Practical Cross-Tier Information Flow Control for Web Applications
Ladda ner
Typ
Examensarbete för masterexamen
Master Thesis
Master Thesis
Program
Computer systems and networks (MPCSN), MSc
Publicerad
2015
Författare
Liebe, Benjamin
Modellbyggare
Tidskriftstitel
ISSN
Volymtitel
Utgivare
Sammanfattning
Web applications are increasingly processing critical data. Maintaining information security in them is therefore a very important task. This is however a hard problem, as web applications typically split their functionality between different components in a three-tier architecture. One promising approach for this problem is to apply methods of Information Flow Control (IFC) across all tiers of web applications. These methods go beyond the possibilities of traditional security mechanisms such as access control and allow to tightly control where for example confidential information may or may not end up. Embedded into current research at Chalmers, this thesis aims to put the theory into practice: it first takes a closer look at what IFC actually means for web applications, which yields a discussion of how IFC policies can be used to better protect trust relationships and the business logic of the application. As a second step does the thesis use a given formal model for a security type system and turn it into a working prototype that extends the F# programming language in an unobtrusive way. Viability of this prototype is finally demonstrated by developing and discussing six different case studies that touch different aspects of web application development. The results show for the prototype that practical IFC requires a large initial effort but allows later a good integration into existing languages and development processes.
Beskrivning
Ämne/nyckelord
Data- och informationsvetenskap , Computer and Information Science