Synapse India Complaints on SECURE WEB APPLICATIONS

VIA AUTOMATIC PARTITIONING

Designers of web applicationsWant to push as much as possible application

functionality into the clients Must protect application integrity against

rogue clientsPaper presents a “principled approach” to

building secure web applications“Secure by construction”

Servers can be trustedClients cannot

We cannot update ourselves the balances of our bank accounts

Swift enforces security by controlling information flow

Prevents release of information toless secure consumers

Will not accept information fromless trusted sources

Applications are written in a higher-level programming language that details all security

requirements as annotationsCompiler uses these annotations to decide whether an application and its data can run

on the clientPartitions code and data at the level of individual expressions and object fields

Written in an extension of Jif 3.0 programming language

Jif is itself an extension of Java with specific mechanisms for information flow control and

access controlExpressed in Jif as labels attached to

program variables

Intermediate language with much simpler annotations

S means annotated code/data must be placed on the server

S?C means annotated code/data must be placed on the server but can be replicated on

the client

Second phase produces exact placement and replication of code and data

Satisfying all security requirementsMinimizing costs and avoiding unnecessary

network messages

Fine grain transformationSome statements within a specific method

may run on the client while other statements must remain on the server