Mr. Ben Siu-Yuen Fung, a graduated MPhil student, and his supervisor Prof. Patrick P. C. Lee received the best paper award in the 10th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-11) ( for their paper titled "A Privacy-Preserving Defense Mechanism Against Request Forgery Attacks". This year there were 471 submissions including symposium and workshops. 126 of them were selected. 2 best paper awards were given.

The paper considers the request forgery problem, one of the top security risks in today's web applications, and proposes a practical defense mechanism called DeRef, which seeks to defend against a general class of cross-site and same-site request forgery attacks. DeRef allows a website to apply fine-grained access control on the scopes within which the client's authentication credentials can be embedded in requests. One key feature of DeRef is to enable privacy-preserving checking, such that the website does not know where the browser initiates requests, while the browser cannot infer the scopes being configured by the website. DeRef can make a trade-off between performance and privacy protection. A proof-of-concept prototype of DeRef is implemented on FireFox and WordPress 2.0, and its performance overhead is evaluated in various deployment scenario. The source code of DeRef is available on