Automatic and robust client-side protection for cookie-based sessions

Bugliesi, M.; Calzavara, S.; Focardi, R.; Khan, W.

doi:10.1007/978-3-319-04897-0_11

ARCA è l'archivio istituzionale ad accesso aperto della ricerca dell'Università Ca' Foscari Venezia e nasce nel 2014 con lo scopo di raccogliere, diffondere e conservare la produzione scientifica dell'Università. Costituisce di fatto il catalogo della ricerca di Ateneo.
Mentre il precedente U-Gov Catalogo era un database chiuso, ARCA è un sistema Open Access: è non solo consultabile da tutti e visibile nei motori di ricerca, ma anche interoperabile con il portale cerCa. In questo modo vengono valorizzate la produzione scientifica dell'Ateneo e la visibilità dei ricercatori.

Session cookies constitute one of the main attack targets against client authentication on the Web. To counter that, modern web browsers implement native cookie protection mechanisms based on the Secure and HttpOnly flags. While there is a general understanding about the effectiveness of these defenses, no formal result has so far been proved about the security guarantees they convey. With the present paper we provide the first such result, with a mechanized proof of noninterference assessing the robustness of the Secure and HttpOnly cookie flags against both web and network attacks. We then develop CookiExt, a browser extension that provides client-side protection against session hijacking based on appropriate flagging of session cookies and automatic redirection over HTTPS for HTTP requests carrying such cookies. Our solution improves over existing client-side defenses by combining protection against both web and network attacks, while at the same time being designed so as to minimise its effects on the user’s browsing experience.

Utilizza questo identificativo per citare o creare un link a questo documento: http://hdl.handle.net/10278/42442

Titolo:	Automatic and robust client-side protection for cookie-based sessions
Autori interni:	BUGLIESI, Michele CALZAVARA, STEFANO FOCARDI, Riccardo KHAN, WILAYAT
Data di pubblicazione:	2014
Serie:	LECTURE NOTES IN COMPUTER SCIENCE
Abstract:	Session cookies constitute one of the main attack targets against client authentication on the Web. To counter that, modern web browsers implement native cookie protection mechanisms based on the Secure and HttpOnly flags. While there is a general understanding about the effectiveness of these defenses, no formal result has so far been proved about the security guarantees they convey. With the present paper we provide the first such result, with a mechanized proof of noninterference assessing the robustness of the Secure and HttpOnly cookie flags against both web and network attacks. We then develop CookiExt, a browser extension that provides client-side protection against session hijacking based on appropriate flagging of session cookies and automatic redirection over HTTPS for HTTP requests carrying such cookies. Our solution improves over existing client-side defenses by combining protection against both web and network attacks, while at the same time being designed so as to minimise its effects on the user’s browsing experience.
Handle:	http://hdl.handle.net/10278/42442
ISBN:	9783319048963
Appare nelle tipologie:	4.1 Articolo in Atti di convegno

File in questo prodotto:

File	Descrizione	Dimensione	Formato	Tipologia	Licenza
essos14.pdf		354.39 kB	Adobe PDF	Pre-print		Riservato

Citazioni
ND

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.