Track: Security I: Misc
Better Abstractions for Secure Server-Side Scripting
- Dachuan Yu(DoCoMo Communications Laboratories USA, Inc.)
- Ajay Chander(DoCoMo Communications Laboratories USA, Inc.)
- Hiroshi Inamura(DoCoMo Communications Laboratories USA, Inc.)
- Igor Serikov(DoCoMo Communications Laboratories USA, Inc.)
It is notoriously difficult to program a solid web application. Besides addressing web interactions, state maintenance, and whimsical user navigation behaviors, programmers must also avoid a minefield of security vulnerabilities. The problem is twofold. First, we lack a clear understanding of the new computation model underlying web applications. Second, we lack proper abstractions for hiding common and subtle coding details that are orthogonal to the business functionalities of specific web applications. This paper addresses both issues. First, we present a language BASS for declarative server-side scripting. BASS allows programmers to work in an ideal world, using new abstractions to tackle common but problematic aspects of web programming. The meta properties of BASS provide useful security guarantees. Second, we present a language MOSS reflecting realistic web programming concepts and scenarios, thus articulating the computation model behind web programming. Finally, we present a translation from BASS to MOSS, demonstrating how the ideal programming model and security guarantees of BASS can be implemented in practice.
Inquiries can be sent to: