ABSTRACT
We present a programming model for building web applications with security properties that can be confidently verified during a security review. In our model, applications are divided into isolated, privilege-separated components, enabling rich security policies to be enforced in a way that can be checked by reviewers. The web framework enforces privilege separation and isolation by requiring the use of an object-capability language and by providing interfaces that expose limited, explicitly specified privileges to application components. This approach restricts what each component of the application can do and quarantines buggy or compromised code. It also provides a way to integrate third-party, less-trusted code into a web application more safely. We have implemented a prototype of this model based upon the Java Servlet framework and used it to build a webmail application. Our experience with this example suggests that the approach is viable and helpful in establishing reviewable, application-specific security properties.
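The abstract describes components that receive only explicitly granted privileges through interfaces, rather than ambient authority. The following is an added illustration, not code from the paper or its prototype, written in plain Java to show the object-capability pattern the paper's Joe-E-based framework enforces: the trusted core mints a capability scoped to one user's mailbox, and a less-trusted component receives only an attenuated read-only facet of it. All class and method names (MailStore, Mailbox, ReadOnlyFacet, PreviewComponent) are assumptions made for this example, and request authentication is assumed to have already happened in the framework.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Full authority over one user's mail: read and delete.
interface Mailbox {
    List<String> listMessages();
    String read(int id);
    void delete(int id);
}

// Attenuated capability: the read-only facet handed to less-trusted code.
interface ReadOnlyMailbox {
    List<String> listMessages();
    String read(int id);
}

// Trusted core (framework side). Holds every user's mail. Only the request
// dispatcher holds a reference to it, so no component can reach other users' mail.
final class MailStore {
    private final Map<String, List<String>> byUser = new HashMap<>();

    void deliver(String user, String body) {
        byUser.computeIfAbsent(user, u -> new ArrayList<>()).add(body);
    }

    // Mint a capability scoped to exactly one user's mailbox.
    Mailbox mailboxFor(final String user) {
        final List<String> msgs = byUser.computeIfAbsent(user, u -> new ArrayList<>());
        return new Mailbox() {
            public List<String> listMessages() { return Collections.unmodifiableList(msgs); }
            public String read(int id) { return msgs.get(id); }
            public void delete(int id) { msgs.remove(id); }
        };
    }
}

// Attenuation: forwards only the read methods; the delete authority is unreachable
// through this object.
final class ReadOnlyFacet implements ReadOnlyMailbox {
    private final Mailbox full;
    ReadOnlyFacet(Mailbox full) { this.full = full; }
    public List<String> listMessages() { return full.listMessages(); }
    public String read(int id) { return full.read(id); }
}

// A hypothetical third-party component. Under object-capability rules it keeps no
// static mutable state and has no ambient authority; the only thing it can act on
// is the capability passed to its constructor.
final class PreviewComponent {
    private final ReadOnlyMailbox inbox;
    PreviewComponent(ReadOnlyMailbox inbox) { this.inbox = inbox; }

    String preview(int id) {
        String body = inbox.read(id);
        return body.length() > 20 ? body.substring(0, 20) + "..." : body;
    }
}

public class CapabilityWebmailDemo {
    public static void main(String[] args) {
        MailStore store = new MailStore();
        // Constructed sample data for the example.
        store.deliver("alice", "Quarterly numbers attached, please review before Friday.");
        store.deliver("bob", "Lunch tomorrow?");

        // The framework has authenticated the request as alice (assumed) and mints a
        // mailbox capability for that user only.
        Mailbox aliceBox = store.mailboxFor("alice");

        // Only the attenuated facet crosses into the less-trusted component.
        PreviewComponent preview = new PreviewComponent(new ReadOnlyFacet(aliceBox));
        System.out.println(preview.preview(0));

        // PreviewComponent holds no reference to store or to bob's mailbox, and the
        // interface it holds has no delete method, so those actions cannot be
        // expressed in its code. A reviewer checks the constructor signature and
        // the absence of ambient authority rather than auditing every call site.
    }
}
```

The reviewable property is structural: the set of things PreviewComponent can do is bounded by the type of the single reference it is given, and that reference is minted by the trusted core per request. In the paper's setting the object-capability language (Joe-E) is what guarantees the component has no other route to authority; in plain Java, statics, reflection and System-level APIs would have to be taken away separately for the argument to hold.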
Index Terms
- Fine-grained privilege separation for web applications