DOI: 10.1145/2465106.2465432
Research article

GlassTube: a lightweight approach to web application integrity

Published: 20 June 2013

Abstract

The HTTP and HTTPS protocols are the cornerstones of the modern web. From a security point of view, they offer an all-or-nothing choice to web applications: either no security guarantees with HTTP, or both confidentiality and integrity with HTTPS. However, in many scenarios confidentiality is not necessary, and is even undesired, while integrity is essential to prevent attackers from compromising the data stream.
We propose GlassTube, a lightweight approach to web application integrity. GlassTube guarantees integrity at the application level, without resorting to the heavyweight HTTPS protocol. GlassTube prevents man-in-the-middle attacks and provides a general method for integrity in web applications and smartphone apps. GlassTube is easily deployed as a library on the server side, and offers flexible deployment options on the client side: from dynamic code distribution, which requires no modification of the browser, to a browser plugin or smartphone app, which allow smooth key predistribution. The results of a case study with a web-based chat indicate a performance boost compared to HTTPS, achieved with no optimization effort.


Published In
PLAS '13: Proceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security
June 2013
96 pages
ISBN:9781450321440
DOI:10.1145/2465106
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. application-level security policies
  2. data integrity
  3. lightweight enforcement
  4. web application security

Qualifiers

  • Research-article

Conference

PLDI '13

Acceptance Rates

PLAS '13 Paper Acceptance Rate 8 of 14 submissions, 57%;
Overall Acceptance Rate 43 of 77 submissions, 56%

Cited By
  • (2022) Covariate Software Vulnerability Discovery Model to Support Cybersecurity Test & Evaluation (Practical Experience Report). 2022 IEEE 33rd International Symposium on Software Reliability Engineering (ISSRE), pages 157-168. DOI: 10.1109/ISSRE55969.2022.00025. Online publication date: Oct 2022.
  • (2019) Web Server Integrity Protection Using Blockchain. 2019 International Conference on Frontiers of Information Technology (FIT), pages 239-2395. DOI: 10.1109/FIT47737.2019.00052. Online publication date: Dec 2019.
  • (2018) Sub-session hijacking on the web: Root causes and prevention. Journal of Computer Security, pages 1-25. DOI: 10.3233/JCS-181149. Online publication date: 23 Oct 2018.
  • (2017) Surviving the Web. ACM Computing Surveys 50(1), pages 1-34. DOI: 10.1145/3038923. Online publication date: 6 Mar 2017.
  • (2014) Provably Sound Browser-Based Enforcement of Web Session Integrity. Proceedings of the 2014 IEEE 27th Computer Security Foundations Symposium, pages 366-380. DOI: 10.1109/CSF.2014.33. Online publication date: 19 Jul 2014.
  • (2014) Attacks on the User's Session. Primer on Client-Side Web Security, pages 69-82. DOI: 10.1007/978-3-319-12226-7_7. Online publication date: 26 Nov 2014.
