Foundations of Secure Web Programming

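Basic information

  • Grant number:
    EP/I004246/1
  • Principal investigator:
  • Amount:
    $ 754,300
  • Host institution:
  • Host institution country:
    United Kingdom
  • Project category:
    Fellowship
  • Fiscal year:
    2010
  • Funding country:
    United Kingdom
  • Start and end dates:
    2010 to no data
  • Project status:
    Completed

Project abstract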

Many important activities in our lives involve the web. We socialize on Facebook, have fun on YouTube, bank online, store our work in the cloud, find a job on LinkedIn and some of us even get married on Second Life. What makes web technology so exciting is that people and companies keep finding new and creative ways of using it for applications not foreseen by its designers: for example, using the web to make phone calls and mobile phones to browse the web.

Unfortunately, for this very reason, the software and protocols on which web applications are based are not designed with the appropriate level of security in mind. Some of the information we share with web applications is very valuable, and should be protected carefully. News stories often remind us how cyber-crime negatively affects our finances, privacy and well-being.

Web companies are strongly innovation-driven and focus on delivering new applications and features as quickly as possible, selecting which ones to maintain based on popularity or profitability. While the importance of security is acknowledged, the most common approach is to enforce security by monitoring the system and intervening when a security violation is detected. As this industry matures, there is a rising awareness that security must be built into the languages and tools used to program web applications, and there is a growing need to gain some level of confidence that an application is effectively secure.

In my career so far, I have studied in depth the foundations and principles for understanding computer programs and making sure that they work correctly without security breaches. Over the next few years, I will face the challenge of applying these principles to lay web programming on a sound formal ground. I want to understand deeply the current and emerging technologies that are used on the web, find ways to make them more secure, and contribute to the design of future web technologies and tools. This process will involve lots of creative thinking, and lead to innovative scientific results, because a secure web application must combine securely non-trivial components such as databases, internet protocols, scripting languages and web browsers.

Here is an example of a first step in the direction of my proposal. Facebook users write Facebook applications in JavaScript (the language that sits inside web pages and makes them interactive) and share them with other users. This raises the problem of restricting such JavaScript, written by a potentially malicious user, to make sure that it is safe for all the other Facebook users. With colleagues in Stanford, I modelled JavaScript as a set of simple mathematical formulas with a very precise meaning, and once I understood the language and its security properties (by proving several mathematical results), I studied the way Facebook restricts JavaScript and found several flaws. A malicious user could have written bad Facebook applications, able to steal information and damage the profile or the web browser of other users. I contacted the Facebook team and discussed possible solutions, and they modified their restriction mechanism accordingly.

This is just an example of how the work I am proposing consists in original foundational research that also has direct impact on the life of millions of people. Following a similar approach I will also model the languages that are used to program web servers, such as PHP, and the browser with its DOM libraries, and study their security properties. I will participate in the definition of standards related to web security, and influence the design of several major web applications such as the future versions of the iGoogle portal, Yahoo!'s advertising platform and the Microsoft Web Sandbox framework for mashups. I have already met researchers from these companies, all interested in receiving input from this line of research.

Project outputs

Number of journal papers (10)
Number of monographs (0)
Number of research awards (0)
Number of conference papers (0)
Number of patents (0)
Abstract Domains for Type Juggling
Discovering concrete attacks on website authorization by formal analysis
Language-based Defenses Against Untrusted Browser Origins
  • DOI:
  • Publication date:
    2013-08
  • Journal:
  • Impact factor:
    0
  • Authors:
    K. Bhargavan; Antoine Delignat-Lavaud; S. Maffeis
  • Corresponding author:
    K. Bhargavan; Antoine Delignat-Lavaud; S. Maffeis
2015 Special Track on Computer Security
Foundations of Security Analysis and Design VII - FOSAD 2012/2013 Tutorial Lectures
  • DOI:
    10.1007/978-3-319-10082-1_4
  • Publication date:
    2014
  • Journal:
  • Impact factor:
    0
  • Authors:
    Bhargavan K
  • Corresponding author:
    Bhargavan K

Other publications by Sergio Maffeis

Rasd: Semantic Shift Detection and Adaptation for Network Intrusion Detection
  • DOI:
  • Publication date:
  • Journal:
  • Impact factor:
    0
  • Authors:
    Fahad Alotaibi; Sergio Maffeis
  • Corresponding author:
    Sergio Maffeis

Other grants of Sergio Maffeis

Programming abstractions and static analyses for the web 2.0 and beyond.
  • Grant number:
    EP/E044956/1
  • Fiscal year:
    2007
  • Funding amount:
    $ 754,300
  • Project category:
    Fellowship

Similar overseas grants

Automatic Secure Code Migration in the Heterogeneous World of Web of Things
  • Grant number:
    535907-2018
  • Fiscal year:
    2021
  • Funding amount:
    $ 754,300
  • Project category:
    Collaborative Research and Development Grants
Automatic Secure Code Migration in the Heterogeneous World of Web of Things
  • Grant number:
    535907-2018
  • Fiscal year:
    2020
  • Funding amount:
    $ 754,300
  • Project category:
    Collaborative Research and Development Grants
Automatic Secure Code Migration in the Heterogeneous World of Web of Things
  • Grant number:
    535907-2018
  • Fiscal year:
    2019
  • Funding amount:
    $ 754,300
  • Project category:
    Collaborative Research and Development Grants
Secure auto-fetch web-crawler process to overcome advancing web-blockers
  • Grant number:
    533120-2018
  • Fiscal year:
    2018
  • Funding amount:
    $ 754,300
  • Project category:
    Experience Awards (previously Industrial Undergraduate Student Research Awards)
SaTC: TTP: Small: Modular Platform for Web-based Secure Multi-Party Analytics
  • Grant number:
    1718135
  • Fiscal year:
    2017
  • Funding amount:
    $ 754,300
  • Project category:
    Standard Grant
Research on Secure Web Interface and Efficient Data Distribution on IoT
  • Grant number:
    17K06440
  • Fiscal year:
    2017
  • Funding amount:
    $ 754,300
  • Project category:
    Grant-in-Aid for Scientific Research (C)
REU Site: Secure Software Testing for Web and Mobile Applications: Research Experience for Undergraduates
  • Grant number:
    1461065
  • Fiscal year:
    2015
  • Funding amount:
    $ 754,300
  • Project category:
    Standard Grant
Enforcing and analysing programming guidelines for secure web programming with type systems
  • Grant number:
    250888164
  • Fiscal year:
    2014
  • Funding amount:
    $ 754,300
  • Project category:
    Research Grants
A secure, cost-effective, and performance-optimized online social Web service
  • Grant number:
    463810-2014
  • Fiscal year:
    2014
  • Funding amount:
    $ 754,300
  • Project category:
    Engage Plus Grants Program
Secure Web-Based Flow Cytometry in Clinical Use and Translational Research
  • Grant number:
    8253426
  • Fiscal year:
    2012
  • Funding amount:
    $ 754,300
  • Project category: