Security, privacy and abuse prevention

Implementing a security mechanism on top of APIs requires clear understanding of the semantics of each API, to ensure that security entitlements are enforced consistently and completely across all APIs that could perform the same function for an attacker. Unfortunately, APIs are not designed to be ”semantically orthogonal” and they often overlap, for example by offering different performance...

Online websites use cookie notices to elicit consent from the users, as required by recent privacy regulations like the GDPR and the CCPA. Prior work has shown that these notices are designed in a way to manipulate users into making websitefriendly choices which put users’ privacy at risk. In this work, we present CookieEnforcer, a new system for automatically discovering cookie notices and...

As with most large-scale migration efforts, the last 20% of Alphabet's BeyondCorp migration required disproportionate effort. After successfully transitioning most of the company's workflows to BeyondCorp, we still had a long tail of specific, oddball, or challenging situations to resolve. This article examines how we created processes, tools, and solutions to handle use cases that were not...

A complex challenge when using encryption to enforce access control on resources stored at external cloud providers is the efficient enforcement of access revocation to users who know the key used for encrypting the outsourced resources. We present an approach addressing this challenge that relies on a mixing phase. The mixing phase transforms a plaintext resource into an encrypted resource...