The Computer Science Department of the University of Washington just published a talk from Max Krohn (MIT) on Securing the Web with Decentralized Information Flow Control.
In this talk, Max explains that he sees a computing shift happening
right now, moving from desktop software to server-side software and
cloud computing.
He notes however that:
Web software is buggy, attackers find and exploit these bugs. And as a result, data is stolen or corrupted.
Most people use dynamic languages which do not allow for static
analysis, they readily pull in 3rd party code, plugins, ... and let's face
it, there is a lot of duct-taping going on because the web site needs to
be up and running fast.
He actually defines an interesting metric to get a sense of how
vulnerable a piece of software can be: the number of lines of
code divided by the number of installs. The more widely a piece of software is installed,
Linux for example, the fewer vulnerabilities should be expected,
since most of them would already have been discovered and corrected. He
presents a couple of slides to illustrate his point, showing a web
app in LOCs and the same web app in LOCs/installs.
The goal of his research is to define a security model for these new
types of applications and architectures. The problem is becoming acute
with applications such as Facebook which allow developers to
insert code into the platform, or even now let 3rd party servers
provide functionality within the Facebook platform.
To respond to these challenges, Max and his colleagues have developed Flume, an open source web application security infrastructure based on a Decentralized Information Flow Control (DIFC) model:
Decentralized Information Flow Control (DIFC) is an
approach to security that allows application writers to control how
data flows between the pieces of an application and the outside world.
When applied to privacy, DIFC allows untrusted software to compute
with private data while trusted security code controls the release of
that data. When applied to integrity, DIFC allows trusted code to
protect untrusted software from unexpected malicious inputs.
They treat the server as a black box and track the data as the
response to a request is being constructed. The security architecture
is made of a security gateway and an operating system library which
tags data as it is being used by the web application. The core concept
is to centralize all security decisions in the gateway and prevent
unwanted data access.
A typical Flume application consists of processes of two
types. Untrusted processes do most of the computation. They are
constrained by, but possibly unaware of, DIFC controls. Trusted
processes, in contrast, are aware of DIFC and set up the privacy and
integrity controls that constrain untrusted processes. Trusted
processes also have the privilege to selectively violate classical
information flow control—for instance, by declassifying private data
(perhaps to export it from the system), or by endorsing data as high
integrity.
The core of the system is based on a fairly simple set of rules to track data based on Tags and Labels.
A tag t carries no inherent meaning, but processes
generally associate each tag with some category of secrecy or
integrity. Tag b, for example, might label Bob’s private data. A label
is a subset of the tag set.
A Flume process p can send data to process q if p's label is
a subset of q's label. The Flume model assumes many processes running on the
same machine and communicating via messages, or “flows”. The model’s
goal is to track data flow by regulating both process communication and
process label changes.
Fig 1. Communication Rule
Max indicates that this concept is not new and it has been around since the 80s.
The Gateway is a key element of the security architecture. First, the
web application does not need to know anything about the browser, since
the gateway can enforce policies on its behalf. However, this central role also
requires the introduction of a new abstraction: Endpoints. Because the
Gateway needs to coordinate interactions with several systems (browser,
authentication repository, web application, ...), it cannot expose a
single set of labels to all these processes. An endpoint defines a
specific combination of labels dedicated to the communication
between the gateway and one specific process.
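To make the tag and label rules above concrete, and to show what an endpoint buys the gateway, here is a constructed Python model of the Flume rules. It is an added example, not code from the Flume project or from the talk: tags are opaque strings, a label is a frozenset of tags, and the communication rule is checked in both directions (secrecy may only accumulate, integrity may only be lost). Declassification and endorsement are modelled as label changes that need a `t-` capability, and an endpoint is modelled as a second label pair a process exposes to one peer; the rule that an endpoint may carry exactly the labels its owner could switch to is my simplification of Flume's endpoint rule, and the tag names `b` (Bob's private data) and `v` (input checked by trusted code) are constructed for the scenario.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed toy model of Flume-style DIFC labels (not Flume's own code).
Label = FrozenSet[str]          # a label is a subset of the tag set
EMPTY: Label = frozenset()


@dataclass
class Process:
    name: str
    secrecy: Label = EMPTY      # S_p: secrecy tags of data this process has seen
    integrity: Label = EMPTY    # I_p: integrity tags this process currently holds
    plus: Label = EMPTY         # t+ capabilities: may add t to one of its labels
    minus: Label = EMPTY        # t- capabilities: may remove t (declassify / endorse)


@dataclass
class Endpoint:
    """Per-connection labels a process exposes to one peer (the endpoint idea)."""
    owner: Process
    secrecy: Label
    integrity: Label


def flow_allowed(src_s: Label, src_i: Label, dst_s: Label, dst_i: Label) -> bool:
    """Communication rule: a flow may only go somewhere at least as secret and
    no more trusted than where it came from."""
    return src_s <= dst_s and dst_i <= src_i


def label_change_allowed(p: Process, old: Label, new: Label) -> bool:
    """Safe label change: every added tag needs t+, every removed tag needs t-."""
    return (new - old) <= p.plus and (old - new) <= p.minus


def set_labels(p: Process, secrecy: Optional[Label] = None,
               integrity: Optional[Label] = None) -> bool:
    """Apply a label change if the process's capabilities permit it."""
    new_s = p.secrecy if secrecy is None else secrecy
    new_i = p.integrity if integrity is None else integrity
    if not (label_change_allowed(p, p.secrecy, new_s)
            and label_change_allowed(p, p.integrity, new_i)):
        return False
    p.secrecy, p.integrity = new_s, new_i
    return True


def open_endpoint(p: Process, secrecy: Optional[Label] = None,
                  integrity: Optional[Label] = None) -> Optional[Endpoint]:
    """Assumption (simplified from Flume): an endpoint may carry exactly the
    labels the owning process could switch to with its own capabilities."""
    s = p.secrecy if secrecy is None else secrecy
    i = p.integrity if integrity is None else integrity
    if label_change_allowed(p, p.secrecy, s) and label_change_allowed(p, p.integrity, i):
        return Endpoint(p, s, i)
    return None


def send(src: Endpoint, dst: Endpoint) -> bool:
    """The gateway's check: a flow between two endpoints is judged on endpoint labels."""
    return flow_allowed(src.secrecy, src.integrity, dst.secrecy, dst.integrity)


def scenario() -> Dict[str, bool]:
    """Constructed walk-through: Bob's private data (tag b) and validated input (tag v)."""
    b, v = "b", "v"
    results: Dict[str, bool] = {}

    bob_store = Process("bob_store", secrecy=frozenset({b}))
    app = Process("app", plus=frozenset({b}))       # untrusted worker; b+ lets it read Bob's data
    network = Process("network")                    # the outside world: empty labels
    declassifier = Process("declassifier", secrecy=frozenset({b}), minus=frozenset({b}))

    # 1. the app raises its secrecy label (legal thanks to b+) and reads Bob's data
    results["app_reads_bob"] = set_labels(app, secrecy=frozenset({b})) and send(
        open_endpoint(bob_store), open_endpoint(app))
    # 2. the tainted app cannot export to the network: {b} is not a subset of {}
    results["app_exports"] = send(open_endpoint(app), open_endpoint(network))
    # 3. it may hand the data to trusted code, which owns b- and can declassify
    results["app_to_declassifier"] = send(open_endpoint(app), open_endpoint(declassifier))
    public_side = open_endpoint(declassifier, secrecy=EMPTY)   # valid: b- is held
    results["declassified_export"] = public_side is not None and send(
        public_side, open_endpoint(network))
    # 4. the app cannot open the same kind of endpoint: it lacks b-
    results["app_fakes_endpoint"] = open_endpoint(app, secrecy=EMPTY) is not None

    # Integrity direction: trusted code refuses raw input unless it endorses it
    raw_input = Process("raw_input")                              # I = {} : untrusted
    validator = Process("validator", integrity=frozenset({v}), minus=frozenset({v}))
    results["raw_into_validator"] = send(open_endpoint(raw_input), open_endpoint(validator))
    intake = open_endpoint(validator, integrity=EMPTY)            # drop v on this endpoint only
    results["raw_into_intake"] = intake is not None and send(open_endpoint(raw_input), intake)
    return results


if __name__ == "__main__":
    for step, allowed in scenario().items():
        print(f"{step:22s} {'allowed' if allowed else 'BLOCKED'}")
```

The point of the endpoint in this model is step 4 versus step 3: the same request (open an endpoint with an empty secrecy label) succeeds for the declassifier and fails for the untrusted worker, so the gateway can keep one label set per peer without trusting the peer to describe itself honestly.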
The second part of the presentation is focused on presenting a use case based on MoinMoin Wiki.
Max shows in this use case that Flume tackles problems well beyond the
known vulnerability types (buffer overrun, cross-site scripting and SQL
injection). He demonstrated that MoinMoin Wiki had a bug in its
calendar functionality: all users could actually see some items
in the calendar that were intended to be restricted to a particular
group. Flume was able to prevent the content of the calendar from being
displayed, simply on the basis of its standard policies.
Fig 2. System Call Delegation
Max concluded that there is still a lot of work to be done. They
want to make the system flexible enough to work with 3rd
party software uploaded into the web application. They are also working
on enabling people to share data using the same principles. They also
plan to extend the reach to the browser level and bring JavaScript into
the architecture. Max sees a large set of applications in the financial
industry.
The development of connected systems will increasingly require
end-to-end security solutions to prevent unwanted access to data using
policy enforcement strategies outside the comfort of the code of an
application. What is your opinion? Have you been confronted with this
kind of security issue yet? What solutions did you use?