Ripley: Automatically securing web 2.0 applications through replicated execution

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2009, Pages 173-186

  Vikram, K ^a   Prateek, Abhishek ^b   Livshits, Benjamin ^c  

^a Cornell University ^*  (United States)

^b INDIAN INSTITUTE OF TECHNOLOGY DELHI   (India)

^c MICROSOFT RESEARCH   (United States)

Author keywords

Replication; Tier splitting; Web applications

Indexed keywords

APPLICATION DEVELOPERS; ASP.NET; DISTRIBUTED COMPUTATIONS; DISTRIBUTED WEB APPLICATION; FACEBOOK; GOOGLE MAPS; HOTMAIL; JAVASCRIPT; MULTI-TIER; RICH INTERNET APPLICATIONS; ROUND TRIP; USER ACTION; WEB 2.0 APPLICATIONS; WEB APPLICATION;

HIGH LEVEL LANGUAGES; NETWORK SECURITY; QUALITY ASSURANCE; WORLD WIDE WEB;

JAVA PROGRAMMING LANGUAGE;

EID: 74049104017     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1653662.1653685     Document Type: Conference Paper

References (59)

1. J. Allspaw. The Art of Capacity Planning: Scaling Web Resources. O'Reilly Media, 2008.
2. C. Anley. Advanced SQL injection in SQL server applications, 2002.
3. J. Boutelle. Bandwidth savings with AJAX. http://www.jonathanboutelle. com/mt/archives/2006/01/bandwidth-savin.html, Jan. 2006.
4. M. Castro and B. Liskov. Practical byzantine fault tolerance and proactive recovery. ACM Transactions on Computer Systems, 20(4):398-461, Nov. 2002.
5. CGI Security. The cross-site scripting FAQ. http://www.cgisecurity.net/ articles/xss-faq.shtml.
6. J.-D. Choi and H. Srinivasan. Deterministic replay of Java multithreaded applications. In Proceedings of the Symposium on Parallel and Distributed Tools, pages 48-59, Aug. 1998.
7. S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, and X. Zheng. Secure web applications via automatic partitioning. In Proceedings of the Symposium on Operating Systems Principles, pages 31-44, Oct. 2007.
8. S. Chong, K. Vikram, and A. C. Myers. Sif: enforcing confidentiality and integrity in Web applications. In Proceedings of USENIX Security Symposium, pages 1-16, Aug. 2007.
9. G. W. Dunlap, S. T. King, S. Cinar, M. A. Basrai, and P. M. Chen. Revirt: Enabling intrusion analysis through virtual-machine logging and replay. In In Proceedings of the Symposium on Operating Systems Design and Implementation, pages 211-224, Dec. 2002.
10. Ú. Erlingsson, B. Livshits, and Y. Xie. End-to-end Web application security. In Proceedings of the USENIX Workshop on Hot topics in operating systems, pages 1-6, May 2007.
11. Ezra Cooper and Sam Lindley and Philip Wadler and Jeremy Yallop. Links: Web Programming Without Tiers. In Formal Methods for Components and Objects, pages 266-296. Springer, Oct. 2007.
12. D. Flanagan. JavaScript: The Definitive Guide. O'Reilly, 4th edition, 2002.
13. S. Fogie, J. Grossman, R. Hansen, A. Rager, and P. D. Petkov. XSS Attacks: Cross Site Scripting Exploits and Defense. Syngress, 2007.
14. Google Gears. http://gears.google.com.
15. Google Web toolkit. http://code.google.com/webtoolkit.
16. A. Guha, S. Krishnamurthi, and T. Jim. Using static analysis for Ajax intrusion detection. In Proceedings of the International Conference on World Wide Web, pages 561-570, Apr. 2009.
17. V. Haldar, D. Chandra, and M. Franz. Dynamic taint propagation for Java. In Proceedings of the Annual Computer Security Applications Conference, pages 303-311, Dec. 2005.
18. A. Hartman. Exploring Adobe Flash CS4. Delmar Learning, 2009.
19. B. Hoffman. Ajax security dangers. http://www.spidynamics.com/assets/ documents/AJAXdangers.pdf, 2006.
20. B. Hoffman and B. Sullivan. AJAX security. Addison-Wesley Professional, 2007.
21. G. Hoglund and G. McGraw. Exploiting Online Games: Cheating Massively Distributed Systems. Addison-Wesley Professional, 2007.
22. J. Howell, C. Jackson, H. J. Wang, and X. Fan. MashupOS: Operating system abstractions for client mashups. In Proceedings of the USENIX Workshop on Hot topics in operating systems, pages 1-7, May 2007.
23. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo. Securing Web application code by static analysis and runtime protection. In Proceedings of the International Conference on World Wide Web, pages 40-52, May 2004.
24. S. Jha, S. Katzenbeisser, and H. Veith. Enforcing semantic integrity on untrusted clients in networked virtual environments. In Proceedings of the IEEE Symposium on Security and Privacy, pages 179-186, May 2007.
25. T. Jim, N. Swamy, and M. Hicks. Defeating script injection attacks with browser-enforced embedded policies. In Proceedings of the International Conference on World Wide Web, pages 601-610, May 2007.
26. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting Web application vulnerabilities. In Proceedings of the IEEE Symposium on Security and Privacy, pages 258-263, May 2006.
27. A. Judson. Tamper data Firefox add-on. https://addons.mozilla.org/en-US/ firefox/addon/966.
28. R. Kennell and L. H. Jamieson. Establishing the genuinity of remote computer systems. In Proceedings of the USENIX Security Symposium, pages 21-21, Aug. 2003.
29. R. Lerner. At the forge: Firebug. Linux J., 2007(157):8, 2007.
30. B. Livshits and E. Kiciman. Doloto: Code splitting for network-bound Web 2.0 applications. In Proceedings of the ACM SIGSOFT International Symposium on Foundations of software engineering, pages 350-360, Sep 2008.
31. B. Livshits and M. S. Lam. Finding security errors in Java programs with static analysis. In Proceedings of the USENIX Security Symposium, pages 18-18, Aug. 2005.
32. D. Malkhi and M. K. Reiter. Secure and scalable replication in phalanx. In Proceedings of the The IEEE Symposium on Reliable Distributed Systems, page 51, Oct. 1998.
33. D. Manolescu, B. Beckman, and B. Livshits. Volta: Developing distributed applications by recompiling. IEEE Software, 25(5):53-59, Oct. 2008.
34. M. Martin, B. Livshits, and M. S. Lam. SecuriFly: Runtime vulnerability protection for Web applications. Technical report, Stanford University, 2006.
35. Microsoft Corporation. Microsoft Live Labs Deepfish. http://labs.live. com/deepfish/, 2006.
36. Microsoft Corporation. Microsoft Live Labs Volta. http: //research.microsoft.com/~emeijer/CloudProgrammability.html, 2007.
37. Microsoft Corporation. Silverlight. http://silverlight.net, 2007.
38. P. Montesinos, M. Hicks, S. T. King, and J. Torrellas. Capo: a software-hardware interface for practical deterministic multiprocessor replay. In Proceeding of International Conference on Architectural Support for Rrogramming Languages and Operating Systems, pages 73-84, Mar. 2009.
39. S. Narayanasamy, G. Pokam, and B. Calder. Bugnet: Continuously recording program execution for deterministic replay debugging. SIGARCH Computer Architecture News, 33(2):284-295, May 2005.
40. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening Web applications using precise tainting. In Proceedings of the IFIP International Information Security Conference, pages 372-382, June 2005.
41. T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In Proceedings of the Recent Advances in Intrusion Detection, Sept. 2005.
42. J. Richter. CLR via C#. Microsoft Press, 2006.
43. A. Russell. Comet: Low latency data for the browser. http://alex. dojotoolkit.org/wp-content/LowLatencyData.pdf, 2006.
44. F. B. Schneider. Implementing fault-tolerant services using the state machine approach: a tutorial. ACM Compututing Surveys, 22(4):299-319, Dec. 1990.
45. S. Segan. For Skyfire's mobile Web, the secret's in the server. http: //www.pcmag.com/print-article2/0,1217,a%253D223932,00.asp, Jan. 2008.
46. M. Serrano, E. Gallesio, and F. Loitsch. Hop: a language for programming the web 2.0. In Companion to the Conference on Object-oriented Programming Systems, Languages, and Applications, pages 975-985, Oct. 2006.
47. S. Smith. Capacity and performance planning. In European Microsoft SharePoint Conference 2007, Feb. 2007.
48. C. Stockwell. What's Coming in IE8. http: //blogs.msdn.com/ie/archive/ 2008/08/26/ie8-performance.aspx, 2008.
49. J. D. Strunk, G. R. Goodson, M. L. Scheinholtz, C. A. N. Soules, and G. R. Ganger. Self-securing storage: protecting data in compromised system. In Proceedings of the Conference on Symposium on Operating System Design and Implementation, pages 12-12, Oct. 2000.
50. The Samy worm. http://namb.la/popular.
51. F. Tip. A survey of program slicing techniques. Journal of programming languages, 3:121-189, 1995.
52. Y. Xie and A. Aiken. Static detection of security vulnerabilities in scripting languages. In Proceedings of the USENIX Security Symposium, Aug. 2006.
53. J. Yan. Security design in online games. In Proceedings of the Annual Computer Security Applications Conference, page 286, Dec. 2003.
54. F. Yang, J. Shanmugasundaram, M. Riedewald, and J. Gehrke. Hilda: A high-level language for data-driven Web applications. In Proceedings of the International Conference on Data Engineering, pages 32-43, Apr. 2006.
55. D. Yu, A. Chander, H. Inamura, and I. Serikov. Better abstractions for secure server-side scripting. In Proceeding of the International Conference on World Wide Web, pages 507-516, Apr. 2008.
56. D. Yu, A. Chander, N. Islam, and I. Serikov. JavaScript instrumentation for browser security. In Proceedings of the Symposium on Principles of Programming Languages, pages 237-249, Jan. 2007.
57. S. Zdancewic and A. C. Myers. Secure information flow and CPS. Lecture Notes in Computer Science, 2028:46-61, 2001.
58. S. Zdancewic, L. Zheng, N. Nystrom, and A. C. Myers. Untrusted hosts and confidentiality: Secure program partitioning. In Proceedings of Symposium on Operating System Principles, pages 1-14, 2001.
59. L. Zheng, S. Chong, A. C. Myers, and S. Zdancewic. Using replication and partitioning to build secure distributed systems. In Proceedings of the IEEE Symposium on Security and Privacy, pages 236-250, May 2003.