Title: Designing Security Policies and Frameworks for Web Applications

Kapil Singh
Ph.D. student in Computer Science
School of Computational Science
College of Computing
Georgia Institute of Technology

Committee:

Dr. Wenke Lee (Advisor, School of Computer Science, Georgia Tech)
Dr. Mustaque Ahamad (School of Computer Science, Georgia Tech)
Dr. Nick Feamster (School of Computer Science, Georgia Tech)
Dr. Patrick Traynor (School of Computer Science, Georgia Tech)
Dr. Mihai Christodorescu (IBM Research T. J. Watson)

Summary:

There are multiple players that participate in forming the policies to determine the security of content on the web.

First, the web application hosted on a server determines who can access its content. Second, the client-side software such as web browsers have mandatory enforcement for their security policies. Finally, the average users have become substantial contributors of web content, whether it is in the form of blogs, personal pictures or social profiles, and subsequently also desire more control over security policies that determine sharing of their content.

This thesis investigates the design of effective web security policies that are aligned with the changing security requirements of the evolving Web, and the development of flexible frameworks to enable efficient enforcement of these novel policies in the dynamic web environment. With these goals, we first analyze the mechanisms by which the different web players interact to define the web security policies. We evaluate the effectiveness of such policies and propose improvements that are better suited to today's dynamic web environments. Finally, we develop frameworks that serve as platforms to enable the enforcement of security policies on behalf of the key web players.

This dissertation research makes four unique contributions. First, we develop a framework for application platforms to enforce user-defined policies with third-party applications, in particular to control flow of data. One example of such web applications is social networking where the users have to not only trust their platform application with personal data and assume that their privacy preferences are correctly enforced, but also trust each application they use in a similar manner. This leaves user data vulnerable to accidental or malicious leaks by these applications. In this work, we develop alternatives for designing generic web application platforms, by using information flow models to control what untrusted applications can do with the information they receive. We use social networking as representative application and design a novel framework, called xBook, for building social networks that require no trust in the third party applications. We implement a proof-of-concept prototype for xBook, and evaluate its usability by developing sample applications using its APIs.

Second, since users interact with web applications through browsers, we conduct a systematic analysis of the incoherencies in current browser security policies that conflict with privacy preserving policies and frameworks. One example of such policies is that current browsers support certain features that allow applications to have access to resources belonging to the user or trick the user to perform unintended action. By uncovering such trapholes, we aim to enumerate all possibilities of data leaks from the browser and suggest policies to prevent these leaks. Given that wide-scale adoption of any new browser policy, even if it is for improving security, is marked with concerns for backward compatibility, we plan to perform a large scale compatibility study to analyze the cost of, and thus ultimately motivate, the adoption of secure browser policies that protect user's privacy and prevent user data leaks.

Third, meaningful security on the web browser platform cannot be ensured without achieving end-to-end security between a user’s web browser and web sites. Although HTTPS can help achieve end-to-end security by preventing man-in-the-middle attacks, its universal adoption by web sites is hindered by its performance cost and its inability to be cached at intermediate servers (such as CDN servers and cache proxies). In our work, we observe that only end-to-end authentication and integrity are required for the browser platform to enforce its access control reliably. Without end-to-end confidentiality, content can be cached. To this end, we propose a new protocol, HTTPi, which offers only end-to-end authentication and integrity and seamlessly works with the existing web caching infrastructure. We also propose mechanisms that allow web applications to place integrity policy requirements on the content embedded on their sites. HTTPi performs content signing while perserving progressive content loading supported by browsers.

Because content signing can be done offline, HTTPi incurs negligible overhead over HTTP. Our prototype and evaluation experience show that HTTPi is practical for adoption.

Finally, we develop a generalized framework, called xAccess, for a user to specify policies on how data seekers can access the user's data in the context of web applications. On one hand, this framework enables a user to use a single unified access control model across multiple web applications; and on the other hand, it allows an application to support different access control models deployed by its users with a single model abstraction.