Raising the bar: Evaluating origin-wide security manifests
Paper in proceedings, 2018

Defending a web application from attackers requires the correct configuration of several web security mechanisms for each and every web page in that web application. This configuration process can be difficult and result in gaps in the defense against web attackers because some web pages may be overlooked. In this work we provide a first evaluation of the standard draft for an origin-wide security configuration mechanism called the "origin manifest". The mechanism raises the security level of an entire web origin at once while still allowing the specification of web security policies at the web page level. We create prototype implementations of the origin manifest mechanism for both the client-side and server-side, and provide security officers with an automated origin manifest learner and generator to aid them with the configuration of their web origins. To resolve potential collisions of policies defined by the web origin with policies defined by web pages, we formalize the comparison and combination of web security policies and integrate it into our prototype implementation. We evaluate the feasibility of the origin manifest mechanism with a longitudinal study of popular websites to determine whether origin manifest files are stable enough to not require frequent reconfiguration, and perform performance measurements on the Alexa top 10,000 to determine the network traffic overhead. Our results show that the origin manifest mechanism can effectively raise the security level of a web origin while slightly improving network performance.

Authors

Steven Van Acker

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Daniel Hausknecht

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Andrei Sabelfeld

Chalmers, Computer Science and Engineering (Chalmers), Information Security

Proceedings of the 34th Annual Computer Security Applications Conference

342-354

34th Annual Computer Security Applications Conference, ACSAC 2018
San Juan, USA

Subject Categories

Other Computer and Information Science

Computer Science

Computer Systems

DOI

10.1145/3274694.3274701

More information

Latest update

1/28/2019