2014
DOI: 10.1007/978-3-319-13841-1_6

Client Side Web Session Integrity as a Non-interference Property

Abstract: Sessions on the web are fragile. They have been attacked successfully in many ways, by network-level attacks, by direct attacks on session cookies (the main mechanism for implementing the session concept) and by application-level attacks where the integrity of sessions is violated by means of cross-site request forgery or malicious script inclusion. This paper defines a variant of non-interference (the classical security notion from information flow security) that can be used to formally define the n…

Cited by 8 publications (5 citation statements); references 24 publications.

“…We remark that both our theory and implementation just focus on the confidentiality of session cookies, which is a necessary precondition for thwarting the risks of session hijacking. However, several serious security threats against web sessions do not follow by confidentiality violations: for instance, classic CSRF vulnerabilities should rather be interpreted in terms of attacks on request integrity [23]. Several existing browser-based defenses mitigate the risk of other attacks against web sessions [32,31,30,27,10].…”
Section: Browser-side Protection Mechanisms (mentioning, confidence: 99%)
“…Software systems, in particular those used in business or life critical systems, must be ensured to behave as desired using formal tools. Bugliesi et al. used formal techniques to study web session integrity [25,26] and web session confidentiality [27,28]. In addition to the formal analysis, they also developed a prototype browser extension as a proof of concept.…”
Section: Formal Software Verification (mentioning, confidence: 99%)
“…Images. To state and prove interesting properties of binary and grayscale images, different operations over pixels and images are first defined in Listing 10. These operations include equality of colors eqbcol (lines 1-6), negation of a color negcolor (lines 8-12), negation of a pixel color negpix (lines 14-17), negation of a binary image negimage (lines 19-23), equality of pixels eqpixel (lines 25-29), and negation of a specific pixel in an image negpiximg (lines 31-37), respectively. The first function eqbcol defines when two colors are equal.…”
Section: (not given) (mentioning, confidence: 99%)
“…In the context of web sessions, [12] employed reactive non-interference [10] to formalize and prove strong confidentiality properties for session cookies protected with the HttpOnly and Secure attributes, a necessary condition for any reasonable notion of session integrity. A variant of reactive non-interference was also proposed in [29] to formalize an integrity property of web sessions which rules out CSRF attacks and malicious script inclusions. The paper also introduced a browser-side enforcement mechanism based on secure multi-execution [21].…”
Section: Related Work (mentioning, confidence: 99%)
“…Given the complexity of session management and the range of threats to be faced on the web, a formal understanding of web session security and the design of automated verification techniques is an important research direction. Web sessions and their desired security properties have been formally studied in several papers developing browser-side defenses for web sessions [13], [12], [29], [14]: while the focus on browser-side protection mechanisms is appealing to protect users of vulnerable web applications, the deployment of these solutions is limited since it is hard to design browser-side defenses that do not cause compatibility issues on existing websites and are effective enough to be integrated in commercial browsers [16].…”
Section: Introduction (mentioning, confidence: 99%)