A hardware architecture for implementing protection rings
Communications of the ACM
Advanced PHP Programming
Pixy: A Static Analysis Tool for Detecting Web Application Vulnerabilities (Short Paper)
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Protecting browser state from web privacy attacks
Proceedings of the 15th international conference on World Wide Web
A Framework for Building Privacy-Conscious Composite Web Services
ICWS '06 Proceedings of the IEEE International Conference on Web Services
Defeating script injection attacks with browser-enforced embedded policies
Proceedings of the 16th international conference on World Wide Web
Using web application construction frameworks to protect against code injection attacks
Proceedings of the 2007 workshop on Programming languages and analysis for security
Dynamic pharming attacks and locked same-origin policies for web browsers
Proceedings of the 14th ACM conference on Computer and communications security
SIF: enforcing confidentiality and integrity in web applications
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
CLAMP: Practical Prevention of Large-Scale Data Leaks
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Fine-grained privilege separation for web applications
Proceedings of the 19th international conference on World wide web
Links: web programming without tiers
FMCO'06 Proceedings of the 5th international conference on Formal methods for components and objects
ESCUDO: A Fine-Grained Protection Model for Web Browsers
ICDCS '10 Proceedings of the 2010 IEEE 30th International Conference on Distributed Computing Systems
Nemesis: preventing authentication & access control vulnerabilities in web applications
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Towards Fine-Grained Access Control in JavaScript Contexts
ICDCS '11 Proceedings of the 2011 31st International Conference on Distributed Computing Systems
Improving access control for browsers using dynamic scoping
Proceedings of the 51st ACM Southeast Conference
Hi-index | 0.00 |
The Web is playing a very important role in our lives, and is becoming an essential element of the computing infrastructure. Unfortunately, its importance makes it the preferred target of attacks. Web-based vulnerabilities now outnumber traditional computer security concerns. A recent study shows that over 80 percent of web sites have had at least one serious vulnerability. We believe that the Web's problems, to a large degree, are caused by the inadequacy of its underlying access control systems. To reduce the number of vulnerabilities, it is essential to provide web applications with better access control models that can adequately address the protection needs of the current Web. As a part of the efforts to develop a better access control system for the Web, we focus on the server-side access control in this paper. We introduce a new concept called subsession, based on which, we have developed a ringbased access control system (called Scuta) for web servers. Scuta provides a fine-grained and backward-compatible access control mechanism for web applications. We have implemented Scuta in PHP, and have conducted comprehensive case studies to evaluate its benefits.