Abstract
The Web plays a central role in our lives and has become an essential element of the computing infrastructure. With that prominence come the attacks: the Web is now criminals' preferred target, and web-based vulnerabilities outnumber traditional computer security concerns. Although many security solutions have been proposed to address the problems on the Web, few address the root cause of why web applications are so vulnerable to so many attacks. We believe that the Web's current access control models are fundamentally inadequate for the protection needs of today's Web and need to be redesigned. In this extended abstract, we explain our position and summarize our efforts in redesigning the Web's access control systems.
This work was supported by Award No. 1017771 from the US National Science Foundation.
© 2011 IFIP International Federation for Information Processing
Cite this paper
Du, W., Tan, X., Luo, T., Jayaraman, K., Zhu, Z. (2011). Re-designing the Web’s Access Control System. In: Li, Y. (eds) Data and Applications Security and Privacy XXV. DBSec 2011. Lecture Notes in Computer Science, vol 6818. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22348-8_2
DOI: https://doi.org/10.1007/978-3-642-22348-8_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22347-1
Online ISBN: 978-3-642-22348-8