Micro-policies for Web Session Security

2016 IEEE 29th Computer Security Foundations Symposium (CSF) Pub Date : 2016-06-01 DOI:10.1109/CSF.2016.20

Stefano Calzavara, R. Focardi, Niklas Grimm, Matteo Maffei

{"title":"Micro-policies for Web Session Security","authors":"Stefano Calzavara, R. Focardi, Niklas Grimm, Matteo Maffei","doi":"10.1109/CSF.2016.20","DOIUrl":null,"url":null,"abstract":"Micro-policies, originally proposed to implement hardware-level security monitors, constitute a flexible and general enforcement technique, based on assigning security tags to system components and taking security actions based on dynamic checks over these tags. In this paper, we present the first application of micro-policies to web security, by proposing a core browser model supporting them and studying its effectiveness at securing web sessions. In our view, web session security requirements are expressed in terms of a simple, declarative information flow policy, which is then automatically translated into a micro-policy enforcing it. This leads to a browser-side enforcement mechanism which is elegant, sound and flexible, while being accessible to web developers. We show how a large class of attacks against web sessions can be uniformly and effectively prevented by the adoption of this approach. We also develop a proof-of-concept implementation of a significant core of our proposal as a Google Chrome extension, Michrome: our experiments show that Michrome can be easily configured to enforce strong security policies without breaking the functionality of websites.","PeriodicalId":6500,"journal":{"name":"2016 IEEE 29th Computer Security Foundations Symposium (CSF)","volume":"25 1","pages":"179-193"},"PeriodicalIF":0.0000,"publicationDate":"2016-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 IEEE 29th Computer Security Foundations Symposium (CSF)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CSF.2016.20","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 12

Abstract

Micro-policies, originally proposed to implement hardware-level security monitors, constitute a flexible and general enforcement technique, based on assigning security tags to system components and taking security actions based on dynamic checks over these tags. In this paper, we present the first application of micro-policies to web security, by proposing a core browser model supporting them and studying its effectiveness at securing web sessions. In our view, web session security requirements are expressed in terms of a simple, declarative information flow policy, which is then automatically translated into a micro-policy enforcing it. This leads to a browser-side enforcement mechanism which is elegant, sound and flexible, while being accessible to web developers. We show how a large class of attacks against web sessions can be uniformly and effectively prevented by the adoption of this approach. We also develop a proof-of-concept implementation of a significant core of our proposal as a Google Chrome extension, Michrome: our experiments show that Michrome can be easily configured to enforce strong security policies without breaking the functionality of websites.

查看原文本刊更多论文

Web会话安全的微策略

微策略最初是为了实现硬件级安全监视器而提出的，它构成了一种灵活而通用的实施技术，其基础是为系统组件分配安全标签，并根据对这些标签的动态检查采取安全行动。在本文中，我们提出了微策略在网络安全中的第一个应用，提出了一个支持微策略的核心浏览器模型，并研究了微策略在保护网络会话方面的有效性。在我们看来，web会话安全需求是用简单的、声明性的信息流策略来表示的，然后该策略会自动转换为执行该策略的微策略。这就产生了一种优雅、健全和灵活的浏览器端强制机制，同时也便于web开发人员访问。我们展示了如何通过采用这种方法统一有效地阻止针对web会话的大量攻击。我们还开发了一个概念验证实现我们的提案的一个重要核心，作为谷歌Chrome扩展，microrome:我们的实验表明，microrome可以很容易地配置，以强制执行强大的安全策略，而不会破坏网站的功能。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2016 IEEE 29th Computer Security Foundations Symposium (CSF)

自引率

0.00%

发文量