Check out the new USENIX Web site.
ConfWeek '10
USENIX WebApps '11 Banner


Wednesday, June 15, 2011
10:30 a.m.–Noon

GuardRails: A Data-Centric Web Application Security Framework
Back to Program
Modern web application frameworks have made it easy to create powerful web applications. Developing a secure web application, however, still requires a developer to posses a deep understanding of security vulnerabilities and attacks. Even for experienced developers it is tedious, if not impossible, to find and eliminate all vulnerabilities. This paper presents GuardRails, a source-to-source tool for Ruby on Rails that helps developers build secure web applications. GuardRails works by attaching security policies defined using annotations to the data model itself. GuardRails produces a version of the input application that automatically enforces the specified policies. GuardRails helps developers prevent a myriad of security problems including cross-site scripting attacks and access control violations while providing a large degree of flexibility to support a range of policies and development styles.

PHP Aspis: Using Partial Taint Tracking to Protect Against Injection Attacks
Back to Program
Web applications are increasingly popular victims of security attacks. Injection attacks, such as Cross Site Scripting or SQL Injection, are a persistent problem. Even though developers are aware of them, the suggested best practices for protection are error prone: unless all user input is consistently filtered, any application may be vulnerable. When hosting web applications, administrators face a dilemma: they can only deploy applications that are trusted or they risk their system's security. To prevent injection vulnerabilities, we introduce PHP Aspis: a source code transformation tool that applies partial taint tracking at the language level. PHP Aspis augments values with taint meta-data to track their origin in order to detect injection vulnerabilities. To improve performance, PHP Aspis carries out taint propagation only in an application's most vulnerable parts: third-party plugins. We evaluate PHP Aspis with Wordpress, a popular open source weblog platform, and show that it prevents all code injection exploits that were found in Wordpress plugins in 2010.

Secure Data Preservers for Web Services
Back to Program
We examine a novel proposal wherein a user who hands off her data to a web service has complete choice over the code and policies that constrain access to her data. Such an approach is possible if the web service does not require raw access to the user's data to implement its functionality; access to a carefully chosen interface to the data suffices. Our data preserver framework rearchitects such web services around the notion of a preserver, an object that encapsulates the user's data with code and policies chosen by the user. Our framework relies on a variety of deployment mechanisms, such as administrative isolation, software-based isolation (e.g., virtual machines), and hardware-based isolation (e.g., trusted platform modules) to enforce that the service interacts with the preserver only via the chosen interface. Our prototype implementation illustrates three such web services, and we evaluate the cost of privacy in our framework by characterizing the performance overhead compared to the status quo.

1:00 p.m.–2:30 p.m.

BenchLab: An Open Testbed for Realistic Benchmarking of Web Applications
Back to Program
Web applications have evolved from serving static content to dynamically generating Web pages. Web 2.0 applications include JavaScript and AJAX technologies that manage increasingly complex interactions between the client and the Web server. Traditional benchmarks rely on browser emulators that mimic the basic network functionality of real Web browsers but cannot emulate the more complex interactions. Moreover, experiments are typically conducted on LANs, which fail to capture real latencies perceived by users geographically distributed on the Internet. To address these issues, we propose BenchLab, an open testbed that uses real Web browsers to measure the performance of Web applications. We show why using real browsers is important for benchmarking modern Web applications such as Wikibooks and demonstrate geographically distributed load injection for modern Web applications.

Resource Provisioning of Web Applications in Heterogeneous Clouds
Back to Program
Cloud computing platforms provide very little guarantees regarding the performance of seemingly identical virtual machine instances. Such instances have been shown to exhibit significantly different performance from each other. This heterogeneity creates two challenges when hosting multi-tier Web applications in the Cloud. First, different machine instances have different processing capacity so balancing equal amounts of load to different instances leads to poor performance. Second, when an application must be reprovisioned, depending on the performance characteristics of the new machine instance it may be more beneficial to add the instance to one tier or another. This paper shows how we can efficiently benchmark the individual performance profile of each individual virtual machine instance when we obtain it from the Cloud. These performance profiles allow us to balance the request load more efficiently than standard load balancers, leading to better performance at lower costs. The performance profiles also allow us to predict the performance that the overall application would have if the new machine instance would be added to any of the application tiers, and therefore to decide how to make best use of newly acquired machine instances. We demonstrate the effectiveness of our techniques by provisioning the TPC-W e-commerce benchmark in the Amazon EC2 platform.

C3: An Experimental, Extensible, Reconfigurable Platform for HTML-based Applications
Back to Program
The common conception of a (client-side) web application is some collection of HTML, CSS and JavaScript (JS) that is hosted within a web browser and that interacts with the user in some non-trivial ways. The common conception of a web browser is a monolithic program that can render HTML, execute JS, and gives the user a portal to navigate the web. Both of these are misconceptions: nothing inherently confines webapps to a browser's page-navigation idiom, and browsers can do far more than merely render content. Indeed, browsers and web apps are converging in functionality, but their underlying technologies are so far largely distinct. We present C3, an implementation of the HTML/CSS/JS platform designed for web-client research and experimentation. C3's typesafe, modular architecture lowers the barrier to webapp and browser research. Additionally, C3 explores the role of extensibility throughout the web platform for customization and research efforts, by introducing novel extension points and generalizing existing ones. We discuss and evaluate C3's design choices for flexibility, and provide examples of various extensions that we and others have built.

3:00 p.m.–4:30 p.m.

The Effectiveness of Application Permissions
Back to Program
Traditional user-based permission systems assign the user's full privileges to all applications. Modern platforms are transitioning to a new model, in which each application has a different set of permissions based on its requirements. Application permissions offer several advantages over traditional user-based permissions, but these benefits rely on the assumption that applications generally require less than full privileges. We explore whether that assumption is realistic, which provides insight into the value of application permissions. We perform case studies on two platforms with application permissions, the Google Chrome extension system and the Android OS. We collect the permission requirements of a large set of Google Chrome extensions and Android applications. From this data, we evaluate whether application permissions are effective at protecting users. Our results indicate that application permissions can have a positive impact on system security when applications' permission requirements are declared up-front by the developer, but can be improved.

Experiences on a Design Approach for Interactive Web Applications
Back to Program
Highly interactive web applications that offer a lot of functionality are increasingly replacing their desktop counterparts. However, the browser and the web itself were originally designed for viewing and exchanging documents and data and not for running applications. Over the years, web pages have slowly been transformed into web applications and as a result, they have been forcefully fit into an unnatural mold for them. In this paper we present a pattern for implementing web applications in a way that completes this transition and creates a more natural environment for web applications to live in. In the pattern, the full MVC stack is implemented in the client while the server is completely decoupled via a RESTful interface. We also present experiences in building an industrial-scale application utilizing this pattern.

Exploring the Relationship Between Web Application Development Tools and Security
Back to Program
How should software engineers choose which tools to use to develop secure web applications? Different developers have different opinions regarding which language, framework, or vulnerability-finding tool tends to yield more secure software than another; some believe that there is no difference at all between such tools. This paper adds quantitative data to the discussion and debate. We use manual source code review and an automated black-box penetration testing tool to find security vulnerabilities in 9 implementations of the same web application in 3 different programming languages. We explore the relationship between programming languages and number of vulnerabilities, and between framework support for security concerns and the number of vulnerabilities. We also compare the vulnerabilities found by manual source code review and automated black-box penetration testing. Our findings are: (1) we do not find a relationship between choice of programming language and application security, (2) automatic framework protection mechanisms, such as for CSRF and session management, appear to be effective at precluding vulnerabilities, while manual protection mechanisms provide little value, and (3) manual source code review is more effective than automated black-box testing, but testing is complementary.

Thursday, June 16, 2011
1:00 p.m.–2:30 p.m.

Integrating Long Polling with an MVC Web Framework
Back to Program
Long polling is a technique that simulates server push using Ajax requests, allowing Web pages to be updated quickly in response to server events. Unfortunately, existing long poll approaches are difficult to use, do not work well with server-side frameworks based on the Model-View-Controller (MVC) pattern, and are not scalable. Vault is an architecture for long polling that integrates cleanly with MVC frameworks and scales for clustered environments of hundreds of application servers. Vault lets developers focus on writing application-specific code without worrying about the details of how long polling is implemented. We have implemented Vault in two different Web frameworks.

Detecting Malicious Web Links and Identifying Their Attack Types
Back to Program
Malicious URLs have been widely used to mount various cyber attacks including spamming, phishing and malware. Detection of malicious URLs and identification of threat types are critical to thwart these attacks. Knowing the type of a threat enables estimation of severity of the attack and helps adopt an effective countermeasure. Existing methods typically detect malicious URLs of a single attack type. In this paper, we propose method using machine learning to detect malicious URLs of all the popular attack types and identify the nature of attack a malicious URL attempts to launch. Our method uses a variety of discriminative features including textual properties, link structures, webpage contents, DNS information, and network traffic. Many of these features are novel and highly effective. Our experimental studies with 40,000 benign URLs and 32,000 malicious URLs obtained from real-life Internet sources show that our method delivers a superior performance: the accuracy was over 98% in detecting malicious URLs and over 93% in identifying attack types. We also report our studies on the effectiveness of each group of discriminative features, and discuss their evadability.

Maverick: Providing Web Applications with Safe and Flexible Access to Local Devices
Back to Program
Web browsers do not yet provide Web programs with the same safe, convenient access to local devices that operating systems provide to native programs. As a result, Web programmers must either wait for the slowly evolving HTML standard to add support for the device classes they want to use, or they must use difficult to deploy browser plug-ins to add the access they need. This paper describes Maverick, a browser that provides Web applications with safe and flexible access to local devices. Maverick lets Web programmers implement USB device drivers and frameworks, like file systems or streaming video layers, using standard Web programming technologies such as HTML, JavaScript, or even code executed in a native client sandbox. These Web drivers and Web frameworks are downloaded dynamically from Web servers and executed by browsers alongside Web applications. Maverick provides Web drivers with protected access to the USB bus, and it provides Web drivers and frameworks with event-driven IPC channels to communicate with each other and with Web applications. We prototyped Maverick by modifying the Chrome Web browser and the Linux kernel. Using Maverick, we have implemented: several Web drivers, including a USB mass storage driver and a Webcam driver; several Web frameworks, including a FAT16 filesystem and a streaming video framework; and, several Web applications that exercise them. Our experiments show that Web drivers, frameworks, and applications are practical, easy to author, and have sufficient performance, even when implemented in JavaScript.

?Need help? Use our Contacts page.

Last changed: 5 May 2011 jel