JSLINQ: Building secure applications across tiers
Paper i proceeding, 2016

Modern web and mobile applications are complex entities amalgamating different languages, components, and platforms. The rich features span the application tiers and components, some from third parties, and require substantial efforts to ensure that the insecurity of a single component does not render the entire system insecure. As of today, the majority of the known approaches fall short of ensuring security across tiers. This paper proposes a framework for end-to-end security, by tracking information flow through the client, server, and underlying database. The framework utilizes homogeneous meta-programming to provide a uniform language for programming different components. We leverage. NET metaprogramming capabilities from the F# language, thus enabling language-integrated queries on databases and interoperable heterogeneous execution on the client and the server. We develop a core of our security enforcement in the form of a security type system for a functional language with mutable store and prove it sound. Based on the core, we develop JSLINQ, an extension of the WebSharper library to track information flow. We demonstrate the capabilities of JSLINQ on the case studies of a password meter, two location-based services, a movie rental database, an online Battleship game, and a friend finder app. Our experiments indicate that JSLINQ is practical for implementing high-assurance web and mobile applications.

Författare

Musard Balliu

Chalmers, Data- och informationsteknik, Programvaruteknik

Benjamin Liebe

Chalmers, Data- och informationsteknik

Daniel Schoepe

Chalmers, Data- och informationsteknik, Programvaruteknik

Andrei Sabelfeld

Chalmers, Data- och informationsteknik, Programvaruteknik

6th ACM Conference on Data and Application Security and Privacy, CODASPY 2016; New Orleans; United States; 9 March 2016 through 11 March 2016

307-318

Styrkeområden

Informations- och kommunikationsteknik

Fundament

Grundläggande vetenskaper

Ämneskategorier

Programvaruteknik

DOI

10.1145/2857705.2857717

ISBN

978-145033935-3

Mer information

Skapat

2017-10-08