[1] E. Hammer-Lahav, “Oauth core 1.0 revision a,” 2009.
[Online]. Available: http://oauth.net/core/1.0a
[2] J. Hodges, C. Jackson, and A. Barth, “Strict
transport security,” 2009. [Online]. Available:
http://lists.w3.org/Archives/Public/www-archive/2009Sep/
att-0051/draft-hodges-strict-transport-sec-05.plain.html
[3] A. van Kesteren, “Cross-origin resource sharing,” 2009.
[Online]. Available: http://www.w3.org/TR/cors/
[4] S. Stamm, “Content security policy,” 2009. [Online].
Available: https://wiki.mozilla.org/Security/CSP/Spec
[5] Microsoft Inc., “Xdomainrequest object,” 2009. [Online].
Available: http://msdn.microsoft.com/en-us/library/
cc288060%28VS.85%29.aspx
[6] A. Inc., “Cross-domain policy file specification,” 2008.
[Online]. Available: http://www.adobe.com/devnet/articles/
crossdomain policy file spec.html
[7] E. Hammer-Lahav, “Acknowledgement of the oauth security
issue,” 2009. [Online]. Available: http://blog.oauth.net/2009/
04/22/acknowledgement-of-the-oauth-security-issue/
[8] T. Klose, “Confused deputy attack on cors,”
2009. [Online]. Available: http://lists.w3.org/Archives/Public/
public-webapps/2009AprJun/1324.html
[9] E. Nava and D. Lindsay, “Abusing internet explorer 8’s
XSS filters,” in BlackHat Europe, 2010. [Online]. Available:
http://p42.us/ie8xss/Abusing IE8s XSS Filters.pdf
[10] Daniel Jackson, Software Abstractions: Logic, Language, and
Analysis. The MIT Press, 2006.
[11] A. Barth, C. Jackson, and J. C. Mitchell, “Robust defenses for
cross-site request forgery,” in In Proc. of the 15th ACM Conf.
on Computer and Communications Security (CCS 2008).
ACM, 2008, pp. 75–88.
[12] A. Barth, C. Jackson, and J. Mitchell, “Securing frame
communication in browsers,” Commun. ACM, vol. 52, no. 6,
pp. 83–91, 2009.
[13] C. Jackson, A. Barth, A. Bortz, W. Shao, and D. Boneh, “Protecting
browsers from dns rebinding attacks,” ACM Trans.
Web, vol. 3, no. 1, pp. 1–26, 2009.
[14] C. Jackson and A. Barth, “Forcehttps: protecting high-security
web sites from network attacks,” in WWW ’08: Proceeding of
the 17th international conference on World Wide Web. New
York, NY, USA: ACM, 2008, pp. 525–534.
[15] D. Jackson, “Alloy: a lightweight object modelling notation,”
ACM Transactions on Software Engineering and Methodology
(TOSEM), vol. 11, no. 2, pp. 256–290, 2002.
[16] F. Kerschbaum, “Simple cross-site attack prevention,” in
Proceedings of the Third international workshop on Security
and Privacy in Communication networks, 2007.
[17] J. Mitchell, M. Mitchell, and U. Stern, “Automated analysis
of cryptographic protocols using Mur',” in Proc. IEEE Symp.
Security and Privacy, 1997, pp. 141–151.
[18] J. C. Mitchell, V. Shmatikov, and U. Stern, “Finite-state
analysis of ssl 3.0,” in Proceedings of the Seventh USENIX
Security Symposium, 1998, pp. 201–216.
[19] A. W. Roscoe, “Modelling and verifying key-exchange protocols
using CSP and FDR,” in 8th IEEE Computer Security
Foundations Workshop. IEEE Computer Soc Press, 1995,
pp. 98–107.
[20] D. X. Song, “Athena: a new efficient automatic checker for
security protocol analysis,” in Proceedings of the Twelfth
IEEE Computer Security Foundations Workshop, June 1999,
pp. 192–202.
[21] J. Millen and V. Shmatikov, “Constraint solving for boundedprocess
cryptographic protocol analysis,” in CCS ’01: Proceedings
of the 8th ACM conference on Computer and Communications
Security. New York, NY, USA: ACM, 2001,
pp. 166–175.
[22] M. Burrows, M. Abadi, and R. Needham, “A logic of authentication,”
ACM Transactions on Computer Systems, vol. 8,
no. 1, pp. 18–36, 1990.
[23] G. Bella and L. C. Paulson, “Kerberos version IV: Inductive
analysis of the secrecy goals,” in Proceedings of the 5th
European Symposium on Research in Computer Security, J.-
J. Quisquater, Ed. Louvain-la-Neuve, Belgium: Springer-
Verlag LNCS 1485, 1998, pp. 361–375.
[24] A. Datta, A. Derek, J. C. Mitchell, and A. Roy, “Protocol
Composition Logic (PCL),” Electronic Notes in Theoretical
Computer Science, vol. 172, pp. 311–358, 2007.
[25] A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, and M. Turuani,
“Probabilistic polynomial-time semantics for a protocol
security logic.” in Proceedings of the 32nd International Colloquium
on Automata, Languages and Programming (ICALP
’05), ser. Lecture Notes in Computer Science. Springer-
Verlag, 2005, pp. 16–29.
[26] Adam Barth and Collin Jackson and John Mitchell, “Securing
frame communication in browsers,” in SS’08: Proceedings of
the 17th conference on Security symposium. Berkeley, CA,
USA: USENIX Association, 2008, pp. 17–30.
[27] K. Bhargavan, C. Fournet, and A. Gordon, “Verified reference
implementations of ws-security protocols,” Lecture Notes in
Computer Science, vol. 4184, p. 88, 2006.
[28] A. Gordon and R. Pucella, “Validating a web service security
abstraction by typing,” Formal Aspects of Computing, vol. 17,
no. 3, pp. 277–318, 2005.
[29] J. Howell, C. Jackson, H. J. Wang, and X. Fan, “Mashupos:
operating system abstractions for client mashups,” in HOTOS’
07: Proceedings of the 11th USENIX workshop on Hot
topics in operating systems. Berkeley, CA, USA: USENIX
Association, 2007, pp. 1–7.
[30] J. Magazinius, A. Askarov, and A. Sabelfeld, “A lattice-based
approach to mashup security,” in In Proc. of the 5th ACM
Symposium on Information, Computer and Communications
Security (ASIACCS 2010). ACM, 2010.
[31] C. Grier, S. Tang, and S. T. King, “Secure web browsing with
the op web browser,” in SP ’08: Proceedings of the 2008 IEEE
Symposium on Security and Privacy. Washington, DC, USA:
IEEE Computer Society, 2008, pp. 402–416.
[32] J. Meseguer, R. Sasse, H. J. Wang, and Y.-M. Wang, “A
systematic approach to uncover security flaws in gui logic,” in
SP ’07: Proceedings of the 2007 IEEE Symposium on Security
and Privacy. Washington, DC, USA: IEEE Computer
Society, 2007, pp. 71–85.
[33] GWT Team, “Security for gwt applications,”
2008. [Online]. Available: http://groups.google.com/group/
Google-Web-Toolkit/web/security-for-gwt-applications
[34] A. Barth, J. Caballero, and D. Song, “Secure content sniffing
for web browsers, or how to stop papers from reviewing
themselves,” in SP ’09: Proceedings of the 2009 30th IEEE
Symposium on Security and Privacy. Washington, DC, USA:
IEEE Computer Society, 2009, pp. 360–371.
[35] A. Barth and C. Jackson, “Beware of finer-grained origins,”
in Proc. of Web 2.0 Security and Privacy 2008 (W2SP 2008).
IEEE Computer Society, 2008.
[36] M. Zawelski, “Browser security handbook,” 2009. [Online].
Available: http://code.google.com/p/browsersec/wiki/Main
[37] Apple Inc., “Remote scripting with IFRAME,” 2010.
[Online]. Available: http://developer.apple.com/internet/
webcontent/iframe.html
[38] E. Felten, D. Balfanz, D. Dean, and D. Wallach, “Web
spoofing: An internet con game,” Software World, vol. 28,
no. 2, pp. 6–8, 1997.
[39] R. Dhamija, J. Tygar, and M. Hearst, “Why phishing works,”
in Proceedings of the SIGCHI conference on Human Factors
in computing systems. ACM, 2006, p. 590.
[40] D. Akhawe, A. Barth, P. E. Lam, J. C. Mitchell, and
D. Song, “Web security model implementation,” 2010.
[Online]. Available: http://code.google.com/p/websecmodel
[41] L. Momtahan, “A simple small model theorem for Alloy,”
Oxford University Computing Laboratory, Tech. Rep. RR-
04-11, June 2004.
[42] M. W. Moskewicz, C. F. Madigan, Y. Zhao, L. Zhang, and
S. Malik, “Chaff: engineering an efficient sat solver,” in
DAC ’01: Proceedings of the 38th annual Design Automation
Conference. New York, NY, USA: ACM, 2001, pp. 530–535.
[43] Software Design Group, MIT, “Alloy analyzer 4,” 2010.
[Online]. Available: http://alloy.mit.edu/alloy4/
[44] A. Barth, C. Jackson, and I. Hickson, “The http origin
header,” 2009. [Online]. Available: http://tools.ietf.org/html/
draft-abarth-origin
[45] A. van Kesteren, “Cross-origin resource sharing (editors
draft),” 2009. [Online]. Available: http://dev.w3.org/2006/
waf/access-control
[46] A. Barth, “<form method=”delete”> and 307 redirects,”
2009. [Online]. Available: http://www.mail-archive.com/
whatwg@lists.whatwg.org/msg19379.html
[47] R. Schemers and R. Allbery, “Webauth v3 technical
specification,” 2009. [Online]. Available: http://webauth.
stanford.edu/protocol.html
[48] D. Mazurek, “CAS protocol,” 2005. [Online]. Available:
http://www.jasig.org/cas/protocol
[49] JASIG, “CAS deployment,” 2010. [Online]. Available:
http://www.jasig.org/cas/deployments
[Online]. Available: http://oauth.net/core/1.0a
[2] J. Hodges, C. Jackson, and A. Barth, “Strict
transport security,” 2009. [Online]. Available:
http://lists.w3.org/Archives/Public/www-archive/2009Sep/
att-0051/draft-hodges-strict-transport-sec-05.plain.html
[3] A. van Kesteren, “Cross-origin resource sharing,” 2009.
[Online]. Available: http://www.w3.org/TR/cors/
[4] S. Stamm, “Content security policy,” 2009. [Online].
Available: https://wiki.mozilla.org/Security/CSP/Spec
[5] Microsoft Inc., “Xdomainrequest object,” 2009. [Online].
Available: http://msdn.microsoft.com/en-us/library/
cc288060%28VS.85%29.aspx
[6] A. Inc., “Cross-domain policy file specification,” 2008.
[Online]. Available: http://www.adobe.com/devnet/articles/
crossdomain policy file spec.html
[7] E. Hammer-Lahav, “Acknowledgement of the oauth security
issue,” 2009. [Online]. Available: http://blog.oauth.net/2009/
04/22/acknowledgement-of-the-oauth-security-issue/
[8] T. Klose, “Confused deputy attack on cors,”
2009. [Online]. Available: http://lists.w3.org/Archives/Public/
public-webapps/2009AprJun/1324.html
[9] E. Nava and D. Lindsay, “Abusing internet explorer 8’s
XSS filters,” in BlackHat Europe, 2010. [Online]. Available:
http://p42.us/ie8xss/Abusing IE8s XSS Filters.pdf
[10] Daniel Jackson, Software Abstractions: Logic, Language, and
Analysis. The MIT Press, 2006.
[11] A. Barth, C. Jackson, and J. C. Mitchell, “Robust defenses for
cross-site request forgery,” in In Proc. of the 15th ACM Conf.
on Computer and Communications Security (CCS 2008).
ACM, 2008, pp. 75–88.
[12] A. Barth, C. Jackson, and J. Mitchell, “Securing frame
communication in browsers,” Commun. ACM, vol. 52, no. 6,
pp. 83–91, 2009.
[13] C. Jackson, A. Barth, A. Bortz, W. Shao, and D. Boneh, “Protecting
browsers from dns rebinding attacks,” ACM Trans.
Web, vol. 3, no. 1, pp. 1–26, 2009.
[14] C. Jackson and A. Barth, “Forcehttps: protecting high-security
web sites from network attacks,” in WWW ’08: Proceeding of
the 17th international conference on World Wide Web. New
York, NY, USA: ACM, 2008, pp. 525–534.
[15] D. Jackson, “Alloy: a lightweight object modelling notation,”
ACM Transactions on Software Engineering and Methodology
(TOSEM), vol. 11, no. 2, pp. 256–290, 2002.
[16] F. Kerschbaum, “Simple cross-site attack prevention,” in
Proceedings of the Third international workshop on Security
and Privacy in Communication networks, 2007.
[17] J. Mitchell, M. Mitchell, and U. Stern, “Automated analysis
of cryptographic protocols using Mur',” in Proc. IEEE Symp.
Security and Privacy, 1997, pp. 141–151.
[18] J. C. Mitchell, V. Shmatikov, and U. Stern, “Finite-state
analysis of ssl 3.0,” in Proceedings of the Seventh USENIX
Security Symposium, 1998, pp. 201–216.
[19] A. W. Roscoe, “Modelling and verifying key-exchange protocols
using CSP and FDR,” in 8th IEEE Computer Security
Foundations Workshop. IEEE Computer Soc Press, 1995,
pp. 98–107.
[20] D. X. Song, “Athena: a new efficient automatic checker for
security protocol analysis,” in Proceedings of the Twelfth
IEEE Computer Security Foundations Workshop, June 1999,
pp. 192–202.
[21] J. Millen and V. Shmatikov, “Constraint solving for boundedprocess
cryptographic protocol analysis,” in CCS ’01: Proceedings
of the 8th ACM conference on Computer and Communications
Security. New York, NY, USA: ACM, 2001,
pp. 166–175.
[22] M. Burrows, M. Abadi, and R. Needham, “A logic of authentication,”
ACM Transactions on Computer Systems, vol. 8,
no. 1, pp. 18–36, 1990.
[23] G. Bella and L. C. Paulson, “Kerberos version IV: Inductive
analysis of the secrecy goals,” in Proceedings of the 5th
European Symposium on Research in Computer Security, J.-
J. Quisquater, Ed. Louvain-la-Neuve, Belgium: Springer-
Verlag LNCS 1485, 1998, pp. 361–375.
[24] A. Datta, A. Derek, J. C. Mitchell, and A. Roy, “Protocol
Composition Logic (PCL),” Electronic Notes in Theoretical
Computer Science, vol. 172, pp. 311–358, 2007.
[25] A. Datta, A. Derek, J. C. Mitchell, V. Shmatikov, and M. Turuani,
“Probabilistic polynomial-time semantics for a protocol
security logic.” in Proceedings of the 32nd International Colloquium
on Automata, Languages and Programming (ICALP
’05), ser. Lecture Notes in Computer Science. Springer-
Verlag, 2005, pp. 16–29.
[26] Adam Barth and Collin Jackson and John Mitchell, “Securing
frame communication in browsers,” in SS’08: Proceedings of
the 17th conference on Security symposium. Berkeley, CA,
USA: USENIX Association, 2008, pp. 17–30.
[27] K. Bhargavan, C. Fournet, and A. Gordon, “Verified reference
implementations of ws-security protocols,” Lecture Notes in
Computer Science, vol. 4184, p. 88, 2006.
[28] A. Gordon and R. Pucella, “Validating a web service security
abstraction by typing,” Formal Aspects of Computing, vol. 17,
no. 3, pp. 277–318, 2005.
[29] J. Howell, C. Jackson, H. J. Wang, and X. Fan, “Mashupos:
operating system abstractions for client mashups,” in HOTOS’
07: Proceedings of the 11th USENIX workshop on Hot
topics in operating systems. Berkeley, CA, USA: USENIX
Association, 2007, pp. 1–7.
[30] J. Magazinius, A. Askarov, and A. Sabelfeld, “A lattice-based
approach to mashup security,” in In Proc. of the 5th ACM
Symposium on Information, Computer and Communications
Security (ASIACCS 2010). ACM, 2010.
[31] C. Grier, S. Tang, and S. T. King, “Secure web browsing with
the op web browser,” in SP ’08: Proceedings of the 2008 IEEE
Symposium on Security and Privacy. Washington, DC, USA:
IEEE Computer Society, 2008, pp. 402–416.
[32] J. Meseguer, R. Sasse, H. J. Wang, and Y.-M. Wang, “A
systematic approach to uncover security flaws in gui logic,” in
SP ’07: Proceedings of the 2007 IEEE Symposium on Security
and Privacy. Washington, DC, USA: IEEE Computer
Society, 2007, pp. 71–85.
[33] GWT Team, “Security for gwt applications,”
2008. [Online]. Available: http://groups.google.com/group/
Google-Web-Toolkit/web/security-for-gwt-applications
[34] A. Barth, J. Caballero, and D. Song, “Secure content sniffing
for web browsers, or how to stop papers from reviewing
themselves,” in SP ’09: Proceedings of the 2009 30th IEEE
Symposium on Security and Privacy. Washington, DC, USA:
IEEE Computer Society, 2009, pp. 360–371.
[35] A. Barth and C. Jackson, “Beware of finer-grained origins,”
in Proc. of Web 2.0 Security and Privacy 2008 (W2SP 2008).
IEEE Computer Society, 2008.
[36] M. Zawelski, “Browser security handbook,” 2009. [Online].
Available: http://code.google.com/p/browsersec/wiki/Main
[37] Apple Inc., “Remote scripting with IFRAME,” 2010.
[Online]. Available: http://developer.apple.com/internet/
webcontent/iframe.html
[38] E. Felten, D. Balfanz, D. Dean, and D. Wallach, “Web
spoofing: An internet con game,” Software World, vol. 28,
no. 2, pp. 6–8, 1997.
[39] R. Dhamija, J. Tygar, and M. Hearst, “Why phishing works,”
in Proceedings of the SIGCHI conference on Human Factors
in computing systems. ACM, 2006, p. 590.
[40] D. Akhawe, A. Barth, P. E. Lam, J. C. Mitchell, and
D. Song, “Web security model implementation,” 2010.
[Online]. Available: http://code.google.com/p/websecmodel
[41] L. Momtahan, “A simple small model theorem for Alloy,”
Oxford University Computing Laboratory, Tech. Rep. RR-
04-11, June 2004.
[42] M. W. Moskewicz, C. F. Madigan, Y. Zhao, L. Zhang, and
S. Malik, “Chaff: engineering an efficient sat solver,” in
DAC ’01: Proceedings of the 38th annual Design Automation
Conference. New York, NY, USA: ACM, 2001, pp. 530–535.
[43] Software Design Group, MIT, “Alloy analyzer 4,” 2010.
[Online]. Available: http://alloy.mit.edu/alloy4/
[44] A. Barth, C. Jackson, and I. Hickson, “The http origin
header,” 2009. [Online]. Available: http://tools.ietf.org/html/
draft-abarth-origin
[45] A. van Kesteren, “Cross-origin resource sharing (editors
draft),” 2009. [Online]. Available: http://dev.w3.org/2006/
waf/access-control
[46] A. Barth, “<form method=”delete”> and 307 redirects,”
2009. [Online]. Available: http://www.mail-archive.com/
whatwg@lists.whatwg.org/msg19379.html
[47] R. Schemers and R. Allbery, “Webauth v3 technical
specification,” 2009. [Online]. Available: http://webauth.
stanford.edu/protocol.html
[48] D. Mazurek, “CAS protocol,” 2005. [Online]. Available:
http://www.jasig.org/cas/protocol
[49] JASIG, “CAS deployment,” 2010. [Online]. Available:
http://www.jasig.org/cas/deployments
No comments:
Post a Comment