Network Operations and Internet Security @ Princeton

Software Defined Security: Data Leak Prevention System to Appear at ACSAC


Yogesh Mundada and Anirudh Ramachandran's SilverLine system was accepted to the 2013 Annual Computer Security Applications Conference (ACSAC).  SilverLine is an SDN-based system that protects against data leaks from multi-tier Web applications that access sensitive data but are nonetheless vulnerable to various attacks such as SQL injection and insecure direct object reference that might ultimately leak sensitive data.

SilverLine Architecture

In SilverLine, an application developer who writes a Web application can apply security labels to data in a database.  When a Web application issues a query against the database to retrieve data, the query is rewritten so that the records include security labels.  All network connections associated with that result are also associated with both labels and the intended recipient of the data.  A declassifier (a special SDN controller) inspects the security labels associated with each flow and determines whether to allow the flow based on the recipient of the data and the security labels associated with that flow.
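The following is an added example, not SilverLine's own code, that models the flow described above in a few dozen lines of Python: records carry a security label, a rewritten query returns rows together with their labels, the labels and the recipient session are attached to the outgoing flow, and a declassifier allows the flow only when the session's user is authorized for every label it carries. The record set, session table, label policy and the function names (labeled_query, build_flow, declassify, serve) are constructed for illustration and are not taken from the paper.

```python
"""Toy model of SilverLine-style label tracking with a declassifier check.

Added example; not code from SilverLine. Records, sessions, policy and
function names are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed "database": each record carries a security label (here, the
# name of the user who owns the record).
RECORDS = [
    {"id": 1, "owner": "alice", "balance": 100},
    {"id": 2, "owner": "bob", "balance": 250},
    {"id": 3, "owner": "alice", "balance": 40},
]

# Constructed session table; SilverLine derives this from login information.
SESSIONS = {"sess-A": "alice", "sess-B": "bob"}

# Constructed policy: which users may receive data carrying each label.
POLICY = {"alice": {"alice"}, "bob": {"bob"}}


@dataclass
class Flow:
    """A network flow carrying query results to one Web session."""
    recipient_session: str
    labels: set = field(default_factory=set)
    payload: list = field(default_factory=list)


def labeled_query(where_id):
    """Rewritten query: every returned row comes with its security label.

    An injection or insecure-direct-object-reference bug may let `where_id`
    select rows the session should never see (None selects all rows); the
    labels travel with the rows regardless of how they were selected.
    """
    rows = [r for r in RECORDS if where_id is None or r["id"] == where_id]
    return [(r, {r["owner"]}) for r in rows]


def build_flow(session, rows_with_labels):
    """Tag the outgoing flow with the recipient and the union of row labels."""
    flow = Flow(recipient_session=session)
    for row, labels in rows_with_labels:
        flow.payload.append(row)
        flow.labels |= labels
    return flow


def declassify(flow):
    """Declassifier decision: allow only if the recipient session's user is
    authorized (per POLICY) for every label carried by the flow."""
    user = SESSIONS.get(flow.recipient_session)
    if user is None:
        return False
    return all(user in POLICY.get(label, set()) for label in flow.labels)


def serve(session, where_id):
    """End to end: query, label the results, tag the flow, run the declassifier.

    Returns (allowed, rows); rows is empty when the flow is blocked.
    """
    flow = build_flow(session, labeled_query(where_id))
    allowed = declassify(flow)
    return allowed, (flow.payload if allowed else [])


if __name__ == "__main__":
    # Alice's own record is released; a row belonging to Bob, whether fetched
    # through an IDOR-style id or an injection that selects every row, is not.
    print(serve("sess-A", 1))
    print(serve("sess-A", 2))
    print(serve("sess-A", None))
```

The point the model makes is that the decision does not depend on how the query was constructed: a flow that picks up Bob's label on its way to Alice's session is dropped by the declassifier even when the application layer has been tricked into issuing the query.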

SilverLine is one of the first systems to step into the space of Software Defined Security.  Congratulations to Yogesh and Anirudh on this pioneering effort!  An abstract of the work is below.

SilverLine: Preventing Data Leaks from Compromised Web Applications
Yogesh Mundada, Anirudh Ramachandran, Nick Feamster
Web applications can have vulnerabilities that result in server-side data leaks. Securing sensitive data from Web applications while ensuring reasonable performance and without requiring developers to rewrite applications is challenging. We present SilverLine, which prevents data leaks from compromised Web applications. SilverLine uses login information to associate a user with each Web session; it then taints each file and database record and applies information-flow tracking to the data associated with each session to ensure that application data is released only to sessions of authorized users. We have implemented SilverLine on Linux; our implementation demonstrates that SilverLine can protect a PHP-based Web application from many of the most common server-side Web application attacks, with only minor application modifications and reasonable performance overhead.


Author: Nick Feamster

Nick Feamster is a professor in the Department of Computer Science at Princeton University. Before joining the faculty at Princeton, he was a professor in the School of Computer Science at Georgia Tech. He received his Ph.D. in Computer science from MIT in 2005, and his S.B. and M.Eng. degrees in Electrical Engineering and Computer Science from MIT in 2000 and 2001, respectively. His research focuses on many aspects of computer networking and networked systems, including the design, measurement, and analysis of network routing protocols, network operations and security, and anonymous communication systems. In December 2008, he received the Presidential Early Career Award for Scientists and Engineers (PECASE) for his contributions to cybersecurity, notably spam filtering. His honors include the Technology Review 35 "Top Young Innovators Under 35" award, a Sloan Research Fellowship, the NSF CAREER award, the IBM Faculty Fellowship, and award papers at SIGCOMM 2006 (network-level behavior of spammers), the NSDI 2005 conference (fault detection in router configuration), Usenix Security 2002 (circumventing web censorship using Infranet), and Usenix Security 2001 (web cookie analysis).
