Title
JSLINQ: Building Secure Applications across Tiers.
Abstract
Modern web and mobile applications are complex entities amalgamating different languages, components, and platforms. The rich features span the application tiers and components, some from third parties, and require substantial efforts to ensure that the insecurity of a single component does not render the entire system insecure. As of today, the majority of the known approaches fall short of ensuring security across tiers. This paper proposes a framework for end-to-end security, by tracking information flow through the client, server, and underlying database. The framework utilizes homogeneous meta-programming to provide a uniform language for programming different components. We leverage .NET meta-programming capabilities from the F# language, thus enabling language-integrated queries on databases and interoperable heterogeneous execution on the client and the server. We develop a core of our security enforcement in the form of a security type system for a functional language with mutable store and prove it sound. Based on the core, we develop JSLINQ, an extension of the WebSharper library to track information flow. We demonstrate the capabilities of JSLINQ on the case studies of a password meter, two location-based services, a movie rental database, an online Battleship game, and a friend finder app. Our experiments indicate that JSLINQ is practical for implementing high-assurance web and mobile applications.
Year
2016
DOI
10.1145/2857705.285771
Venue
CODASPY
Field
Information flow (information theory), World Wide Web, Functional programming, Computer science, Interoperability, Computer security, Cloud computing security, Battleship, Password, Web application security, Computer security model
DocType
Conference
ISBN
978-1-4503-3935-3
Citations
3
PageRank
0.40
References
21
Authors
4
Name / Order / Citations / PageRank
Musard Balliu1614.39
Benjamin Liebe230.40
Daniel Schoepe3322.21
Andrei Sabelfeld42692121.16