Team for Research in
Ubiquitous Secure Technology

SIF: Enforcing Confidentiality and Integrity in Web Applications
S. Chong, K. Vikram, A. C. Myers

Citation
S. Chong, K. Vikram, A. C. Myers. "SIF: Enforcing Confidentiality and Integrity in Web Applications". Proceedings of the 16th USENIX Security Symposium, 1-16, August, 2007.

Abstract
SIF (Servlet Information Flow) is a novel software framework for building high-assurance web applications, using language-based information-flow control to enforce security. Explicit, end-to-end confidentiality and integrity policies can be given either as compile-time program annotations, or as run-time user requirements. Compile-time and run-time checking efficiently enforce these policies. Information flow analysis is known to be useful against SQL injection and cross-site scripting, but SIF prevents inappropriate use of information more generally: the flow of confidential information to clients is controlled, as is the flow of low-integrity information from clients. Expressive policies allow users and application providers to protect information from one another. SIF moves trust out of the web application, and into the framework and compiler. This provides application deployers with stronger security assurance. Language-based information flow promises cheap, strong information security. But until now, it could not effectively enforce information security in highly dynamic applications. To build SIF, we developed new language features that make it possible to write realistic web applications. Increased assurance is obtained with modest enforcement overhead.

Electronic downloads

Citation formats  
  • HTML
    S. Chong, K. Vikram, A. C. Myers. <a
    href="http://www.truststc.org/pubs/451.html"
    >SIF: Enforcing Confidentiality and Integrity in Web
    Applications</a>, Proceedings of the 16th USENIX
    Security Symposium, 1-16, August, 2007.
  • Plain text
    S. Chong, K. Vikram, A. C. Myers. "SIF: Enforcing
    Confidentiality and Integrity in Web Applications".
    Proceedings of the 16th USENIX Security Symposium, 1-16,
    August, 2007.
  • BibTeX
    @inproceedings{ChongVikramMyers07_SIFEnforcingConfidentialityIntegrityInWebApplications,
        author = {S. Chong and K. Vikram and A. C. Myers},
        title = {SIF: Enforcing Confidentiality and Integrity in
                  Web Applications},
        booktitle = {Proceedings of the 16th USENIX Security Symposium},
        pages = {1-16},
        month = {August},
        year = {2007},
        abstract = {SIF (Servlet Information Flow) is a novel software
                  framework for building high-assurance web
                  applications, using language-based
                  information-flow control to enforce security.
                  Explicit, end-to-end confidentiality and integrity
                  policies can be given either as compile-time
                  program annotations, or as run-time user
                  requirements. Compile-time and run-time checking
                  efficiently enforce these policies. Information
                  flow analysis is known to be useful against SQL
                  injection and cross-site scripting, but SIF
                  prevents inappropriate use of information more
                  generally: the flow of confidential information to
                  clients is controlled, as is the flow of
                  low-integrity information from clients. Expressive
                  policies allow users and application providers to
                  protect information from one another. SIF moves
                  trust out of the web application, and into the
                  framework and compiler. This provides application
                  deployers with stronger security assurance.
                  Language-based information flow promises cheap,
                  strong information security. But until now, it
                  could not effectively enforce information security
                  in highly dynamic applications. To build SIF, we
                  developed new language features that make it
                  possible to write realistic web applications.
                  Increased assurance is obtained with modest
                  enforcement overhead. },
        URL = {http://www.truststc.org/pubs/451.html}
    }
    

Posted by Andrew C. Myers, Ph.D. on 22 Aug 2008.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.