Abstract
The security requirements on an IT system ultimately depend on the applications that make use of it. To put today’s challenges into perspective we map the evolution of distributed systems security over the past 40 years. We then focus on web applications as an important current paradigm for deploying distributed applications. We discuss the security policies relevant for the current generation of web applications and the mechanisms available for enforcing these policies, which are increasingly to be found in components in the application layer of the software stack. Descriptions of SQL injection, cross-site scripting, cross-site request forgery, JavaScript hijacking, and DNS rebinding attacks will illustrate the deficiencies of current technologies and point to some fundamental issues of code origin authentication that must be considered when securing web applications.
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Gollmann, D. (2008). Security in Distributed Applications. In: Börger, E., Cisternino, A. (eds) Advances in Software Engineering. Lecture Notes in Computer Science, vol 5316. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89762-0_9
DOI: https://doi.org/10.1007/978-3-540-89762-0_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-89761-3
Online ISBN: 978-3-540-89762-0
eBook Packages: Computer Science, Computer Science (R0)