Dagstuhl-Seminar 12401
Web Application Security
(30 Sep – 05 Oct, 2012)
Organizers
- Lieven Desmet (KU Leuven, BE)
- Martin Johns (SAP SE - Karlsruhe, DE)
- Ben Livshits (Microsoft Corporation - Redmond, US)
- Andrei Sabelfeld (Chalmers UT - Göteborg, SE)
Contact
- Annette Beyer (for administrative questions)
Since its birth in 1990, the web has evolved from a simple, stateless delivery mechanism for static hypertext documents to a fully-fledged run-time environment for distributed multi-party applications. Recently, web technologies have gradually shifted from a central server paradigm towards a rich, stateful client paradigm with lively interaction models. The wave of popular peer-to-peer web applications and web mashup applications confirms this emerging trend. But the shift away from the server-centered paradigm poses a significant challenge: securing web applications in the presence of multiple stakeholders, including security-ignorant end users. This motivates the need for solid "web application security".
The seminar aimed to address the open question of how to protect against the pervasive threats to web applications. Some of the key objectives put forward were (i) surveying the state of the art in order to consolidate and structure it, (ii) identifying key challenges, and (iii) brainstorming on new ideas and approaches towards resolving these challenges. The inception of this Dagstuhl seminar was strongly inspired by the following emerging trends and challenges in the web security landscape:
- Fine-grained access control. Fine-grained access control policies define how the application authenticates and authorizes end users, from which application contexts the application may be consulted, and which interaction sequences maintain the application's integrity (i.e. control-flow integrity). Our objective is to address a range of questions, from the formal foundations of authentication policies and protocols to the practicalities of authentication such as secure session management.
- Information-flow control. Information-flow control specifies how sensitive data, possibly originating from multiple content providers in multiple trust domains, can be used in data aggregations, and client-side and server-side processing as is typically done in mashups. Challenges here include reconciling information-flow policies from several involved parties, with possibly conflicting goals. Moreover, tracking end-to-end information flow in web applications remains an open question. Our objective is enhanced understanding of how to make information-flow control policies and mechanisms practical in a web setting.
- Secure composition. Secure composition policies specify how active third-party components, for instance written in JavaScript, can be securely integrated into applications via client-side and server-side mashups. By nature, web mashups depend heavily on interaction and communication across different origins, but, paradoxically, mashup security relies on separation techniques for protecting both code and data. As a result, traditional HTML techniques (mainly based on the same-origin policy) fail to address both the interaction and the separation needs. We will explore principled approaches to the delicate balance between interaction and separation in secure composition.
- Cross-domain interaction. One of the original and still unresolved problems of the web is the inherent incompatibility between the cross-domain nature of the hyperlink and the same-origin security policy of its active content. In the recent past the situation has become even more complex with the introduction of client-side primitives for cross-domain interaction, such as CORS. Our objective is to assess the impact of current developments and identify promising directions for solutions.
- Recent advances in JavaScript and HTML5. There are several technological advances in the latest versions of JavaScript (such as strict mode, frozen objects, proxies and SES) that might contribute to the security of web applications. In addition, the research community has made important steps forward in understanding and improving the language by formalizing its semantics. At the same time, web specifications (including HTML5 and CSP) are adding many new features as well as security measures to the browsing environment. Our objective was to gain an enhanced understanding of the latest trends and research advances in JavaScript and HTML5 with respect to security.
The Dagstuhl seminar on Web Application Security was a timely follow-up to the previous Dagstuhl seminar on this topic in 2009. The research domain has been maturing over the last five years, and new challenges have emerged, such as client-side complexity, the need for information-flow control enforcement, and the hardening of JavaScript code.
The seminar brought together 44 web security researchers from companies and research institutions across Europe and the US. The seminar had a well-filled program, with 3 keynotes, 28 research talks, and 15 five-minute talks. As web application security is a broad research domain, a diverse set of recent research results was presented during the talks, covering the web security vulnerability landscape, information-flow control, JavaScript formalization, JavaScript confinement, and infrastructure and server hardening.
In addition to the plenary program, the seminar also featured three parallel break-out sessions on Cross-Site Scripting (XSS), JavaScript, and information-flow control. The main goal of the break-out sessions was to informally discuss the most important state-of-the-art work, as well as to identify the main challenges and directions for future research, as documented in this report.
Finally, the organizers of the Dagstuhl seminar have set up a Special Issue on Web Application Security in the Journal of Computer Security, specifically devoted to a selection of promising results presented at the seminar. Four participants have been invited to submit an extended paper on their talk to the special issue, and the manuscripts are currently under review.
Participants
- Marco Balduzzi (TREND MICRO Italy S.r.l. - Sesto San Giovanni, IT)
- Nataliia Bielova (INRIA Rennes - Bretagne Atlantique, FR)
- Arnar Birgisson (Chalmers UT - Göteborg, SE)
- Egon Börger (University of Pisa, IT)
- Bastian Braun (Universität Passau, DE)
- Juan Chen (Microsoft Corporation - Redmond, US)
- Ravi Chugh (University of California - San Diego, US)
- Jorge R. Cuéllar (Siemens AG - München, DE)
- Valentin Dallmeier (Universität des Saarlandes, DE)
- Philippe De Ryck (KU Leuven, BE)
- Lieven Desmet (KU Leuven, BE)
- Akhawe Devdatta (University of California - Berkeley, US)
- Daniele Filaretti (Imperial College London, GB)
- Cormac Flanagan (University of California - Santa Cruz, US)
- Cédric Fournet (Microsoft Research UK - Cambridge, GB)
- Michael Franz (University of California - Irvine, US)
- Dieter Gollmann (TU Hamburg-Harburg, DE)
- Arjun Guha (Cornell University, US)
- Daniel Hedin (Chalmers UT - Göteborg, SE)
- Mario Heiderich (Ruhr-Universität Bochum, DE)
- Boris Hemkemeier (Commerzbank AG - Frankfurt, DE)
- Michael Hicks (University of Maryland - College Park, US)
- Thorsten Holz (Ruhr-Universität Bochum, DE)
- Thomas Jensen (INRIA Rennes - Bretagne Atlantique, FR)
- Ranjit Jhala (University of California - San Diego, US)
- Martin Johns (SAP SE - Karlsruhe, DE)
- Shriram Krishnamurthi (Brown University - Providence, US)
- Ben Livshits (Microsoft Corporation - Redmond, US)
- Sergio Maffeis (Imperial College London, GB)
- Fabio Massacci (University of Trento, IT)
- John C. Mitchell (Stanford University, US)
- Nick Nikiforakis (KU Leuven, BE)
- Martin Ochoa (Siemens AG - München, DE)
- Frank Piessens (KU Leuven, BE)
- Joseph Gibbs Politz (Brown University - Providence, US)
- Joachim Posegga (Universität Passau, DE)
- Tamara Rezk (INRIA Sophia Antipolis - Méditerranée, FR)
- Eric Rothstein (Universität Passau, DE)
- Andrei Sabelfeld (Chalmers UT - Göteborg, SE)
- Sebastian Schinzel (Universität Erlangen-Nürnberg, DE)
- Juraj Somorovsky (Ruhr-Universität Bochum, DE)
- Nikhil Swamy (Microsoft Corporation - Redmond, US)
- Steven Van Acker (KU Leuven, BE)
- John Wilander (Hägersten, SE)
Related Seminars
Classification
- programming languages / compiler
- security / cryptology
- world wide web / internet
Keywords
- application security
- secure interaction
- information flow
- secure composition
- web 2.0