mdh.se Publications
Web Application Security Using JSFlow
Mälardalen University, School of Innovation, Design and Engineering, Embedded Systems; Chalmers University of Technology, Sweden. ORCID iD: 0000-0002-6621-8390
Chalmers University of Technology, Sweden.
2015 (English). In: Proceedings - 17th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, SYNASC 2015, 2015, pp. 16-19. Conference paper, Published paper (Refereed)
Resource type
Text
Abstract [en]

Web applications are often vulnerable to code injection attacks and to attacks through buggy or malicious libraries. Unfortunately, the current protection mechanisms are frequently ad hoc, a response to attacks after the fact. This has led to a plethora of specialized protection mechanisms that are often brittle and insufficient to guarantee security. This extended abstract accompanies a tutorial on web application security using JSFlow, an information-flow aware interpreter for full non-strict ECMA-262 (v.5). In contrast to access control, which most current protection mechanisms apply, information-flow control focuses on what applications are allowed to do with the information they access. This removes the inherent trust that access control places on entities that are granted access. Dispensing with this trust is key for the protection to withstand bypassing in the presence of untrustworthy third-party code and code injection attacks. Based on two practical attacks against an example web application, Hrafn, we demonstrate the power of JSFlow. The attacks model the scenario where the current standard protection mechanisms are bypassed or not applicable. Using a simple and natural security policy, we show how both attacks are prevented by JSFlow. Although information-flow control has not been tailor-made to prevent this kind of attack, it offers a uniform line of defense against untrustworthy and malicious code and ensures confidentiality of sensitive data.
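The abstract's contrast between access control (who may read a value) and information-flow control (where a value may subsequently go) is easiest to see on a concrete monitor. The block below is an added illustration and is not JSFlow's code: JSFlow is a full ECMA-262 interpreter that labels every value automatically, whereas here the example program is hand-instrumented through a small monitor API, and the sample cookie, the third-party origin and the variable names are constructed for the example. It shows the two checks that matter for the scenarios the abstract describes: a secret-labelled value reaching an untrusted third-party sink (explicit flow), and a public variable being written while control flow depends on a secret (implicit flow, stopped by the no-sensitive-upgrade rule commonly used by dynamic monitors, JSFlow among them).

```javascript
// Added illustration of dynamic information-flow control in miniature.
// Not JSFlow's code: the program below calls the monitor explicitly instead
// of being interpreted. Labels form the two-point lattice L (public) <= H (secret).

const L = 0; // public: may reach any sink
const H = 1; // secret: must not reach untrusted sinks

class IFCViolation extends Error {}

// A labelled value: the payload plus its security label.
function lab(value, label) {
  return { value, label };
}

class Monitor {
  constructor() {
    // Program-counter label stack. The top is the join of the labels of all
    // conditions the current control flow depends on (tracks implicit flows).
    this.pcStack = [L];
    this.log = [];
  }

  pc() { return this.pcStack[this.pcStack.length - 1]; }

  // Binary operation: the result is labelled with the join of both operands and pc.
  binop(f, a, b) {
    return lab(f(a.value, b.value), Math.max(a.label, b.label, this.pc()));
  }

  // Conditional: raise pc to the guard's label for the duration of the branch.
  branch(guard, thenFn, elseFn) {
    this.pcStack.push(Math.max(this.pc(), guard.label));
    try {
      return guard.value ? thenFn() : (elseFn ? elseFn() : undefined);
    } finally {
      this.pcStack.pop();
    }
  }

  // Assignment under the no-sensitive-upgrade (NSU) rule: an existing public
  // variable may not be written while pc is secret, because the *absence* of
  // the write in the other branch would otherwise reveal the guard.
  assign(store, name, v) {
    const old = store[name];
    if (old !== undefined && this.pc() > old.label) {
      throw new IFCViolation(`NSU: cannot write public variable '${name}' under secret pc`);
    }
    store[name] = lab(v.value, Math.max(v.label, this.pc()));
  }

  // Sink: sending to a third-party origin requires the data (and pc) to be public.
  send(origin, v) {
    if (Math.max(v.label, this.pc()) > L) {
      throw new IFCViolation(`flow of secret data to ${origin} blocked`);
    }
    this.log.push(`${origin} <- ${JSON.stringify(v.value)}`);
    return true;
  }
}

// Constructed third-party origin used by the scenarios (hypothetical).
const THIRD_PARTY = 'https://cdn.example-lib.invalid/ping';

// Scenario 1 (explicit flow): a buggy or malicious library reads the session
// cookie (constructed sample, labelled secret) and ships it to its own server.
// Access control would allow this: the library was granted access to the cookie.
function explicitLeak() {
  const m = new Monitor();
  const cookie = lab('sid=3f9a2c', H); // constructed sample secret
  const msg = m.binop((a, b) => a + b, lab('c=', L), cookie);
  try {
    m.send(THIRD_PARTY, msg);
    return 'leaked';
  } catch (e) {
    return e instanceof IFCViolation ? 'blocked' : 'error';
  }
}

// Scenario 2 (implicit flow): no secret is copied directly; a public flag is
// set depending on a secret and then sent. NSU stops the write itself.
function implicitLeak() {
  const m = new Monitor();
  const store = {};
  const isAdmin = lab(true, H); // constructed sample secret
  m.assign(store, 'flag', lab(0, L)); // at pc = L this write is allowed
  try {
    m.branch(isAdmin, () => m.assign(store, 'flag', lab(1, L)));
    m.send(THIRD_PARTY, store.flag);
    return 'leaked';
  } catch (e) {
    return e instanceof IFCViolation ? 'blocked' : 'error';
  }
}

// A benign flow of public data is still allowed: the policy restricts flows, not access.
function publicSend() {
  const m = new Monitor();
  m.send(THIRD_PARTY, lab({ page: '/home' }, L));
  return m.log;
}
```

The point of the example is the one the abstract makes: in both scenarios the third-party code was legitimately granted access to the data it reads, so an access-control check at the read would pass. The monitor does not forbid the read; it forbids the flow to a sink outside the policy, and it catches the indirect variant (the branch on a secret) with the same label mechanism, which is why a single, natural policy covers both attacks.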

Place, publisher, year, edition, pages
2015, pp. 16-19.
Keyword [en]
Internet, authorisation, JSFlow, Web application security, access control, buggy, code injection attack, information-flow aware interpreter, information-flow control, malicious library, natural security policy, nonstrict ECMA-262-v.5, sensitive data confidentiality, untrustworthy 3rd party code, Browsers, Monitoring, Servers, Uniform resource locators, Web pages
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:mdh:diva-31560
DOI: 10.1109/SYNASC.2015.11
ISI: 000384643800004
Scopus ID: 2-s2.0-84964871155
ISBN: 978-1-5090-0461-4 (print)
OAI: oai:DiVA.org:mdh-31560
DiVA: diva2:927188
Conference
17th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, SYNASC 2015; Timisoara, Romania; 21-24 September 2015; Category number P5742; Code 119854
Available from: 2016-05-11. Created: 2016-05-11. Last updated: 2016-10-28. Bibliographically approved.

Open Access in DiVA

No full text

Other links

Publisher's full text; Scopus

By author/editor
Hedin, Daniel
By organisation
Embedded Systems
Computer Systems