Sciweavers

CSFW
2010
IEEE

Towards a Formal Foundation of Web Security

14 years 3 months ago
Towards a Formal Foundation of Web Security
—We propose a formal model of web security based straction of the web platform and use this model to analyze the security of several sample web mechanisms and applications. We identify three distinct threat models that can be used to analyze web applications, ranging from a web attacker who controls malicious web sites and clients, to stronger attackers who can control the network and/or leverage sites designed to display user-supplied content. We propose two broadly applicable security goals and study five security mechanisms. In our case studies, which include HTML5 forms, Referer validation, and a single sign-on solution, we use a SAT-based model-checking tool to find two previously known vulnerabilities and three new vulnerabilities. Our case study of a Kerberos-based single sign-on system illustrates the differences between a secure network protocol using custom client software and a similar but vulnerable web protocol that uses cookies, redirects, and embedded links instead.
Devdatta Akhawe, Adam Barth, Peifung E. Lam, John
Added 15 Aug 2010
Updated 15 Aug 2010
Type Conference
Year 2010
Where CSFW
Authors Devdatta Akhawe, Adam Barth, Peifung E. Lam, John C. Mitchell, Dawn Song
Comments (0)