Our society relies on the web to support its economic, governmental, and military infrastructure. Billions of devices, from printers to smart TVs and cars, routinely run web servers and clients, forming a heterogeneous Web of Things. Web security is thus critical for cybersecurity and information security at large. The project WebSec: Securing Web-driven Systems sets out to develop a principled security platform for the web. WebSec is a unique opportunity to break away from temporary patches and short-term mitigations and tackle the challenge of web security at scale.
WebSec will result in:
- A comprehensive framework for detection, mitigation, and prevention of cross-site scripting (XSS) attacks, encompassing:
  - Crawling 2.0 and advanced string constraint solving for XSS detection,
  - a flexible Content Security Policy (CSP) for XSS mitigation, and
  - a server-side template framework that separates data from code for XSS prevention.
- A principled framework for system-wide security, enabling confinement, tainting, and information-flow control mechanisms across web component boundaries.
- Industrial demonstrators:
  - FlowGuard: a secure integration and testing platform (with Assured AB),
  - SecAppStore: a secure in-car app store architecture (with OmegaPoint AB and Volvo Car Corporation), and
  - BrowSec: a security-enhanced browser platform (with Google).