Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Web Applications via Automatic Partitioning Stephen Chong, Jed Liu, Andrew C. Meyers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng. Cornell University.

Published byWesley French Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure Web Applications via Automatic Partitioning Stephen Chong, Jed Liu, Andrew C. Meyers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng. Cornell University."— Presentation transcript:

1 Secure Web Applications via Automatic Partitioning Stephen Chong, Jed Liu, Andrew C. Meyers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng. Cornell University

2 Outline Introduction Swift Architecture Writing Swift Applications WebIL Swift Runtime Evaluation Conclusion

3 Introduction Web applications are a critical part of today’s infrastructure

4 Introduction Web applications account for 69% of internet vulnerabilities Developer dilemma Performance vs security

5 Introduction Guess a number game Confidentiality requirement Client cannot see number Integrity requirement Client cannot affect number of guesses Only server can decide if guess is correct Client side only implementation Best performance Client can cheat

6 Swift Building web applications that are secure by construction Automatic partitioning of code and data Security critical code/data placed on server side only Code/data placed on client side for performance

7 Swift Architecture Jif Source Code WebIL WebIL Optimization Splitting Code JavaScript and Java Output Partitioning and Replication

8 Swift Architecture

9 Writing Swift Applications Extensions of Jif programming language Security policies expressed using labels Confidentiality and Integrity policies Labels refer to principals *(server) and client principals Compiler statically checks that information flow is consistent with policies Trust model Un trusted client Trusted server

10 Sample Policies

11 Guess a number Application

12 WebIL Concerned with placement of code and data Replace Jif labels with placement annotations Placements chosen to optimize responsiveness without sacrificing security Partitioning solved as Integer programming problem

13 Placement Annotations 9 placement annotations

14 Guess-a-Number in WebIL

15 Partitioning Algorithm Represent control flow as weighted directed graph Graph nodes are statements Edge weights are exec. frequencies Integer programming problem Reduce to instance of max flow problem Solution is placements of code/data

16 Partioning of Guess-a-Number

17 Swift Runtime Controls synchronization and communication JavaScript runs on Client Java code runs on server Asymmetric trust model Execution blocks Closures Activation Records

18 Execution Block Methods divided into execution blocks Single entry Multiple exits Unique ids Control transfer message Branch to block executing on different host

19 Execution Blocks of Guess-a-Number

20 Activation Records Execution blocks run in context of activation records Client/server have different views of same activation record Activation record updates forwarding between hosts Security restrictions of forwarding

21 Closures Next execution block id and activation record id Stack of closures Correct simulation of method calls/exceptions Integrity of control flow Clients invoke high integrity closures in controlled way

22 Evaluation Swift Compiler Jif compiler + 20K LOC Runtime system = 2.6K LOC Six web applications implemented

23 Generated code size

24 Network messages

25 Conclusion Constructing secure web applications Automatic partitioning of functionality Enforcement of information security policies Programmer effort to add annotations

Download ppt "Secure Web Applications via Automatic Partitioning Stephen Chong, Jed Liu, Andrew C. Meyers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng. Cornell University."

Similar presentations

Munich IETF, August 1997 Fluid A Java Version of Nifty Siegfried Löffler Rechenzentrum Universität Stuttgart.

Munich IETF, August 1997 Fluid A Java Version of Nifty Siegfried Löffler Rechenzentrum Universität Stuttgart.
CPSC 388 – Compiler Design and Construction

CPSC 388 – Compiler Design and Construction
Mobile Agents Mouse House Creative Technologies Mike OBrien.

Mobile Agents Mouse House Creative Technologies Mike OBrien.
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
Architecture-dependent optimizations Functional units, delay slots and dependency analysis.

Architecture-dependent optimizations Functional units, delay slots and dependency analysis.
Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009.

Building Secure Distributed Systems The CIF model : Component Information Flow Lilia Sfaxi DCS Days - 26/03/2009.
Course Outline Traditional Static Program Analysis –Theory Compiler Optimizations; Control Flow Graphs Data-flow Analysis – today’s class –Classic analyses.

Course Outline Traditional Static Program Analysis –Theory Compiler Optimizations; Control Flow Graphs Data-flow Analysis – today’s class –Classic analyses.
Untrusted Hosts and Confidentiality: Secure Program Partitioning Steve Zdancewic Lantian Zheng Nathaniel Nystrom Andrew Myers Cornell University.

Untrusted Hosts and Confidentiality: Secure Program Partitioning Steve Zdancewic Lantian Zheng Nathaniel Nystrom Andrew Myers Cornell University.
Java Script Session1 INTRODUCTION.

Java Script Session1 INTRODUCTION.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.
Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu

Ashish Kundu CS590F Purdue 02/12/07 Language-Based Information Flow Security Andrei Sabelfield, Andrew C. Myers Presentation: Ashish Kundu
G O B E Y O N D C O N V E N T I O N WORF: Developing DB2 UDB based Web Services on a Websphere Application Server Kris Van Thillo, ABIS Training & Consulting.

G O B E Y O N D C O N V E N T I O N WORF: Developing DB2 UDB based Web Services on a Websphere Application Server Kris Van Thillo, ABIS Training & Consulting.
Swift: Secure Web Applications via Automatic Partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng Cornell.

Swift: Secure Web Applications via Automatic Partitioning Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, Xin Zheng Cornell.
Variability Oriented Programming – A programming abstraction for adaptive service orientation Prof. Umesh Bellur Dept. of Computer Science & Engg, IIT.

Variability Oriented Programming – A programming abstraction for adaptive service orientation Prof. Umesh Bellur Dept. of Computer Science & Engg, IIT.
Distributed Systems Fall 2010 Replication Fall 20105DV0203 Outline Group communication Fault-tolerant services –Passive and active replication Highly.

Distributed Systems Fall 2010 Replication Fall 20105DV0203 Outline Group communication Fault-tolerant services –Passive and active replication Highly.
David Hughes Mark Liu William Liu Moses Nakamura Stephanie Ng.

David Hughes Mark Liu William Liu Moses Nakamura Stephanie Ng.
Jed Liu Xin Qi Michael D. George Lucas Waye K. Vikram Andrew C. Myers Department of Computer Science Cornell University 22 nd ACM SIGOPS Symposium on Operating.

Jed Liu Xin Qi Michael D. George Lucas Waye K. Vikram Andrew C. Myers Department of Computer Science Cornell University 22 nd ACM SIGOPS Symposium on Operating.
Beneficial Caching in Mobile Ad Hoc Networks Bin Tang, Samir Das, Himanshu Gupta Computer Science Department Stony Brook University.

Beneficial Caching in Mobile Ad Hoc Networks Bin Tang, Samir Das, Himanshu Gupta Computer Science Department Stony Brook University.

Similar presentations

Ads by Google