Secure compilation of a multi-tier web language

14 years 1 months ago
Secure compilation of a multi-tier web language
Storing state in the client tier (in forms or cookies, for example) improves the efficiency of a web application, but it also renders the secrecy and integrity of stored data vulnerable to untrustworthy clients. We study this general problem in the context of the LINKS multi-tier web-programming language. Like other systems, LINKS stores unencrypted application data, including web continuations, on the client tier; hence, LINKS is open to attacks that expose secrets, and modify control flow and application data. We characterise these attacks as failures of the general principle that security properties of multi-tier applications should follow simply from review of the source code (as opposed to the detailed study of the files compiled for each tier, for example). We propose a secure compilation strategy, which uses authenticated encryption to eliminate these threats, and we implement it as a simple extension to the LINKS system. We model this compilation strategy as a translation f...
Ioannis G. Baltopoulos, Andrew D. Gordon
Added 17 Mar 2010
Updated 17 Mar 2010
Type Conference
Year 2009
Where TLDI
Authors Ioannis G. Baltopoulos, Andrew D. Gordon
Comments (0)