An architecture for enforcing end-to-end access control over web applications

Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

Volumn , Issue , 2010, Pages 163-172

  Hicks, Boniface ^a   Rueda, Sandra ^a   King, Dave ^a   Moyer, Thomas ^a   Schiffman, Joshua ^a   Sreenivasan, Yogesh ^a   McDaniel, Patrick ^a   Jaeger, Trent ^a  

^a PENNSYLVANIA STATE UNIVERSITY   (United States)

Author keywords

Access control; Policy compliance; Xen security modules

Indexed keywords

ACCESS CONTROL POLICIES; APPLICATION LAYERS; COLLABORATIVE EDITING; CROSS SITE SCRIPTING; DISTRIBUTED APPLICATIONS; END-TO-END SECURITY; FUNDAMENTAL PROBLEM; MANDATORY ACCESS CONTROL; MESSAGING SYSTEM; MULTIPLE APPLICATIONS; MULTIPLE SOURCE; OPERATING SYSTEMS; SECURITY MODULES; SENSITIVE DATAS; VIRTUAL MACHINE MANAGEMENT; VIRTUAL MACHINES; WEB APPLICATION; WEB INFRASTRUCTURE;

ARCHITECTURE; COMPUTER OPERATING SYSTEMS; COMPUTER SIMULATION; DISTRIBUTED COMPUTER SYSTEMS; SECURITY SYSTEMS; WORLD WIDE WEB;

ACCESS CONTROL;

EID: 77954942438     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1809842.1809870     Document Type: Conference Paper

References (30)

1. J. P. Anderson. Computer security technology planning study, volume II. Technical Report ESD-TR-73-51, Deputy for Command and Management Systems, HQ Electronics Systems Division (AFSC), October 1972.
2. P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield. Xen and the art of virtualization. In SOSP'03, pages 164-177. ACM, 2003.
3. A. Barth, C. Jackson, and J. Mitchell. Robust defenses for cross-site request forgery. In CCS'08. ACM, 228.
4. D. E. Bell and L. J. LaPadula. Secure computer system: Unified exposition and Multics interpretation. Technical Report ESD-TR-75-306, Deputy for Command and Management Systems, HQ Electronic Systems Division (AFSC), March 1976.
5. S. Chen, D. Ross, and Y.-M. Wang. An analysis of browser domain-isolation bugs and a light-weight transparent defense mechanism. In CCS'07. ACM, 2007.
6. R. S. Cox, S. D. Gribble, H. M. Levy, and J. G. Hansen. A safety-oriented platform for web applications. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, pages 350-364. IEEE Computer Society, 2006.
7. R. S. et al. Building a mac-based security architecture for the xen open-source hypervisor. In ACSAC'05, pages 276-285. IEEE Computer Society, 2005.
8. C. Grier, S. Tang, and S. T. King. Secure Web Browsing with the OP Web Browser. In IEEE Symposium on Security and Privacy, pages 402-416, 2008.
9. M. Harrison, W. Ruzzo, and J. D. Ullman. Protection in operating systems. Communications of the ACM, Aug. 1976.
10. B. Hicks, T. Misiak, and P. McDaniel. Channels: Runtime system infrastructure for security-typed languages. In ACSAC, December 2007.
11. B. Hicks, S. Rueda, T. Jaeger, and P. McDaniel. From trusted to secure: Building and executing applications that enforce system security. In Proceedings of the USENIX Annual Technical Conference, 2007.
12. J. Howell, C. Jackson, H. Wang, and X. Fan. Mashupos: Operating system abstractions for client mashups. In HotOS., 2007.
13. O. Ismail, M. Etoh, Y. Kadobayashi, and S. Yamaguchi. A proposal and implementation of automatic detection/collection system for cross-site scripting vulnerability. In AINA'04. IEEE.
14. C. Jackson, A. Bortz, D. Boneh, and J. Mitchell. Protecting browser state from web privacy attacks. In WWW'06.
15. C. Jackson and H. Wang. Subspace: Secure cross-domain communication for web mashups. In WWW'07.
16. T. Jaeger, D. King, K. Butler, S. Hallyn, J. Latten, and X. Zhang. Leveraging IPsec for mandatory access control across systems. In SecureComm, 2006.
17. T. Jim, N. Swamy, and M. Hicks. Defeating script injection attacks with browser-enforced embedded policies. In WWW, New York, NY, USA. ACM.
18. B. W. Lampson. Protection. In 5th Princeton Conference on Information Sciences and Systems, 1971.
19. R. Meushaw and D. Simard. NetTop: Commercial Technology in High Assurance Applications, 2000.
20. MyBB Group. MyBB. http://www.mybboard.net/.
21. A. C. Myers, L. Zheng, S. Zdancewic, S. Chong, and N. Nystrom. Jif: Java information flow. http://www.cs.cornell.edu/jif, July 2001-2003.
22. Netlabel - explicit labeled networking for linux. http://netlabel. sourceforge.net/, 2007.
23. Security-enhanced Linux. http://www.nsa.gov/selinux.
24. T. Oda, G. Wurster, P. van Oorschot, and A. Somayaji. SOMA: Mutual Approval for Included Content in Web Pages. In CCS'08.
25. OWASP Foundation. Open web application security project. http://www.owasp.org/index.php/Top-10-2007.
26. T. L. Project. Lobo: Java Web Browser. http://lobobrowser.org/.
27. C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir. Browsershield: vulnerability-driven filtering of dynamic html. In OSDI. USENIX Association.
28. D. Yu, A. Chander, N. Islam, and I. Serikov. Javascript instrumentation for browser security. In POPL'07, pages 237-249, New York, NY, USA. ACM.
29. S. Zarandioon, D. Yao, and V. Ganapathy. OMOS: A Framework for Secure Communication in Mashup Applications. In ACSAC'08. IEEE.
30. N. Zeldovich, S. Boyd-Wickizer, and D. Mazieres. Securing distributed systems with information flow control. In NSDI'08.