Building secure web applications with automatic partitioning

Authors:
Stephen Chong;Jed Liu;Andrew C. Myers;Xin Qi;K. Vikram;Lantian Zheng;Xin Zheng
Affiliations:
Cornell University;Cornell University;Cornell University;Cornell University;Cornell University;Cornell University;Cornell University
Venue:
Communications of the ACM - Inspiring Women in Computing
Year:
2009

Citing 20
Cited 8

JFlow: practical mostly-static information flow control

Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
The Coign automatic distributed partitioning system

OSDI '99 Proceedings of the third symposium on Operating systems design and implementation
Programming Ruby: the pragmatic programmer's guide

Programming Ruby: the pragmatic programmer's guide
Protecting privacy using the decentralized label model

ACM Transactions on Software Engineering and Methodology (TOSEM)
Secure program partitioning

ACM Transactions on Computer Systems (TOCS)
Using Replication and Partitioning to Build Secure Distributed Systems

SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
JavaServer Pages, 3rd Edition

JavaServer Pages, 3rd Edition
Securing web application code by static analysis and runtime protection

Proceedings of the 13th international conference on World Wide Web
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks

Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Decentralized Robustness

CSFW '06 Proceedings of the 19th IEEE workshop on Computer Security Foundations
HOP: achieving efficient anonymity in MANETs by combining HIP, OLSR, and pseudonyms

Companion to the 21st ACM SIGPLAN symposium on Object-oriented programming systems, languages, and applications
JavaScript: The Definitive Guide

JavaScript: The Definitive Guide
A unified platform for data driven web applications with automatic client-server partitioning

Proceedings of the 16th international conference on World Wide Web
Hand-held computers can be better smart cards

SSYM'99 Proceedings of the 8th conference on USENIX Security Symposium - Volume 8
Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Static detection of security vulnerabilities in scripting languages

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Secure web applications via automatic partitioning

Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Polyglot: an extensible compiler framework for Java

CC'03 Proceedings of the 12th international conference on Compiler construction
Links: web programming without tiers

FMCO'06 Proceedings of the 5th international conference on Formal methods for components and objects

Towards reasoning for web applications: an operational semantics for Hop

APLWACA '10 Proceedings of the 2010 Workshop on Analysis and Programming Languages for Web Applications and Cloud Applications
Compiling information-flow security to minimal trusted computing bases

ESOP'11/ETAPS'11 Proceedings of the 20th European conference on Programming languages and systems: part of the joint European conferences on theory and practice of software
SAFE extensibility of data-driven web applications

Proceedings of the 21st international conference on World Wide Web
Automated code injection prevention for web applications

TOSCA'11 Proceedings of the 2011 international conference on Theory of Security and Applications
Reasoning about Web Applications: An Operational Semantics for HOP

ACM Transactions on Programming Languages and Systems (TOPLAS)
A multi-tier semantics for Hop

Higher-Order and Symbolic Computation
Decision support for partially moving applications to the cloud: the example of business intelligence

Proceedings of the 2013 international workshop on Hot topics in cloud services
GlassTube: a lightweight approach to web application integrity

Proceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Swift is a new, principled approach to building Web applications that are secure by construction. Modern Web applications typically implement some functionality as client-side JavaScript code, for improved interactivity. Moving code and data to the client can create security vulnerabilities, but currently there are no good methods for deciding when it is secure to do so. Swift automatically partitions application code while providing assurance that the resulting placement is secure and efficient. Application code is written as Java-like code annotated with information flow policies that specify the confidentiality and integrity of Web application information. The compiler uses these policies to automatically partition the program into JavaScript code running in the client browser and Java code running on the server. To improve interactive performance, code and data are placed on the client. However, security-critical code and data are always placed on the server. The compiler may also automatically replicate code across the client and server, to obtain both security and performance.