End-to-end web application security

Authors: Úlfar Erlingsson, Yinglian Xie, Benjamin Livshits

Abstract: Web applications are important, ubiquitous distributed systems whose current security relies primarily on server-side mechanisms. This paper makes the end-to-end argument that the client and server must collaborate to achieve security goals, to eliminate common security exploits, and to secure the emerging class of rich, cross-domain Web applications referred to as Web 2.0. In order to support end-to-end security, Web clients must be enhanced. We introduce Mutation-Event Transforms: an easy-to-use client-side mechanism that can enforce even fine-grained, application-specific security policies, and whose implementation requires only straightforward changes to existing Web browsers. We give numerous examples of attractive, new security policies that demonstrate the advantages of end-to-end application security and of our proposed mechanism.
