Static Enforcement of Web Application Integrity Through Strong Typing
2009
USENIX Security Symposium
In this work, we present a web application framework that leverages existing work on strong type systems to statically enforce a separation between the structure and content of both web documents and database ...
and dynamic analyses of server-side web application code, and client-side security policy enforcement. ...
We would also like to thank Adam Barth for providing feedback on an earlier version of this paper. ...
dblp:conf/uss/RobertsonV09
fatcat:plln545qcfcn5nrhovmrlgijqq
Secure Code Generation for Web Applications
[chapter]
2010
Lecture Notes in Computer Science
through static program analysis • [Volpano & Smith 96], formalizes Denning's approach through a type system • public is a subtype of secret • Biba model [Biba 77] • Dual model to Bell-LaPadula • Enforces ...
EU 08 Detection of string-based code injection • Instruction set randomization for web applications Similarities within the bug pattern: • String-based foreign code assembly • [Unmediated interfaces to ...
through static program analysis • [Volpano & Smith 96], formalizes Denning's approach through a type system • public is a subtype of secret • Compile time enforcement through type checking Formal ...
doi:10.1007/978-3-642-11747-3_8
fatcat:m6hc6ufwdfexxbbt4qni3jz6hi
Information Flow Control for Static Enforcement of User-Defined Privacy Policies
2011
2011 IEEE International Symposium on Policies for Distributed Systems and Networks
This paper reports on the first case-study of using IFC to enforce Web users' self-defined privacy constraints. ...
Information flow control (IFC) is a technical approach to prevent the unintended leakage and manipulation of sensitive information, and could provide strong guarantees that deployed applications respect ...
ACKNOWLEDGEMENT Alastair Beresford and Florian Kammüller have provided helpful comments on earlier versions of this work. ...
doi:10.1109/policy.2011.23
dblp:conf/policy/Preibusch11
fatcat:pis3n2lnv5eevo2gf7h6mr7o2m
Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers
2009
2009 30th IEEE Symposium on Security and Privacy
We implemented this approach in a tool called BLUEPRINT that was integrated with several popular web applications. ...
In this threat climate, mechanisms that render web applications immune to XSS attacks have been of recent research interest. ...
Through extensive experimental analysis, we have learned that the return value of this script is a static property value type and thus is not useful as an XSS injection vector. ...
doi:10.1109/sp.2009.33
dblp:conf/sp/LouwV09
fatcat:rmng7p7i2bfolgsq3bd6iqlzkq
Survey on JavaScript security policies and their enforcement mechanisms in a web browser
2013
The Journal of Logic and Algebraic Programming
The dynamism of web applications is provided by the use of web scripts, and in particular JavaScript, that accesses this information through a browser-provided set of APIs. ...
We observe a rapid growth of web-based applications every day. These applications are executed in the web browser, where they interact with a variety of information belonging to the user. ...
Originally, web pages were simple HTML pages containing simple elements such as paragraphs, buttons, input boxes, etc. With the evolution of the web, a new type of web application appeared: mashups. ...
doi:10.1016/j.jlap.2013.05.001
fatcat:5pntdqk5fnasnpmjvfgsgkk5za
A survey on server-side approaches to securing web applications
2014
ACM Computing Surveys
These phases are secure construction of new web applications, security analysis/testing of legacy web applications and runtime protection of legacy web applications. ...
We first present the unique aspects of the web application development which cause inherent challenges in building secure web applications. ...
DSI [Nadji et al. 2009] enforces the structure integrity of web documents through parser-level isolation of untrusted data in the browser based on a server-specified policy. ...
doi:10.1145/2541315
fatcat:bjbtc55l4rf2bhbwznyhbldbge
Provable Protection against Web Application Vulnerabilities Related to Session Data Dependencies
2008
IEEE Transactions on Software Engineering
This paper shows how to guarantee the absence of runtime errors due to broken dependencies on session data in Web applications. ...
Web applications are widely adopted and their correct functioning is mission critical for many businesses. ...
Thus, WAFs are typically configured without a strong binding to the implementation of the Web application they protect and because of this, there is no strong guarantee that a configured WAF actually mitigates ...
doi:10.1109/tse.2007.70742
fatcat:dkw3scuvqjhajh3xvs7tj44uou
Preventing Input Validation Vulnerabilities in Web Applications through Automated Type Analysis
2012
2012 IEEE 36th Annual Computer Software and Applications Conference
Web applications have become an integral part of the daily lives of millions of users. ...
In this paper, we present IPAAS, a novel technique for preventing the exploitation of XSS and SQL injection vulnerabilities based on automated data type detection of input parameters. ...
This work has also been supported by the French National Research Agency through the CESSA and VAMPIRE projects. We would also like to thank Secure Business Austria for their support. ...
doi:10.1109/compsac.2012.34
dblp:conf/compsac/ScholteRBK12
fatcat:uuno4er3b5bj3ioqn7zzgjk5um
Verified Enforcement of Security Policies for Cross-Domain Information Flows
2007
MILCOM 2007 - IEEE Military Communications Conference
We discuss the design of our main case study: a web-based Collaborative Planning Application that will permit a collection of users, with varying security requirements and clearances, to access sensitive ...
We are enhancing existing techniques from the field of Security-oriented Programming Languages to construct a new language for the construction of secure networked applications, SELINKS. ...
The remainder of this paper is structured as follows. In Section 2 we describe the functionality and security goals of a web-based application that integrates with the network of Figure 1. ...
doi:10.1109/milcom.2007.4455189
fatcat:7kfgqxjdkrhvxl3xmgugldhk4i
Security models for web-based applications
2001
Communications of the ACM
daunting challenge of ensuring the security and privacy of information in such Web-based applications [4]. ...
At the same time, there is a growing concern over the security of Web-based applications, which are rapidly being deployed over the Internet [4]. ...
For Web-based applications, multilevel classification of information may be an essential requirement that can be enforced by a service provider to distinguish among the users and the type of information ...
doi:10.1145/359205.359224
fatcat:vsa4ca3kabfvzeve6zp7kkg2ze
SafeWeb: A Middleware for Securing Ruby-Based Web Applications
[chapter]
2011
Lecture Notes in Computer Science
Currently, software bugs may lead to irreversible disclosure of confidential data in multi-tier web applications. ...
We evaluate SafeWeb by reporting our experience of implementing a web-based cancer treatment application and deploying it as part of the UK National Health Service (NHS). ...
Acknowledgements This work was supported by grants EP/F042469 and EP/F044216 ("Smart-Flow: Extendable Event-Based Middleware") and grant EP/I501053 ("SafeWeb: Demonstrating End-to-End Security of NHS Patient ...
doi:10.1007/978-3-642-25821-3_25
fatcat:uow54ctyzbbvxmrvj2qhxrlbru
Cloud Platform Support for API Governance
2014
2014 IEEE International Conference on Cloud Engineering
"Service-izing" digital assets consists of encapsulating assets in software that exposes them to web and mobile applications via well-defined yet flexible, network accessible, application programming interfaces ...
As scalable information technology evolves to a more cloud-like model, digital assets (code, data and software environments) increasingly require curation as web-accessible services. ...
EAGER also extends PaaS with support for the specification and analysis of governance policies for APIs and their application to cloud-hosted web services statically, during deployment, and at runtime. ...
doi:10.1109/ic2e.2014.90
dblp:conf/ic2e/KrintzJDPWB14
fatcat:sp7zr654mfhjrkrm5l2pywyrie
Eliminating Trust From Application Programs By Way Of Software Architecture
2008
Software Engineering
Key to our approach is the use of a trusted multi-level security virtual machine, inside of which all secrets remain locked at all times. ...
We present a software architecture in which applications can be completely untrusted, even when they manipulate secrets. ...
Denning was also one of the first to point out that the information flow property should be enforced statically to contain label creep, and to avoid leaks through implicit flows. ...
dblp:conf/se/Franz08
fatcat:6vryj3bgizdghgk7cydnkhjv3y
Information Flow Control for Secure Cloud Computing
2014
IEEE Transactions on Network and Service Management
particulars of the cloud software stack in order to effect enforcement. ...
In this paper we describe the properties of cloud computing (Platform-as-a-Service clouds in particular) and review a range of IFC models and implementations to identify opportunities for using IFC within ...
It uses IFC to track data flows through all tiers of the web application infrastructure, in order to ensure end-to-end data confidentiality and integrity. ...
doi:10.1109/tnsm.2013.122313.130423
fatcat:oczijxwkfvdtrgar6nvab4ypem
Aspectizing JavaScript security
2013
Proceedings of the 3rd workshop on Modularity in systems software - MISS '13
To this end, we review major categories of approaches to make client-side applications secure and discuss uses of aspects that exist for some of them. ...
In this position paper we argue that aspects are well-suited to describe and implement a range of strategies to make secure JavaScript-based applications. ...
Acknowledgments This work has been partially funded by the SecCloud project of the French "Laboratoire d'Excellence" CominLabs. ...
doi:10.1145/2451613.2451616
fatcat:7yrvqlusmjbcli5qjuffdngeqy