SilverLine: Preventing data leaks from compromised web applications

ACM International Conference Proceeding Series

Volumn , Issue , 2013, Pages 329-338

  Mundada, Yogesh ^a   Ramachandran, Anirudh ^b   Feamster, Nick ^a  

^a Georgia Institute of Technology   (United States)

^b Nouvou ^*  (United States)

Author keywords

[No Author keywords available]

Indexed keywords

APPLICATION DATA; APPLICATION SERVERS; AUTHORIZED USERS; DATABASE RECORDS; INFORMATION FLOWS; SENSITIVE DATAS; WEB APPLICATION; WEB APPLICATION ATTACKS;

APPLICATIONS; COMPUTER OPERATING SYSTEMS; SECURITY OF DATA; SECURITY SYSTEMS;

WORLD WIDE WEB;

EID: 84893274038     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2523649.2523663     Document Type: Conference Paper

References (41)

1. Amazon Relational Database Service. http://aws.amazon.com/rds/.
2. Attrition.net. Absolute Sownage. http://attrition.org/security/rant/sony- aka-sownage.html, 2011.
3. J. Burket, P. Mutchler, M. Weaver, M. Zaveri, and D. Evans. Guardrails: A data-centric web application security framework. In WebApps, 2011.
4. V. Business. Verizon Data Breach Investigations Report. http://www.verizonbusiness.com/resources/reports/rp-data-breach-investigations- report-2011-en-xg.pdf, 2011.
5. E. S. Cohen and D. Jefferson. Protection in the hydra operating system. In Symposium on Operating Systems Principles (SOSP), pages 141-160, 1975.
6. M. Dalton, N. Zeldovich, and C. Kozyrakis. Nemesis: Preventing authentication & access control vulnerabilities in web applications. In 18th Usenix Security Symposium, 2009.
7. B. Davis and H. Chen. Dbtaint: Cross-application information flow tracking via databases. In Proceedings of the USENIX Conference on Web Applications, June 2010.
8. D. E. Denning. A lattice model of secure information flow. Communications of the ACM, 19(5): 236-243, May 1976.
9. L. Dignan. Sony's data breach costs. http://www.zdnet.com/blog/btl/sonys- data-breach-costs-likely-to-scream-higher49161, 2011.
10. W. Enck, P. Gilbert, B. gon Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In Symposium on Operating Systems Principles (SOSP), Oct. 2010.
11. Floodlight OpenFlow Controller. http://floodlight.openflowhub.org/.
12. B. Hicks, S. Rueda, T. Jaeger, and P. McDaniel. From Trusted to Secure: Building Applications that Enforce System Security. In Proceedings of the USENIX Annual Technical Conference, Santa Clara, CA, June 2007.
13. Information Week. Stanford Hospital Breach Exposes 20,000 ER Records. http://www.Information Week.com/news/security/attacks/231601110, 2011.
14. T. Inquirer. Citibank Hacked by altering URLs. http://www.theinquirer. net/inquirer/news/2079431/citibank-hacked-altering-urls, 2011.
15. X. Jiang, A. Walters, F. Buchholz, D. Xu, Y.-M. Wang, and E. H. Spafford. Provenance-Aware Tracing of Worm Break-in and Contaminations: A Process Coloring Approach. In ICDCS, June 2006.
16. J. Jung, A. Sheth, B. Greenstein, D. Wetherall, and T. K. Gabriel Maganis. Privacy Oracle: a System for Finding Application Leaks with Black Box Differential Testing. In ACM Conference on Computer and Commnications Security, 2008.
17. E. Kohler. Hot crap! In In Proceedings of WOWCS, Apr. 2008.
18. M. Krohn, A. Yip, M. Brodsky, N. Cliffer, M. F. Kaashoek, E. Kohler, and R. Morris. Information flow control for standard os abstractions. In Proc. 21st ACM Symposium on Operating Systems Principles (SOSP), Stevenson, WA, Oct. 2007.
19. C. Monsanto, J. Reich, N. Foster, J. Rexford, and D. Walker. Composing Software-Defined Networks. In USENIX NSDI, 2013.
20. A. C. Myers. Jflow: practical mostly-static information flow control. In POPL '99: Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pages 228-241, New York, NY, USA, 1999. ACM.
21. MySQL Proxy. http://forge.mysql.com/wiki/MySQL-Proxy.
22. J. Newsome and D. X. Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2005.
23. OpenFlow Switch Consortium. http://www.openflowswitch.org/, 2008.
24. osCommerce: Open Source online shop e-commerce solution. http://www.oscommerce.com/.
25. OWASP. OWASP Top 10 Application Security Risks - 2010. https://www.owasp.org/index.php/Top-10-2010-Main, 2010.
26. I. Papagiannis, M. Migliavacca, and P. Pietzuch. Php aspis: Using partial taint tracking to protect against injection attacks. In 2nd USENIX Conference on Web Application Development (WebApps), June 2011.
27. B. Parno, J. M. McCune, D. Wendlandt, D. G. Andersen, and A. Perrig. CLAMP: Practical prevention of large-scale data leaks. In Proc. IEEE Symposium on Security and Privacy, Oakland, CA, May 2009.
28. P. Broadwell, M. Harren, N. Sastry. Scrash: A system for generating security crash information. In Proc. 12th USENIX Security Symposium, Washington, DC, Aug. 2003.
29. R. A. Popa, C. M. S. RedïňA̧eld, N. Zeldovich, and H. Balakrishnan. Cryptdb: Protecting conïňA̧dentiality with encrypted query processing. In Proc. 23nd ACM Symposium on Operating Systems Principles (SOSP), Cascais, Portugal, Oct. 2011.
30. POX OpenFlow controller. http://www.noxrepo.org/pox/about-pox/.
31. Redis. http://redis.io/.
32. Redis Benchmarks. https://code.google.com/p/redis/wiki/Benchmarks.
33. U. Shankar, K. Talwar, J. Foster, D. Wagner. Detecting format string vulnerabilities with type qualifiers. In Proc. 10th USENIX Security Symposium, Washington, DC, Aug. 2001.
34. S. VanDeBogart, P. Efstathopoulos, E. Kohler, M. Krohn, C. Frey, D. Ziegler, F. Kaashoek, R. Morris, and D. Mazieres. Labels and event processes in the Asbestos operating system. ACM Transactions on Computer Systems, 25(4): 1-43, Dec. 2007.
35. E. Wobber, M. Abadi, and M. Burrows. Authentication in the Taos operating system. ACM Transactions on Computer Systems, 12(1): 3-32, 1994.
36. C. Wright, C. Cowan, S. Smalley, J. Morris, and G. Kroah-Hartman. Linux Security Modules: General Security Support for the Linux Kernel. In Proc. 11th USENIX Security Symposium, San Francisco, CA, Aug. 2002.
37. H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda. Panorama: capturing system-wide information flow for malware detection and analysis. In Proceedings of the ACM Conference on Computer and Communications Security (CCS), Alexandria, VA, Oct. 2007.
38. A. Yip, X. Wang, N. Zeldovich, and M. F. Kaashoek. Improving application security with data flow assertions. In Proc. of the 22nd ACM Symposium on Operating System Principles, Oct. 2009.
39. N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazieres. Making Information Flow Explicit in HiStar. In Proc. 7th USENIX OSDI, Seattle, WA, Nov. 2006.
40. N. Zeldovich, S. Boyd-Wickizer, and D. Mazieres. Securing Distributed Systems with Information Flow Control. In Proc. 5th USENIX NSDI, San Francisco, CA, Apr. 2008.
41. Q. Zhang, J. McCullough, J. Ma, N. Schear, M. Vrable, A. C. Snoeren, G. M. Voelker, S. Savage, and A. Vahdat. Neon: System Support for Derived Data Management. In ACM Conference on Virtual Execution Environments, Mar. 2010.