SilverLine: Preventing data leaks from compromised web applications

Yogesh Mundada, Anirudh Ramachandran, Nick Feamster

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

6 Scopus citations

Abstract

Web applications can have vulnerabilities that result in server-side data leaks. Securing sensitive data in Web applications while ensuring reasonable performance, and without requiring developers to rewrite entire applications, is challenging. We present SilverLine, which prevents bulk data leaks caused by code injection in Web applications as well as by compromised user-level processes on the application server. SilverLine uses login information to associate a user with each Web session; it then taints each file and database record and applies information-flow tracking to the data associated with each session to ensure that application data is released only to sessions of authorized users. SilverLine focuses on isolating data between user sessions and is thus most suitable for applications that involve single-user sessions (e.g., banking, e-commerce). We have implemented SilverLine on Linux; our implementation demonstrates that SilverLine can protect a PHP-based Web application from many of the most common server-side Web application attacks by modifying only about 60 lines of code in the original application. Our evaluation shows that SilverLine incurs a performance overhead of about 20-30% over unmodified applications.
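As an added illustration (not code from the paper or its authors), the following toy Python model captures the enforcement idea the abstract describes: a trusted login step binds each session to a user, every stored record carries a taint label naming its owner, and an output sink releases a record only when its label matches the session's user, so a handler that fetches every row (for example through an injected query) still cannot leak other users' data. The record layout, the credential table and all sample rows are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Record:
    owner: str      # taint label: the user whose data this row is
    payload: str

@dataclass
class Session:
    session_id: str
    user: Optional[str] = None   # bound at login by trusted code, not by app logic

USERS = {"alice": "pw-a", "bob": "pw-b"}   # constructed credential table

def login(session: Session, user: str, password: str) -> bool:
    """Trusted login step: associate the session with the authenticated user."""
    if USERS.get(user) == password:
        session.user = user
        return True
    return False

def tainted_store() -> list[Record]:
    """Constructed datastore: each row is tagged with its owner when inserted."""
    return [Record("alice", "alice account balance"),
            Record("alice", "alice address"),
            Record("bob", "bob account balance")]

def release(session: Session, rows: list[Record]) -> tuple[list[str], int]:
    """Output sink between the application and the HTTP response.
    Returns (payloads released to the client, number of rows blocked)."""
    if session.user is None:            # unauthenticated session gets nothing
        return [], len(rows)
    allowed = [r.payload for r in rows if r.owner == session.user]
    return allowed, len(rows) - len(allowed)

def simulate_compromised_handler(user: str, password: str) -> tuple[list[str], int]:
    """Model a handler that reads every row regardless of who is logged in; the
    sink still confines the response to the session owner's own records."""
    session = Session("sid-1")
    login(session, user, password)
    return release(session, tainted_store())
```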

Original language: English (US)
Title of host publication: Proceedings - 29th Annual Computer Security Applications Conference, ACSAC 2013
Pages: 329-338
Number of pages: 10
DOIs
State: Published - 2013
Event: 29th Annual Computer Security Applications Conference, ACSAC 2013 - New Orleans, LA, United States
Duration: Dec 9 2013 to Dec 13 2013

Publication series

Name: ACM International Conference Proceeding Series

Other

Other: 29th Annual Computer Security Applications Conference, ACSAC 2013
Country/Territory: United States
City: New Orleans, LA
Period: 12/9/13 to 12/13/13

All Science Journal Classification (ASJC) codes

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications
