Title :
Towards a Formal Foundation of Web Security
Author :
Akhawe, Devdatta ; Barth, Adam ; Lam, Peifung E. ; Mitchell, John ; Song, Dawn
Author_Institution :
Univ. of California, Berkeley, CA, USA
Abstract :
We propose a formal model of web security based on an abstraction of the web platform and use this model to analyze the security of several sample web mechanisms and applications. We identify three distinct threat models that can be used to analyze web applications, ranging from a web attacker who controls malicious web sites and clients, to stronger attackers who can control the network and/or leverage sites designed to display user-supplied content. We propose two broadly applicable security goals and study five security mechanisms. In our case studies, which include HTML5 forms, Referer validation, and a single sign-on solution, we use a SAT-based model-checking tool to find two previously known vulnerabilities and three new vulnerabilities. Our case study of a Kerberos-based single sign-on system illustrates the differences between a secure network protocol using custom client software and a similar but vulnerable web protocol that uses cookies, redirects, and embedded links instead.
Keywords :
Internet; hypermedia markup languages; security of data; formal foundation; formal model; malicious web clients; malicious web sites; web attacker; web platform; web security; Analytical models; Browsers; Protocols; Security; Web server; Web sites;
Conference_Titel :
Computer Security Foundations Symposium (CSF), 2010 23rd IEEE
Conference_Location :
Edinburgh
Print_ISBN :
978-1-4244-7510-0
Electronic_ISBN :
1940-1434
DOI :
10.1109/CSF.2010.27