Modern web applications are complex entities amalgamating different languages, components, and platforms. These rich features span the application tiers and components, some from third parties, and require substantial effort to ensure that the insecurity of a single component does not render the entire system insecure. Securing web applications requires tracking information across the client, the server, and the underlying database, since securing each component in isolation may still result in an overall insecure system.
In this talk, we will discuss two approaches for achieving end-to-end security in web applications: security type systems and security monitors. The former utilizes homogeneous meta-programming to provide a uniform language for programming different components in a secure manner.
We present JSLINQ, an extension of the WebSharper library to track information flows, and demonstrate its capabilities through case studies such as a password meter, location-based services, a movie rental database, an online Battleship game, and a friend finder app.
For the latter approach, we will present a novel security monitor that relies on precise dependency tracking across the applications and the database, leveraging such database theory concepts as disclosure lattices and query determinacy.
The monitor accounts for a realistic database model that supports security-critical constructs like triggers and dynamic policies, while allowing for common database idioms like row-level policies.
Musard Balliu (http://www.csc.kth.se/~musard) is an Assistant Professor at the School of Electrical Engineering and Computer Science at KTH Royal Institute of Technology in Stockholm, Sweden.
His research interests lie at the intersection of computer security, programming languages, formal methods and software engineering. Musard Balliu's research ranges from the foundations to the practice of software security and privacy, with a main focus on language-based security and its applications to the Web and IoT domains.