Sessions on the web are fragile. They have been attacked successfully in many ways: by network-level attacks, by direct attacks on session cookies (the main mechanism for implementing the session concept), and by application-level attacks in which the integrity of sessions is violated by means of cross-site request forgery or malicious script inclusion. This paper defines a variant of non-interference, the classical security notion from information flow security, that can be used to formally define the notion of client-side application-level web session integrity. The paper also develops and proves correct an enforcement mechanism. Combined with state-of-the-art countermeasures for network-level and cookie-level attacks, this enforcement mechanism gives very strong assurance about the client-side preservation of session integrity for authenticated sessions.
Khan, W., Calzavara, S., Bugliesi, M., De Groef, W., & Piessens, F. (2014). Client side web session integrity as a non-interference property. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8880, pp. 89–108). Springer Verlag. https://doi.org/10.1007/978-3-319-13841-1_6