Till startsida
Sitemap
To content Read more about how we use cookies on gu.se

The art of being ahead of a hacker - interview with Andrei Sabelfeld

By using programming language technology you can track exactly what happens in the system, which is essential when analyzing security

Andrei Sabelfeld came to Sweden as a PhD student in 1996 and became interested in computer security, a rather unexplored area at the time. Andrei has now been promoted to Professor at the Department of Computer Science and Engineering at Chalmers University of Technology. Today computer security is a hot area, and the need for reliable systems increases continuously.

- Our goal is to guarantee security in computing systems by secure program construction so that the risk for information leakage is reduced. To achieve this, we draw on the technology of programming languages, says Andrei.

Andrei Sabelfeld's research is based on the technology of programming languages for security applications. A typical sceanario is electronic shopping, when sensitive information is transferred during the payment. When typing in a credit card number, the browser often needs to perform some basic checks, such as whether that it is a real credit card number and whether the card is still valid. But the possibility of running code to perfom checks like this also means a security risk. One way for the attacker to inject malicious code into the browser is to write a piece of code in some field where the web developers have forgotten to ”sanitize”, a search field for example. Another way could be to put a piece of code in an unprotected discussion field in a web community.

A bit too common with security vulnerabilities in the Internet

It is often easier said than done to find general methods for protecting search and discussion fields. The rules for characters allowed in the fields are always possible to evade. At the same time, it does strike as odd that well known security problems are often ignored by web developers.

- This spring I gave a course on language based computer security, where the students were asked to roadmap the web sites they could find with security problems - and they found a lot. Despite the available lists of insecure web sites all over the world, it is not a matter of course that the web owners do something about them.

By using programming language technology it is possible to track exactly what is going on inside the system, which is crucial when you want to analyze the level of security. Andrei develops new techniques based on programming languages that can be delployed as a security supplement to browsers.

Companies in need for in-depth computer security

- Computer security is an attractive area for companies today, and we have many projects running, says Andrei. Sometimes the companies get in touch with us, sometimes we are the ones who establish the contact. Right now we have collaboration with companies as Microsoft, SAP and Siemens, who make use of our expertise to get more of in-depth security in their computer systems. I am also in contact with Brendan Eich, CTO at Mozilla Corporation, since they are interested in securing information flows in the Firefox browser.

Web mashups is a security challenge

A partucarly hot challenge for today’s security is the area of web mashups. A mashup is a web application that integrates information and functions from different sources. An example of a mashup is a web site with apartments to rent, where the information is combined with Google Maps. In a typical mashup like this, information has to be integrated, but the challenge is to secure the integration, so that, for example, secret information of one mashup component is not leaked to another component.

Dynamic tools as a supplement in computer programs

- We are also working with increasing security for programs that already exist. This work is also based on programming languages, says Andrei. Both static and dynamic analyses can be used for this goal. Static analysis can be run by the developers to help find security vulnerabilities before a program is used. Dynamic analysis can be embedded in the final product, for example, as a supplement to Mozilla web browser to track the information flow while the web application is running. It is often hard to find the balance in the security analysis - dynamic analysis is often more precise than static but the price of the precision is performance overhead. To find the right balance is one of the most important challenges.

A Volga German from Novosibirsk

Andrei Sabelfeld is originally from Novosibirsk in Russia, but has Swedish, German and Russian citizenship today. Andrei's relatives belong to the so called "Volga Germans", about 200 000 Germans that lived in a German-speaking enclave at the river Volga in Russia. During the World War II Stalin got cold feet by the thought of so many Germans living in the central part of Russia, so he deported them to Siberia. The population of the Volga Germans has then been mixed with the Russian population and both Andrei and his wife have one parent who is Russian and one that is of Volga German descent.

Language based security has grown very fast

Andrei studied for his Master’s degree in Novosibirsk and he started as a PhD student at the Department of Computer Science and Engineering in Gothenburg in 1996. He was employed as a non-affiliated PhD student, not connected to a specific project and had the opportunity to decide what research area to choose. Andrei talked to several researchers at the department and got interested in working with David Sands, who had started to look at computer security. Language based security was a very small field by the time, but it has grown very fast. In 2003 Andrei Sabelfeld wrote an article which constituted a research summary of the language based information flow security area. Today it would have resulted in a very heavy book!

Yes, Andrei does pay via Internet...

Andrei says that he actually does some Internet shopping, but as a precaution he uses a credit card which contains a very small amount of money. Some banks also provide disposable credit cards that are particularly suitable for online shopping. If you pay via Internet, you have to be observant during the process and check that the little padlock symbolizing security code is shown where it is supposed to be.

"Future Research Leader"

Andrei has received many distinctions in recent years. In 2008 he was appointed " Future Research Leader" by the Swedish Foundation for Strategic Research, SSF. The aim of the financial contribution is, according to SSF, "to place a few very promising young researchers in the front seat and give them an opportunity to build independent research groups with international striking power". In 2010 Andrei was also appointed "PhD supervisor of the year" at Chalmers University of Technology, with the justification "he lets his PhD students come first and he gives them the feeling that they are highly ranked in order to priority".

Andrei has also been invited to give a course for computer scientists at Marktoberdorf Summer School in both 2009 and 2011. Marktoberdorf Summer School is described as a Mekka for computer scientists. During 2010 Andrei Sabelfeld has been promoted to Professor at the Department of Computer Science and Engineering at Chalmers University of Technology.

 

Interview: Catharina Jerkbrant



Contact information:

Andrei Sabelfeld
Department of Computer Science and Engineering
+46 (0)31 772 10 18

 

Andrei Sabelfeld

Andrei SabelfeldIn Andrei Sabelfeld's research he uses the technology of programming languages for different kinds of security applications.

Page Manager: Catharina Jerkbrant|Last update: 10/4/2010
Share:

The University of Gothenburg uses cookies to provide you with the best possible user experience. By continuing on this website, you approve of our use of cookies.  What are cookies?