dc.contributor.author | Dalton, Michael | |
dc.contributor.author | Kozyrakis, Christos | |
dc.contributor.author | Zeldovich, Nickolai | |
dc.date.accessioned | 2011-04-08T20:19:24Z | |
dc.date.available | 2011-04-08T20:19:24Z | |
dc.date.issued | 2009-08 | |
dc.identifier.uri | http://hdl.handle.net/1721.1/62182 | |
dc.description.abstract | This paper presents Nemesis, a novel methodology for mitigating authentication bypass and access control vulnerabilities in existing web applications. Authentication attacks occur when a web application authenticates users unsafely, granting access to web clients that lack the appropriate credentials. Access control attacks occur when an access control check in the web application is incorrect or missing, allowing users unauthorized access to privileged resources such as databases and files. Such attacks are becoming increasingly common, and have occurred in many high-profile applications, such as IIS [10] and WordPress [31], as well as 14% of surveyed web sites [30]. Nevertheless, none of the currently available tools can fully mitigate these attacks.

Nemesis automatically determines when an application safely and correctly authenticates users, by using Dynamic Information Flow Tracking (DIFT) techniques to track the flow of user credentials through the application's language runtime. Nemesis combines authentication information with programmer-supplied access control rules on files and database entries to automatically ensure that only properly authenticated users are granted access to any privileged resources or data. A study of seven popular web applications demonstrates that a prototype of Nemesis is effective at mitigating attacks, requires little programmer effort, and imposes minimal runtime overhead. Finally, we show that Nemesis can also improve the precision of existing security tools, such as DIFT analyses for SQL injection prevention, by providing runtime information about user authentication. | en_US |
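The two mechanisms the abstract describes, credential taint tracking that decides when a login really happened and a resource-level access control rule that does not depend on the application's own checks, as an added illustration in Python. This is not the Nemesis prototype or any code from the paper: the taint labels, the simplified rule that a user counts as authenticated only when a conditional branch depended on a successful comparison between a request-supplied credential and a stored one, the `Runtime` class and the sample credential store and policy are all assumptions made for this example.

```python
"""Toy model of DIFT-based authentication inference plus a runtime access
control check. Added example, not the Nemesis prototype; every name and rule
below is an assumption made for illustration."""
from dataclasses import dataclass, field
from typing import Optional

USER_CRED = "user_credential"      # taint: value originated in the HTTP request
STORED_CRED = "stored_credential"  # taint: value originated in the credential store


@dataclass(frozen=True)
class Tainted:
    """A value carrying the set of credential sources it was derived from."""
    value: object
    taints: frozenset = frozenset()

    def eq(self, other: "Tainted") -> "Tainted":
        # DIFT propagation: the comparison result inherits both operands' taints.
        return Tainted(self.value == other.value, self.taints | other.taints)


@dataclass
class Runtime:
    """Stands in for the instrumented language runtime."""
    authenticated_user: Optional[str] = None
    policy: dict = field(default_factory=dict)  # resource path -> set of users
    log: list = field(default_factory=list)

    def branch(self, cond: Tainted, username: str) -> bool:
        """Record a conditional branch. The user becomes authenticated only if the
        branch outcome depended on both the submitted and the stored credential
        and the comparison succeeded (this example's simplified rule)."""
        if cond.value and {USER_CRED, STORED_CRED} <= cond.taints:
            self.authenticated_user = username
        return bool(cond.value)

    def open_resource(self, path: str) -> bool:
        """Access control enforced at the resource boundary, regardless of what
        the application code checked or forgot to check."""
        allowed = self.authenticated_user in self.policy.get(path, set())
        self.log.append((path, self.authenticated_user, allowed))
        return allowed


# Constructed sample data (not from the paper).
CREDENTIAL_STORE = {"alice": "correct horse", "bob": "battery staple"}
POLICY = {"/home/alice/notes.txt": {"alice"}}


def login_correct(rt: Runtime, username: str, submitted_password: str) -> bool:
    """Login path that compares the request credential against the stored one."""
    stored = CREDENTIAL_STORE.get(username)
    if stored is None:
        return False
    submitted = Tainted(submitted_password, frozenset({USER_CRED}))
    stored_t = Tainted(stored, frozenset({STORED_CRED}))
    return rt.branch(submitted.eq(stored_t), username)


def login_bypass(rt: Runtime, cookies: dict) -> bool:
    """Buggy 'remember me' path: trusts a client-supplied cookie and never
    consults the credential store. The application believes the user is logged
    in; the runtime sees no credential comparison and does not."""
    username = cookies.get("user")
    if username is None:
        return False
    claim = Tainted(True, frozenset({USER_CRED}))  # request-derived taint only
    return rt.branch(claim, username)


def scenario(login_kind: str, **kw) -> tuple:
    """Returns (app_thinks_logged_in, runtime_authenticated_user, file_granted)."""
    rt = Runtime(policy=POLICY)
    if login_kind == "correct":
        app_logged_in = login_correct(rt, kw["username"], kw["password"])
    else:
        app_logged_in = login_bypass(rt, kw["cookies"])
    # Deliberately no application-level access check here: the missing-check
    # case is caught by the policy attached to the file in the runtime.
    granted = rt.open_resource("/home/alice/notes.txt")
    return app_logged_in, rt.authenticated_user, granted


if __name__ == "__main__":
    print(scenario("correct", username="alice", password="correct horse"))
    print(scenario("correct", username="alice", password="wrong"))
    print(scenario("correct", username="bob", password="battery staple"))
    print(scenario("bypass", cookies={"user": "alice"}))
```

The four scenarios cover a proper login, a failed login, a missing access control check (bob authenticates correctly but the file's rule names only alice, so the runtime refuses), and an authentication bypass (the cookie path sets the application's idea of the user, but no branch ever depended on a stored credential, so the runtime never marks anyone authenticated and the file stays closed).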
dc.description.sponsorship | National Science Foundation (U.S.) (Award 0546060) (Award 0701607) | en_US |
dc.language.iso | en_US | |
dc.publisher | USENIX Association | en_US |
dc.relation.isversionof | http://www.usenix.org/events/sec09/tech/full_papers/dalton.pdf | en_US |
dc.rights | Creative Commons Attribution-Noncommercial-Share Alike 3.0 | en_US |
dc.rights.uri | http://creativecommons.org/licenses/by-nc-sa/3.0/ | en_US |
dc.source | MIT web domain | en_US |
dc.title | Nemesis: Preventing Authentication & [and] Access Control Vulnerabilities in Web Applications | en_US |
dc.type | Article | en_US |
dc.identifier.citation | Dalton, Michael, Christos Kozyrakis, and Nickolai Zeldovich. "Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications." USENIX Security Symposium, 2009. | en_US |
dc.contributor.department | Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory | en_US |
dc.contributor.department | Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science | en_US |
dc.contributor.approver | Zeldovich, Nickolai | |
dc.contributor.mitauthor | Zeldovich, Nickolai | |
dc.relation.journal | USENIX Security Symposium | en_US |
dc.eprint.version | Author's final manuscript | en_US |
dc.type.uri | http://purl.org/eprint/type/ConferencePaper | en_US |
dspace.orderedauthors | Dalton, Michael; Kozyrakis, Christos; Zeldovich, Nickolai | |
dc.identifier.orcid | https://orcid.org/0000-0003-0238-2703 | |
mit.license | OPEN_ACCESS_POLICY | en_US |
mit.metadata.status | Complete | |