東華大學圖書館 |

語系: 繁體中文

說明(常見問題)

回圖書館首頁

手機版館藏查詢

登入

回首頁

切換: 標籤 | MARC模式 | ISBD

Security and privacy hazards of soft...

Wang, Rui.

FindBook

Google Book

Amazon

博客來

Security and privacy hazards of software-as-a-service: Analyses and mitigations.

紀錄類型:	書目-電子資源 : Monograph/item
正題名/作者:	Security and privacy hazards of software-as-a-service: Analyses and mitigations./
作者:	Wang, Rui.
出版者:	Ann Arbor : ProQuest Dissertations & Theses, : 2013,
面頁冊數:	253 p.
附註:	Source: Dissertation Abstracts International, Volume: 75-02(E), Section: B.
Contained By:	Dissertation Abstracts International75-02B(E).
標題:	Computer science. -
電子資源:	http://pqdd.sinica.edu.tw/twdaoapp/servlet/advanced?query=3601847
ISBN:	9781303535680

Security and privacy hazards of software-as-a-service: Analyses and mitigations.
Wang, Rui.

Security and privacy hazards of software-as-a-service: Analyses and mitigations. - Ann Arbor : ProQuest Dissertations & Theses, 2013 - 253 p.

Source: Dissertation Abstracts International, Volume: 75-02(E), Section: B.

Thesis (Ph.D.)--Indiana University, 2013.

A decisive trend of today's web is to enable developers to deliver software functionalities as web services, a.k.a. Software-as-a-Service (SaaS). Early websites can only host static pages, which are not suitable for supporting software functionalities. Therefore, the web has been significantly advanced to boost SaaS developments. First, typical applications are no longer static pages, but stateful two-party programs. Second, the industry is adopting a common programming practice called web service integration , in which web applications integrate 3rd-party web services. Third, other than browsers, mobile apps also become mainstream in delivering web content. Different from traditional software, functionalities of web applications are often implemented in distributed manner, whose code spread across different trust boundaries, i.e., browser webpages, mobile apps, and web servers. The three advancements of the web significantly complicate cross-boundary communications of distributed functionalities, whose security and privacy implications can be pretty serious, but are unclear to the web industry. This dissertation reports an extensive study across three years on real-world applications to systematically understand this emerging risk. The study discovered three serious threats, which all seem industry-wide problems. First, side-channel leaks in web applications become realistic and serious threats to user privacy despite encryption such as HTTPS because cross-boundary communications between the client and server expose functionality states and state transitions associated with sensitive data through side channels. Second, service integrations bring in complexities of securely coordinating functionality states across services. Consequently, logic flaws are frequently present in security-critical integrations, allowing attackers to shop for free, or log into others' accounts. Third, origin-based protection (e.g., same origin policy) is standard for browsers to protect cross-boundary communications among webpages and servers, but such an important mechanism is not available for mobile apps, rendering cross-origin attacks very effective on Android and iOS. These threats are concretely demonstrated by serious flaws discovered in high-profile applications of leading companies, including Amazon, PayPal, Facebook, Google, Dropbox, Yahoo!, Microsoft, and several others. The dissertation also elaborates great efforts to mitigate these threats, including analyzing difficulties of mitigating side-channel leaks, studying complexities of reasoning logic correctness of service integrations, and developing the mobile origin-based protection mechanism.

ISBN: 9781303535680Subjects--Topical Terms:

523869
Computer science.

Security and privacy hazards of software-as-a-service: Analyses and mitigations.
LDR:03621nmm a2200301 4500 001 2125646
005 20171113102614.5
008 180830s2013 ||||||||||||||||| ||eng d
020 $a 9781303535680
035 $a (MiAaPQ)AAI3601847
035 $a AAI3601847
040 $a MiAaPQ $c MiAaPQ
100 1 $a Wang, Rui. $3 866052
245 1 0 $a Security and privacy hazards of software-as-a-service: Analyses and mitigations.
260 1 $a Ann Arbor : $b ProQuest Dissertations & Theses, $c 2013
300 $a 253 p.
500 $a Source: Dissertation Abstracts International, Volume: 75-02(E), Section: B.
500 $a Advisers: XiaoFeng Wang; Shuo Chen.
502 $a Thesis (Ph.D.)--Indiana University, 2013.
520 $a A decisive trend of today's web is to enable developers to deliver software functionalities as web services, a.k.a. Software-as-a-Service (SaaS). Early websites can only host static pages, which are not suitable for supporting software functionalities. Therefore, the web has been significantly advanced to boost SaaS developments. First, typical applications are no longer static pages, but stateful two-party programs. Second, the industry is adopting a common programming practice called web service integration , in which web applications integrate 3rd-party web services. Third, other than browsers, mobile apps also become mainstream in delivering web content. Different from traditional software, functionalities of web applications are often implemented in distributed manner, whose code spread across different trust boundaries, i.e., browser webpages, mobile apps, and web servers. The three advancements of the web significantly complicate cross-boundary communications of distributed functionalities, whose security and privacy implications can be pretty serious, but are unclear to the web industry. This dissertation reports an extensive study across three years on real-world applications to systematically understand this emerging risk. The study discovered three serious threats, which all seem industry-wide problems. First, side-channel leaks in web applications become realistic and serious threats to user privacy despite encryption such as HTTPS because cross-boundary communications between the client and server expose functionality states and state transitions associated with sensitive data through side channels. Second, service integrations bring in complexities of securely coordinating functionality states across services. Consequently, logic flaws are frequently present in security-critical integrations, allowing attackers to shop for free, or log into others' accounts. Third, origin-based protection (e.g., same origin policy) is standard for browsers to protect cross-boundary communications among webpages and servers, but such an important mechanism is not available for mobile apps, rendering cross-origin attacks very effective on Android and iOS. These threats are concretely demonstrated by serious flaws discovered in high-profile applications of leading companies, including Amazon, PayPal, Facebook, Google, Dropbox, Yahoo!, Microsoft, and several others. The dissertation also elaborates great efforts to mitigate these threats, including analyzing difficulties of mitigating side-channel leaks, studying complexities of reasoning logic correctness of service integrations, and developing the mobile origin-based protection mechanism.
590 $a School code: 0093.
650 4 $a Computer science. $3 523869
650 4 $a Computer engineering. $3 621879
650 4 $a Web studies. $3 2122754
690 $a 0984
690 $a 0464
690 $a 0646
710 2 $a Indiana University. $b Informatics. $3 1680747
773 0 $t Dissertation Abstracts International $g 75-02B(E).
790 $a 0093
791 $a Ph.D.
792 $a 2013
793 $a English
856 4 0 $u http://pqdd.sinica.edu.tw/twdaoapp/servlet/advanced?query=3601847