Building secure web applications with automatic partitioning

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Building secure web applications with automatic partitioning

Full text

Digital Edition , Html

Html (59 KB), Pdf

Pdf (950 KB)

Source

Communications of the ACM archive
Volume 52 , Issue 2 (February 2009) table of contents
Inspiring Women in Computing

SECTION: Research highlights table of contents

Pages 79-87

Year of Publication: 2009

ISSN:0001-0782

Authors

Stephen Chong	Cornell University
Jed Liu	Cornell University
Andrew C. Myers	Cornell University
Xin Qi	Cornell University
K. Vikram	Cornell University
Lantian Zheng	Cornell University
Xin Zheng	Cornell University

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 54, Downloads (12 Months): 576, Citation Count: 0

Additional Information:

abstract references index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1461928.1461949 What is a DOI?

ABSTRACT

Swift is a new, principled approach to building Web applications that are secure by construction. Modern Web applications typically implement some functionality as client-side JavaScript code, for improved interactivity. Moving code and data to the client can create security vulnerabilities, but currently there are no good methods for deciding when it is secure to do so.

Swift automatically partitions application code while providing assurance that the resulting placement is secure and efficient. Application code is written as Java-like code annotated with information flow policies that specify the confidentiality and integrity of Web application information. The compiler uses these policies to automatically partition the program into JavaScript code running in the client browser and Java code running on the server. To improve interactive performance, code and data are placed on the client. However, security-critical code and data are always placed on the server. The compiler may also automatically replicate code across the client and server, to obtain both security and performance.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Dirk Balfanz , Edward W. Felten, Hand-held computers can be better smart cards, Proceedings of the 8th conference on USENIX Security Symposium, p.2-2, August 23-26, 1999, Washington, D.C.
	2	Hans Bergsten, JavaServer Pages, 3rd Edition, O'Reilly & Associates, Inc., Sebastopol, CA, 2003
	3	Stephen Chong , Jed Liu , Andrew C. Myers , Xin Qi , K. Vikram , Lantian Zheng , Xin Zheng, Secure web application via automatic partitioning, Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles, October 14-17, 2007, Stevenson, Washington, USA
	4	Stephen Chong , Andrew C. Myers, Decentralized Robustness, Proceedings of the 19th IEEE workshop on Computer Security Foundations, p.242-256, July 05-07, 2006 [doi>10.1109/CSFW.2006.11]
	5	Cooper, E., Lindley, S., Wadler, P., Yallop, J. Links: Web programming without tiers. In Proceedings of the 5th International Symposium on Formal Methods for Components and Objects (November 2006).
	6	David Flanagan, JavaScript: The Definitive Guide, O'Reilly Media, Inc., 2006
	7	Fournet, C., Rezk, T. Cryptographically sound implementations for typed information-flow security. In IEEE Symposium on Computer Security Foundations (June 2008), 323--335.
	8	Google Web Toolkit. http://code.google.com/webtoolkit/.
	9	William G. J. Halfond , Alessandro Orso, AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks, Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, November 07-11, 2005, Long Beach, CA, USA [doi>10.1145/1101908.1101935]
	10	Yao-Wen Huang , Fang Yu , Christian Hang , Chung-Hung Tsai , Der-Tsai Lee , Sy-Yen Kuo, Securing web application code by static analysis and runtime protection, Proceedings of the 13th international conference on World Wide Web, May 17-20, 2004, New York, NY, USA [doi>10.1145/988672.988679]
	11	Galen C. Hunt , Michael L. Scott, The Coign automatic distributed partitioning system, Proceedings of the third symposium on Operating systems design and implementation, p.187-200, February 1999, New Orleans, Louisiana, United States
	12	Nenad Jovanovic , Christopher Kruegel , Engin Kirda, Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper), Proceedings of the 2006 IEEE Symposium on Security and Privacy, p.258-263, May 21-24, 2006 [doi>10.1109/SP.2006.29]
	13	Andrew C. Myers, JFlow: practical mostly-static information flow control, Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages, p.228-241, January 20-22, 1999, San Antonio, Texas, United States [doi>10.1145/292540.292561]
	14	Andrew C. Myers , Barbara Liskov, Protecting privacy using the decentralized label model, ACM Transactions on Software Engineering and Methodology (TOSEM), v.9 n.4, p.410-442, Oct. 2000 [doi>10.1145/363516.363526]
	15	Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N. Jif 3.0: Java information flow. Software release. http://www.cs.cornell.edu/jif, July 2006.
	16	Nguyen-Tuong, A., Guarneri, S., Greene, D., Evans, D. Automatically hardening web applications using precise tainting. In Proceedings of the 20th International Information Security Conference (May 2005), 372--382.
	17	Nystrom, N., Clarkson, M. R., Myers, A.C. Polyglot: An extensible compiler framework for Java. In Proceedings of the 12th International Compiler Construction Conference (CC'03) (April 2003), LNCS 2622, 138--152.
	18	PHP: hypertext processor, http://www.php.net.
	19	Manuel Serrano , Erick Gallesio , Florian Loitsch, Hop: a language for programming the web 2.0, Companion to the 21st ACM SIGPLAN symposium on Object-oriented programming systems, languages, and applications, October 22-26, 2006, Portland, Oregon, USA [doi>10.1145/1176617.1176756]
	20	Symantec Internet security threat report, volume X. Symantec Corporation, September 2006.
	21	David Thomas , Andrew Hunt, Programming Ruby: the pragmatic programmer's guide, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2000
	22	Yichen Xie , Alex Aiken, Static detection of security vulnerabilities in scripting languages, Proceedings of the 15th conference on USENIX Security Symposium, July 31-August 04, 2006, Vancouver, B.C., Canada
	23	Wei Xu , Sandeep Bhatkar , R. Sekar, Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks, Proceedings of the 15th conference on USENIX Security Symposium, July 31-August 04, 2006, Vancouver, B.C., Canada
	24	Fan Yang , Nitin Gupta , Nicholas Gerner , Xin Qi , Alan Demers , Johannes Gehrke , Jayavel Shanmugasundaram, A unified platform for data driven web applications with automatic client-server partitioning, Proceedings of the 16th international conference on World Wide Web, May 08-12, 2007, Banff, Alberta, Canada [doi>10.1145/1242572.1242619]
	25	Steve Zdancewic , Lantian Zheng , Nathaniel Nystrom , Andrew C. Myers, Secure program partitioning, ACM Transactions on Computer Systems (TOCS), v.20 n.3, p.283-328, August 2002 [doi>10.1145/566340.566343]
	26	Lantian Zheng , Stephen Chong , Andrew C. Myers , Steve Zdancewic, Using Replication and Partitioning to Build Secure Distributed Systems, Proceedings of the 2003 IEEE Symposium on Security and Privacy, p.236, May 11-14, 2003