BUILDING A FRAMEWORK FOR INFORMATION FLOW AWARE WEB APPLICATIONS

Open Access
Author:
Sreenivasan, Yogesh Raju
Graduate Program:
Computer Science
Degree:
Master of Science
Document Type:
Master Thesis
Date of Defense:
June 25, 2008
Committee Members:
  • Trent Ray Jaeger, Thesis Advisor
  • Dr Patrick Mc Daniel, Thesis Advisor
Keywords:
  • security
  • virtual machines
  • web applications
  • MAC
  • SELinux
Abstract:
Web has profoundly changed the way people share information and is being used extensively by organizations to share sensitive information. For such distributed web-based environments, multilevel classification of information has become an essential requirement. Information flow policies that ensure multilevel classification of information are currently being enforced independently at different layers in a distributed system using technologies such as mandatory access control based operating systems and security-typed languages. In this thesis, we focus on designing a framework to unify the enforcement of information flow policies across different layers leveraging security-enhanced linux, xen virtual machine monitor and labeled IPsec mechanisms. We use selinux and labeled IPsec mechanisms to convey and enforce information flow policies at different layers and xen virtual machines to sandbox browser instances to isolate different web applications. Each virtual machine instance serves a single web-application at a pre-defined secrecy/integrity range. Our work focuses on bootstrapping the virtual machines with necessary policies and enforcing these policies during the run-time. In addition, we also propose an approach based on pre-loaded virtual machines to reduce the browser start-up latency. Our analysis demonstrates that despite the overhead of virtualization, IPsec processing and policy enforcement, the proposed approach achieves throughput and latency that is reasonable for most web applications used for sharing sensitive information. Through the abovementioned mechanisms, we build a distributed web-based system that can provide strict information flow guarantees.