TY - GEN
T1 - SCUTA
T2 - 17th ACM Symposium on Access Control Models and Technologies, SACMAT'12
AU - Tan, Xi
AU - Du, Wenliang
AU - Luo, Tongbo
AU - Soundararaj, Karthick D.
PY - 2012
Y1 - 2012
N2 - The Web is playing a very important role in our lives and is becoming an essential element of the computing infrastructure. Unfortunately, its importance makes it the preferred target of attacks. Web-based vulnerabilities now outnumber traditional computer security concerns. A recent study shows that over 80 percent of web sites have had at least one serious vulnerability. We believe that the Web's problems, to a large degree, are caused by the inadequacy of its underlying access control systems. To reduce the number of vulnerabilities, it is essential to provide web applications with better access control models that can adequately address the protection needs of the current Web. As part of the effort to develop a better access control system for the Web, we focus on server-side access control in this paper. We introduce a new concept called subsession, on which we build a ring-based access control system (called Scuta) for web servers. Scuta provides a fine-grained and backward-compatible access control mechanism for web applications. We have implemented Scuta in PHP and have conducted comprehensive case studies to evaluate its benefits.
KW - Server-side access control
KW - Web security
UR - http://www.scopus.com/inward/record.url?scp=84864067465&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84864067465&partnerID=8YFLogxK
U2 - 10.1145/2295136.2295152
DO - 10.1145/2295136.2295152
M3 - Conference contribution
AN - SCOPUS:84864067465
SN - 9781450312950
T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
SP - 71
EP - 82
BT - SACMAT'12 - Proceedings of the 17th ACM Symposium on Access Control Models and Technologies
Y2 - 20 June 2012 through 22 June 2012
ER -