
Scalable Integrity-Guaranteed AJAX

  • Conference paper
Web Technologies and Applications (APWeb 2012)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 7235)


Abstract

Interactive web systems are the de facto vehicle for implementing sensitive applications, e.g., personal banking, business workflows. Existing web services provide little protection against compromised servers, leaving users to blindly trust that the system is functioning correctly, without being able to verify this trust. Document integrity systems support stronger guarantees by binding a document to the (non-compromised) integrity state of the machine from whence it was received, at the cost of substantially higher latencies. Such latencies render interactive applications unusable. This paper explores cryptographic constructions and system designs for providing document integrity in AJAX-style interactive web systems. The Sporf system exploits pre-computation to offset runtime costs to support negligible latencies. We detail the design of an Apache-based server supporting content integrity proofs, and perform a detailed empirical study of realistic web workloads. Our evaluation shows that a software-only solution results in latencies of just over 200 milliseconds on a loaded system. An analytical model reveals that with a nominal hardware investment, the latency can be lowered to just over 81 milliseconds, achieving nearly the same throughput as an unmodified system.




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Moyer, T., Jaeger, T., McDaniel, P. (2012). Scalable Integrity-Guaranteed AJAX. In: Sheng, Q.Z., Wang, G., Jensen, C.S., Xu, G. (eds) Web Technologies and Applications. APWeb 2012. Lecture Notes in Computer Science, vol 7235. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29253-8_1


  • DOI: https://doi.org/10.1007/978-3-642-29253-8_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29252-1

  • Online ISBN: 978-3-642-29253-8

  • eBook Packages: Computer Science, Computer Science (R0)
