FlowGuard - Lirias - KU Leuven

bootlessbwakInternet και Εφαρμογές Web

12 Νοε 2013 (πριν από 4 χρόνια και 3 μήνες)

95 εμφανίσεις

FlowGuard
Server-Side JavaScript with Information Flow Control
WASR’13
Willem De Groef
iMinds–DistriNet
Dept.of Computer Science,KU Leuven
Willem.DeGroef@cs.kuleuven.be
August 21,2013
1/8
Introduction FlowGuard Demo Conclusions
Trend 1:JavaScript Everywhere
Web applications are a big thing
HTML5
JavaScript
Client/Server -side JavaScript is booming
Efficient JavaScript runtime environments
Same developers for client–server
Callback-oriented programming
2/8
Introduction FlowGuard Demo Conclusions
Trend 2:Information Flow Security
Last years many server-side middleware platforms:
GuardRail,Safeweb,Resin,Aeolus,...
Discrepancies:
1 information flow control technologies and state-of-the-art
techniques
2 Supported languages (Ruby,PHP,Java)
Progress on Secure Multi-Execution (SME)
Strong formal guarantees
Recover from leaks while maintaining soundness
Several implementation strategies available
3/8
Introduction FlowGuard Demo Conclusions
FlowGuard
SME library on top of NODEJS
Enforcement of stateful information flow policies
Add/improve security
Safely contain third-party libraries
Even add new business logic (e.g.,pay-wall)
Features:
No infrastructural changes (compatibility,low impact)
No interweaved policies (separation of concerns)
Stateful policies in JavaScript (expressiveness)
Fix information leaks (availability/recovery)
4/8
Introduction FlowGuard Demo Conclusions
Architectural Overview
5/8
Introduction FlowGuard Demo Conclusions
Demo Setup
Simple wiki application:serve HTML files
Directory traversal bug
Policy:only files from within wiki/directory may be sent
via the network
6/8
Introduction FlowGuard Demo Conclusions
Future Work
Policies
Domain-specific concepts vs.labelling of API calls
Good,consistent,(stateful) policies?
New definition language?
Security guarantees (formal model)
Performance overhead (membranes + virtualisation)
SMEv2 (Rafnsson & Sabelfeld,CSF 2013)
...?
7/8
Introduction FlowGuard Demo Conclusions
Conclusions
Server-side JavaScript is booming
Intresting information flow technique available (SME)
FlowGuard:information flow framework for NODEJS
No infrastructural changes
Enforcement powerful policies
Solid theoretical foundation (SME)
Thank you for your attention.Questions?
Willem.DeGroef@cs.kuleuven.be
8/8