Fine-grained privilege separation for web applications

Proceedings of the 19th International Conference on World Wide Web, WWW '10

Volumn , Issue , 2010, Pages 551-560

  Krishnamurthy, Akshay ^a   Mettler, Adrian ^a   Wagner, David ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

object capabilities; privilege separation; web applications

Indexed keywords

APPLICATION COMPONENTS; APPLICATION-SPECIFIC; JAVA SERVLETS; MODEL-BASED; OBJECT-CAPABILITY LANGUAGES; PRIVILEGE SEPARATION; PROGRAMMING MODELS; SECURITY POLICY; SECURITY PROPERTIES; WEB APPLICATION; WEBMAIL;

WORLD WIDE WEB; XML;

JAVA PROGRAMMING LANGUAGE;

EID: 77954577486     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1772690.1772747     Document Type: Conference Paper

References (21)

1. S. Chong, K. Vikram, and A. C. Myers. SIF: Enforcing confidentiality and integrity in web applications. In USENIX Security Symposium, 2007.
2. D. Crockford. ADsafe. http://www.adsafe.org.
3. Edgewall Software. Genshi. http://genshi.edgewall.org.
4. N. Hardy. KeyKOS architecture. SIGOPS Oper. Syst. Rev., 19(4):8-25, 1985.
5. C. Hawblitzel, C.-c. Chang, G. Czajkowski, D. Hu, and T. Von Eicken. Implementing multiple protection domains in Java. In USENIX Annual Technical Conference, 1998.
6. Y. W. Huang, F. Yu, C. Hang, C. H. Tsai, D. T. Lee, and S. Y. Kuo. Securing web application code by static analysis and runtime protection. In 13th International World Wide Web Conference, 2004.
7. N. Jovanovic, C. Kruegel, and E. Kirda. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In IEEE Symposium on Security & Privacy, pages 258-263, 2006.
8. M. Krohn. Building secure high-performance web services with OKWS. In Proceedings of the USENIX Annual Technical Conference, pages 15-28, 2004.
9. H. M. Levy. Capability-based computer systems. Digital Press, Maynard, MA, USA, 1984.
10. V. B. Livshits and M. S. Lam. Finding security vulnerabilities in Java applications with static analysis. In 14th USENIX Security Symposium, 2005.
11. A. Mettler, D. Wagner, and T. Close. Joe-E: A security-oriented subset of Java. In 17th Network & Distributed System Security Symposium, 2010.
12. M. S. Miller. Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control. PhD thesis, Johns Hopkins University, Baltimore, Maryland, USA, May 2006.
13. M. S. Miller, M. Samuel, B. Laurie, I. Awad, and M. Stay. Caja: Safe active content in sanitized JavaScript (draft), 2008. http://google-caja. googlecode.com/files/caja-spec-2008-06-07.pdf.
14. J. H. Morris, Jr. Protection in programming languages. Commun. ACM, 16(1):15-21, 1973.
15. A. C. Myers and B. Liskov. A decentralized model for information flow control. In Symposium on Operating Systems Principles, pages 129-142, 1997.
16. N. Provos. Preventing privilege escalation. In 12th USENIX Security Symposium, pages 231-242, 2003.
17. J. A. Rees. A security kernel based on the lambda-calculus. A. I. Memo 1564, MIT, 1564, 1996.
18. J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. In Communications of the ACM, 1974.
19. J. S. Shapiro, J. M. Smith, and D. J. Farber. EROS: a fast capability system. In 17th ACM symposium on Operating Systems Principles (SOSP'99), pages 170-185, 1999.
20. Symantec Corporation. Symantec Global Internet Security Threat Report: Trends for 2008, April 2009.
21. A. Wiesmann, A. van der Stock, M. Curphey, and R. Stirbei, editors. A Guide to Building Secure Web Applications. The Open Web Application Security Project, September 2005.