Simple security policy for the web
Simple security policy for the web(2012)
摘要
If web security were a siege, the attackers would be winning: it is relatively easy to compromise a site, but it takes significant resources for a defender to provide even modest security. One of the reasons for this is that current web security technologies are very complex to learn, understand, implement and maintain. As a result, security may be ignored in favour of other concerns. Simple security policy would allow defenders tools that could be used despite other constraints: The web needs simpler policy which can stop basic attacks in order to level the playing field. In this thesis, I demonstrate how several facets of the web can be extended to allow for lightweight policy additions: the same origin policy can be adapted to allow additional restrictions on inclusions and communication as we show with the Same Origin Mutual Approval (SOMA) policy. The visual layout of the page can be leveraged to produce policies that control within-page communications for page elements as we show with Visual Security Policy (ViSP). And finally, cascading style sheets can be adapted to produce an extensible policy that encompasses some of the best mitigation strategies currently available as we show with Security Style Sheets. To show the utility of these policy languages, I give formal models followed by case studies demonstrating how these simple policy languages could be used in practice and how their simplicity makes them especially attractive compared to existing solutions in the web space.
更多查看译文
关键词
simple policy language,extensible policy,modest security,lightweight policy addition,simpler policy,policy language,web security,simple security policy,current web security technology,origin policy
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络