Yogesh Mundada and Anirudh Ramachandran's SilverLine system was accepted to the 2013 Annual Computer Security Applications Conference (ACSAC). SilverLine is an SDN-based system that prevents data leaks from multi-tier Web applications: such applications handle sensitive data yet remain vulnerable to attacks such as SQL injection and insecure direct object reference that can ultimately leak that data.
In SilverLine, the developer of a Web application applies security labels to data in the database. When the application issues a query against the database, the query is rewritten so that the returned records carry their security labels. Every network connection that carries that result is then associated both with those labels and with the intended recipient of the data. A declassifier (a special SDN controller) inspects the labels associated with each flow and decides whether to allow the flow, based on the recipient of the data and the labels attached to it.
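To make the label check concrete, here is a small Python model of the mechanism described above. It is an added illustration written for this post, not SilverLine's code: the `users` table, the `sec_label` column, the `user:<id>`/`public` label scheme, the single-table query rewriting, and the `Session`/`Flow`/`declassify` objects are all assumptions made for the example. It shows a session bound to Alice receiving her own record, while an insecure-direct-object-reference request for Bob's record and a SQL-injection query that returns every row are both stopped because the result's labels include one the session is not authorized to receive.

```python
import re
import sqlite3
from dataclasses import dataclass

# Constructed sample table (an assumption for this example). Each record
# carries a security label naming the user who owns it; rows labelled
# "public" may be released to any session.
SAMPLE_ROWS = [
    (1, "alice@example.com", "111-11-1111", "user:1"),
    (2, "bob@example.com", "222-22-2222", "user:2"),
    (3, "support@example.com", "", "public"),
]


def make_db():
    """In-memory SQLite stand-in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, ssn TEXT, sec_label TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


@dataclass
class Session:
    """A Web session bound at login to one authenticated user."""
    user_id: int

    def authorized_labels(self):
        # A session may receive its own user's records and public records.
        return {f"user:{self.user_id}", "public"}


_SELECT_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+", re.IGNORECASE)


def rewrite_query(sql):
    """Append the label column so every returned record carries its label.
    Simplification: handles a single-table SELECT ... FROM ... statement."""
    m = _SELECT_RE.match(sql)
    if not m:
        raise ValueError("only SELECT ... FROM statements are modelled here")
    if re.search(r"\bsec_label\b", m.group(1)):
        return sql
    return sql[: m.end(1)] + ", sec_label" + sql[m.end(1):]


def tainted_query(conn, sql, params=()):
    """Run the rewritten query; return the data and the set of labels it carries."""
    rows = conn.execute(rewrite_query(sql), params).fetchall()
    data = [row[:-1] for row in rows]
    labels = {row[-1] for row in rows}
    return data, labels


@dataclass
class Flow:
    """A network flow carrying a result set to its intended recipient session."""
    recipient: Session
    labels: set
    payload: list


def declassify(flow):
    """Policy check: release the flow only if every label on the data is one
    the recipient is authorized to receive."""
    return flow.labels <= flow.recipient.authorized_labels()


def serve(conn, session, sql, params=()):
    """Request path: query, taint the result, build the flow, ask the declassifier."""
    data, labels = tainted_query(conn, sql, params)
    flow = Flow(session, labels, data)
    if declassify(flow):
        return "allowed", data
    # Blocked: report which labels the session was not allowed to receive.
    return "blocked", sorted(labels - session.authorized_labels())


if __name__ == "__main__":
    conn = make_db()
    alice = Session(user_id=1)
    own = "SELECT email, ssn FROM users WHERE id = ?"
    print("own record:", serve(conn, alice, own, (1,)))
    print("IDOR (id=2):", serve(conn, alice, own, (2,)))
    # SQL injection: attacker-controlled "1 OR 1=1" pulls every row.
    injected = "SELECT email, ssn FROM users WHERE id = 1 OR 1=1"
    print("SQLi:", serve(conn, alice, injected))
```

The point of the model is that the application code is never trusted to get authorization right: the vulnerable query runs, but the labels ride along with the records and the flow, and the check happens at the declassifier on the way to the recipient.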
SilverLine is one of the first systems to step into the space of Software Defined Security. Congratulations to Yogesh and Anirudh on this pioneering effort! An abstract of the work is below.
SilverLine: Preventing Data Leaks from Compromised Web Applications
Yogesh Mundada, Anirudh Ramachandran, Nick Feamster
Web applications can have vulnerabilities that result in server-side data leaks. Securing sensitive data from Web applications while ensuring reasonable performance and without requiring developers to rewrite applications is challenging. We present SilverLine, which prevents data leaks from compromised Web applications. SilverLine uses login information to associate a user with each Web session; it then taints each file and database record and applies information-flow tracking to the data associated with each session to ensure that application data is released only to sessions of authorized users. We have implemented SilverLine on Linux; our implementation demonstrates that SilverLine can protect a PHP-based Web application from many of the most common server-side Web application attacks, with only minor application modifications and reasonable performance overhead.