TY - GEN
T1 - SilverLine
T2 - 29th Annual Computer Security Applications Conference, ACSAC 2013
AU - Mundada, Yogesh
AU - Ramachandran, Anirudh
AU - Feamster, Nick
N1 - Copyright:
Copyright 2014 Elsevier B.V., All rights reserved.
PY - 2013
Y1 - 2013
N2 - Web applications can have vulnerabilities that result in server-side data leaks. Securing sensitive data from Web applications while ensuring reasonable performance and without requiring developers to rewrite entire applications is challenging. We present SilverLine, which prevents bulk data leaks caused by code injection in Web applications as well as by compromised user-level processes on the application server. SilverLine uses login information to associate a user with each Web session; it then taints each file and database record and applies information-flow tracking to the data associated with each session to ensure that application data is released only to sessions of authorized users. SilverLine focuses on isolating data between user sessions and is thus most suitable to applications that involve single user sessions (e.g., banking, e-commerce). We have implemented SilverLine on Linux; our implementation demonstrates that SilverLine can protect a PHP-based Web application from many of the most common server-side Web application attacks by modifying only about 60 lines of code from the original application. Our evaluation shows that SilverLine incurs a performance overhead of about 20-30% over unmodified applications.
UR - http://www.scopus.com/inward/record.url?scp=84893274038&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84893274038&partnerID=8YFLogxK
U2 - 10.1145/2523649.2523663
DO - 10.1145/2523649.2523663
M3 - Conference contribution
AN - SCOPUS:84893274038
SN - 9781450320153
T3 - ACM International Conference Proceeding Series
SP - 329
EP - 338
BT - Proceedings - 29th Annual Computer Security Applications Conference, ACSAC 2013
Y2 - 9 December 2013 through 13 December 2013
ER -