Better Abstractions for Secure Server-Side Scripting
It is notoriously difficult to program a solid web application. Besides addressing web interactions, state maintenance, and whimsical user navigation behaviors, programmers must also avoid a minefield of security vulnerabilities. The problem is twofold. First, we lack a clear understanding of the new computation model underlying web applications. Second, we lack proper abstractions for hiding common and subtle coding details that are orthogonal to the business functionalities of specific web applications. This paper addresses both issues. First, we present a language BASS for declarative server-side scripting. BASS allows programmers to work in an ideal world, using new abstractions to tackle common but problematic aspects of web programming. The meta properties of BASS provide useful security guarantees. Second, we present a language MOSS reflecting realistic web programming concepts and scenarios, thus articulating the computation model behind web programming. Finally, we present a translation from BASS to MOSS, demonstrating how the ideal programming model and security guarantees of BASS can be implemented in practice.
Server-side scripting web application security
Dachuan Yu Ajay Chander Hiroshi Inamura Igor Serikov
DoCoMo Communications Laboratories USA 3240 Hillview Avenue Palo Alto, CA 94304
国际会议
第十七届国际万维网大会(the 17th International World Wide Web Conference)(WWW08)
北京
英文
2008-04-21(万方平台首次上网日期,不代表论文的发表时间)