TC: Small: To Configure or to Implement, That is the Access Control Question for Web Applications

TC：小：配置还是实现，这就是Web应用程序的访问控制问题

• 批准号: 1017771
• 负责人: Wenliang Du
• 金额: $ 47.2万
• 依托单位: Syracuse University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2010
• 资助国家: 美国
• 起止时间: 2010-09-01 至 2014-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1017771&HistoricalAwards=false
• 关键词: TC; Small; Configure; Implement; Access

As the Web is playing a more and more important role in our lives,it has become criminals' preferred targets. Web-based vulnerabilities now outnumber traditional computer security concerns. We believe that the root cause of many of these attacksis the Web's current access control models: they arefundamentally inadequate to satisfy the protection needs of today's web.The objective of this project is to re-design the access control modelsfor the Web to fix the security problems at the fundamental level. We target two essential components of the Web infrastructure: browser and database. We have designed a generic access control model for web browsersto enforce the browser-side access control needs of webapplications. The model replaces the web's current Same Origin Policy (SOP) model,which is the culprit of many of the security problems. The success of this task will help significantly reduce the number of security problems at the browser side.We have also designed DAC-DB, a Discretionary Access Control (DAC) model for database to automate the enforcement of DAC inweb applications. With this model, web application developers can be liberated from implementing the complicated and error-prone security enforcement logics. Both access control models are designed based on the well-established security principles.To help disseminate our results, we will implement our designs for open-source web browsers and databases, and persuade the webcommunity to adopt our models. The outcome of this research will alsobe converted to hands-on labs to enhance students' learning insystem security.

随着网络在我们的生活中扮演着越来越重要的角色，它已经成为犯罪分子的首选目标。现在，基于网络的漏洞数量超过了传统的计算机安全担忧。我们认为，许多攻击的根本原因是Web当前的访问控制模型：它们从根本上不能满足当今Web的保护需求。该项目的目标是重新设计Web的访问控制模型，以从根本上解决安全问题。我们的目标是Web基础设施的两个基本组件：浏览器和数据库。我们为Web浏览器设计了一个通用的访问控制模型，以加强Web应用程序的浏览器端访问控制需求。该模型取代了网络当前的同源策略(SOP)模型，该模型是许多安全问题的罪魁祸首。这项任务的成功将有助于显著减少浏览器端的安全问题。我们还设计了DAC-DB，一个用于数据库的自主访问控制(DAC)模型，用于在Web应用程序中自动执行DAC。使用该模型，Web应用程序开发人员可以从实现复杂且容易出错的安全实施逻辑中解放出来。这两个访问控制模型都是基于公认的安全原则设计的。为了帮助传播我们的结果，我们将实现我们的开源Web浏览器和数据库的设计，并说服网络社区采用我们的模型。这项研究的成果还将转化为动手实验室，以增强学生在系统中的学习安全性。