Secure Web Applications via Automatic Partitioning

Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng
Department of Computer Science, Cornell University
{schong,liujed,andru,qixin,kvikram,zlt,xinz}@cs.cornell.edu

Abstract

Swift is a new, principled approach to building web applications that are secure by construction. In modern web applications, some application functionality is usually implemented as client-side code written in JavaScript. Moving code and data to the client can create security vulnerabilities, but currently there are no good methods for deciding when it is secure to do so. Swift automatically partitions application code while providing assurance that the resulting placement is secure and efficient. Application code is written as Java-like code annotated with information flow policies that specify the confidentiality and integrity of web application information. The compiler uses these policies to automatically partition the program into JavaScript code running in the browser, and Java code running on the server. To improve interactive performance, code and data are placed on the client side. However, security-critical code and data are always placed on the server. Code and data can also be replicated across the client and server, to obtain both security and performance. A max-flow algorithm is used to place code and data in a way that minimizes client-server communication.

Categories and Subject Descriptors: D.4.6 [Security and Protection]: Information flow controls; D.3.3 [Language Constructs and Features]: Frameworks; I.2.2 [Automatic Programming]: Program transformation

General Terms: Security, Languages

Keywords: Information flow, security policies, compilers.

1. Introduction

Web applications are client-server applications in which a web browser provides the user interface. They are a critical part of our infrastructure, used for banking and financial management, email, online shopping and auctions, social networking, and much more. The security of information manipulated by these systems is crucial, and yet these systems are not being implemented with adequate security assurance. In fact, web applications are recently reported to comprise 69% of all Internet vulnerabilities [24]. The problem is that with current implementation methods, it is difficult...

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
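The abstract describes the placement step as a max-flow computation: security-critical code and data are forced onto the server, client-facing code onto the browser, and everything else lands wherever the client-server communication cost is lowest. The following is an added illustration of that idea, not code from the Swift project and not its actual algorithm: it reduces each statement to a single pin ("server", "client", or unpinned) instead of Swift's information-flow labels, ignores replication, and uses constructed message weights for a hypothetical password-check page. Pinned statements are tied to the source or sink with infinite capacity, dependency edges carry their communication weight, and the min cut recovered from Edmonds-Karp max flow is the placement.

```python
from collections import deque

INF = float("inf")


def max_flow_min_cut(capacity, source, sink):
    """Edmonds-Karp max flow on a dict-of-dicts capacity graph.

    Returns (flow_value, source_side) where source_side is the set of nodes
    still reachable from `source` in the residual graph, i.e. one side of a
    minimum cut.
    """
    nodes = set(capacity)
    for u in capacity:
        nodes.update(capacity[u])
    residual = {u: {} for u in nodes}
    for u in capacity:
        for v, c in capacity[u].items():
            residual[u][v] = residual[u].get(v, 0) + c
            residual[v].setdefault(u, 0)  # make the reverse edge addressable

    flow = 0
    while True:
        # BFS for a shortest augmenting path with spare capacity.
        parent = {source: None}
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v, c in residual[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            break
        # Bottleneck along the path, then push that much flow.
        bottleneck, v = INF, sink
        while parent[v] is not None:
            bottleneck = min(bottleneck, residual[parent[v]][v])
            v = parent[v]
        if bottleneck == INF:
            raise ValueError("a statement is pinned to both sides")
        v = sink
        while parent[v] is not None:
            u = parent[v]
            residual[u][v] -= bottleneck
            residual[v][u] += bottleneck
            v = u
        flow += bottleneck

    source_side = {u for u in residual if u in parent}  # reached by the last BFS
    return flow, source_side


def partition(statements, edges):
    """Place statements on server or client minimising cross-tier communication.

    statements: dict name -> "server" | "client" | None (None = free to move).
    edges: iterable of (a, b, weight) undirected dependencies with message cost.
    Returns (placement dict, total weight of edges crossing the tiers).
    """
    SERVER, CLIENT = "__server__", "__client__"  # sentinel source/sink nodes
    cap = {SERVER: {}, CLIENT: {}}
    for name, pin in statements.items():
        cap.setdefault(name, {})
        if pin == "server":
            cap[SERVER][name] = INF       # can never be cut away from the server
        elif pin == "client":
            cap[name][CLIENT] = INF       # can never be cut away from the client
        elif pin is not None:
            raise ValueError(f"unknown pin {pin!r} for {name}")
    for a, b, w in edges:
        if a not in statements or b not in statements:
            raise KeyError(f"edge {a}-{b} references an unknown statement")
        cap[a][b] = cap[a].get(b, 0) + w  # undirected: capacity in both directions
        cap[b][a] = cap[b].get(a, 0) + w
    cost, server_side = max_flow_min_cut(cap, SERVER, CLIENT)
    # Unpinned, unreachable statements default to the client, the cheaper tier.
    placement = {n: ("server" if n in server_side else "client") for n in statements}
    return placement, cost


def cut_edges(placement, edges):
    """Return the dependency edges that cross tiers and their total weight."""
    crossing = [(a, b, w) for a, b, w in edges if placement[a] != placement[b]]
    return crossing, sum(w for _, _, w in crossing)


# Constructed example: a hypothetical password-check page. Names and weights
# are made up for illustration; weights stand for messages per interaction.
EXAMPLE_STATEMENTS = {
    "render_form": "client",        # touches the DOM
    "read_input": "client",         # reads the form field
    "check_length": None,           # trivial validation, could live anywhere
    "verify_password": "server",    # compares against the secret hash
    "load_secret_hash": "server",   # confidential data, must stay server-side
    "show_result": "client",        # updates the page
}
EXAMPLE_EDGES = [
    ("render_form", "read_input", 2),
    ("read_input", "check_length", 3),
    ("check_length", "verify_password", 1),
    ("load_secret_hash", "verify_password", 5),
    ("verify_password", "show_result", 1),
]

if __name__ == "__main__":
    placement, cost = partition(EXAMPLE_STATEMENTS, EXAMPLE_EDGES)
    for name, tier in placement.items():
        print(f"{name:18} -> {tier}")
    print("cross-tier edges:", cut_edges(placement, EXAMPLE_EDGES)[0], "cost", cost)
```

With these weights the free `check_length` statement moves to the client, because cutting its single-message link to `verify_password` is cheaper than cutting its three-message link to `read_input`; raise the former weight above the latter and the same code pulls it back to the server. The confidential `load_secret_hash` never leaves the server regardless of weights, which is the "secure by construction" property the pins model.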