TWC: Medium: A Layered Approach to Securing Web Services

TWC：Medium：保护 Web 服务的分层方法

• 批准号: 1409868
• 负责人: Jon Solworth
• 金额: $ 90万
• 依托单位: University of Illinois at Chicago
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2014
• 资助国家: 美国
• 起止时间: 2014-08-01 至 2019-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1409868&HistoricalAwards=false
• 关键词: TWC; Medium; Layered; Approach; Securing

The modern web experience is dynamic, providing users with a highly responsive interface through which to interact with the world. Today's mechanisms allow servers---even those which are controlled by an attacker---to download arbitrary programs into a user's browser. It is extraordinarily difficult to secure the web browser (and its user) against attack in this scenario. While tools and techniques are useful to analyze and restrict downloaded code, they are by their very nature incomplete. As a result, the security of web services relies on a series of ad hoc, service-provided techniques. Thus even large organizations routinely outsource too-difficult-to-secure web services.This project will explore an alternative: A modern, dynamic web experience with a focus on safety. Rather than attempting to make arbitrary code safe, it aims to design a safe interface which is far less complex than today's browser environment. This interface will be analyzed for its security properties. It will result in a more tractable environment in which to secure web applications than exists today. Many security properties will be built in; such properties are not dependent on the server side-efforts to secure them. Thus, when using this interface, visiting web sites will pose a smaller threat to users, even from sites which are under the control of an attacker. The project will develop a new semantic foundation for web security and make available open source tools and educational materials for the next generation of web developers.

现代网络体验是动态的，为用户提供了一个高度响应的界面，通过它与世界互动。今天的机制允许服务器-甚至那些被攻击者控制的服务器-将任意程序下载到用户的浏览器中。 在这种情况下，保护Web浏览器（及其用户）免受攻击非常困难。 虽然工具和技术对于分析和限制下载的代码很有用，但它们本质上是不完整的。 因此，Web服务的安全性依赖于一系列专门的服务提供技术。因此，即使是大型组织也经常外包太难安全的Web服务。本项目将探索一种替代方案：一种现代的，动态的Web体验，重点是安全性。它不是试图使任意代码安全，而是旨在设计一个安全的界面，它远没有今天的浏览器环境复杂。 将分析此接口的安全属性。 它将产生一个比现在更易于处理的环境，以保护Web应用程序。 许多安全属性将被内置;这些属性不依赖于服务器端保护它们的努力。 因此，当使用此接口时，访问网站将对用户构成较小的威胁，即使来自攻击者控制下的网站。 该项目将为Web安全开发一个新的语义基础，并为下一代Web开发人员提供开源工具和教育材料。