Securing Web Apps
Experimental system watches applications to make sure they’re not misbehaving on the user’s end
Source: “Ripley: Automatically Securing Web Applications Through Replicated Execution”
Krishnaprasad Vikram et al.
ACM Conference on Computer and Communications Security, November 9-13, 2009, Chicago, IL
Results: Researchers designed a system that secures Web applications by protecting against attacks on the portion of the application’s code that runs on users’ machines rather than on Web servers. They found that the system protected five sample applications and a test version of Hotmail without straining the network, the user’s computer, or the server.
Why it matters: The user side of Web applications has been notoriously difficult to defend, because the code on the user’s computer can be compromised very easily, even by the user. As a result, some important functions must run on the server, a requirement that slows the system down. For example, an online shopping site could work faster if each user’s shopping-cart information and purchase totals were manipulated directly in the browser, but these functions are assigned to the server lest a user hack the system to add fraudulent discounts. The new system would make sure that no such unauthorized behavior occurred.
Methods: The system replicates the part of the application running within the user’s browser and runs that replica on the server. Values computed by the replica are compared with those from the real application to ensure that the code is running on the user’s machine as it’s supposed to; if they don’t match, the system disconnects the client, ending the transaction. To avoid overburdening the server’s memory and processors, the researchers pared down the cloned software so that it performs only essential actions.
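How the replicate-and-compare step could look for the shopping-cart scenario above, written here as an added Python illustration rather than the paper’s .NET implementation. It assumes the browser sends the server its log of user events together with the total it computed; the catalogue, coupon table and event format are constructed for the example.

```python
"""Replicated execution in the spirit of Ripley (added illustration, not the paper's code).
The same cart logic runs in the browser and in a server-side replica; the server replays
the client's event log and refuses the transaction if the reported total does not match."""
from dataclasses import dataclass, field

PRICES = {"book": 12.00, "pen": 1.50}   # server-side catalogue (constructed)
VALID_COUPONS = {"SAVE10": 0.10}        # the only discount the application knows (constructed)


@dataclass
class Cart:
    items: dict = field(default_factory=dict)
    discount: float = 0.0


def apply_event(cart, event):
    """Client-side logic shared verbatim by the browser and the server replica."""
    kind = event["type"]
    if kind == "add":
        cart.items[event["sku"]] = cart.items.get(event["sku"], 0) + event["qty"]
    elif kind == "coupon":
        # An unknown code yields no discount; a tampered browser cannot change this copy.
        cart.discount = VALID_COUPONS.get(event["code"], 0.0)
    else:
        raise ValueError("unknown event type: %r" % kind)
    return cart


def total(cart):
    subtotal = sum(PRICES[sku] * qty for sku, qty in cart.items.items())
    return round(subtotal * (1 - cart.discount), 2)


def server_checkout(events, client_total):
    """Replay the event log on a fresh replica and compare with the client's claim.

    Returns ("accept", expected) when the values agree and ("disconnect", expected)
    otherwise, mirroring the paper's policy of dropping a client whose values diverge.
    """
    replica = Cart()
    for event in events:
        apply_event(replica, event)
    expected = total(replica)
    if abs(expected - client_total) > 0.005:
        return ("disconnect", expected)
    return ("accept", expected)


if __name__ == "__main__":
    # Constructed event log: an honest browser reports 27.00 for this session.
    log = [{"type": "add", "sku": "book", "qty": 2},
           {"type": "add", "sku": "pen", "qty": 4},
           {"type": "coupon", "code": "SAVE10"}]
    print(server_checkout(log, 27.00))   # accept
    print(server_checkout(log, 3.00))    # disconnect: client-side total was tampered with
```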
Next steps: The researchers designed their system for applications written with .NET, a software framework that runs on Microsoft Windows. They now hope to see their techniques adapted for applications written using other common programming technologies, such as Silverlight and Flash.