Type

Text

Type

Dissertation

Advisor

Sekar, R. | Stoller, Scott | Nikiforakis, Nikolaos | Robertson, William E..

Date

2016-12-01

Keywords

Computer science | Cross-Site Request Forgery, Cross-Site Scripting, Information-Flow Control, Security, Spreadsheet, Web Application

Department

Department of Computer Science

Language

en_US

Source

This work is sponsored by the Stony Brook University Graduate School in compliance with the requirements for completion of degree.

Identifier

http://hdl.handle.net/11401/77246

Publisher

The Graduate School, Stony Brook University: Stony Brook, NY.

Format

application/pdf

Abstract

Over the past decade, web application vulnerabilities have become far more common than vulnerabilities in conventional applications. To mitigate them, we approach the problem from two extremes: one that requires no changes to existing applications but is limited to a few well-defined vulnerability classes, and the second that provides a comprehensive solution but requires a re-thinking of web applications. Our first approach mitigates specific vulnerabilities using policies that do not depend on the application logic, and thus require no developer involvement or effort. We target two of the most common high-profile vulnerabilities, namely, cross-site scripting (XSS) and cross-site request forgery (CSRF). The solutions we have developed are very effective, efficient, and represent significant advances over previous research in these area. Unfortunately, some of the more subtle and complex vulnerabilities arise due to a lack of specification of security policies, and due to the ad-hoc way in which they are enforced within application code. We therefore propose a new way to develop web applications that separates and decouples security policy from application logic. Our proposal, called WebSheets, provides a simple and intuitive language for policy specification, based on the familiar spreadsheet paradigm. A spreadsheet model is natural because web applications typically operate on tabular data. As a result, we show that the logic of many simple web applications is nothing more than a specification of security policies, and hence a WebSheet security specification is all that is needed to realize them. This dissertation presents the WebSheet model, and describes proposed work aimed at developing and implementing the model, and demonstrating its ability to secure a range of significant web applications. | 162 pages

Download

Share

COinS
 
 

To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.