HAILS: Protecting data privacy in untrusted web applications

Proceedings of the 10th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2012

Volumn , Issue , 2012, Pages 47-60

  Giffin, Daniel B ^a   Levy, Amit ^a   Stefan, Deian ^a   Terei, David ^a   Mazières, David ^a   Mitchell, John C ^a   Russo, Alejandro ^b  

^a NONE   (United States)

^b Chalmers   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ACCESS CONTROL; CODES (SYMBOLS); ECONOMIC AND SOCIAL EFFECTS; PRECIPITATION (METEOROLOGY); SYSTEMS ANALYSIS;

AD HOC CONSTRAINTS; EXTENDED FEATURES; MANDATORY ACCESS CONTROL; MVC ARCHITECTURES; POLICY LANGUAGE; PRIVACY POLICIES; THIRD PARTY SOFTWARE; WEB APPLICATION;

DATA PRIVACY;

EID: 85041431588     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (47)

1. M. Abadi, M. Burrows, B. Lampson, and G. Plotkin. A calculus for access control in distributed systems. ACM Transactions on Programming Languages and Systems, 15(4):706-734, Oct. 1993.
2. M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized trust management. In Security and Privacy, 1996. Proceedings., 1996 IEEE Symposium on, pages 164-173, 1996.
3. M. Blaze, J. Feigenbaum, J. Ioannidis, and A. Keromytis. The KeyNote Trust-Management System Version 2. RFC 2704 (Informational), Sept. 1999. URL http://www.ietf.org/rfc/rfc2704.txt.
4. R. Chandra, P. Gupta, and N. Zeldovich. Separating web applications from user data storage with BSTORE. In Proceedings of the 2010 USENIX conference on Web application development, pages 1-1, 2010.
5. W. Cheng, D. Ports, D. Schultz, V. Popic, A. Blankstein, J. Cowling, D. Curtis, L. Shrira, and B. Liskov. Abstractions for usable information flow control in Aeolus. In Proceedings of the 2012 USENIX Annual Technical Conference, 2012.
6. A. Chlipala. Static checking of dynamically-varying security policies in database-backed applications. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation, OSDI'10, 2010.
7. K. Chodorow and M. Dirolf. MongoDB: the definitive guide. O'Reilly Media, Inc., 2010.
8. S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, and X. Zheng. Secure web applications via automatic partitioning. pages 31-44, Oct. 2007.
9. S. Chong, K. Vikram, and A. C. Myers. Sif: Enforcing confidentiality and integrity in web applications. In Proc. USENIX Security Symposium, pages 1-16, Aug. 2007.
10. M. B. Consulting. Jetty webserver, March 2012. http://jetty.codehaus.org/jetty/.
11. D. Crockford. Making JavaScript safe for advertising. http://adsafe.org/.
12. J. DeTreville. Binder, a logic-based security language. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 105-113. IEEE Computer Society Press, May 2002.
13. Facebook. Fbjs (Facebook JavaScript). http://developers.facebook.com/docs/fbjs/.
14. Google. Google code prettify, September 2012. http://code.google.com/p/google-code-prettify/.
15. C. Hritcu, M. Greenberg, B. Karel, B. C. Pierce, and G. Morrisett. Exceptionally available dynamic IFC. Submitted to POPL, July 2012.
16. S. Isaacs. Microsoft web sandbox. http://www.websandbox.org/.
17. M. Krohn, A. Yip, M. Brodsky, N. Cliffer, M. F. Kaashoek, E. Kohler, and R. Morris. Information flow control for standard OS abstractions. In Proceedings of the 21st Symposium on Operating Systems Principles, October 2007.
18. M. Krohn, A. Yip, M. Brodsky, R. Morris, and M. Walfish. A World Wide Web Without Walls. In 6th ACM Workshop on Hot Topics in Networking (Hotnets), Atlanta, GA, November 2007.
19. D. Larochelle and D. Evans. Statically detecting likely buffer overflow vulnerabilities. In USENIX Security Symposium, August 2001.
20. L. Latif. Github suffers a Ruby on Rails public key vulnerability, March 2012. http://www.theinquirer.net/inquirer/news/2157093/ github-suffers-ruby-rails-public-key-vulnerability.
21. N. Li and J. C. Mitchell. RT: A role-based trust-management framework. In The Third DARPA Information Survivability Conference and Exposition (DISCEX III). IEEE Computer Society Press, Apr. 2003.
22. N. Li, W. H. Winsborough, and J. C. Mitchell. Distributed credential chain discovery in trust management. Journal of Computer Security, 11(1):35-86, Feb. 2003.
23. P. Li and S. Zdancewic. Practical information-flow control in web-based information systems. In Proceedings of the 18th IEEE workshop on Computer Security Foundations. IEEE Computer Society, 2005.
24. J. Liu, M. D. George, K. Vikram, X. Qi, L. Waye,, and A. C. Myers. Fabric: A platform for secure distributed computation and storage. In Proceedings of the 22nd ACM Symposium on Operating Systems Principles, Big Sky, MT, October 2009.
25. J. MacFarlane. Pandoc:a universal document converter. http://johnmacfarlane.net/pandoc/.
26. S. Maffeis and A. Taly. Language-based isolation of untrusted javascript. In Computer Security Foundations Symposium, 2009. CSF'09. 22nd IEEE, pages 77-91, 2009.
27. J. Mayer and J. Mitchell. Third-party web tracking: Policy and technology. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 413-427, 2012.
28. M. Miller, M. Samuel, B. Laurie, I. Awad, and M. Stay. Caja: Safe active content in sanitized javascript. http://google-caja.googlecode.com/files/caja-spec-2008-06-07.pdf, June 2008.
29. N. Mitchell. HLint Manual. http://community.haskell.org/~ndm/darcs/hlint/hlint.htm.
30. B. Montagu, B. Pierce, R. Pollack, and A. Surée. A theory of information-flow labels. Draft, July, 2012.
31. D. Mosberger and T. Jin. httperf-a tool for measuring web server performance. ACM SIGMETRICS Performance Evaluation Review, 26(3):31-37, 1998.
32. A. C. Myers and B. Liskov. A decentralized model for information flow control. In Proceedings of the 16th ACM symposium on Operating systems principles, pages 129-142, 1997.
33. A. C. Myers and B. Liskov. Protecting privacy using the decentralized label model. ACM Transactions on Computer Systems, 9(4):410-442, October 2000.
34. T. Preston-Werner. Public key security vulnerability and mitigation, March 2012. https://github.com/blog/1068-public-key-security-vulnerability-and-mitigation.
35. J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278-1308, September 1975.
36. Sinatra. Sinatra, September 2012. http://www.sinatrarb.com/.
37. E. Sirer, W. de Bruijn, P. Reynolds, A. Shieh, K. Walsh, D. Williams, and F. Schneider. Logical attestation: an authorization architecture for trustworthy computing. In Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, pages 249-264, 2011.
38. E. Steel and G. Fowler. Facebook in privacy breach. The Wall Street Journal, 18, October 2010.
39. D. Stefan, A. Russo, D. Mazières, and J. C. Mitchell. Disjunction category labels. In Proceedings of the NordSec 2011 Conference, October 2011.
40. D. Stefan, A. Russo, J. C. Mitchell, and D. Mazières. Flexible dynamic information flow control in Haskell. In Proceedings of the 4th Symposium on Haskell, pages 95-106, September 2011.
41. D. Stefan, A. Russo, P. Buiras, A. Levy, J. C. Mitchell, and D. Mazières. Addressing covert termination and timing channels in concurrent information flow systems. In The 17th ACM SIGPLAN International Conference on Functional Programming (ICFP), 2012.
42. B. Sterne, M. Corporation, A. Barg, and G. Inc. Content security policy, May 2012. https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html.
43. A. Taly, Ú. Erlingsson, J. C. Mitchell, M. S. Miller, and J. Nagra. Automated analysis of security-critical javascript APIs. In IEEE Symposium on Security and Privacy, 2011.
44. D. Terei, S. Marlow, S. P. Jones,, and D. Mazières. Safe Haskell. In Proceedings of the 5th Symposium on Haskell, September 2012.
45. S. Zdancewic, L. Zheng, N. Nystrom, and A. C. Myers. Untrusted hosts and confidentiality: Secure program partitioning. Oct. 2001.
46. N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières. Making information flow explicit in HiStar. In Proceedings of the 7th Symposium on Operating Systems Design and Implementation, pages 263-278, Seattle, WA, November 2006.
47. L. Zheng, S. Chong, A. C. Myers, and S. Zdancewic. Using replication and partitioning to build secure distributed systems. In Proceedings of the 2003 IEEE Symposium on Security and Privacy, SP'03, Washington, DC, USA, 2003. IEEE Computer Society.