Practical information flow for legacy web applications

Authors: Georgios Chinis, Polyvios Pratikakis, Sotiris Ioannidis, Elias Athanasopoulos

DOI: 10.1145/2491404.2491410

Keywords:

Abstract: The popularity of web applications, coupled with the data they operate on, makes them prime targets for hackers that want to misuse them. To make matters worse, a lot of these applications have not been implemented with security in mind, while refactoring an existing, large application to implement a security or privacy policy is prohibitively difficult. This paper presents LabelFlow, an extension of PHP that simplifies the implementation of security policies in web applications. To enforce a policy, LabelFlow tracks the propagation of information throughout the application, transparently and efficiently, both at runtime and through persistent storage. We provide strong theoretical guarantees for the enforcement of LabelFlow; we define its semantics in a simple calculus and prove that it protects against leaks. We used LabelFlow to add access control to three popular real-world, large-scale applications: MediaWiki, Wordpress and OpenCart. LabelFlow requires minimal code changes of 50--100 lines per application, incurring little execution overhead, up to 5.6% at worst.

References (29)
R. Sekar. An Efficient Black-box Technique for Defeating Web Application Attacks. Network and Distributed System Security Symposium (NDSS), 2009.
Nikhil Swamy, Juan Chen, Ravi Chugh. Enforcing Stateful Authorization and Information Flow Policies in Fine. European Symposium on Programming (ESOP), pp. 529-549, 2010. DOI: 10.1007/978-3-642-11957-6_28
Engin Kirda, Christopher Krügel, Nenad Jovanovic, Giovanni Vigna, Philipp Vogt, Florian Nentwich. Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis. Network and Distributed System Security Symposium (NDSS), 2007.
V. Benjamin Livshits, Monica S. Lam. Finding Security Vulnerabilities in Java Applications with Static Analysis. USENIX Security Symposium, 2005.
Anh Nguyen-Tuong, Salvatore Guarnieri, Doug Greene, Jeff Shirley, David Evans. Automatically Hardening Web Applications Using Precise Tainting. Information Security Conference, pp. 295-307, 2004. DOI: 10.1007/0-387-25660-1_20
Yacin Nadji, Prateek Saxena, Dawn Song. Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense. Network and Distributed System Security Symposium (NDSS), 2009.
Dan Boneh, David Brumley. Remote Timing Attacks Are Practical. USENIX Security Symposium, 2003.
Sandeep Bhatkar, R. Sekar, Wei Xu. Taint-Enhanced Policy Enforcement: A Practical Approach to Defeat a Wide Range of Attacks. USENIX Security Symposium, 2006.
Steve Zdancewic, Andrew C. Myers. Secure Information Flow and CPS. European Symposium on Programming (ESOP), pp. 46-61, 2001. DOI: 10.1007/3-540-45309-1_4
Erik Bosman, Asia Slowinska, Herbert Bos. Minemu: The World's Fastest Taint Tracker. Lecture Notes in Computer Science, pp. 1-20, 2011. DOI: 10.1007/978-3-642-23644-0_1