Implementing fault-tolerant services using the state machine approach: a tutorial
ACM Computing Surveys (CSUR)
Deterministic replay of Java multithreaded applications
SPDT '98 Proceedings of the SIGMETRICS symposium on Parallel and distributed tools
Untrusted hosts and confidentiality: secure program partitioning
SOSP '01 Proceedings of the eighteenth ACM symposium on Operating systems principles
JavaScript: The Definitive Guide
JavaScript: The Definitive Guide
Practical byzantine fault tolerance and proactive recovery
ACM Transactions on Computer Systems (TOCS)
Using Replication and Partitioning to Build Secure Distributed Systems
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Secure and Scalable Replication in Phalanx
SRDS '98 Proceedings of the The 17th IEEE Symposium on Reliable Distributed Systems
Security Design in Online Games
ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
ReVirt: enabling intrusion analysis through virtual-machine logging and replay
OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
BugNet: Continuously Recording Program Execution for Deterministic Replay Debugging
Proceedings of the 32nd annual international symposium on Computer Architecture
Dynamic Taint Propagation for Java
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Hilda: A High-Level Language for Data-DrivenWeb Applications
ICDE '06 Proceedings of the 22nd International Conference on Data Engineering
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
HOP: achieving efficient anonymity in MANETs by combining HIP, OLSR, and pseudonyms
Companion to the 21st ACM SIGPLAN symposium on Object-oriented programming systems, languages, and applications
JavaScript instrumentation for browser security
Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
Linux Journal
Self-securing storage: protecting data in compromised system
OSDI'00 Proceedings of the 4th conference on Symposium on Operating System Design & Implementation - Volume 4
Establishing the genuinity of remote computer systems
SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Finding security vulnerabilities in java applications with static analysis
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Enforcing Semantic Integrity on Untrusted Clients in Networked Virtual Environments
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Static detection of security vulnerabilities in scripting languages
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Secure web applications via automatic partitioning
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Ajax Security
MashupOS: operating system abstractions for client mashups
HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
End-to-end web application security
HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
SIF: enforcing confidentiality and integrity in web applications
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Better abstractions for secure server-side scripting
Proceedings of the 17th international conference on World Wide Web
Exploiting online games: cheating massively distributed systems
Exploiting online games: cheating massively distributed systems
Doloto: code splitting for network-bound web 2.0 applications
Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of software engineering
The Art of Capacity Planning: Scaling Web Resources
The Art of Capacity Planning: Scaling Web Resources
Capo: a software-hardware interface for practical deterministic multiprocessor replay
Proceedings of the 14th international conference on Architectural support for programming languages and operating systems
Using static analysis for Ajax intrusion detection
Proceedings of the 18th international conference on World wide web
XSS Attacks: Cross Site Scripting Exploits and Defense
XSS Attacks: Cross Site Scripting Exploits and Defense
Exploring Adobe Flash CS4
Links: web programming without tiers
FMCO'06 Proceedings of the 5th international conference on Formal methods for components and objects
Defending against injection attacks through context-sensitive string evaluation
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Mugshot: deterministic capture and replay for Javascript applications
NSDI'10 Proceedings of the 7th USENIX conference on Networked systems design and implementation
Symbolic security analysis of ruby-on-rails web applications
Proceedings of the 17th ACM conference on Computer and communications security
NoTamper: automatic blackbox detection of parameter tampering opportunities in web applications
Proceedings of the 17th ACM conference on Computer and communications security
Enforcing request integrity in web applications
DBSec'10 Proceedings of the 24th annual IFIP WG 11.3 working conference on Data and applications security and privacy
Paranoid Android: versatile protection for smartphones
Proceedings of the 26th Annual Computer Security Applications Conference
Plato: a compiler for interactive web forms
PADL'11 Proceedings of the 13th international conference on Practical aspects of declarative languages
Server-side verification of client behavior in online games
ACM Transactions on Information and System Security (TISSEC)
Automated construction of JavaScript benchmarks
Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications
Position paper: why are there so many vulnerabilities in web applications?
Proceedings of the 2011 workshop on New security paradigms workshop
Quo vadis? a study of the evolution of input validation vulnerabilities in web applications
FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
An empirical analysis of input validation mechanisms in web applications and languages
Proceedings of the 27th Annual ACM Symposium on Applied Computing
Scalable integrity-guaranteed AJAX
APWeb'12 Proceedings of the 14th Asia-Pacific international conference on Web Technologies and Applications
The CloudBrowser web application framework
Proceedings of the 3rd annual conference on Systems, programming, and applications: software for humanity
The design of RIA accessibility evaluation tool
Advances in Engineering Software
TamperProof: a server-agnostic defense for parameter tampering attacks on web applications
Proceedings of the third ACM conference on Data and application security and privacy
Control-Flow integrity in web applications
ESSoS'13 Proceedings of the 5th international conference on Engineering Secure Software and Systems
Jalangi: a selective record-replay and dynamic analysis framework for JavaScript
Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering
Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering
Flexible access control for javascript
Proceedings of the 2013 ACM SIGPLAN international conference on Object oriented programming systems languages & applications
25 million flows later: large-scale detection of DOM-based XSS
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
A survey on server-side approaches to securing web applications
ACM Computing Surveys (CSUR)
A Systematic Survey of Self-Protecting Software Systems
ACM Transactions on Autonomous and Adaptive Systems (TAAS) - Special Section on Best Papers from SEAMS 2012
Automated detection of parameter tampering opportunities and vulnerabilities in web applications
Journal of Computer Security
Hi-index | 0.00 |
Rich Internet applications are becoming increasingly distributed, as demonstrated by the popularity of AJAX or Web 2.0 applications such as Facebook, Google Maps, Hotmail and many others. A typical multi-tier AJAX application consists, at least, of a server-side component implemented in Java J2EE, PHP or ASP.NET and a client-side component running JavaScript. The resulting application is more responsive because computation has moved closer to the client, avoiding unnecessary network round trips for frequent user actions. However, once a portion of the code has moved to the client, a malicious user can subvert the client side of the computation, jeopardizing the integrity of the server-side state. In this paper we propose Ripley, a system that uses replicated execution to automatically preserve the integrity of a distributed computation. Ripley replicates a copy of the client-side computation on the trusted server tier. Every client-side event is transferred to the replica of the client for execution. Ripley observes results of the computation, both as computed on the client-side and on the server side using the replica of the client-side code. Any discrepancy is flagged as a potential violation of computational integrity. We built Ripley on top of Volta, a distributing compiler that translates .NET applications into JavaScript, effectively providing a measure of security by construction for Volta applications. We have evaluated the Ripley approach on 5 representative AJAX applications built in Volta and also Hotmail, a large widely-used AJAX application. Our results so far suggest that Ripley provides a promising strategy for building secure distributed web applications, which places minimal burden on the application developer at the cost of a low performance overhead.