Enforcing Secure Data Sharing in Web Application Development Frameworks Like Django Through Information Flow Control

  • Conference paper
  • Information Systems Security (ICISS 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9478)

Abstract

The primary aim of web application development frameworks like Django is to provide a platform for developers to take applications from concept to launch as quickly as possible. While the Django framework provides hooks that help the developer avoid common security mistakes, there is no systematic way to assure compliance with a security policy while an application is being assembled from various components. In this paper, we show the security flaws that arise when different versions of an application package are considered, and then show how these mistakes, which arise from incorrect flow of information, can be overcome using the Readers-Writers Flow Model, which has the ability to manage the release and subsequent propagation of information.


Notes

  1. DBpatterns is a service that allows you to create, share, and explore database models on the web. It uses Django, Tastypie, Backbone and MongoDB.


Author information


Correspondence to N. V. Narendra Kumar.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Susheel, S., Narendra Kumar, N.V., Shyamasundar, R.K. (2015). Enforcing Secure Data Sharing in Web Application Development Frameworks Like Django Through Information Flow Control. In: Jajodia, S., Mazumdar, C. (eds) Information Systems Security. ICISS 2015. Lecture Notes in Computer Science, vol 9478. Springer, Cham. https://doi.org/10.1007/978-3-319-26961-0_34

  • DOI: https://doi.org/10.1007/978-3-319-26961-0_34

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26960-3

  • Online ISBN: 978-3-319-26961-0

  • eBook Packages: Computer Science (R0)
