S. Chong, K. Vikram, A. C. Myers
Citation
S. Chong, K. Vikram, A. C. Myers. "SIF: Enforcing Confidentiality and Integrity in Web Applications". Proceedings of the 16th USENIX Security Symposium, 1-16, August, 2007.
Abstract
SIF (Servlet Information Flow) is a novel software framework for building high-assurance web applications, using language-based information-flow control to enforce security. Explicit, end-to-end confidentiality and integrity policies can be given either as compile-time program annotations, or as run-time user requirements. Compile-time and run-time checking efficiently enforce these policies. Information flow analysis is known to be useful against SQL injection and cross-site scripting, but SIF prevents inappropriate use of information more generally: the flow of confidential information to clients is controlled, as is the flow of low-integrity information from clients. Expressive policies allow users and application providers to protect information from one another.
SIF moves trust out of the web application, and into the framework and compiler. This provides application deployers with stronger security assurance.
Language-based information flow promises cheap, strong information security. But until now, it could not effectively enforce information security in highly dynamic applications. To build SIF, we developed new language features that make it possible to write realistic web applications. Increased assurance is obtained with modest enforcement overhead.
Electronic downloads
| Citation formats |
- HTML
S. Chong, K. Vikram, A. C. Myers. <a href="http://www.truststc.org/pubs/451.html" >SIF: Enforcing Confidentiality and Integrity in Web Applications</a>, Proceedings of the 16th USENIX Security Symposium, 1-16, August, 2007.
- Plain text
S. Chong, K. Vikram, A. C. Myers. "SIF: Enforcing Confidentiality and Integrity in Web Applications". Proceedings of the 16th USENIX Security Symposium, 1-16, August, 2007.
- BibTeX
@inproceedings{ChongVikramMyers07_SIFEnforcingConfidentialityIntegrityInWebApplications, author = {S. Chong and K. Vikram and A. C. Myers}, title = {SIF: Enforcing Confidentiality and Integrity in Web Applications}, booktitle = {Proceedings of the 16th USENIX Security Symposium}, pages = {1-16}, month = {August}, year = {2007}, abstract = {SIF (Servlet Information Flow) is a novel software framework for building high-assurance web applications, using language-based information-flow control to enforce security. Explicit, end-to-end confidentiality and integrity policies can be given either as compile-time program annotations, or as run-time user requirements. Compile-time and run-time checking efficiently enforce these policies. Information flow analysis is known to be useful against SQL injection and cross-site scripting, but SIF prevents inappropriate use of information more generally: the flow of confidential information to clients is controlled, as is the flow of low-integrity information from clients. Expressive policies allow users and application providers to protect information from one another. SIF moves trust out of the web application, and into the framework and compiler. This provides application deployers with stronger security assurance. Language-based information flow promises cheap, strong information security. But until now, it could not effectively enforce information security in highly dynamic applications. To build SIF, we developed new language features that make it possible to write realistic web applications. Increased assurance is obtained with modest enforcement overhead. }, URL = {http://www.truststc.org/pubs/451.html} }
Posted by Andrew C. Myers, Ph.D. on 22 Aug 2008.
For additional information, see the
Publications FAQ or
contact webmaster at www truststc org.
Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.