TC: Small: To Configure or to Implement, That is the Access Control Question for Web Applications

TC：小：配置还是实现，这就是Web应用程序的访问控制问题

• 批准号: 1017771
• 负责人: Wenliang Du
• 金额: $ 47.2万
• 依托单位: Syracuse University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2010
• 资助国家: 美国
• 起止时间: 2010-09-01 至 2014-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1017771&HistoricalAwards=false
• 关键词: TC; Small; Configure; Implement; Access

As the Web is playing a more and more important role in our lives,it has become criminals' preferred targets. Web-based vulnerabilities now outnumber traditional computer security concerns. We believe that the root cause of many of these attacksis the Web's current access control models: they arefundamentally inadequate to satisfy the protection needs of today's web.The objective of this project is to re-design the access control modelsfor the Web to fix the security problems at the fundamental level. We target two essential components of the Web infrastructure: browser and database. We have designed a generic access control model for web browsersto enforce the browser-side access control needs of webapplications. The model replaces the web's current Same Origin Policy (SOP) model,which is the culprit of many of the security problems. The success of this task will help significantly reduce the number of security problems at the browser side.We have also designed DAC-DB, a Discretionary Access Control (DAC) model for database to automate the enforcement of DAC inweb applications. With this model, web application developers can be liberated from implementing the complicated and error-prone security enforcement logics. Both access control models are designed based on the well-established security principles.To help disseminate our results, we will implement our designs for open-source web browsers and databases, and persuade the webcommunity to adopt our models. The outcome of this research will alsobe converted to hands-on labs to enhance students' learning insystem security.

随着网络在我们的生活中扮演着越来越重要的角色，它已经成为犯罪分子的首选目标。基于Web的漏洞现在超过了传统的计算机安全问题。我们认为，许多这些攻击的根本原因是Web当前的访问控制模型：它们从根本上不足以满足当今Web的保护需求。本项目的目标是重新设计Web的访问控制模型，以解决基础级别的安全问题。我们的目标是Web基础设施的两个基本组件：浏览器和数据库。我们设计了一个通用的访问控制模型，用于Web浏览器，以加强Web应用程序的浏览器端访问控制需求。该模型取代了Web当前的同源策略（SOP）模型，该模型是许多安全问题的罪魁祸首。我们还设计了DAC-DB，一种数据库自主访问控制（DAC）模型，用于自动执行Web应用程序中的DAC。有了这个模型，Web应用程序开发人员可以从实现复杂和容易出错的安全实施逻辑中解放出来。这两种访问控制模型都是基于成熟的安全原则设计的，为了帮助传播我们的成果，我们将在开源Web浏览器和数据库上实现我们的设计，并说服网络社区采用我们的模型。这项研究的成果也将转化为动手实验室，以提高学生的学习系统安全。