• 主题
高级搜索  >
历史搜索 清空历史
首页> 外文学位 >End-to-end security of information flow in Web-based applications.
【24h】

End-to-end security of information flow in Web-based applications.

机译:基于Web的应用程序中信息流的端到端安全性。

获取原文
获取原文并翻译 | 示例
页面导航
  • 摘要
  • 著录项
  • 相似文献
  • 相关主题

摘要

Web-based applications and services are increasingly being used in security-sensitive tasks. Current security protocols rely on two crucial assumptions to protect the confidentiality and integrity of information: First, they assume that end-point software used to handle security-sensitive information is free from vulnerabilities. Secondly, these protocols assume point-to-point communication between a client and a service provider. However, these assumptions do not hold true with large and complex vulnerable end point software such as the Internet browser or web services middleware or in web service compositions where there can be multiple value-adding service providers interposed between a client and the original service provider.; To address the problem of large and complex end-point software, we present the AppCore approach which uses manual analysis of information flow, as opposed to purely automated approaches, to split existing software into two parts: a simplified trusted part that handles security-sensitive information and a legacy, untrusted part that handles non-sensitive information without access to sensitive information. Not only does this approach avoid many common and well-known vulnerabilities in the legacy software that compromised sensitive information, it also greatly reduces the size and complexity of the trusted code, thereby making exhaustive testing or formal analysis more feasible. We demonstrate the feasibility of the AppCore approach by constructing AppCores for two real-world applications: a client-side AppCore for https-based applications and an AppCore for web service platforms. Our evaluation shows that security improvements and complexity reductions (over a factor of five) can be attained with minimal modifications to existing software (a few tens of lines of code, and proxy settings of a browser) and an acceptable performance overhead (a few percent).; To protect the communication of sensitive information between the clients and service providers in web service compositions, we present an end-to-end security framework called WS-FESec that provides end-to-end security properties even in the presence of misbehaving intermediate services. We show that WS-FESec is flexible enough to support the lattice model of secure information flow and it guarantees precise security properties for each component service at a modest cost of a few milliseconds per signature or encrypted field.
机译:基于Web的应用程序和服务正越来越多地用于对安全敏感的任务中。当前的安全协议依赖两个关键的假设来保护信息的机密性和完整性:首先,他们假设用于处理对安全敏感的信息的端点软件没有漏洞。其次,这些协议假定客户端与服务提供商之间进行点对点通信。但是,这些假设对于大型且复杂的易受攻击的端点软件(例如Internet浏览器或Web服务中间件)或在Web服务组合中并不适用,在Web服务组合中,客户端和原始服务提供者之间可能存在多个增值服务提供者。 ;为了解决大型复杂的端点软件的问题,我们提出了AppCore方法,该方法使用信息流的手动分析(与纯自动化方法相反)将现有软件分为两部分:简化的受信任的部分,处理安全敏感的问题信息以及处理非敏感信息而不访问敏感信息的旧式,不受信任的部分。这种方法不仅避免了遗留软件中常见的众所周知的漏洞,这些漏洞危及了敏感信息,而且还大大降低了受信任代码的大小和复杂性,从而使详尽的测试或形式分析更加可行。我们通过为两个实际应用程序构建AppCores来证明AppCore方法的可行性:针对基于https的应用程序的客户端AppCore和针对Web服务平台的AppCore。我们的评估表明,只需对现有软件进行最少的修改(几十行代码和浏览器的代理设置),并获得可接受的性能开销(百分之几),就可以提高安全性和降低复杂性(超过五分之一) )。为了保护Web服务组合中客户端和服务提供者之间的敏感信息通信,我们提出了一种称为WS-FESec的端到端安全框架,即使在中间服务行为不当的情况下,该框架也可以提供端到端安全属性。我们证明WS-FESec具有足够的灵活性来支持安全信息流的网格模型,并且它以每个签名或加密字段几毫秒的适度成本,为每个组件服务保证了精确的安全性。

著录项

  • 作者

    Singaravelu, Lenin.;

  • 作者单位

    Georgia Institute of Technology.;

  • 授予单位 Georgia Institute of Technology.;
  • 学科 Computer Science.
  • 学位 Ph.D.
  • 年度 2007
  • 页码 121 p.
  • 总页数 121
  • 原文格式 PDF
  • 正文语种 eng
  • 中图分类 自动化技术、计算机技术;
  • 关键词

相似文献

  • 外文文献
  • 中文文献
  • 专利
获取原文

客服邮箱:kefu@zhangqiaokeyan.com

京公网安备:11010802029741号 ICP备案号:京ICP备15016152号-6 六维联合信息科技 (北京) 有限公司©版权所有

  • 客服微信

  • 服务号