{"65572":{"#nid":"65572","#data":{"type":"event","title":"Ph.D. Defense of Dissertation: Kapil Singh","body":[{"value":"\u003Cp\u003E\u003Cstrong\u003ETitle: Designing Security Policies and Frameworks for Web\nApplications\u003C\/strong\u003E\u003C\/p\u003E\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\u003Cp\u003E\u003Cstrong\u003EKapil Singh\u003C\/strong\u003E\u003Cbr \/\u003EPh.D. student in Computer Science\u003Cbr \/\u003ESchool of Computational Science\u003Cbr \/\u003ECollege of Computing\u003Cbr \/\u003EGeorgia Institute of Technology\u003C\/p\u003E\n\n\u003Cp\u003E\u003Cstrong\u003ECommittee:\u003C\/strong\u003E\u003C\/p\u003E\n\n\n\n\u003Cp\u003EDr. Wenke Lee (Advisor, School of Computer Science,\nGeorgia Tech)\u003Cbr \/\u003EDr. Mustaque Ahamad (School of Computer Science, Georgia Tech)\u003Cbr \/\u003EDr. Nick Feamster (School of Computer Science, Georgia Tech)\u003Cbr \/\u003EDr. Patrick\nTraynor (School of Computer Science, Georgia Tech)\u003Cbr \/\u003EDr. Mihai Christodorescu\n(IBM Research T. J. Watson)\u003C\/p\u003E\n\n\u003Cp\u003E\u003Cstrong\u003ESummary:\u003C\/strong\u003E\u003C\/p\u003E\n\n\u003Cp\u003EThere are multiple players that participate in forming\nthe policies to determine the security of content on the web.\u003C\/p\u003E\n\n\n\n\u003Cp\u003EFirst, the web application hosted on a server determines\nwho can access its content. Second, the client-side software such as web\nbrowsers have mandatory enforcement for their security policies. Finally, the\naverage users have become substantial contributors of web content, whether it\nis in the form of blogs, personal pictures or social profiles, and subsequently\nalso desire more control over security policies that determine sharing of their\ncontent. \u003C\/p\u003E\n\n\n\n\u003Cp\u003EThis thesis investigates the design of effective web\nsecurity policies that are aligned with the changing security requirements of\nthe evolving Web, and the development of flexible frameworks to enable\nefficient enforcement of these novel policies in the dynamic web environment.\nWith these goals, we first analyze the mechanisms by which the different web\nplayers interact to define the web security policies. We evaluate the\neffectiveness of such policies and propose improvements that are better suited\nto today\u0027s dynamic web environments. Finally, we develop frameworks that serve\nas platforms to enable the enforcement of security policies on behalf of the\nkey web players.\u003C\/p\u003E\n\n\n\n\u003Cp\u003EThis dissertation research makes four unique\ncontributions. First, we develop a framework for application platforms to\nenforce user-defined policies with third-party applications, in particular to\ncontrol flow of data. One example of such web applications is social networking\nwhere the users have to not only trust their platform application with personal\ndata and assume that their privacy preferences are correctly enforced, but also\ntrust each application they use in a similar manner. This leaves user data\nvulnerable to accidental or malicious leaks by these applications. In this\nwork, we develop alternatives for designing generic web application platforms,\nby using information flow models to control what untrusted applications can do\nwith the information they receive. We use social networking as representative\napplication and design a novel framework, called xBook, for building social\nnetworks that require no trust in the third party applications. We implement a\nproof-of-concept prototype for xBook, and evaluate its usability by developing\nsample applications using its APIs.\u003C\/p\u003E\n\n\u003Cp\u003ESecond, since users interact with web applications\nthrough browsers, we conduct a systematic analysis of the incoherencies in\ncurrent browser security policies that conflict with privacy preserving\npolicies and frameworks. One example of such policies is that current browsers\nsupport certain features that allow applications to have access to resources\nbelonging to the user or trick the user to perform unintended action. By\nuncovering such trapholes, we aim to enumerate all possibilities of data leaks\nfrom the browser and suggest policies to prevent these leaks. Given that\nwide-scale adoption of any new browser policy, even if it is for improving\nsecurity, is marked with concerns for backward compatibility, we plan to\nperform a large scale compatibility study to analyze the cost of, and thus\nultimately motivate, the adoption of secure browser policies that protect\nuser\u0027s privacy and prevent user data leaks.\u003C\/p\u003E\n\n\u003Cp\u003EThird, meaningful security on the web browser platform cannot\nbe ensured without achieving end-to-end security between a user\u2019s web browser\nand web sites. Although HTTPS can help achieve end-to-end security by\npreventing man-in-the-middle attacks, its universal adoption by web sites is\nhindered by its performance cost and its inability to be cached at intermediate\nservers (such as CDN servers and cache proxies). In our work, we observe that\nonly end-to-end authentication and integrity are required for the browser\nplatform to enforce its access control reliably. Without end-to-end\nconfidentiality, content can be cached. To this end, we propose a new protocol,\nHTTPi, which offers only end-to-end authentication and integrity and seamlessly\nworks with the existing web caching infrastructure. We also propose mechanisms\nthat allow web applications to place integrity policy requirements on the\ncontent embedded on their sites. HTTPi performs content signing while\nperserving progressive content loading supported by browsers.\u003C\/p\u003E\n\n\u003Cp\u003EBecause content signing can be done offline, HTTPi incurs\nnegligible overhead over HTTP. Our prototype and evaluation experience show\nthat HTTPi is practical for adoption.\u003C\/p\u003E\u003Cp\u003EFinally, we develop a generalized framework, called\nxAccess, for a user to specify policies on how data seekers can access the user\u0027s\ndata in the context of web applications. On one hand, this framework enables a\nuser to use a single unified access control model across multiple web\napplications; and on the other hand, it allows an application to support\ndifferent access control models deployed by its users with a single model\nabstraction.\u003C\/p\u003E","summary":null,"format":"limited_html"}],"field_subtitle":"","field_summary":"","field_summary_sentence":[{"value":"Designing Security Policies and Frameworks for Web Applications"}],"uid":"27466","created_gmt":"2011-04-14 15:18:26","changed_gmt":"2016-10-08 01:54:46","author":"Dani Denton","boilerplate_text":"","field_publication":"","field_article_url":"","field_event_time":{"event_time_start":"2011-05-02T14:00:00-04:00","event_time_end":"2011-05-02T16:00:00-04:00","event_time_end_last":"2011-05-02T16:00:00-04:00","gmt_time_start":"2011-05-02 18:00:00","gmt_time_end":"2011-05-02 20:00:00","gmt_time_end_last":"2011-05-02 20:00:00","rrule":null,"timezone":"America\/New_York"},"extras":[],"groups":[{"id":"47223","name":"College of Computing"},{"id":"50875","name":"School of Computer Science"}],"categories":[],"keywords":[{"id":"11038","name":"CoC PhD Thesis Proposal Announcement"}],"core_research_areas":[],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003E\u003Ca href=\u0022mailto:ksingh@cc.gatech.edu\u0022\u003EKapil Kumar Singh\u003C\/a\u003E\u003C\/p\u003E","format":"limited_html"}],"email":[],"slides":[],"orientation":[],"userdata":""}}}