Zeldovich group's Resin system to automate hacker proofing

October 13, 2009

Nickolai Zeldovich, EECS assistant professor and member of the Computer Science and Artificial Intelligence Laboratory (CSAIL), and his group have been studying the current state of web applications, where, despite the hundreds of security checks currently applied, a significant number of security holes remain, allowing potential malicious hacks.

As Zeldovich noted to the MIT News Office (Oct. 8, 2009), "these security checks cover the same data in all these hundreds of places."

So, Zeldovich and EECS grad students Alexander Yip and Xi Wang and EECS faculty member Frans Kaashoek, professor of computer science and engineering and principal investigator in CSAIL, have developed a system that associates security checks with particular chunks of data rather than with particular chunks of code. The security check is invoked on any attempt to access the data--by any imaginable route.

Zeldovich, Kaashoek and the team modified 12 existing applications written in the popular web programming languages Python and PHP so that they could apply their system, which they have called RESIN. Not only did the modified applications repel attacks that exploited known security holes, but Resin also thwarted additional attacks that the researchers devised.

Resin will also be easy to adopt--allowing programmers to write the sanitization code once (as opposed to applying it hundreds of times throughout their code) for each program to be 'treated'.

Resin, however, relies on additional software to track data as they flow through an application, making sure that security rules remain associated with the information wherever it is stored and however it is used. This tracking software presents the biggest obstacle to commercial adoption of Resin.

Web applications need to be able to run on any type of computer, regardless of the operating system or web browser in use--necessitating an extra layer of software called a 'runtime' to translate code written in a language such as Python or PHP into the language spoken by a given machine. Resin, the new tracking system, would therefore have to be incorporated into several different languages' runtimes--without performance loss.
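A toy Python model of the idea described above, added here as an illustration and not taken from Resin or the paper: a check is attached to a piece of data, follows it through slicing and concatenation, and runs at whatever output the data reaches. The names `Tracked`, `PasswordPolicy`, `Channel` and `policies_of` are hypothetical, and the sample values are constructed.

```python
class PolicyViolation(Exception):
    """Raised when data would cross a boundary its policy forbids."""

class PasswordPolicy:
    """Written once: the password may leave only by e-mail to its owner."""
    def __init__(self, owner_email):
        self.owner_email = owner_email
    def check(self, context):
        if context.get("type") != "email" or context.get("to") != self.owner_email:
            raise PolicyViolation("password may not flow to %r" % (context,))

def policies_of(value):
    return getattr(value, "policies", ())

class Tracked(str):
    """A str that carries its policies; stands in for runtime data tracking."""
    def __new__(cls, value, policies=()):
        obj = super().__new__(cls, value)
        obj.policies = tuple(policies)
        return obj
    def __add__(self, other):
        return Tracked(str(self) + str(other), self.policies + policies_of(other))
    def __radd__(self, other):
        return Tracked(str(other) + str(self), policies_of(other) + self.policies)
    def __getitem__(self, key):
        return Tracked(str.__getitem__(self, key), self.policies)

class Channel:
    """Output boundary: every write first runs the policies on the data."""
    def __init__(self, **context):
        self.context, self.sent = context, []
    def write(self, data):
        for policy in policies_of(data):
            policy.check(self.context)
        self.sent.append(str(data))

def demo():
    # Constructed sample data; names and addresses are made up.
    pw = Tracked("hunter2", [PasswordPolicy("alice@example.test")])
    page = "<p>debug: " + pw[:4] + "</p>"   # policy survives slice and concat
    web = Channel(type="http", user="mallory")
    mail = Channel(type="email", to="alice@example.test")
    try:
        web.write(page)
        blocked = False
    except PolicyViolation:
        blocked = True
    mail.write("Your password is " + pw)
    return blocked, web.sent, mail.sent
```

This wrapper loses the policy on any operation it does not override, such as `str.join` or an f-string, which is the gap that tracking inside the language runtime is meant to close.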

Zeldovich and his team are presenting their new system Resin at the 22nd Association for Computing Machinery (ACM) Symposium on Operating Systems Principles, held Oct. 11-14 in Big Sky, Montana.

Once Resin gets some real world traction in a heavily used service such as Facebook, says Eddie Kohler, assistant professor of computer science at UCLA, "I expect that...it would get deployed by individual companies first."

Read more:

"Improving Application Security with Data Flow Assertions," Alexander Yip, Xi Wang, Nickolai Zeldovich, and M. Frans Kaashoek.