buttonTrust
 
Commands
  Search pubs

Quick search by ...
Year
  2011
2010
2009
2008
2007
2006
2005
2004
2002

Group
  aftrust
aftrustfaculty
deab
eab
eduboard
education
euus
execboard
financial
gig
government
health
healthcare
hsn
hsnresearch
hsnucb
iab
iacb
icast
icastucb
idtheft
industry
knowledgetransfer
languages
netdefenses
patientmonitor
pdfellowship
physical
policy
reu
reu11gold
reu2009
reu2010
reu2011
scada
securit
securit2007
sensornets
sensorprivacy
sitevisit
superb
superb2008
telecomitalia
trust
trustadmin
trustfaculty
trustlocal
trustseminar
trustworthy
university
wise2006
SIF: Enforcing Confidentiality and Integrity in Web Applications
S. Chong, K. Vikram, A. C. Myers

Citation
S. Chong, K. Vikram, A. C. Myers. "SIF: Enforcing Confidentiality and Integrity in Web Applications". Proceedings of the 16th USENIX Security Symposium, 1-16, August, 2007.

Abstract
SIF (Servlet Information Flow) is a novel software framework for building high-assurance web applications, using language-based information-flow control to enforce security. Explicit, end-to-end confidentiality and integrity policies can be given either as compile-time program annotations, or as run-time user requirements. Compile-time and run-time checking efficiently enforce these policies. Information flow analysis is known to be useful against SQL injection and cross-site scripting, but SIF prevents inappropriate use of information more generally: the flow of confidential information to clients is controlled, as is the flow of low-integrity information from clients. Expressive policies allow users and application providers to protect information from one another. SIF moves trust out of the web application, and into the framework and compiler. This provides application deployers with stronger security assurance. Language-based information flow promises cheap, strong information security. But until now, it could not effectively enforce information security in highly dynamic applications. To build SIF, we developed new language features that make it possible to write realistic web applications. Increased assurance is obtained with modest enforcement overhead.

Electronic downloads

Citation formats  
  • HTML 
    S. Chong, K. Vikram, A. C. Myers. <a
href="http://www.truststc.org/pubs/451.html"
>SIF: Enforcing Confidentiality and Integrity in Web
Applications</a>, Proceedings of the 16th USENIX
Security Symposium, 1-16, August, 2007.
  • Plain text 
    S. Chong, K. Vikram, A. C. Myers. "SIF: Enforcing
Confidentiality and Integrity in Web Applications".
Proceedings of the 16th USENIX Security Symposium, 1-16,
August, 2007.
  • BibTeX 
    @inproceedings{ChongVikramMyers07_SIFEnforcingConfidentialityIntegrityInWebApplications,
    author = {S. Chong and K. Vikram and A. C. Myers},
    title = {SIF: Enforcing Confidentiality and Integrity in
              Web Applications},
    booktitle = {Proceedings of the 16th USENIX Security Symposium},
    pages = {1-16},
    month = {August},
    year = {2007},
    abstract = {SIF (Servlet Information Flow) is a novel software
              framework for building high-assurance web
              applications, using language-based
              information-flow control to enforce security.
              Explicit, end-to-end confidentiality and integrity
              policies can be given either as compile-time
              program annotations, or as run-time user
              requirements. Compile-time and run-time checking
              efficiently enforce these policies. Information
              flow analysis is known to be useful against SQL
              injection and cross-site scripting, but SIF
              prevents inappropriate use of information more
              generally: the flow of confidential information to
              clients is controlled, as is the flow of
              low-integrity information from clients. Expressive
              policies allow users and application providers to
              protect information from one another. SIF moves
              trust out of the web application, and into the
              framework and compiler. This provides application
              deployers with stronger security assurance.
              Language-based information flow promises cheap,
              strong information security. But until now, it
              could not effectively enforce information security
              in highly dynamic applications. To build SIF, we
              developed new language features that make it
              possible to write realistic web applications.
              Increased assurance is obtained with modest
              enforcement overhead. },
    URL = {http://www.truststc.org/pubs/451.html}
}

Posted by Andrew C. Myers, Ph.D. on 22 Aug 2008.
For additional information, see the Publications FAQ or contact webmaster at www truststc org..

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.
You are not logged in 
© 2005-2012 Trust