
Designing security policies and frameworks for web applications

Posted on: 2012-09-08
Degree: Ph.D
Type: Dissertation
University: Georgia Institute of Technology
Candidate: Singh, Kapil
Full Text: PDF
GTID: 1458390011452293
Subject: Computer Science
Abstract/Summary:
There are multiple players that participate in forming policies to determine the security of content on the Web. These players include web applications that determine who can access their content, users of these applications desiring control over security policies that determine sharing of their contributed content, and the client-side software such as web browsers that have mandatory enforcement of their security policies. The current web security policies do not satisfy the end-to-end security requirements imposed by this multi-player environment. For example, while average users desire control over security policies that determine sharing of their contributed content, the applications still control what access control policies are available to the users for controlling access to that content. Moreover, even if web security policies are improved to satisfy the new requirements, their enforcement still leaves much to be desired in the current web infrastructure. Existing mechanisms are ineffective in enforcing security and privacy policies in the evolving web environment, thereby undermining the security of content on the Web.

In this dissertation, we explore ways to improve end-to-end security for web access by design and analysis of effective web security policies and enforcement frameworks. Our contributions cover end-to-end security solutions that are aligned with the multi-player setup of Web 2.0 and include a framework for users to specify security policies, a platform to enforce user policies for third-party applications, an analysis of browser policy issues, and a mechanism to provide improved end-to-end security/integrity guarantees.

We advocate the use of user-defined access control for the user-centric Web 2.0 environment and develop a generalized framework, called xAccess, for a user to specify policies on how data seekers can access the user's data in the context of web applications. xAccess is analogous to the single sign-on mechanism; however, instead of providing login capability, it provides the user with a single point for defining his access control models and policies for one or multiple applications. We subsequently extend our enforcement mechanism to develop a framework for application platforms to enforce user-defined policies with third-party applications, in particular to control the flow of data. We use social networking as a representative application and design a novel framework, called xBook, for building social networking platforms that uses information flow control models to enforce users' privacy policies.

We evaluate client-side security by performing a systematic analysis of the incoherencies in current browser security policies. Given that wide-scale adoption of any new browser policy, even if it is for improving security, is marked with concerns for backward compatibility, we also present the results of a large-scale compatibility study to analyze the cost of, and thus ultimately motivate, the adoption of secure browser policies.

Any meaningful security on the web browser platform cannot be ensured without achieving end-to-end security between a user's web browser and web sites. Although HTTPS can help achieve end-to-end security by preventing man-in-the-middle attacks, it does not satisfy the requirements of web applications that desire improved performance at the cost of reduced security guarantees. To this end, we develop a new protocol, HTTPi, which offers only end-to-end authentication and integrity and seamlessly enables caching at intermediate servers (such as CDN servers and cache proxies). We subsequently propose mechanisms that allow web applications to place integrity policy requirements on the content embedded on their sites.
Keywords/Search Tags:Web, Security, Policies, Applications, Content, Framework, Requirements, Determine