Security violations and the unintended flow of important data are some of the problems faced by Web application developers. Yip et al. propose a methodology and a runtime system, RESIN, for avoiding and preventing such problems.
The basis for RESIN is that security problems in Web applications often arise from an unforeseen, incorrect flow of data that adversaries exploit to extract sensitive data. RESIN helps prevent such violations by providing mechanisms that let application developers explicitly specify the correct flow of data, within and across application components, in the form of data-flow assertions. RESIN data-flow assertions are written in the same language as the application, so the assertions can easily access application-level data structures. Additionally, assertion checking is done at runtime, so that user-defined data can also be checked.
In order to achieve RESIN's goals, three distinct mechanisms are provided: policy objects, which are assertions written in the same language as the application; automatic data tracking; and filter objects that check the assertions whenever data enters or leaves the application's boundary. All three mechanisms are explained with many illustrations, and the entire design and implementation of RESIN is described in sufficient detail.
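To make the interplay of the three mechanisms concrete, here is a small Python model added to this review; it is not RESIN's own code or API. The names (Policy, PasswordPolicy, TrackedStr, send_email) and the password-reset scenario are constructed for the illustration: a policy object states who may receive a password, data tracking keeps that policy attached through string concatenation, and a filter object at the email boundary evaluates it.

```python
# Added illustration, not RESIN's own code: a minimal model of policy objects,
# automatic data tracking, and filter objects. All names are hypothetical.

class Policy:
    """Policy object: a data-flow assertion written in the application language."""
    def export_check(self, context):
        raise NotImplementedError

class PasswordPolicy(Policy):
    """Constructed assertion: a password may leave the application only inside an
    email addressed to the account owner."""
    def __init__(self, owner_email):
        self.owner_email = owner_email
    def export_check(self, context):
        return context.get("channel") == "email" and context.get("to") == self.owner_email

def _policies_of(value):
    return getattr(value, "policies", frozenset())

class TrackedStr(str):
    """Automatic data tracking: a string that carries its policies and keeps them
    across concatenation, so strings derived from protected data stay protected."""
    def __new__(cls, value, policies=()):
        obj = super().__new__(cls, value)
        obj.policies = frozenset(policies)
        return obj
    def __add__(self, other):
        return TrackedStr(str(self) + str(other), self.policies | _policies_of(other))
    def __radd__(self, other):  # plain_str + TrackedStr; Python tries this first
        return TrackedStr(str(other) + str(self), _policies_of(other) | self.policies)

def send_email(to, body):
    """Filter object at the email boundary: every policy attached to the outgoing
    data must approve the export, otherwise the flow is refused."""
    context = {"channel": "email", "to": to}
    for policy in _policies_of(body):
        if not policy.export_check(context):
            raise PermissionError(f"data-flow assertion failed: {type(policy).__name__} "
                                  f"forbids sending to {to}")
    return True  # constructed stand-in for actually delivering the message

def password_reset_allowed(owner_email, recipient):
    """Constructed scenario: a reset message embedding the user's new password.
    Returns True if the filter lets it out, False if the assertion blocks it."""
    password = TrackedStr("constructed-new-password", [PasswordPolicy(owner_email)])
    body = "Your new password is: " + password  # tracking survives the concatenation
    try:
        return send_email(recipient, body)
    except PermissionError:
        return False

if __name__ == "__main__":
    print(password_reset_allowed("alice@example.com", "alice@example.com"))    # True
    print(password_reset_allowed("alice@example.com", "mallory@example.com"))  # False
```

The point the model makes is that the application code building the message never has to remember the check: the policy travels with the data and the boundary enforces it.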
The paper provides a thorough evaluation of the system, both in terms of its ability to express and detect security violations and in terms of its performance overhead, measured on a set of benchmarks. The limitations of the proposed work are also studied. The paper ends with an extensive list of references.
The paper is suitable for both advanced researchers and beginners. It is very well written, with many examples and detailed explanations. Furthermore, it provides a very detailed treatment of application-level security and of the proposed system. In fact, this is the most thorough and comprehensive conference paper that I have ever encountered.