Practical Cross-Tier Information Flow Control for Web Applications
dc.contributor.author | Liebe, Benjamin | |
dc.contributor.department | Chalmers tekniska högskola / Institutionen för data- och informationsteknik (Chalmers) | sv |
dc.contributor.department | Chalmers University of Technology / Department of Computer Science and Engineering (Chalmers) | en |
dc.date.accessioned | 2019-07-03T13:49:40Z | |
dc.date.available | 2019-07-03T13:49:40Z | |
dc.date.issued | 2015 | |
dc.description.abstract | Web applications are increasingly processing critical data. Maintaining information security in them is therefore a very important task. This is, however, a hard problem, as web applications typically split their functionality between different components in a three-tier architecture. One promising approach to this problem is to apply methods of Information Flow Control (IFC) across all tiers of web applications. These methods go beyond the possibilities of traditional security mechanisms such as access control and make it possible to tightly control where, for example, confidential information may or may not end up. Embedded into current research at Chalmers, this thesis aims to put the theory into practice: it first takes a closer look at what IFC actually means for web applications, which yields a discussion of how IFC policies can be used to better protect trust relationships and the business logic of the application. As a second step, the thesis takes a given formal model for a security type system and turns it into a working prototype that extends the F# programming language in an unobtrusive way. The viability of this prototype is finally demonstrated by developing and discussing six different case studies that touch on different aspects of web application development. The results for the prototype show that practical IFC requires a large initial effort but later allows good integration into existing languages and development processes. | |
dc.identifier.uri | https://hdl.handle.net/20.500.12380/225248 | |
dc.language.iso | eng | |
dc.setspec.uppsok | Technology | |
dc.subject | Data- och informationsvetenskap | |
dc.subject | Computer and Information Science | |
dc.title | Practical Cross-Tier Information Flow Control for Web Applications | |
dc.type.degree | Examensarbete för masterexamen | sv |
dc.type.degree | Master Thesis | en |
dc.type.uppsok | H | |
local.programme | Computer systems and networks (MPCSN), MSc |
Download
Original bundle
- Name:
- 225248.pdf
- Size:
- 815.12 KB
- Format:
- Adobe Portable Document Format
- Description:
- Full text