Saturday, November 14, 2009

Web Security Tool Copies Apps' Moves

Via MIT Technology Review -

Nowadays, it's easy for developers to build fully fledged applications that run inside the browser. Keeping these applications safe from hackers is another matter.

With this in mind, scientists at Microsoft Research have unveiled a new way to secure complex Web applications by effectively cloning the user's browser and running it remotely.

Many of the latest Web applications split their executable code between the server and the client. The problem is detecting whether the code running on the user's home PC has been compromised in some way. The new Microsoft solution, known as Ripley, was announced on Tuesday at the Association for Computing Machinery's Computer and Communications Security Conference in Chicago.

Ripley goes further than previous efforts to secure the integrity of Web applications. "It takes integrity protection to its logical extreme," says Adam Barth, a researcher at the University of California, Berkeley who specializes in the security of Web applications. He was not involved with the project. "Instead of just verifying that a request came from the proper website, Ripley verifies that the user's actions are actually allowed by the application's user interface."

Ripley prevents a malicious user or remote hacker from altering the behavior of code running inside a Web browser by creating an exact copy of the computational environment and running that copy on the server. Ripley then sends all of the user's actions, including mouse clicks, keystrokes, and any other inputs, in a compressed "event stream" from the client to the server. This stream is run through the cloned client application on the server, and the behavior of that virtual doppelganger is compared to that of the application running on the user's browser at home. If there are any discrepancies, Ripley disconnects the client.

------------------------------

If I am reading this correctly, then using an attack proxy to test the security of a web application would become much, much, much more difficult.
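
A minimal sketch of the replay check the article describes, added here as an illustration; it is not Ripley's or Microsoft's code. The cart logic, the `charge` RPC, the item prices and the function names are all assumptions made up for the example: the server replays the client's event stream through its own copy of the application and rejects any client RPC that the replica did not produce.

```javascript
// Added example: application logic shared by the browser and the server-side replica.
// Item names and prices are constructed sample data.
const PRICES = new Map([["book", 12], ["pen", 3]]);

function createApp() {
  const cart = new Map();
  const rpcs = []; // RPCs this instance would send to the server
  function dispatch(ev) {
    if (ev.type === "add" && PRICES.has(ev.item)) {
      cart.set(ev.item, (cart.get(ev.item) || 0) + 1);
    } else if (ev.type === "checkout" && cart.size > 0) {
      let total = 0;
      for (const [item, qty] of cart) total += PRICES.get(item) * qty;
      rpcs.push({ method: "charge", total });
      cart.clear();
    } // any other event is ignored, exactly as the UI would ignore it
  }
  return { dispatch, rpcs };
}

// Server side: replay the client's event stream through a fresh replica and
// accept the client's RPCs only if the replica produced the same ones.
function verifySession(eventStream, clientRpcs) {
  const replica = createApp();
  for (const ev of eventStream) replica.dispatch(ev);
  const expected = replica.rpcs;
  const same =
    Array.isArray(clientRpcs) &&
    clientRpcs.length === expected.length &&
    expected.every((r, i) =>
      clientRpcs[i]?.method === r.method && clientRpcs[i]?.total === r.total);
  return same
    ? { accepted: true, rpcs: expected }
    : { accepted: false, action: "disconnect", expected };
}

// Constructed sessions: one honest, one with an altered total, and one RPC
// that no recorded UI event accounts for.
const events = [{ type: "add", item: "book" }, { type: "add", item: "pen" }, { type: "checkout" }];
const honest = verifySession(events, [{ method: "charge", total: 15 }]);
const repriced = verifySession(events, [{ method: "charge", total: 1 }]);
const noUiAction = verifySession([], [{ method: "charge", total: 0 }]);
console.log(honest.accepted, repriced.accepted, noUiAction.accepted); // true false false
```

The server acts only on the RPCs its replica generated, so a request modified after it left the browser never matches and the session is dropped.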
