Title :
Mash-IF: Practical information-flow control within client-side mashups
Author :
Li, Zhou ; Zhang, Kehuan ; Wang, XiaoFeng
Author_Institution :
Indiana Univ. at Bloomington, Bloomington, IN, USA
Date :
June 28 2010-July 1 2010
Abstract :
Mashup is a representative of Web 2.0 technology that needs both convenience of cross-domain access and protection against the security risks it brings in. Solutions proposed by prior research focused on mediating access to the data in different domains, but little has been done to control the use of the data after the access. In this paper, we present Mash-IF, a new technique for information-flow control within mashups. Our approach allows cross-domain communications within a browser, but disallows disclosure of sensitive information to remote parties without the user's permission. It mediates the cross-domain channels in existing mashups and works on the client without collaborations from other parties. Also of particular interest is a novel technique that automatically generates declassification rules for a script by statically analyzing its code. Such rules can be efficiently enforced through monitoring the script's call sequences and DOM operations.
Keywords :
Internet; client-server systems; security of data; DOM operations; Mash-IF; Web 2.0 technology; client-side mashup; cross-domain channels; declassification rules; practical information-flow control; script call sequences; Automatic control; Control systems; Data security; Information security; Mashups; Monitoring; Permission; Protection; Web services; YouTube; Browser; Information-Flow Control; Mashup; Protection; Security Model; Web;
Conference_Title :
Dependable Systems and Networks (DSN), 2010 IEEE/IFIP International Conference on
Conference_Location :
Chicago, IL
Print_ISBN :
978-1-4244-7500-1
Electronic_ISBN :
978-1-4244-7499-8
DOI :
10.1109/DSN.2010.5544312