An architecture for enforcing end-to-end access control over web applications

Boniface Hicks, Sandra Rueda, Dave King, Thomas Moyer, Joshua Schiffman, Yogesh Sreenivasan, Patrick McDaniel, Trent Jaeger

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

21 Scopus citations

Abstract

The web is now being used as a general platform for hosting distributed applications like wikis, bulletin board messaging systems and collaborative editing environments. Data from multiple applications originating at multiple sources all intermix in a single web browser, making sensitive data stored in the browser subject to a broad milieu of attacks (cross-site scripting, cross-site request forgery and others). The fundamental problem is that existing web infrastructure provides no means for enforcing end-to-end security on data. To solve this we design an architecture using mandatory access control (MAC) enforcement. We overcome the limitations of traditional MAC systems, implemented solely at the operating system layer, by unifying MAC enforcement across virtual machine, operating system, networking and application layers. We implement our architecture using Xen virtual machine management, SELinux at the operating system layer, labeled IPsec for networking and our own label-enforcing web browser, called FlowwolF. We tested our implementation and find that it performs well, supporting data intermixing while still providing end-to-end security guarantees.

Original language: English (US)
Title of host publication: SACMAT'10 - Proceedings of the 15th ACM Symposium on Access Control Models and Technologies
Pages: 163-172
Number of pages: 10
Publication status: Published - Jul 30 2010
Event: 15th ACM Symposium on Access Control Models and Technologies, SACMAT 2010 - Pittsburgh, PA, United States
Duration: Jun 9 2010 → Jun 11 2010

Publication series

Name: Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

Other

Other: 15th ACM Symposium on Access Control Models and Technologies, SACMAT 2010
Country: United States
City: Pittsburgh, PA
Period: 6/9/10 → 6/11/10

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
  • Information Systems

Cite this

Hicks, B., Rueda, S., King, D., Moyer, T., Schiffman, J., Sreenivasan, Y., ... Jaeger, T. (2010). An architecture for enforcing end-to-end access control over web applications. In SACMAT'10 - Proceedings of the 15th ACM Symposium on Access Control Models and Technologies (pp. 163-172). (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT). https://doi.org/10.1145/1809842.1809870