Enforcing Configurable Trust in Client-side Software Stacks by Splitting Information Flow

Show full item record

Please use this identifier to cite or link to this item: http://hdl.handle.net/1853/20070

Title: Enforcing Configurable Trust in Client-side Software Stacks by Splitting Information Flow
Author: Singaravelu, Lenin ; Kauer, Bernhard ; Boettcher, Alexander ; Härtig, Hermann ; Pu, Calton ; Jung, Gueyoung ; Weinhold, Carsten
Abstract: Current client-server applications such as online banking employ the same client-side software stack to handle information with differing security and functionality requirements, thereby increasing the size and complexity of software that needs to be trusted. While the high complexity of existing software is a significant hindrance to testing and analysis, existing software and interfaces are too widely used to be entirely abandoned. We present a proxy-based approach called FlowGuard to address the problem of large and complex client-side software stacks. FlowGuard’s proxy employs mappings from sensitiveness of information to trustworthiness of software stacks to demultiplex incoming messages amongst multiple client-side software stacks. One of these stacks is a fully-functional legacy software stack and another is a small and simple stack designed to handle sensitive information. In contrast to previous approaches, FlowGuard not only reduces the complexity of software handling sensitive information but also minimizes modifications to legacy software stacks. By allowing users and service providers to define the mappings, FlowGuard also provides flexibility in determining functionality-security tradeoffs. We demonstrate the feasibility of our approach by implementing a FlowGuard, called BLAC, for https-based applications. BLAC relies on text patterns to identify sensitive information in HTTP responses and redirects such responses to a small and simple TrustedViewer, with an unmodified legacy software stack handling the rest of the responses. We developed a prototype implementation that works with a prominent bank’s online banking site. Our evaluation shows that BLAC reduces size and complexity of software that needs to be trusted by an order of magnitude, with a manageable overhead of few tens of milliseconds per HTTP response.
Type: Technical Report
URI: http://hdl.handle.net/1853/20070
Date: 2007
Relation: CERCS; GIT-CERCS-07-11
Publisher: Georgia Institute of Technology
Subject: Application-level software
Client-server application
FlowGuard
Information flow
Interface
Software
Splitting
Trusted Computing Bases

All materials in SMARTech are protected under U.S. Copyright Law and all rights are reserved, unless otherwise specifically indicated on or in the materials.

Files in this item

Files Size Format View
git-cercs-07-11.pdf 348.0Kb PDF View/ Open

This item appears in the following Collection(s)

Show full item record