Article

Towards a Formal Foundation of Web Security

Authors:

Dawn SongAuthors Info & Claims

CSF '10: Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium

Pages 290 - 304

https://doi.org/10.1109/CSF.2010.27

Published: 17 July 2010 Publication History

Publisher Site

Abstract

We propose a formal model of web security based on an abstraction of the web platform and use this model to analyze the security of several sample web mechanisms and applications. We identify three distinct threat models that can be used to analyze web applications, ranging from a web attacker who controls malicious web sites and clients, to stronger attackers who can control the network and/or leverage sites designed to display user-supplied content. We propose two broadly applicable security goals and study five security mechanisms. In our case studies, which include HTML5 forms, Referer validation, and a single sign-on solution, we use a SAT-based model-checking tool to find two previously known vulnerabilities and three new vulnerabilities. Our case study of a Kerberos-based single sign-on system illustrates the differences between a secure network protocol using custom client software and a similar but vulnerable web protocol that uses cookies, redirects, and embedded links instead.

Cited By

View all

Franken GVan Goethem TDesmet LJoosen WCalandrino JTroncoso C(2023)A bug's lifeProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620443(3673-3690)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620443
Jannett LMladenov VMainka CSchwenk JYin HStavrou ACremers CShi E(2022)DISTINCTProceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security10.1145/3548606.3560692(1553-1567)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3548606.3560692
Wang WHu YMcMillan KKhurshid SRoychoudhury ACadar CKim M(2022)SymMC: approximate model enumeration and counting using symmetry information for Alloy specificationsProceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3540250.3549161(1209-1220)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3540250.3549161
Show More Cited By

Index Terms

Towards a Formal Foundation of Web Security

Index terms have been assigned to the content through auto-classification.

Recommendations

Enhancing web browsing security
Web Security: A WhiteHat Perspective
Web browser security update effectiveness
CRITIS'09: Proceedings of the 4th international conference on Critical information infrastructures security

We analyze the effectiveness of different Web browser update mechanisms on various operating systems; from Google Chrome's silent update mechanism to Opera's update requiring a full re-installation. We use anonymized logs from Google's world wide ...

Comments

Information & Contributors

Information

Published In

CSF '10: Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium

July 2010

333 pages

ISBN:9780769540825

Publisher

IEEE Computer Society

United States

Publication History

Published: 17 July 2010

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

54
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 27 Jul 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Franken GVan Goethem TDesmet LJoosen WCalandrino JTroncoso C(2023)A bug's lifeProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620443(3673-3690)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620443
Jannett LMladenov VMainka CSchwenk JYin HStavrou ACremers CShi E(2022)DISTINCTProceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security10.1145/3548606.3560692(1553-1567)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3548606.3560692
Wang WHu YMcMillan KKhurshid SRoychoudhury ACadar CKim M(2022)SymMC: approximate model enumeration and counting using symmetry information for Alloy specificationsProceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3540250.3549161(1209-1220)Online publication date: 7-Nov-2022
https://dl.acm.org/doi/10.1145/3540250.3549161
Wichmann PBlochberger MFederrath H(2022)Web Cryptography API: Prevalence and Possible Developer MistakesProceedings of the 17th International Conference on Availability, Reliability and Security10.1145/3538969.3538977(1-10)Online publication date: 23-Aug-2022
https://dl.acm.org/doi/10.1145/3538969.3538977
Zheng GNguyen TBrida SRegis GAguirre NFrias MBagheri HRyu SSmaragdakis Y(2022)ATR: template-based repair for Alloy specificationsProceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3533767.3534369(666-677)Online publication date: 18-Jul-2022
https://dl.acm.org/doi/10.1145/3533767.3534369
Dyer TNelson TFisler KKrishnamurthi S(2022)Applying cognitive principles to model-finding output: the positive value of negative informationProceedings of the ACM on Programming Languages10.1145/35273236:OOPSLA1(1-29)Online publication date: 29-Apr-2022
https://dl.acm.org/doi/10.1145/3527323
Hantke FStock BBarakat CPelsser CBenson TChoffnes D(2022)HTML violations and where to find themProceedings of the 22nd ACM Internet Measurement Conference10.1145/3517745.3561437(358-373)Online publication date: 25-Oct-2022
https://dl.acm.org/doi/10.1145/3517745.3561437
Zhang CWagner ROrvalho PGarlan DManquinho VMartins RKang ESpinellis DGousios GChechik MDi Penta M(2021)AlloyMax: bringing maximum satisfaction to relational specificationsProceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering10.1145/3468264.3468587(155-167)Online publication date: 20-Aug-2021
https://dl.acm.org/doi/10.1145/3468264.3468587
Calzavara SJonker HKrumnow BRabitti A(2021)Measuring Web Session Security at ScaleComputers and Security10.1016/j.cose.2021.102472111:COnline publication date: 1-Dec-2021
https://dl.acm.org/doi/10.1016/j.cose.2021.102472
De Meo FViganò L(2020)A formal and automated approach to exploiting multi-stage attacks of web applicationsJournal of Computer Security10.3233/JCS-18126228:5(525-576)Online publication date: 1-Jan-2020
https://dl.acm.org/doi/10.3233/JCS-181262
Show More Cited By

Abstract

Cited By

Index Terms

Recommendations

Enhancing web browsing security

Web Security: A WhiteHat Perspective

Web browser security update effectiveness

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations