Securing Web Apps
Experimental system watches applications to make sure they’re not misbehaving on the user’s end

Source: “Ripley: Automatically Securing Web Applications Through Replicated Execution”
Krishnaprasad Vikram et al.
ACM Conference on Computer and Communications Security, November 9-13, 2009, Chicago, IL

Results: Researchers designed a system that secures Web applications by protecting against attacks on the portion of the application’s code that runs on users’ machines rather than on Web servers. They found that the system protected five sample applications, and also a test version of Hotmail, without straining the network, the user’s computer, or the server.

Why it matters: The user side of Web applications has been notoriously difficult to defend, because the code on the user’s computer can be modified very easily, even by the user. As a result, some important functions must run on the server, a requirement that slows the system down. For example, an online shopping site could work faster if each user’s shopping-cart information and purchase totals were manipulated directly in the browser, but these functions are assigned to the server lest a user hack the system to add fraudulent discounts. The new system would make sure that no such unauthorized behavior went undetected.

Methods: The system replicates the part of the application running within the user’s browser and runs that replica on the server. Values computed by the replica are compared with those reported by the real application to confirm that the code on the user’s machine is running as intended; if they don’t match, the system disconnects the client, ending the transaction. To avoid overburdening the server’s memory and processors, the researchers pared down the cloned software so that it performs only essential actions.
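The following is an added example, not code from the Ripley paper or from MIT Technology Review, that illustrates both the shopping-cart scenario in "Why it matters" and the replicated-execution check in "Methods". The cart logic is shared between the client and a pared-down server replica; the server replays the client's reported events through the replica and compares totals, disconnecting the client on a mismatch. The catalogue, discount table, event log, item names and function names are all constructed for the example (Python is used here for readability; the original system targeted .NET).

```python
"""Toy replicated-execution integrity check (added example, constructed data).

The browser runs cart logic locally and reports (a) the user events it
processed and (b) the total it computed. The server re-runs the same cart
logic on that event log in a minimal replica and compares the result with
the client's claim. Any disagreement means the client-side code has been
tampered with, so the session is terminated.
"""
from typing import Dict, List, Tuple

# Constructed server-side data. The replica always uses the server's copy of
# prices and discounts, never anything the client reports.
CATALOGUE: Dict[str, int] = {"book": 1200, "pen": 150, "lamp": 3500}  # cents
DISCOUNTS: Dict[str, int] = {"SAVE10": 10}                           # percent

Event = Tuple[str, str]  # (action, argument), e.g. ("add", "book")


class ClientDisconnected(Exception):
    """Raised when the replica's result disagrees with the client's."""


def run_cart(events: List[Event], catalogue: Dict[str, int],
             discounts: Dict[str, int]) -> int:
    """Shared cart logic; identical code runs in the browser and in the replica.

    Only this function is replicated on the server: rendering, animation and
    other non-essential client work are deliberately left out, mirroring the
    'pared down' replica described in the article.
    """
    total = 0
    for action, arg in events:
        if action == "add":
            total += catalogue[arg]               # unknown item -> KeyError
        elif action == "discount":
            pct = discounts.get(arg, 0)           # unknown code -> no discount
            total -= total * pct // 100
        else:
            raise ValueError(f"unknown action {action!r}")
    return total


def honest_client(events: List[Event]) -> dict:
    """Well-behaved browser: runs the shared logic and reports events + total."""
    return {"events": events, "total": run_cart(events, CATALOGUE, DISCOUNTS)}


def tampered_client(events: List[Event]) -> dict:
    """Browser whose script was edited to claim a 90% discount regardless of code."""
    total = run_cart(events, CATALOGUE, DISCOUNTS)
    return {"events": events, "total": total // 10}


def server_checkout(report: dict) -> int:
    """Server side: replay the reported events in the replica and compare.

    Returns the accepted total, or raises ClientDisconnected on a mismatch.
    """
    expected = run_cart(report["events"], CATALOGUE, DISCOUNTS)
    if expected != report["total"]:
        raise ClientDisconnected(
            f"replica computed {expected}, client reported {report['total']}")
    return expected


def demo() -> Tuple[int, bool]:
    """Run one honest and one tampered session; return (honest_total, tampered_rejected)."""
    events: List[Event] = [("add", "book"), ("add", "pen"), ("discount", "SAVE10")]
    honest_total = server_checkout(honest_client(events))
    try:
        server_checkout(tampered_client(events))
        rejected = False
    except ClientDisconnected:
        rejected = True
    return honest_total, rejected


if __name__ == "__main__":
    total, rejected = demo()
    print(f"honest session accepted with total {total} cents")
    print("tampered session disconnected" if rejected else "tampered session accepted!")
```

Note that the replica never trusts client-supplied prices or discount percentages, only the sequence of user actions; that is what lets the server detect the fraudulent total without doing all of the browser's work itself.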

Next steps: The researchers designed their system for applications written with .NET, a software framework that runs on Microsoft Windows. They now hope to see their techniques adapted for applications written using other common programming technologies, such as Silverlight and Flash.


Credit: Nate DeGraff/NC State

