DOI: 10.1109/CSF.2010.27

Towards a Formal Foundation of Web Security

Published: 17 July 2010

Abstract

We propose a formal model of web security based on an abstraction of the web platform and use this model to analyze the security of several sample web mechanisms and applications. We identify three distinct threat models that can be used to analyze web applications, ranging from a web attacker who controls malicious web sites and clients, to stronger attackers who can control the network and/or leverage sites designed to display user-supplied content. We propose two broadly applicable security goals and study five security mechanisms. In our case studies, which include HTML5 forms, Referer validation, and a single sign-on solution, we use a SAT-based model-checking tool to find two previously known vulnerabilities and three new vulnerabilities. Our case study of a Kerberos-based single sign-on system illustrates the differences between a secure network protocol using custom client software and a similar but vulnerable web protocol that uses cookies, redirects, and embedded links instead.


Published In

CSF '10: Proceedings of the 2010 23rd IEEE Computer Security Foundations Symposium
July 2010
333 pages
ISBN: 9780769540825

Publisher

IEEE Computer Society

United States

Qualifiers

  • Article

Cited By

  • (2024) Formal Security Analysis of the OpenID FAPI 2.0 Family of Protocols: Accompanying a Standardization Process. ACM Transactions on Privacy and Security. 10.1145/3699716. 28:1 (1-36). Online publication date: 11-Nov-2024
  • (2024) AlloyASG: Alloy Predicate Code Representation as a Compact Structurally Balanced Graph. Proceedings of the ACM/IEEE 27th International Conference on Model Driven Engineering Languages and Systems. 10.1145/3640310.3674088. (57-68). Online publication date: 22-Sep-2024
  • (2023) A bug's life. Proceedings of the 32nd USENIX Conference on Security Symposium. 10.5555/3620237.3620443. (3673-3690). Online publication date: 9-Aug-2023
  • (2023) Live Programming for Finite Model Finders. Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering. 10.1109/ASE56229.2023.00016. (1747-1752). Online publication date: 11-Nov-2023
  • (2022) DISTINCT. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 10.1145/3548606.3560692. (1553-1567). Online publication date: 7-Nov-2022
  • (2022) SymMC: approximate model enumeration and counting using symmetry information for Alloy specifications. Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering. 10.1145/3540250.3549161. (1209-1220). Online publication date: 7-Nov-2022
  • (2022) Web Cryptography API: Prevalence and Possible Developer Mistakes. Proceedings of the 17th International Conference on Availability, Reliability and Security. 10.1145/3538969.3538977. (1-10). Online publication date: 23-Aug-2022
  • (2022) ATR: template-based repair for Alloy specifications. Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis. 10.1145/3533767.3534369. (666-677). Online publication date: 18-Jul-2022
  • (2022) Applying cognitive principles to model-finding output: the positive value of negative information. Proceedings of the ACM on Programming Languages. 10.1145/3527323. 6:OOPSLA1 (1-29). Online publication date: 29-Apr-2022
  • (2022) HTML violations and where to find them. Proceedings of the 22nd ACM Internet Measurement Conference. 10.1145/3517745.3561437. (358-373). Online publication date: 25-Oct-2022
