重新设计网站访问控制系统.pdfVIP

Re-designing the Web’s Access Control System (Extended Abstract) Wenliang Du, Xi Tan, Tongbo Luo, Karthick Jayaraman, and Zutao Zhu Department of Electrical Engineering and Computer Science, Syracuse University, Syracuse, New York, 13244, USA Tel.: +1 315 443-9180 wedu@ Abstract. The Web is playing a very important role in our lives, and is becom- ing an essential element of the computing infrastructure. With such a glory come the attacks–the Web has become criminals’ preferred targets. Web-based vulnera- bilities now outnumber traditional computer security concerns. Although various security solutions have been proposed to address the problems on the Web, few have addressed the root causes of why web applications are so vulnerable to these many attacks. We believe that the Web’s current access control models are fun- damentally inadequate to satisfy the protection needs of today’s web, and they need to be redesigned. In this extended abstract, we explain our position, and summarize our efforts in redesigning the Web’s access control systems. Keywords: web security; access control model. 1 Introduction The Web is playing a very important role in our lives, and is becoming an essential element of the computing infrastructure. Because of its ubiquity, the Web has become attackers’ preferred targets. Web-based vulnerabilities now outnumber traditional com- puter security concerns [2, 4]. SQL injection, cross-site scripting (XSS), and cross-site request forgery are among the most common attacks on web applications. A recent re- port shows that over 80 percent of websites have had at least one serious vulnerability, and the average number of serious vulnerabilities pe