Automating isolation and least privilege in web services

Aaron Blankstein, Michael J. Freedman

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

16 Scopus citations

Abstract

In many client-facing applications, a vulnerability in any part can compromise the entire application. This paper describes the design and implementation of Passe, a system that protects a data store from unintended data leaks and unauthorized writes even in the face of application compromise. Passe automatically splits (previously shared-memory-space) applications into sandboxed processes. Passe limits communication between those components and the types of accesses each component can make to shared storage, such as a backend database. In order to limit components to their least privilege, Passe uses dynamic analysis on developer-supplied end-to-end test cases to learn data and control-flow relationships between database queries and previous query results, and it then strongly enforces those relationships. Our prototype of Passe acts as a drop-in replacement for the Django web framework. By running eleven unmodified, off-the-shelf applications in Passe, we demonstrate its ability to provide strong security guarantees (Passe correctly enforced 96% of the applications' policies) with little additional overhead. Additionally, in the web-specific setting of the prototype, we also mitigate the cross-component effects of cross-site scripting (XSS) attacks by combining browser HTML5 sandboxing techniques with our automatic component separation.
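The learn-then-enforce idea in the abstract, as an added toy illustration (not Passe's own code): during developer test runs a proxy records which query arguments always equal a field from an earlier query's result in the same request, and afterwards it rejects queries that break that relationship. The `PolicyProxy`, `fake_db`, `my_posts` view and the session/post tables are all constructed for this example.

```python
"""Toy Passe-style policy inference: learn that a query argument is always
derived from an earlier query's result in the same request, then enforce it."""

class PolicyProxy:
    def __init__(self):
        self.learning = True
        self.policy = {}    # site -> constraints (param_idx, source_site, field)
        self.history = {}   # per-request: site -> rows that query returned

    def start_request(self):
        self.history = {}

    def _candidates(self, params):
        # every (argument == field of an earlier result row) seen this request
        return {(i, src, f) for i, p in enumerate(params)
                for src, rows in self.history.items()
                for row in rows for f, v in row.items() if v == p}

    def query(self, db, site, params):
        cands = self._candidates(params)
        if self.learning:   # keep only relationships that held in every test
            self.policy[site] = cands if site not in self.policy else self.policy[site] & cands
        elif self.policy.get(site, set()) - cands:
            raise PermissionError(f"{site}: argument not derived from a prior result")
        rows = db(site, params)
        self.history[site] = rows
        return rows

# Constructed stand-in for a SQL backend; 'site' names the query template.
SESSIONS = {"tokA": 7, "tokB": 9}
POSTS = {7: ["post by 7"], 9: ["post by 9"]}

def fake_db(site, params):
    if site == "session":
        return [{"user_id": SESSIONS[params[0]]}] if params[0] in SESSIONS else []
    return [{"body": b} for b in POSTS.get(params[0], [])]

def my_posts(proxy, token, user_id):
    # hypothetical view: user_id should only ever come from the session lookup
    proxy.start_request()
    proxy.query(fake_db, "session", (token,))
    return proxy.query(fake_db, "posts", (user_id,))

def learn_and_enforce():
    proxy = PolicyProxy()
    for tok, uid in [("tokA", 7), ("tokB", 9)]:   # developer-supplied tests
        my_posts(proxy, tok, uid)
    proxy.learning = False
    allowed = my_posts(proxy, "tokA", 7)
    try:
        my_posts(proxy, "tokA", 9)   # a compromised component forging user_id
        blocked = False
    except PermissionError:
        blocked = True
    return allowed, sorted(proxy.policy["posts"]), blocked
```

The inferred constraint says the `posts` query's first argument must equal `user_id` from the `session` result, so a forged `user_id` is refused even though the view code itself never checked it.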

Original language: English (US)
Title of host publication: Proceedings - IEEE Symposium on Security and Privacy
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 133-148
Number of pages: 16
ISBN (Electronic): 9781479946860
DOIs
State: Published - Nov 13 2014
Event: 35th IEEE Symposium on Security and Privacy, SP 2014 - San Jose, United States
Duration: May 18 2014 to May 21 2014

Publication series

Name: Proceedings - IEEE Symposium on Security and Privacy
ISSN (Print): 1081-6011

Other

Other: 35th IEEE Symposium on Security and Privacy, SP 2014
Country/Territory: United States
City: San Jose
Period: 5/18/14 to 5/21/14

All Science Journal Classification (ASJC) codes

  • Safety, Risk, Reliability and Quality
  • Software
  • Computer Networks and Communications

Keywords

  • capabilities
  • isolation
  • principle of least privilege
  • security policy inference
  • web security
