| Field | Value | Language |
|---|---|---|
| dc.identifier.uri | http://hdl.handle.net/11401/77246 | |
| dc.description.sponsorship | This work is sponsored by the Stony Brook University Graduate School in compliance with the requirements for completion of degree. | en_US |
| dc.format | Monograph | |
| dc.format.medium | Electronic Resource | en_US |
| dc.language.iso | en_US | |
| dc.publisher | The Graduate School, Stony Brook University: Stony Brook, NY. | |
| dc.type | Dissertation | |
| dcterms.abstract | Over the past decade, web application vulnerabilities have become far more common than vulnerabilities in conventional applications. To mitigate them, we approach the problem from two extremes: one that requires no changes to existing applications but is limited to a few well-defined vulnerability classes, and a second that provides a comprehensive solution but requires a re-thinking of web applications. Our first approach mitigates specific vulnerabilities using policies that do not depend on the application logic, and thus require no developer involvement or effort. We target two of the most common high-profile vulnerabilities, namely cross-site scripting (XSS) and cross-site request forgery (CSRF). The solutions we have developed are very effective and efficient, and represent significant advances over previous research in these areas. Unfortunately, some of the more subtle and complex vulnerabilities arise due to a lack of specification of security policies, and due to the ad-hoc way in which they are enforced within application code. We therefore propose a new way to develop web applications that separates and decouples security policy from application logic. Our proposal, called WebSheets, provides a simple and intuitive language for policy specification, based on the familiar spreadsheet paradigm. A spreadsheet model is natural because web applications typically operate on tabular data. As a result, we show that the logic of many simple web applications is nothing more than a specification of security policies, and hence a WebSheet security specification is all that is needed to realize them. This dissertation presents the WebSheet model, and describes proposed work aimed at developing and implementing the model, and demonstrating its ability to secure a range of significant web applications. | |
| dcterms.available | 2017-09-20T16:52:16Z | |
| dcterms.contributor | Sekar, R. | en_US |
| dcterms.contributor | Stoller, Scott | en_US |
| dcterms.contributor | Nikiforakis, Nikolaos | en_US |
| dcterms.contributor | Robertson, William E. | en_US |
| dcterms.creator | Pelizzi, Riccardo | |
| dcterms.dateAccepted | 2017-09-20T16:52:16Z | |
| dcterms.dateSubmitted | 2017-09-20T16:52:16Z | |
| dcterms.description | Department of Computer Science | en_US |
| dcterms.extent | 162 pg. | en_US |
| dcterms.format | Application/PDF | en_US |
| dcterms.format | Monograph | |
| dcterms.identifier | http://hdl.handle.net/11401/77246 | |
| dcterms.issued | 2016-12-01 | |
| dcterms.language | en_US | |
| dcterms.provenance | Made available in DSpace on 2017-09-20T16:52:16Z (GMT). No. of bitstreams: 1. Pelizzi_grad.sunysb_0771E_12859.pdf: 1140238 bytes, checksum: 25690309f796cedc20e82ccfebb2d91d (MD5). Previous issue date: 1 | en |
| dcterms.publisher | The Graduate School, Stony Brook University: Stony Brook, NY. | |
| dcterms.subject | Cross-Site Request Forgery, Cross-Site Scripting, Information-Flow Control, Security, Spreadsheet, Web Application | |
| dcterms.subject | Computer science | |
| dcterms.title | Securing Web Applications | |
| dcterms.type | Dissertation | |