DOI: 10.1145/2491404.2491410
Research article

Practical information flow for legacy web applications

Published: 02 July 2013

Abstract

The popularity of web applications, coupled with the sensitivity of the data they operate on, makes them prime targets for attackers who want to misuse them. To make matters worse, many of these applications were not implemented with security in mind, and refactoring an existing, large web application to implement a security or privacy policy is prohibitively difficult. This paper presents LabelFlow, an extension of PHP that simplifies the implementation of security policies in web applications. To enforce a policy, LabelFlow tracks the propagation of information throughout the application, transparently and efficiently, both in the PHP runtime and through persistent storage. We provide strong theoretical guarantees for policy enforcement in LabelFlow: we define its semantics for a simple calculus and prove that it protects against information leaks. We used LabelFlow to add and enforce access control policies in three popular, large-scale, real-world web applications: MediaWiki, WordPress and OpenCart. LabelFlow requires minimal code changes of 50--100 lines of code per application, while incurring a small execution overhead of at most 5.6%.
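The abstract describes the mechanism only in outline: data carries a security label, the label follows the data through computation and through the database, and it is checked where data leaves the application. The Python model below is an added illustration of that idea and is not code from the paper or from LabelFlow itself (which is a PHP runtime extension, not a Python library). The label design (reader sets, with public as the bottom element), the class and function names (`Label`, `Labeled`, `LabeledTable`, `render_for`, `demo`) and the sample blog rows are all assumptions made for the example; the point it demonstrates is why labels have to survive the round trip through persistent storage and how combining data from two principals restricts who may see the result.

```python
"""Toy model of label-based information flow for a web application.

Added illustration only, not LabelFlow's code. Labels are reader sets
(a hypothetical design chosen for this example); they propagate through
string operations, survive a round trip through a simulated database
table, and are checked at the output sink.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Label:
    """Who may read a value. readers=None means public (anyone)."""
    readers: Optional[FrozenSet[str]]

    def join(self, other: "Label") -> "Label":
        # Combining two values: only principals allowed to read *both*
        # inputs may read the result (intersection); public adds no limit.
        if self.readers is None:
            return other
        if other.readers is None:
            return self
        return Label(self.readers & other.readers)

    def permits(self, principal: str) -> bool:
        return self.readers is None or principal in self.readers


PUBLIC = Label(None)


@dataclass(frozen=True)
class Labeled:
    """A string carrying its label; operations propagate the label."""
    value: str
    label: Label

    def __add__(self, other: "Labeled") -> "Labeled":
        return Labeled(self.value + other.value, self.label.join(other.label))

    def map(self, fn: Callable[[str], str]) -> "Labeled":
        # A pure transformation of one input keeps that input's label.
        return Labeled(fn(self.value), self.label)


class LabeledTable:
    """Simulated persistent storage: each row keeps (value, readers), so the
    label is not lost between requests. Plain in-process taint tracking
    loses this information as soon as data is written to a database."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[str, Optional[FrozenSet[str]]]] = {}

    def put(self, key: str, item: Labeled) -> None:
        self._rows[key] = (item.value, item.label.readers)

    def get(self, key: str) -> Labeled:
        value, readers = self._rows[key]
        return Labeled(value, Label(readers))


def render_for(viewer: str, item: Labeled) -> Optional[str]:
    """Output sink: release the value only if its label permits the viewer."""
    return item.value if item.label.permits(viewer) else None


def demo() -> Dict[str, Optional[str]]:
    # Constructed sample rows: a blog with a public title and a private
    # post body that only its author may read.
    db = LabeledTable()
    db.put("post:1:title", Labeled("Quarterly numbers", PUBLIC))
    db.put("post:1:body", Labeled("revenue down 12%", Label(frozenset({"alice"}))))
    db.put("post:2:body", Labeled("bob's draft", Label(frozenset({"bob"}))))

    # A later request reads the rows back; the labels come back with them.
    page = db.get("post:1:title") + Labeled(": ", PUBLIC) + db.get("post:1:body")
    shouted = page.map(str.upper)                          # label unchanged
    digest = db.get("post:1:body") + db.get("post:2:body")  # {alice} & {bob} = {}

    return {
        "alice_page": render_for("alice", page),
        "bob_page": render_for("bob", page),          # None: not a reader of the body
        "alice_upper": render_for("alice", shouted),
        "alice_digest": render_for("alice", digest),  # None: mixes two private values
    }
```

The join is deliberately restrictive: once a value derived from two users' private data exists, nobody can read it without an explicit declassification step, which is exactly the kind of decision the model forces the application developer to make in one place instead of scattering checks through the code.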


Cited By

  • (2022) TaintSQL: Dynamically Tracking Fine-Grained Implicit Flows for SQL Statements. 2022 IEEE 33rd International Symposium on Software Reliability Engineering (ISSRE), pp. 1--12. doi:10.1109/ISSRE55969.2022.00012. Published Oct 2022.
  • (2019) A Dynamic Taint Analysis Framework Based on Entity Equipment. IEEE Access, vol. 7, pp. 186308--186318. doi:10.1109/ACCESS.2019.2961144. Published 2019.
  • (2016) A Data Usage Control System Using Dynamic Taint Tracking. 2016 IEEE 30th International Conference on Advanced Information Networking and Applications (AINA), pp. 909--916. doi:10.1109/AINA.2016.127. Published Mar 2016.
  • (2016) Information Flow Control on a Multi-paradigm Web Application for SQL Injection Prevention. Foundations and Practice of Security, pp. 277--285. doi:10.1007/978-3-319-30303-1_18. Published 25 Feb 2016.
  • (2014) SeLINQ. ACM SIGPLAN Notices, 49(9), pp. 25--38. doi:10.1145/2692915.2628151. Published 19 Aug 2014.
  • (2014) SeLINQ. Proceedings of the 19th ACM SIGPLAN International Conference on Functional Programming, pp. 25--38. doi:10.1145/2628136.2628151. Published 19 Aug 2014.

Published In

ICOOOLPS'13: Proceedings of the 8th Workshop on Implementation, Compilation, Optimization of Object-Oriented Languages, Programs and Systems
July 2013
28 pages
ISBN: 9781450320450
DOI: 10.1145/2491404

Sponsors

  • CNRS: Centre National de la Recherche Scientifique
  • UM2: University Montpellier 2
  • AITO: Association Internationale pour les Technologies Objets

Publisher

Association for Computing Machinery, New York, NY, United States

Conference

ECOOP '13 (sponsors: CNRS, UM2, AITO)

Acceptance Rates

Overall Acceptance Rate 11 of 14 submissions, 79%
