*********************************
There is now a CONTENT FREEZE for Mercury while we switch to a new platform. It began on Friday, March 10 at 6pm and will end on Wednesday, March 15 at noon. No new content can be created during this time, but all material in the system as of the beginning of the freeze will be migrated to the new platform, including users and groups. Functionally the new site is identical to the old one. webteam@gatech.edu
*********************************
Title: Building Data-Centric Security Mechanisms for Web Applications
Yogesh Mundada
School of Computer Science
College of Computing
Georgia Institute of Technology
Date: Tuesday, Dec 8th, 2015
Time: 9:30 AM - 11:30 AM
Location: Klaus Room 3100
Committee:
----------
Prof. Nick Feamster, (Advisor, School of Computer Science, Georgia Tech and Department of Computer Science, Princeton University) Prof. Mostafa Ammar, (School of Computer Science, Georgia Tech) Prof. Mustaque Ahamad, (School of Computer Science, Georgia Tech) Prof. Wenke Lee, (School of Computer Science, Georgia Tech) Prof. Arvind Narayanan, (Department of Computer Science, Princeton University)
Abstract:
---------
Data loss from web applications at different points of compromise has become a major liability in recent years. Existing security guidelines, policies, and tools fail often, ostensibly for reasons stemming from blatant disregard of common practice to subtle exploits originating from complex interactions between components.
Current security mechanisms focus on "how to stop illicit data transfer"(i.e., the "syntax"), and many tools achieve that goal in principle. Yet, the practice of securing data additionally depends on allowing administrators to clearly specify "what data should be secured" (i.e., the "semantics"). Currently, translation from "security semantics" to "security syntax" is manual, time-consuming, and ad hoc. Even a slight oversight in the translation process could render the entire system insecure. Security semantics frequently need modifications due to changes in various external factors such as policy changes, user reclassification, and even code refactoring.
This dissertation hypothesizes that adaptation to such changes would be faster and less error prone if the tools also focused on automating translation from semantics to syntax, in addition to simply executing the syntax. With this approach, we build following low-maintenance security tools that prevent unauthorized sensitive data transfer at various vantage points in the World Wide Web ecosystem. We show how the security tools can take advantage of inherent properties of the sensitive information in each case, making the translation process automatic and faster:
- Appu, a tool that automatically finds personal
information(semantics) spread across web services, and suggests
actions(syntax) to minimize data loss risks.
- Newton, a tool that formalizes the access control model using web cookies. Using this formal approach, it improves the security of the existing session management techniques by detecting(semantics) and
protecting(syntax) privileged cookies without requiring input from the site administrator.
- SilverLine, a system for cloud-based web services that automatically derives data exfiltration rules(syntax) from the information about sensitive database tables & inter-table relationships(semantics).
Then, it executes these rules using information flow control mechanism.
