1 / 13

A Language-based Perspective on Web Application Security

A Language-based Perspective on Web Application Security. Jonas Magazinius Chapter co-leader Chalmers University of Technology jonas.magazinius@chalmers.se. 2011-08-25. Introduction. PhD at Chalmers Language-based Security research group Co-leader OWASP Gothenburg local chapter

clio
Download Presentation

A Language-based Perspective on Web Application Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Language-based Perspective on Web Application Security Jonas Magazinius Chapter co-leader Chalmers University of Technology jonas.magazinius@chalmers.se 2011-08-25

  2. Introduction • PhD at Chalmers • Language-based Security research group • Co-leader OWASP • Gothenburg local chapter • Security tweeter • @internot_

  3. Web Applications 15 Years Ago Loremipsum dolor sit amet, consectetueradipiscingelit, seddiamnonummynibheuismodtinciduntutlaoreetdolore magna aliquameratvolutpat. Utwisienim ad minim veniam, quisnostrudexercitationullamcorpersuscipitlobortisnislutaliquip ex ea commodoconsequat. Duisautemveleumiriure dolor in hendrerit in vulputatevelitessemolestieconsequat, velillumdoloreeufeugiatnullafacilisis at veroeros et accumsan et iustoodiodignissim qui blanditpraesentluptatumzzrildelenitaugueduisdoloretefeugaitnullafacilisi. Nam libertempor cum solutanobiseleifend option conguenihilimperdiet doming id quod mazimplacerat facer possimassum. Same-Origin Policy

  4. Web Applications Today Loremipsum dolor sit amet, consectetueradipiscingelit, seddiamnonummynibheuismodtinciduntutlaoreetdolore magna aliquameratvolutpat. Utwisienim ad minim veniam, quisnostrudexercitationullamcorpersuscipitlobortisnislutaliquip ex ea commodoconsequat. Duisautemveleumiriure dolor in hendrerit in vulputatevelitessemolestieconsequat, velillumdoloreeufeugiatnullafacilisis at veroeros et accumsan et iustoodiodignissim qui blanditpraesentluptatumzzrildelenitaugueduisdoloretefeugaitnullafacilisi. Nam libertempor cum solutanobiseleifend option conguenihilimperdiet doming id quod mazimplacerat facer possimassum. Typi non habentclaritateminsitam; estususlegentis in iis qui faciteorumclaritatem. Investigationesdemonstraveruntlectoreslegere me lius quod ii leguntsaepius. Claritasestetiamprocessusdynamicus, qui sequitur mutationemconsuetudiumlectorum. Mirumestnotare quam litteragothica, quam nuncputamusparumclaram, anteposueritlitterarumformashumanitatis per seaculaquartadecima et quintadecima. Eodemmodotypi, qui nuncnobisvidenturparumclari, fiantsollemnes in futurum.

  5. Mashups

  6. The Mashup Security Problem 1337 of your friends likes this Enter credit card: 1234 5678 9012 3456

  7. Language-based Security • public = secret + 1; • if (secret) { • public = true; • } else { • public = false; • } Secret Secret Public Public Escapes Requires declassification {“secret+1”: Public}

  8. A Language-based Approach Public Public

  9. Enforcement Static analysis Dynamic analysis secret=false; if (secret) { public=true; } alert(public); secret=false; if (secret) { public=true; } alert(public);

  10. x = expr; *x = lev(expr); if (x) { y = expr; *y = lev(x + expr); } Shadow variables • { • owner: • ‘chalmers.se’, • readers: • [‘google.com’] • } Public Native support?

  11. On-the-fly Rewriting Information flow Policy No assumptions about programming practices No change to the runtime environment is needed Unsafe code Safe monitored code Trans-formation Monitor Security label tracking

  12. A Language-based Approach Public Public

  13. Where Are We Now? • ECMAScript 5 • DOM interaction • Events • Integrity THANK YOU!

More Related