FlowWatcher: Defending against Data Disclosure Vulnerabilities in Web Applications

Authors: Divya Muthukumaran, Dan O'Keeffe, Christian Priebe, David Eyers, Brian Shand

DOI: 10.1145/2810103.2813639

Abstract: Bugs in the authorisation logic of web applications can expose the data of one user to another. Such data disclosure vulnerabilities are common: they can be caused by a single omitted access control check in the application. We make the observation that, while the implementation of the authorisation logic is complex and therefore error-prone, most web applications only use simple access control models, in which each piece of data is accessible by a user or a group of users. This makes it possible to validate the correct operation of the authorisation logic externally, based on the observed HTTP traffic from an application. We describe FlowWatcher, an HTTP proxy that mitigates data disclosure vulnerabilities in unmodified web applications. FlowWatcher monitors HTTP traffic and shadows part of the application's access control state based on a rule-based specification of the user-data-access (UDA) policy. The UDA policy states the intended data ownership and how it changes based on observed requests. FlowWatcher detects violations of the UDA policy by tracking data items that are likely to be unique across requests and responses of different users. We evaluate a prototype implementation of FlowWatcher as a plug-in for the Nginx reverse proxy and show that, with short UDA policies, it can mitigate CVE bugs in six popular web applications.
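The following is an added illustration of the mechanism the abstract describes, not the paper's own code or UDA policy syntax: a proxy-side shadow of data ownership is built from observed requests (a create rule with an optional grantee, modelling how ownership changes), and a response is flagged when a tracked, likely-unique data item is served to a user who is not an owner. The rule format, the `MIN_UNIQUE_LEN` threshold and the sample traffic are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

MIN_UNIQUE_LEN = 12  # assumption: shorter values are too common to be unique

@dataclass
class Rule:
    """One UDA policy rule (rule format is assumed, not the paper's syntax)."""
    method: str
    path: re.Pattern          # request path the rule applies to
    item_field: str           # form field whose value is the owned data item
    grantee_field: str = ""   # optional form field naming an extra owner

@dataclass
class Shadow:
    """Shadow of the application's data-ownership state, built from traffic."""
    rules: list
    owners: dict = field(default_factory=dict)  # data item -> set of owners

    def on_request(self, user, method, path, form):
        for r in self.rules:
            if r.method != method or not r.path.fullmatch(path):
                continue
            item = form.get(r.item_field, "")
            if len(item) < MIN_UNIQUE_LEN:
                continue          # not unique enough to track safely
            owners = self.owners.setdefault(item, set())
            owners.add(user)
            if r.grantee_field and form.get(r.grantee_field):
                owners.add(form[r.grantee_field])

    def on_response(self, user, body):
        """Tracked items present in a response to a user who is not an owner."""
        return sorted(item for item, owners in self.owners.items()
                      if user not in owners and item in body)

def run_demo():
    policy = [Rule("POST", re.compile(r"/messages"), "body", "recipient")]
    shadow = Shadow(policy)
    # Constructed traffic: alice messages bob; the app later serves the same
    # message to carol, the kind of disclosure bug the shadow state catches.
    shadow.on_request("alice", "POST", "/messages",
                      {"recipient": "bob", "body": "secret plan 0xA1B2C3D4"})
    ok = shadow.on_response("bob", "<li>secret plan 0xA1B2C3D4</li>")
    leak = shadow.on_response("carol", "<li>secret plan 0xA1B2C3D4</li>")
    return ok, leak
```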

References (31)
Christopher Kruegel, Viktoria Felmetsger, Ludovico Cavedon, Giovanni Vigna. Toward automated detection of logic vulnerabilities in web applications. USENIX Security Symposium, pp. 10-10 (2010).
Nick Feamster, Yogesh Mundada, Anirudh Ramachandran. Silverline: data and network isolation for cloud services. IEEE International Conference on Cloud Computing Technology and Science, pp. 13-13 (2011). DOI: 10.5555/2170444.2170457
R. Sekar. An Efficient Black-box Technique for Defeating Web Application Attacks. Network and Distributed System Security Symposium (2009).
Vasilis Pappas, Vasileios P. Kemerlis, Angeliki Zavou, Michalis Polychronakis, Angelos D. Keromytis. CloudFence: Data Flow Tracking as a Cloud Service. Recent Advances in Intrusion Detection, pp. 411-431 (2013). DOI: 10.1007/978-3-642-41284-4_21
Marco Cova, Davide Balzarotti, Viktoria Felmetsger, Giovanni Vigna. Swaddler: an approach for the anomaly-based detection of state violations in web applications. Recent Advances in Intrusion Detection, pp. 63-86 (2007). DOI: 10.1007/978-3-540-74320-0_4
Christos Kozyrakis, Nickolai Zeldovich, Michael Dalton. Nemesis: preventing authentication & access control vulnerabilities in web applications. USENIX Security Symposium, pp. 267-282 (2009).
Yuan Cheng, Jaehong Park, Ravi Sandhu. A user-to-user relationship-based access control model for online social networks. DBSec'12: Proceedings of the 26th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, pp. 8-24 (2012). DOI: 10.1007/978-3-642-31540-4_2
Davide Balzarotti, Marco Cova, Viktoria V. Felmetsger, Giovanni Vigna. Multi-module vulnerability analysis of web-based applications. ACM Conference on Computer and Communications Security, pp. 25-35 (2007). DOI: 10.1145/1315245.1315250
Prithvi Bisht, Timothy Hinrichs, Nazari Skrupsky, V. N. Venkatakrishnan. WAPTEC. Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11), pp. 575-586 (2011). DOI: 10.1145/2046707.2046774
Adam Doupé, Bryce Boe, Christopher Kruegel, Giovanni Vigna. Fear the EAR. Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS '11), pp. 251-262 (2011). DOI: 10.1145/2046707.2046736