However, the current state of the art does not allow a safe and efficient combination of static and dynamic enforcement of a shared set of security policies, forcing developers to reimplement and maintain the same policies and their enforcement code in both static and dynamic environments.
This thesis explores language-based access control and information flow control policies for securing client-side web applications.
Based on Guardia and Gifc, we develop a novel technique for deriving Static Application Security Testing (SAST) from an existing Runtime Application Security Protection (RASP) mechanism using a two-phase abstract interpretation approach. In our approach, the SAST component avoids duplicating the effort of specifying security policies and implementing their semantics. The RASP mechanism enforces security policies by instrumenting a base program to trap security-relevant operations and execute the required policy enforcement code. The first phase of the SAST mechanism computes a flow graph of the application by statically analyzing the base program without any traps. The results of this first phase are used in a second phase to detect trapped operations and abstractly execute the associated and unaltered RASP policy enforcement code. Deriving a SAST component from a RASP mechanism ensures equivalent semantics for the security policies across the static and dynamic contexts in which policies are verified during the software development life-cycle.
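The sketch below is an added illustration of the idea in the abstract, not code from the thesis or from Guardia/Gifc: one policy function is run unchanged by a runtime trap and by a static pass over a precomputed flow graph. The names `policy`, `enforce` and `analyze`, the origin, and the hand-built flow graph are assumptions, and enumerating finite value sets stands in for real abstract interpretation.

```javascript
// Added illustration; policy, enforce and analyze are hypothetical names,
// not the Guardia or Gifc API.
const ALLOWED_ORIGIN = "https://app.example"; // constructed value

// The policy is written once and used unchanged by both mechanisms.
function policy(op) {
  if (op.name !== "fetch") return true;
  try { return new URL(op.args[0]).origin === ALLOWED_ORIGIN; }
  catch { return false; } // unparsable URL: deny
}

// RASP: instrument the base object so each call is trapped and checked.
function enforce(api) {
  return new Proxy(api, {
    get(target, name) {
      const fn = target[name];
      if (typeof fn !== "function") return fn;
      return (...args) => {
        if (!policy({ name, args })) throw new Error(`policy violation: ${String(name)}`);
        return fn.apply(target, args);
      };
    },
  });
}

// SAST phase 1 result, constructed by hand here: for each call site, the set
// of values that may reach each argument (null = statically unknown).
const flowGraph = [
  { site: "app.js:12", name: "fetch", args: [["https://app.example/api/user"]] },
  { site: "app.js:27", name: "fetch",
    args: [["https://app.example/api/log", "https://tracker.example/c"]] },
  { site: "app.js:40", name: "fetch", args: [null] },
];

// SAST phase 2: run the same policy on every value combination per site.
function analyze(graph) {
  const findings = [];
  for (const { site, name, args } of graph) {
    // Unknown input cannot be checked value by value: flag conservatively.
    if (args.includes(null)) { findings.push({ site, verdict: "unknown-input" }); continue; }
    const combos = args.reduce((acc, s) => acc.flatMap(p => s.map(v => [...p, v])), [[]]);
    const bad = combos.filter(c => !policy({ name, args: c }));
    if (bad.length) findings.push({ site, verdict: "violation", witnesses: bad });
  }
  return findings;
}
```

Because both `enforce` and `analyze` call the same `policy`, a change to the rule cannot make the static and runtime verdicts drift apart.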
| Date of Award | 21 Jun 2021 |
| Supervisor | Elisa Gonzalez Boix (Promotor) & Jens Nicolay (Co-promotor) |