article review secure web application via automatic
play

Article review: Secure web application via automatic partitioning - PowerPoint PPT Presentation

Aug 02, 2023 •163 likes •450 views

1 of 24 slides Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, and Xin Zheng; 2007 Department of Computer Science Cornell University Ivan Hristov

  1. 1 of 24 slides Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, and Xin Zheng; 2007 Department of Computer Science Cornell University Ivan Hristov Computational Engineering Dresden University of Technology 20.05.2008 iv.hristov@yahoo.com Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  2. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 2 of 24 slides Part I Introduction Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  3. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 3 of 24 slides Motivation Problem How can one easily create ... ... secure web applications? ... a dynamic, responsive user interface? ... both? Solution By using Swift! Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  4. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 4 of 24 slides Web Programming Increased responsiveness? Some code and data on the client side. The problem Security vulnerabilities: confidentiality integrity explicit/implicit information flow Solution right placement automation correctness Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  5. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 5 of 24 slides Overview Swift Aspects secure by construction - annotations based paradigm easy to write - less awkwardness aids the programmer - automatic protocol and code generation Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  6. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 6 of 24 slides Swift Architecture Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  7. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 7 of 24 slides Basic step 1st step: Jif Source Code Labels - information security policies Static check - label consistency check 2nd step: WebIL Annotations for placement 3rd step: WebIL optimization Decision of exact placement Code and data replication Placement cost minimization 4th step: Source Code Splitting Divide the original Java program into two Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  8. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 7 of 24 slides Basic step 1st step: Jif Source Code Labels - information security policies Static check - label consistency check 2nd step: WebIL Annotations for placement 3rd step: WebIL optimization Decision of exact placement Code and data replication Placement cost minimization 4th step: Source Code Splitting Divide the original Java program into two Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  9. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 7 of 24 slides Basic step 1st step: Jif Source Code Labels - information security policies Static check - label consistency check 2nd step: WebIL Annotations for placement 3rd step: WebIL optimization Decision of exact placement Code and data replication Placement cost minimization 4th step: Source Code Splitting Divide the original Java program into two Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  10. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 7 of 24 slides Basic step 1st step: Jif Source Code Labels - information security policies Static check - label consistency check 2nd step: WebIL Annotations for placement 3rd step: WebIL optimization Decision of exact placement Code and data replication Placement cost minimization 4th step: Source Code Splitting Divide the original Java program into two Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  11. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 8 of 24 slides Things to remember Additional step: Java to JavaScript Client side transformation Client side code and data Implementation of UI Faster interaction and higher responsiveness Information flow Should be strictly controlled Functionality replication Responsiveness Security reasons Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  12. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 9 of 24 slides Labels, principals, flows Labels - set of security policies - confidentiality : alice → bob - integrity : alice ← bob Implicit flows int { alice → bob, alice; bob ← alice } y; int { bob → bob } x; int { alice → bob; bob ← alice } z; if (x == 0) { z = y; explicit information flow } NOTE! Implicit flow: from x to z Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  13. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 10 of 24 slides Acts for relationship Principals Server (*) - maximally trusted Client (client) - untrusted Acts for examples * acts for client client acts for bob and/or alice Problem Role misconfusion (object schizophrenia) Solution Static variables must not reference directly or indirectly the principle client! Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  14. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 10 of 24 slides Acts for relationship Principals Server (*) - maximally trusted Client (client) - untrusted Acts for examples * acts for client client acts for bob and/or alice Problem Role misconfusion (object schizophrenia) Solution Static variables must not reference directly or indirectly the principle client! Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  15. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 11 of 24 slides Type of labels Method labels begin label end label ... 15 void makeGuess { * → client } (Integer { * → client } num) 16 where authority(*), endorse( { * ← * } ) 17 throws NullPointerException 18 { ... 39 } no end label needed in this case ... Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  16. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 12 of 24 slides Type of labels Endorsement labels Usage: Prevention of untrusted access to trusted variables. Example - checked endorsement ... 19 int i = 0; 20 if (num ! = null) i = num.intValue(); 21 endorse (i, { * ← client } to { * ← * } ) 22 if (i > = 1 && i < = 10) { endorsement succeeds, ’i’ is endorsed ... 23 if (tries > 0 && i == secret) { ... 25 tries = 0; ... and tries can be accessed! ... 27 } Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  17. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 13 of 24 slides Type of labels Declassify labels Usage: To allow updates over trusted variables and/or explicit information flow Example - declassify statement body 24 declassify ( { * → * } to { * → client } ) { 25 tries = 0; 26 finishApp(”You win!”); 27 } Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

  18. Motivation and Overview Architecture Programming process Transformation process The Swift runtime Evaluation 14 of 24 slides Type of labels Inheritance labels Usage: To control inheritance. Example - authority and auto-endorse ... 15 void makeGuess { * → client } (Integer { * → client } num) 16 where authority(*), endorse( { * ← * } ) 17 throws NullPointerException 18 { ... 39 } ... Other labels robust declassification - Usage: To control declassification. Article review: Secure web application via automatic partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Article 123(2) EPC &quot;The European patent application ... may not be amended in such a way

Article 123(2) EPC &quot;The European patent application ... may not be amended in such a way

US Bar EPO Liaison Council 29th Annual Meeting Munich, 18 October 2013 5. EPO practice issues B. Article 123 EPC and support in the description Article 123(2) EPC &quot;The European patent application ... may not be amended in such a way that

214 views • 3 slides
An apparatus for the automatic presentation of color and form1 Article in Journal of the

An apparatus for the automatic presentation of color and form1 Article in Journal of the

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/247857471 An apparatus for the automatic presentation of color and form1 Article in Journal of the Experimental Analysis of Behavior

464 views • 3 slides
Systematic Reviews Application &amp; Importance Payam Kabiri, MD. PhD. Clinical Epidemiologist

Systematic Reviews Application &amp; Importance Payam Kabiri, MD. PhD. Clinical Epidemiologist

Systematic Reviews Application &amp; Importance Payam Kabiri, MD. PhD. Clinical Epidemiologist Types of Medical Articles Original Article Review Article Case Reports Editorial Short Communication (short papers) Letter to

972 views • 72 slides
Title of an article [16 pt] Introduction [14 pt] Text. Text. Text. Text. Text. Text. Text. Text.

Title of an article [16 pt] Introduction [14 pt] Text. Text. Text. Text. Text. Text. Text. Text.

REQUIREMENTS FOR POSTER PRESENTATION 1. Volume of poster presentation (or Article) from 4 to 10 pages (A4 format). Please submit an electronic version by email. Along with the article must be submitted a review of a scientist . A review

71 views • 3 slides
AATO CONSTITUTION 1 Article of the Constitution Article 6 The Council Article 1

AATO CONSTITUTION 1 Article of the Constitution Article 6 The Council Article 1

Association of African Aviation Training Organizations (AATO) Abuja, Nigeria 10-12 April 2013 AATO CONSTITUTION 1 Article of the Constitution Article 6 The Council Article 1 Establishment Article 7 The Secretariat Article 2

872 views • 18 slides
SAMHSA GRANT REVIEW THE MYSTERY OF REVIEW REVEALED TENETS OF REVIEW Each application must

SAMHSA GRANT REVIEW THE MYSTERY OF REVIEW REVEALED TENETS OF REVIEW Each application must

SAMHSA GRANT REVIEW THE MYSTERY OF REVIEW REVEALED TENETS OF REVIEW Each application must receive a thorough and impartial peer review Each application is considered and scored only in accordance with the Funding Announcements

686 views • 25 slides
UOIT Third Year Review 1 3 rd Year Review ! Article 19 of the Collective Agreement Give

UOIT Third Year Review 1 3 rd Year Review ! Article 19 of the Collective Agreement Give

UOIT%Faculty%Associa1on%3%Third%Year%Review% 16305311% Workshop%2016% UOIT Third Year Review 1 3 rd Year Review ! Article 19 of the Collective Agreement Give feedback and advice to tenure- stream Faculty Members at the rank of Assistant

439 views • 11 slides
OperationCheckpoint: SDN Application Control Workshop on Secure Network Protocols (NPSec14) 19

OperationCheckpoint: SDN Application Control Workshop on Secure Network Protocols (NPSec14) 19

OperationCheckpoint: SDN Application Control Workshop on Secure Network Protocols (NPSec14) 19 October 2014 Sandra Scott-Hayward, Christopher Kane and Sakir Sezer s.scott-hayward@qub.ac.uk Centre for Secure Information Technologies (CSIT)

359 views • 20 slides
A Fully Parallel DNN Implementation and its Application to Automatic Modulation Classification

A Fully Parallel DNN Implementation and its Application to Automatic Modulation Classification

A Fully Parallel DNN Implementation and its Application to Automatic Modulation Classification Philip Leong | Computer Engineering Laboratory School of Electrical and Information Engineering, The University of Sydney http://phwl.org/talks

476 views • 23 slides
Automatic localization of tombs in aerial imagery: application to the digital archiving of

Automatic localization of tombs in aerial imagery: application to the digital archiving of

Automatic localization of tombs in aerial imagery: application to the digital archiving of cemetery heritage M. Chaumont 1 , 2 , L. Tribouillard 2 , G. Subsol 2 , F. Courtade 2 , J. Pasquet 2 , M. Derras 3 (1) University of N mes, France (2)

418 views • 12 slides
FLEECEmax The Automatic Felt Application Machine with cutback from KMF www.kmf.at 1 -

FLEECEmax The Automatic Felt Application Machine with cutback from KMF www.kmf.at 1 -

- engineering your visions - FLEECEmax The Automatic Felt Application Machine with cutback from KMF www.kmf.at 1 - engineering your visions - Facts and Figures Established 1874 Production area 12.000m 2 5th generation family run

697 views • 13 slides
Secure application development with AOP Nils Durner &lt;ndurner@web.de&gt; 1 Outline of the

Secure application development with AOP Nils Durner &lt;ndurner@web.de&gt; 1 Outline of the

Secure application development with AOP Nils Durner &lt;ndurner@web.de&gt; 1 Outline of the talk Introduction to Aspect Oriented Programming Examples for uses of AOP for security AOP &amp; Memory safety Future work 2 What is

870 views • 59 slides
AUTOMATIC BUSINESS ATTRIBUTE LABELING FROM YELP REVIEWS : A MACHINE LEARNING APPLICATION by

AUTOMATIC BUSINESS ATTRIBUTE LABELING FROM YELP REVIEWS : A MACHINE LEARNING APPLICATION by

AUTOMATIC BUSINESS ATTRIBUTE LABELING FROM YELP REVIEWS : A MACHINE LEARNING APPLICATION by Michael Iannelli and Ephraim Rosenfeld Search Engine Architecture(CSCI-GA 3033-006 - Spring 2017) Courant Institute of Mathematical Sciences

141 views • 11 slides
Transactional Consistency and Automatic Management in an Application Data Cache Dan Ports Austin

Transactional Consistency and Automatic Management in an Application Data Cache Dan Ports Austin

Transactional Consistency and Automatic Management in an Application Data Cache Dan Ports Austin Clements Irene Zhang Samuel Madden Barbara Liskov MIT CSAIL Tuesday, October 5, 2010 Modern web applications face immense scaling challenges

1.01k views • 62 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research &amp; Boston University y Michael Schapira

701 views • 54 slides
Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day David Harper Practice Principal Fortify on Demand #MicroFocusCyberSummit Agenda The Application Security Problem Security Gate Secure DevOps

37.39k views • 30 slides
Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development

Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development

Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development Many different platforms: Android, IPhone, Symbian, Windows Phone/ Mobile, MeeGo (only a few of them) Reasons for mobile web development

435 views • 31 slides
VERB Web App / Framework View, Edit, and Run (your code) in the Browser An IDE Companion Remote

VERB Web App / Framework View, Edit, and Run (your code) in the Browser An IDE Companion Remote

VERB Web App / Framework View, Edit, and Run (your code) in the Browser An IDE Companion Remote Mobile Lightweight Quick Fully-Featured Text Editor Possible Features SCM Integration Sharing ... Kellen Donohue (kellend@{cs,uw}) , Zach

380 views • 3 slides
MODERN WEB APPLICATION DEVELOPMENT WORKFLOW FIRST, LETS LOOK AT THE PAST THROW A BUNCH OF

MODERN WEB APPLICATION DEVELOPMENT WORKFLOW FIRST, LETS LOOK AT THE PAST THROW A BUNCH OF

MODERN WEB APPLICATION DEVELOPMENT WORKFLOW FIRST, LETS LOOK AT THE PAST THROW A BUNCH OF HTML FILES THROW A BUNCH OF HTML FILES ADD A COUPLE OF CSS FILES THROW A BUNCH OF HTML FILES ADD A COUPLE OF CSS FILES PUT SOME JAVASCRIPT IN ALL THIS

1.97k views • 147 slides
Seaside: An Innovative Web Application Framework Damien Cassou, Stphane Ducasse and Luc

Seaside: An Innovative Web Application Framework Damien Cassou, Stphane Ducasse and Luc

Seaside: An Innovative Web Application Framework Damien Cassou, Stphane Ducasse and Luc Fabresse W4S08 http://www.pharo.org Seaside A powerful, innovative and flexible framework Dedicated to build complex Web applications Live

363 views • 24 slides
Health and Safety Grant Program Febru ruar ary 26, 20 , 2020 AGENDA ENDA Introductions

Health and Safety Grant Program Febru ruar ary 26, 20 , 2020 AGENDA ENDA Introductions

Proposition 64 Public Health and Safety Grant Program Febru ruar ary 26, 20 , 2020 AGENDA ENDA Introductions Overview of the BSCC and the Executive Steering Committee (ESC) Grant Summary &amp; Instructions Applicant

934 views • 45 slides
W3C Web of Things Plugfest Security Review Michael McCool W3C WoT WG Security and Privacy TF

W3C Web of Things Plugfest Security Review Michael McCool W3C WoT WG Security and Privacy TF

W3C Web of Things Plugfest Security Review Michael McCool W3C WoT WG Security and Privacy TF Bundang, July 2018 Outline Who tried what Intel, Panasonic, Smart Things, Siemens, EURECOM, others? HTTPS (direct and via proxy), Auth

109 views • 10 slides
USING VBA REFERENCING WHOAREWE Aviv Grafi Amit Dori CEO, Votiro Security Researcher, Votiro

USING VBA REFERENCING WHOAREWE Aviv Grafi Amit Dori CEO, Votiro Security Researcher, Votiro

REFERENCE THIS: SANDBOX EVASION USING VBA REFERENCING WHOAREWE Aviv Grafi Amit Dori CEO, Votiro Security Researcher, Votiro Graduate of Israeli Army s elite 28 years old from Tel-Aviv. 8200 intelligence unit. BSC in

1.05k views • 45 slides
Privacy-Enhanced Sharing of Personal Content on the Web Mohammad Mannan and P . C. van Oorschot

Privacy-Enhanced Sharing of Personal Content on the Web Mohammad Mannan and P . C. van Oorschot

IMPECS WWW Presentation- April 24, 2008 Privacy-Enhanced Sharing of Personal Content on the Web Mohammad Mannan and P . C. van Oorschot Carleton University, Canada M. Mannan April 24, 2008 1 IMPECS The need for sharing is real People

422 views • 19 slides

More recommend