SafeWeb: A Middleware for Securing Ruby-Based Web Applications

Hošek, Petr; Migliavacca, Matteo; Papagiannis, Ioannis; Eyers, David; Evans, David; Shand, Brian; Bacon, Jean; Pietzuch, Peter

doi:10.1007/978-3-642-25821-3_25

Cited by 16 publications

(15 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our tests measure the performance of our solution, FlowR, compared with an equivalent solution, that extends native Ruby with RubyTrack, developed for the SafeWeb project [17]. It is important to note the feature differences that explain the performance difference of FlowR when compared with RubyTrack, as illustrated in table 3.…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

FlowR

Pasquier

Bacon

Shand

2014

Proceedings of the 13th International Conference on Modularity

Self Cite

View full text Add to dashboard Cite

This paper reports on our experience with providing Information Flow Control (IFC) as a library. Our aim was to support the use of an unmodified Platform as a Service (PaaS) cloud infrastructure by IFC-aware web applications. We discuss how Aspect Oriented Programming (AOP) overcomes the limitations of RubyTrack, our first approach. Although use of AOP has been mentioned as a possibility in past IFC literature we believe this paper to be the first illustration of how such an implementation can be attempted.We discuss how we built FlowR (Information Flow Control for Ruby), a library extending Ruby to provide IFC primitives using AOP via the Aquarium open source library. Previous attempts at providing IFC as a language extension required either modification of an interpreter or significant code rewriting. FlowR provides a strong separation between functional implementation and security constraints which supports easier development and maintenance; we illustrate with practical examples. In addition, we provide new primitives to describe IFC constraints on objects, classes and methods that, to our knowledge, are not present in related work and take full advantage of an object oriented language (OO language).The experience reported here makes us confident that the techniques we use for Ruby can be applied to provide IFC for any Object Oriented Program (OOP) whose implementation language has an AOP library.

show abstract

Section: Discussionmentioning

confidence: 99%

“…For all other uses, contact the owner/author(s). Track, a taint-tracking system for Ruby, developed by the SafeWeb project [17].…”

Section: Introductionmentioning

confidence: 99%

FlowR

Pasquier

Bacon

Shand

2014

Proceedings of the 13th International Conference on Modularity

Self Cite

View full text Add to dashboard Cite

show abstract

“…Taint tracking became of interest to the research community through its use to prevent cross-site scripting or SQLinjection [54]- [59] or to detect suspicious information flows in applications [60]- [66]. When such a flow is detected, the system could either generate a report, perform automatic data sanitisation or terminate the execution depending on the purpose of the application concerned.…”

Section: A Options For When An Ifc System Operates 1) Static Methodsmentioning

confidence: 99%

Information Flow Control for Secure Cloud Computing

Bacon

Eyers

Pasquier

et al. 2014

IEEE Trans. Netw. Serv. Manage.

Self Cite

View full text Add to dashboard Cite

“…Hosek et al, [21] developed a Ruby-based middleware that (1) associates security labels with data and (2) performs transparent label tracking, across a multi-tier web architecture in order to prevent harmful data disclosure.…”

Section: Security Platforms For Managed Codementioning

confidence: 99%

NodeSentry

Groef

Massacci

Piessens

2014

Proceedings of the 30th Annual Computer Security Applications Conference

View full text Add to dashboard Cite

Node.js is a popular JavaScript server-side framework with an efficient runtime for cloud-based event-driven architectures. Its strength is the presence of thousands of third-party libraries which allow developers to quickly build and deploy applications. These very libraries are a source of security threats as a vulnerability in one library can (and in some cases did) compromise one's entire server.In order to support the least-privilege integration of libraries, we developed NodeSentry, the first security architecture for server-side JavaScript. Our policy enforcement infrastructure supports an easy deployment of web-hardening techniques and access control policies on interactions between libraries and their environment, including any dependent library.We discuss the implementation of NodeSentry, and present its practical evaluation. For hundreds of concurrent clients, NodeSentry has the same capacity and throughput as plain Node.js. Only on a large scale, when Node.js itself yields to a heavy load, NodeSentry shows a limited overhead.

show abstract

SafeWeb: A Middleware for Securing Ruby-Based Web Applications

Cited by 16 publications

References 17 publications

FlowR

FlowR

Information Flow Control for Secure Cloud Computing

NodeSentry

Contact Info

Product

Resources

About