Secure web applications via automatic partitioning

Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles Pub Date : 2007-10-14 DOI:10.1145/1294261.1294265

Stephen Chong, Jed Liu, A. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng

{"title":"Secure web applications via automatic partitioning","authors":"Stephen Chong, Jed Liu, A. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng","doi":"10.1145/1294261.1294265","DOIUrl":null,"url":null,"abstract":"Swift is a new, principled approach to building web applications that are secure by construction. In modern web applications, some application functionality is usually implemented as client-side code written in JavaScript. Moving code and data to the client can create security vulnerabilities, but currently there are no good methods for deciding when it is secure to do so. Swift automatically partitions application code while providing assurance that the resulting placement is secure and efficient. Application code is written as Java-like code annotated with information flow policies that specify the confidentiality and integrity of web application information. The compiler uses these policies to automatically partition the program into JavaScript code running in the browser, and Java code running on the server. To improve interactive performance, code and data are placed on the client side. However, security-critical code and data are always placed on the server. Code and data can also be replicated across the client and server, to obtain both security and performance. A max-flow algorithm is used to place code and data in a way that minimizes client-server communication.","PeriodicalId":20672,"journal":{"name":"Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2007-10-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"269","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1294261.1294265","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 269

Abstract

Swift is a new, principled approach to building web applications that are secure by construction. In modern web applications, some application functionality is usually implemented as client-side code written in JavaScript. Moving code and data to the client can create security vulnerabilities, but currently there are no good methods for deciding when it is secure to do so. Swift automatically partitions application code while providing assurance that the resulting placement is secure and efficient. Application code is written as Java-like code annotated with information flow policies that specify the confidentiality and integrity of web application information. The compiler uses these policies to automatically partition the program into JavaScript code running in the browser, and Java code running on the server. To improve interactive performance, code and data are placed on the client side. However, security-critical code and data are always placed on the server. Code and data can also be replicated across the client and server, to obtain both security and performance. A max-flow algorithm is used to place code and data in a way that minimizes client-server communication.

查看原文本刊更多论文

通过自动分区保护web应用程序

Swift是一种新的、有原则的方法，用于构建安全的web应用程序。在现代web应用程序中，一些应用程序功能通常是用JavaScript编写的客户端代码实现的。将代码和数据移动到客户机可能会产生安全漏洞，但是目前还没有好的方法来确定何时这样做是安全的。Swift自动分区应用程序代码，同时保证最终的放置是安全有效的。应用程序代码编写为类似java的代码，并使用指定web应用程序信息的机密性和完整性的信息流策略进行注释。编译器使用这些策略自动将程序划分为在浏览器中运行的JavaScript代码和在服务器上运行的Java代码。为了提高交互性能，代码和数据被放置在客户端。但是，安全关键代码和数据总是放在服务器上。还可以跨客户机和服务器复制代码和数据，以获得安全性和性能。最大流算法用于以最小化客户机-服务器通信的方式放置代码和数据。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles

自引率

0.00%

发文量

文献相关原料

公司名称	产品信息	采购帮参考价格