interact vocally with humans in a wide variety of contexts. © 2012 IEEE.

Stenberg D.,Mozilla Corporation
Computer Communication Review | Year: 2014

A detailed description explaining the background and problems with current HTTP that have led to the development of the next generation HTTP protocol: HTTP 2. It also describes and elaborates on the new protocol design and functionality, including some implementation specifics and a few words about the future. This article is an editorial note submitted to CCR. It has NOT been peer reviewed. The author takes full responsibility for this article's technical content. Comments can be posted through CCR Online.
