SIF: Enforcing Confidentiality and Integrity in Web Applications

SIF (Servlet Information Flow) is a novel software framework for building high-assurance web applications, using language-based information-flow control to enforce security. Explicit, end-to-end confidentiality and integrity policies can be given either as compile-time program annotations or as run-time user requirements, and a combination of compile-time and run-time checking enforces them efficiently. Information-flow analysis is already known to be useful against SQL injection and cross-site scripting; SIF prevents inappropriate use of information more generally: the flow of confidential information to clients is controlled, as is the flow of low-integrity information from clients into trusted parts of the application. Expressive policies allow users and application providers to protect information from one another. SIF moves trust out of the web application and into the framework and compiler, so a deployer need only trust that the framework and compiler enforce the stated labels rather than audit the application code itself. This gives application deployers stronger security assurance. Language-based information flow promises cheap, strong information security, but until now it could not effectively enforce information security in highly dynamic applications. To build SIF, we developed new language features that make it possible to write realistic web applications. Increased assurance is obtained with modest enforcement overhead.
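The abstract describes labels that carry both a confidentiality policy (who may read) and an integrity policy (who vouches for the data), with explicit declassification and endorsement as the only ways to relax them. The following Python program is an added illustration written for this page, not code from the SIF paper or its implementation; it simulates the label discipline dynamically, whereas SIF checks most of it at compile time. It simplifies the decentralized label model to a single reader set per value (rather than owner: readers policies), treats "may read the data" as sufficient authority to declassify it, and assumes a principal named `app` that stands for the application provider; the sample secret, request parameter and SQL sink are constructed for the demonstration.

```python
"""Dynamic label-based information-flow checks, in the style of the labels
SIF enforces (added illustration, not SIF code)."""
from dataclasses import dataclass
from typing import Any, Callable, FrozenSet, Optional

Principals = Optional[FrozenSet[str]]   # None = everyone may read (public)


class IFCViolation(Exception):
    """Raised when a flow would violate a confidentiality or integrity policy."""


@dataclass(frozen=True)
class Label:
    readers: Principals        # who may learn the value; None = public
    writers: FrozenSet[str]    # who vouches for the value; empty = untrusted

    def join(self, other: "Label") -> "Label":
        # Combining data yields the most restrictive label of both inputs:
        # fewer readers (more secret) and fewer writers (less trusted).
        if self.readers is None:
            readers = other.readers
        elif other.readers is None:
            readers = self.readers
        else:
            readers = self.readers & other.readers
        return Label(readers, self.writers & other.writers)


@dataclass(frozen=True)
class Labeled:
    value: Any
    label: Label


def combine(f: Callable[..., Any], *args: Labeled) -> Labeled:
    """Apply f to labeled values; the result carries the join of all labels."""
    label = args[0].label
    for a in args[1:]:
        label = label.join(a.label)
    return Labeled(f(*(a.value for a in args)), label)


def can_read(principal: str, lv: Labeled) -> bool:
    return lv.label.readers is None or principal in lv.label.readers


def is_trusted(lv: Labeled, by: str = "app") -> bool:
    return by in lv.label.writers


def send_to_client(principal: str, lv: Labeled) -> str:
    """Output channel to a client: enforces confidentiality."""
    if not can_read(principal, lv):
        raise IFCViolation(f"data readable by {lv.label.readers} must not flow to {principal}")
    return str(lv.value)


def run_query(sql: Labeled) -> str:
    """Trusted sink (the SQL engine): requires app-level integrity, so a query
    built from raw client input is rejected before it can inject anything."""
    if not is_trusted(sql):
        raise IFCViolation("low-integrity string reaches SQL sink")
    return f"executed: {sql.value}"


def endorse(lv: Labeled, by: str, check: Callable[[Any], bool]) -> Labeled:
    """Explicit endorsement: `by` vouches for the value after validating it."""
    if not check(lv.value):
        raise IFCViolation("validation failed; refusing to endorse")
    return Labeled(lv.value, Label(lv.label.readers, lv.label.writers | {by}))


def declassify(lv: Labeled, by: str, readers: Principals) -> Labeled:
    """Explicit declassification: only a principal who may read the data may relax it
    (a simplification of the owner-based authority of the decentralized label model)."""
    if not can_read(by, lv):
        raise IFCViolation(f"{by} lacks authority to declassify")
    return Labeled(lv.value, Label(readers, lv.label.writers))


def client_input(text: str) -> Labeled:        # public, untrusted (constructed sample)
    return Labeled(text, Label(None, frozenset()))


def stored_secret(owner: str, text: str) -> Labeled:   # owner-only, vouched for by app
    return Labeled(text, Label(frozenset({owner}), frozenset({"app"})))


def scenario() -> dict:
    results = {}
    ssn = stored_secret("alice", "123-45-6789")
    results["alice_reads_own"] = send_to_client("alice", ssn)
    try:
        send_to_client("bob", ssn)
        results["bob_reads_alice"] = "leaked"
    except IFCViolation:
        results["bob_reads_alice"] = "blocked"
    # A request parameter spliced into a query keeps its low integrity.
    uid = client_input("1 OR 1=1")
    query = combine(lambda u: f"SELECT * FROM users WHERE id = {u}", uid)
    try:
        run_query(query)
        results["raw_input_query"] = "executed"
    except IFCViolation:
        results["raw_input_query"] = "blocked"
    # Endorsement is refused for input that fails validation ...
    try:
        endorse(uid, "app", str.isdigit)
        results["endorse_bad"] = "endorsed"
    except IFCViolation:
        results["endorse_bad"] = "rejected"
    # ... and granted for input that passes, which may then reach the sink.
    good = endorse(client_input("42"), "app", str.isdigit)
    results["endorsed_query"] = run_query(
        combine(lambda u: f"SELECT * FROM users WHERE id = {u}", good))
    # Alice chooses to share only the last four digits with bob.
    last4 = combine(lambda s: s[-4:], ssn)
    shared = declassify(last4, "alice", frozenset({"alice", "bob"}))
    results["bob_reads_shared"] = send_to_client("bob", shared)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The two sinks show the two directions the abstract names: `send_to_client` refuses alice's secret to bob (confidentiality), and `run_query` refuses a string whose label records no trusted writer (integrity), which is how a label discipline subsumes SQL-injection defence without pattern-matching the query. Both relaxations are explicit, authorised operations rather than implicit coercions, so a reviewer auditing a program need only inspect its `endorse` and `declassify` calls.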
