Lightweight Enforcement of Fine-Grained Security Policies for Untrusted Software

Detailed bibliography
Title: Lightweight Enforcement of Fine-Grained Security Policies for Untrusted Software
Authors: Phung, Phu, 1979
Subjects: security policy enforcement, JavaScript security, web-application security, vehicle software security, untrusted software
Description: This thesis presents an innovative approach to implementing a security enforcement mechanism in the contexts of untrusted software systems, where a piece of code in a base system may come from an untrusted third party. The key point of the approach is that it is lightweight in the sense that it does not need an additional policy language or extra tool. Instead, the approach uses the aspect-oriented programming paradigm – a programmatic means to modify the behaviour of an application based on aspects – to specify security policies and embed the policies into untrusted software. As a result, security policies can be fine-grained and application-specific, and can be inlined into the untrusted software without modifying the base system, in order to detect and prevent unintended behaviour of the software at runtime. The approach has been elaborated in two particular untrusted software contexts in this thesis. Firstly, we have developed the approach in the context of a vehicle software architecture, where a third-party application can be installed and executed in a vehicle system. We have shown that various classes of fine-grained security policies can be specified and enforced in such a system by the approach. The security assurance provided by the enforcement mechanism is promising for deployment in an existing vehicle software system. Furthermore, we have identified a number of potential threats in the vehicle software architecture and developed countermeasures in terms of security policies. We have demonstrated the deployment of countermeasures to prevent possible attacks. Secondly, we have studied web application security. We propose a novel enforcement method called lightweight self-protecting JavaScript by applying the lightweight approach in the context of web security. The method prevents or modifies inappropriate behaviour of JavaScript execution in web pages by intercepting security-relevant API calls.
Unlike other approaches to enforcing policies for JavaScript, the enforcement and policy code are provided as a library and therefore do not require a modified browser. Furthermore, the approach does not employ runtime parsing or transformation of code, and thus has low runtime overhead. We also present an application of the method in the context of untrusted JavaScript such as mashups by proposing a two-tier sandbox architecture in which untrusted JavaScript code can be loaded and executed dynamically. The execution of untrusted code is monitored by modular and fine-grained security policies defined via an adaptation of self-protecting JavaScript to ensure security for the hosting page.
File description: electronic
Access URL: https://research.chalmers.se/publication/146093
http://publications.lib.chalmers.se/records/fulltext/146093.pdf
Database: SwePub
Language: English
Published: 2011-01-01
ISBN (print): 9173855782, 9789173855785
Local identifiers (issn-locals): SWEPUB_FREE, CTH_SWEPUB