Enforcing Secure Data Sharing in Web Application Development Frameworks Like Django Through Information Flow Control

  • S. Susheel
  • N. V. Narendra Kumar
  • R. K. Shyamasundar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9478)


The primary aim of web application development frameworks like Django is to provide a platform for developers to realize applications from concepts to launch as quickly as possible. While Django framework provides hooks that enable the developer to avoid the common security mistakes, there is no systematic way to assure compliance of a security policy while developing an application from various components. In this paper, we show the security flaws that arise by considering different versions of an application package and then show how, these mistakes that arise due to incorrect flow of information can be overcome using the Readers-Writers Flow Model that has the ability to manage the release and subsequent propagation of information.


Access Control Trojan Horse Access Control Policy Information Flow Control Discretionary Access Control 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
  2. 2.
  3. 3.
  4. 4.
  5. 5.
  6. 6.
    Microsoft office online.
  7. 7.
    Lampson, B.W.: Computer security in the real world. Computer 37(6), 37–46 (2004)CrossRefGoogle Scholar
  8. 8.
    Gruber, T.: Collective knowledge systems: where the social web meets the semantic web. Web Semant.: Sci. Serv. Agents World Wide Web 6, 4–13 (2008)CrossRefGoogle Scholar
  9. 9.
    Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. CACM 19(8), 461–471 (1976)CrossRefMATHGoogle Scholar
  10. 10.
    Ferraiolo, D., Kuhn, R.: Role-based access control. In: 15th NIST-NCSC, pp. 554–563 (1992)Google Scholar
  11. 11.
    Barkley, J., Cincotta, A., Ferraiolo, D., Gavrila, S., Kuhn, D.R.: Role based access control for the world wide web. In: 20th NCSC, pp. 331–340, April 1997Google Scholar
  12. 12.
    Kreizman, G.: Technology overview for externalized authorization management.
  13. 13.
    eXtensible access control markup language (XACML) version 3.0.
  14. 14.
    Murugesan, S.: Understanding web 2.0. IT Prof. 9(4), 34–41 (2007)CrossRefGoogle Scholar
  15. 15.
    Li, Z., Zhang, K., Wang, X.: Mash-IF: practical information-flow control within client-side mashups. In: IEEE/IFIP DSN (2010)Google Scholar
  16. 16.
    Ter Louw, M., Lim, J.S., Venkatakrishnan, V.N.: Enhancing web browser security against malware extensions. J. Comput. Virol. 4(3), 179–195 (2008)CrossRefGoogle Scholar
  17. 17.
    Magazinius, J., Askarov, A., Sabelfeld, A.: A lattice-based approach to mashup security. In: ACM 5th ASIACCS (2010)Google Scholar
  18. 18.
    De Ryck, P., Decat, M., Desmet, L., Piessens, F., Joosen, W.: Security of web mashups: a survey. In: Aura, T., Järvinen, K., Nyberg, K. (eds.) NordSec 2010. LNCS, vol. 7127, pp. 223–238. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  19. 19.
    Myers, A.C., Liskov, B.: A decentralized model for information flow control. In: ACM 16th SOSP, pp. 129–142 (1997)Google Scholar
  20. 20.
    Denning, D.E.: Cryptography and Data Security. Addison-Wesley, Reading (1982) MATHGoogle Scholar
  21. 21.
    Krohn, M., Yip, A., Brodsky, M., Cliffer, N., Frans Kaashoek, M., Kohler, E., Morris, R.: Information flow control for standard OS abstractions. In: ACM SIGOPS Operating Systems Review, vol. 41, no. 6, pp. 321–334. ACM (2007)Google Scholar
  22. 22.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003)CrossRefGoogle Scholar
  23. 23.
    Zdancewic, S.: Challenges for information-flow security. In: Proceedings of the 1st International Workshop on the Programming Language Interference and Dependence (PLID04) (2004)Google Scholar
  24. 24.
  25. 25.
  26. 26.
    Denning, D.E.: A lattice model of secure information flow. Commun. ACM 19(5), 236–243 (1976)CrossRefMATHMathSciNetGoogle Scholar
  27. 27.
    Narendra Kumar, N.V., Shyamasundar, R.K.: Realizing purpose-based privacy policies succinctly via information-flow labels. In: IEEE 4th BdCloud, pp. 753–760 (2014)Google Scholar
  28. 28.
    Narendra Kumar, N.V., Shyamasundar, R.K.: POSTER: dynamic labelling for analyzing security protocols. In: ACM 22nd CCS (2015)Google Scholar
  29. 29.
    Abadi, M.: Security protocols and their properties. In: Foundations of Secure Computation. NATO Science Series, pp. 39–60. IOS Press (2000)Google Scholar
  30. 30.
    Woo, T.Y.C., Lam, S.S.: A lesson on authentication protocol design. SIGOPS Oper. Syst. Rev. 28(3), 24–37 (1994)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • S. Susheel
    • 1
  • N. V. Narendra Kumar
    • 2
  • R. K. Shyamasundar
    • 3
  1. 1.P.E.S Institute of TechnologyBengaluruIndia
  2. 2.Tata Institute of Fundamental ResearchMumbaiIndia
  3. 3.Indian Institute of TechnologyMumbaiIndia

Personalised recommendations