
    Improving web site security with data flow management

    Thesis (Ph.D.), Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 2009. Cataloged from PDF version of thesis. Includes bibliographical references (p. 91-98).

    This dissertation describes two systems, RESIN and BFLOW, whose goal is to help Web developers build more secure Web sites. RESIN and BFLOW use data flow management to reduce the security risks of using buggy or malicious code. RESIN provides programmers with language-level mechanisms to track and manage the flow of data within the server. These mechanisms make it easy for programmers to catch server-side data flow bugs that result in security vulnerabilities, and to prevent these bugs from being exploited. BFLOW is a system that adds information flow control, a restrictive form of data flow management, both to the Web browser and to the interface between a browser and a server. BFLOW makes it possible for a Web site to combine confidential data with untrusted JavaScript in its Web pages without risking leaks of that data.

    This work makes a number of contributions. RESIN introduces the idea of a data flow assertion and demonstrates how to build one using three language-level mechanisms: policy objects, data tracking, and filter objects. We built prototype implementations of RESIN in both the PHP and Python runtimes. We adapted seven real off-the-shelf applications and implemented 11 different security policies in RESIN, which thwart at least 27 real security vulnerabilities. BFLOW introduces an information flow control model that fits the JavaScript communication mechanisms, and a system that maps that model onto JavaScript's existing isolation system. Together, these techniques allow untrusted JavaScript to read, compute with, and display confidential data without the risk of leaking that data, yet require only minor changes to existing software. We built a prototype of the BFLOW system and three different applications, including a social networking application, a novel shared-data Web platform, and BFlogger, a third-party JavaScript platform similar to that of Blogger.com. We ported several untrusted JavaScript extensions from Blogger.com to BFlogger, and show that the extensions cannot leak data as they can in Blogger.com.

    By Alexander Siumann Yip. Ph.D.

    Marshfield Clinic: Health Information Technology Paves the Way for Population Health Management

    Highlights Fund-defined attributes of an ideal care delivery system and best practices, including an internal electronic health record, primary care teams, physician quality metrics and mentors, and standardized care processes for chronic care management

    E-Government Applications And Methodologies: Turkey on the E-Government Way

    Recent changes in technology, especially the use of the Internet and the World Wide Web, have resulted in a new way of doing business for governments. Governments worldwide face the challenge of transformation and the need to reinvent government systems so that they deliver more efficient and cost-effective services to citizens. Developments and studies in Information and Communication Technologies (ICT) have resulted in E-Government projects and applications. This paper analyzes E-Government projects through their methodologies and strategies, focusing mainly on the key points underlying success stories. The paper also informs the reader about E-Government projects in Turkey, their successes and failures, the IT vision of the administrations, and future plans.

    SciTokens: Capability-Based Secure Access to Remote Scientific Data

    The management of security credentials (e.g., passwords, secret keys) for computational science workflows is a burden for scientists and information security officers. Problems with credentials (e.g., expiration, privilege mismatch) cause workflows to fail to fetch needed input data or store valuable scientific results, distracting scientists from their research by requiring them to diagnose the problems, re-run their computations, and wait longer for their results. In this paper, we introduce SciTokens, open source software to help scientists manage their security credentials more reliably and securely. We describe the SciTokens system architecture, design, and implementation addressing use cases from the Laser Interferometer Gravitational-Wave Observatory (LIGO) Scientific Collaboration and the Large Synoptic Survey Telescope (LSST) projects. We also present our integration with widely-used software that supports distributed scientific computing, including HTCondor, CVMFS, and XrootD. SciTokens uses IETF-standard OAuth tokens for capability-based secure access to remote scientific data. The access tokens convey the specific authorizations needed by the workflows, rather than general-purpose authentication impersonation credentials, to address the risks of scientific workflows running on distributed infrastructure including NSF resources (e.g., LIGO Data Grid, Open Science Grid, XSEDE) and public clouds (e.g., Amazon Web Services, Google Cloud, Microsoft Azure). By improving the interoperability and security of scientific workflows, SciTokens 1) enables use of distributed computing for scientific domains that require greater data protection and 2) enables use of more widely distributed computing resources by reducing the risk of credential abuse on remote systems.

    Comment: 8 pages, 6 figures, PEARC '18: Practice and Experience in Advanced Research Computing, July 22--26, 2018, Pittsburgh, PA, US

    Redesigning a More Resilient Sahana System for Disaster Information in Indonesia

    This application is a disaster information system for Indonesia built on the Sahana platform. Its distinctive feature is the integration of Sahana with several disaster applications that were built independently in previous years: the mudflow in Sidoarjo, the flood in Solo and Bojonegoro, and the forest fires in Kalimantan. In addition, the application provides a virtual class feature for learning GIS and Sahana, complete with an online test and its results. Since the system is web-based, it uses the corresponding technologies: MapServer as the web server, PHP, HTML, and JavaScript to build the system, and PostgreSQL for data storage. To improve the security of the application, SSL and ModSecurity were added: SSL to secure the data channel, and ModSecurity to block SQL Injection and Cross Site Scripting attacks. Together these two protections keep the system safe from attack, so that important data such as disaster victims, infrastructure, and maps remain secure. With this integration, the applications form a complete information system that is secure and matches the local conditions of each disaster.

    Keywords: Disaster Management, Sahana, Virtual Class, Integration System