- Author:
- Maxwell Norman Krohn,
- Advisers:
- Frans Kaashoek,
- Robert Morris,
- Eddie Kohler
Sometimes Web sites fail in the worst ways. They can reveal private data that can never be retracted. Or they can succumb to vandalism, and subsequently show corrupt data to users. Blame can fall on the off-the-shelf software that runs the site (e.g., the operating system, the application libraries, the Web server, etc.), but more frequently the custom application code is the guilty party. Unfortunately, the custom code behind many Web sites is difficult to secure and audit, due to large and rapidly-changing trusted computing bases (TCBs).
A promising approach to reducing TCBs for Web sites is decentralized information flow control. DIFC allows the split of a Web application into two types of components: those inside the TCB (trusted), and those without (untrusted). The untrusted components are large, change frequently, and do most of the computation. Even if buggy, they cannot move data contrary to security policy. Trusted components are much smaller, and configure the Web site's security policies. They need only change when the policy changes, and not when new features are introduced. Bugs in the trusted code can lead to compromise, but the trusted code is smaller and therefore easier to audit.
The drawback of DIFC, up to now, is that the approach requires a major shift in how programmers develop applications and thus remains inaccessible to programmers using today's proven programming abstractions. This thesis proposes a new DIFC system, Flume, that brings DIFC controls to the operating systems and programming languages in wide use today. Its key contributions are: (1) a simplified DIFC model with provable security guarantees; (2) a new primitive called endpoints that bridges the gap between the Flume DIFC model and standard operating systems interfaces; (3) an implementation at user-level on Linux; and (4) success in securing a popular preexisting Web application (MoinMoin Wiki). (Copies available exclusively from MIT Libraries, Rm. 14-0551, Cambridge, MA 02139-4307. Ph. 617-253-5668; Fax 617-253-1690.)
Cited By
Hunger C, Vilanova L, Papamanthou C, Etsion Y and Tiwari M (2018). DATS - Data Containers for Web Applications, ACM SIGPLAN Notices, 53:2, (722-736), Online publication date: 30-Nov-2018.- Hunger C, Vilanova L, Papamanthou C, Etsion Y and Tiwari M DATS - Data Containers for Web Applications Proceedings of the Twenty-Third International Conference on Architectural Support for Programming Languages and Operating Systems, (722-736)
Recommendations
Nonmalleable Information Flow Control
CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications SecurityNoninterference is a popular semantic security condition because it offers strong end-to-end guarantees, it is inherently compositional, and it can be enforced using a simple security type system. Unfortunately, it is too restrictive for real systems. ...
How to make web sites talk together: web service solution
WWW '05: Special interest tracks and posters of the 14th international conference on World Wide WebIntegrating web sites to provide more efficient services is a very promising way in the Internet. For example searching house for rent based on train system or preparing a holiday with several constrains such as hotel, air ticket, etc... From resource ...