Team for Research in
Ubiquitous Secure Technology

Secure Web Applications via Automatic Partitioning
S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, X. Zheng

Citation
S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, X. Zheng. "Secure Web Applications via Automatic Partitioning". Proceedings of the 21st ACM Symposium on Operating Systems Principles, 31-44, October, 2007.

Abstract
Swift is a new, principled approach to building web applications that are secure by construction. In modern web applications, some application functionality is usually implemented as client-side code written in JavaScript. Moving code and data to the client can create security vulnerabilities, but currently there are no good methods for deciding when it is secure to do so. Swift automatically partitions application code while providing assurance that the resulting placement is secure and efficient. Application code is written as Java-like code annotated with information flow policies that specify the confidentiality and integrity of web application information. The compiler uses these policies to automatically partition the program into JavaScript code running in the browser, and Java code running on the server. To improve interactive performance, code and data are placed on the client side. However, security-critical code and data are always placed on the server. Code and data can also be replicated across the client and server, to obtain both security and performance. A max-flow algorithm is used to place code and data in a way that minimizes client–server communication.

Electronic downloads

Citation formats  
  • HTML
    S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng,
    X. Zheng. <a
    href="http://www.truststc.org/pubs/452.html"
    >Secure Web Applications via Automatic
    Partitioning</a>, Proceedings of the 21st ACM
    Symposium on Operating Systems Principles, 31-44, October,
    2007.
  • Plain text
    S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng,
    X. Zheng. "Secure Web Applications via Automatic
    Partitioning". Proceedings of the 21st ACM Symposium on
    Operating Systems Principles, 31-44, October, 2007.
  • BibTeX
    @inproceedings{ChongLiuMyersQiVikramZhengZheng07_SecureWebApplicationsViaAutomaticPartitioning,
        author = {S. Chong and J. Liu and A. C. Myers and X. Qi and
                  K. Vikram and L. Zheng and X. Zheng},
        title = {Secure Web Applications via Automatic Partitioning},
        booktitle = {Proceedings of the 21st ACM Symposium on Operating
                  Systems Principles},
        pages = {31-44},
        month = {October},
        year = {2007},
        abstract = {Swift is a new, principled approach to building
                  web applications that are secure by construction.
                  In modern web applications, some application
                  functionality is usually implemented as
                  client-side code written in JavaScript. Moving
                  code and data to the client can create security
                  vulnerabilities, but currently there are no good
                  methods for deciding when it is secure to do so.
                  Swift automatically partitions application code
                  while providing assurance that the resulting
                  placement is secure and efficient. Application
                  code is written as Java-like code annotated with
                  information flow policies that specify the
                  confidentiality and integrity of web application
                  information. The compiler uses these policies to
                  automatically partition the program into
                  JavaScript code running in the browser, and Java
                  code running on the server. To improve interactive
                  performance, code and data are placed on the
                  client side. However, security-critical code and
                  data are always placed on the server. Code and
                  data can also be replicated across the client and
                  server, to obtain both security and performance. A
                  max-flow algorithm is used to place code and data
                  in a way that minimizes client–server
                  communication.},
        URL = {http://www.truststc.org/pubs/452.html}
    }
    

Posted by Andrew C. Myers, Ph.D. on 22 Aug 2008.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.