SlideShare a Scribd company logo

Group meeting: Identifying Information Disclosure in Web Applications with Retroactive Auditing

Yu-Hsin Hung
Yu-Hsin Hung

Rail is a system that uses record and replay techniques to precisely identify data items that were disclosed after a vulnerability is fixed in a web application. It records the execution of the application along with dependencies between actions and shared objects. During replay, it replays actions and compares the outputs to determine if any additional data items were disclosed. Rail provides APIs for developers to integrate object versioning and tracking of data sent to clients. An evaluation shows Rail can precisely identify disclosed data with low performance overhead and requiring few changes from developers.

Software
1 of 47
Download to read offline
Identifying Information Disclosure in Web Applications with Retroactive Auditing Haogang Chen, Taesoo Kim, Xi Wang, Nickolai Zeldovich, and M. Frans Kaashoek MIT CSAIL Computer Systems Security Group Parallel & Distributed Operating Systems Group
Outline • Introduction • Related Work • Using Rail • System Overview • Replay • Evaluation • Conclusion
Introduction
What to do about it? • Before data breach: prevention techniques • privilege separation • encryption • information flow control • After data breach: damage control
Damage control is costly • Notify the victims • Data Breach Notification Laws (40/50 states) • Pay for credit monitoring & fraud protection
University of Maryland paid for 5 years of credit monitoring for 309,079 potentially affected users
Opportunity: Some data might not be leaked • The vulnerability might not have been exploited yet • Attackers might not steal all data that they can • Goal: precisely identify breached data items • Target damage control at real victims only
State of the art • Log all accesses to sensitive data • Inspect logs after an intrusion • Problems • Need to know what is sensitive data beforehand • Hard to tell legal vs. illegal accesses • May take a long time
Solution: Rail • Goal: precisely identify previously breached data after a vulnerability is fixed
Solution: Rail • Goal: precisely identify previously breached data after a vulnerability is fixed
Solution: Rail • Goal: precisely identify previously breached data after a vulnerability is fixed
Solution: Rail • Goal: precisely identify previously breached data after a vulnerability is fixed
Solution: Rail • Goal: precisely identify previously breached data after a vulnerability is fixed
Solution: Rail • Goal: precisely identify previously breached data after a vulnerability is fixed
Solution: Rail • Goal: precisely identify previously breached data after a vulnerability is fixed • Contribution: apply record and replay to identify improper disclosures • State during replay can diverge from the original execution • Prior systems use record and replay for integrity • Rail focuses on confidentiality • Provide APIs for application developers • For precision, Rail must match up state and minimize state divergence between the two executions
Related Work
Related Work • Focus on logging all accesses to confidential data • Keypad [EuroSys ’11], Pasture [OSDI ’12] • Information flow control and taint tracking • TaintDroid [OSDI ’10], TightLip [NSDI ’07] • Record and replay • MIT CSAIL (see next slide)
Undo Computing • Intrusion Recovery Using Selective Re-execution [OSDI ’10] • Intrusion Recovery for Database-backed Web Applications [SOSP ’11] • Efficient patch-based auditing for web application vulnerabilities [OSDI ’12] • Asynchronous intrusion recovery for interconnected web services [SOSP ’13] • Identifying information disclosure in web applications with retroactive auditing [OSDI ’14’]
Ideas • Action history graph and selective replay • Retro [OSDI ’10] • Comparison of normal execution and replay • Rad [APSys ’11], Poirot [OSDI ’12] • Prior replay systems were focused on restoring integrity
Using Rail
real world mistake Rail will reproduce the same date and random number from the context
Basic approach • Record and replay the web application • Compare the outputs of two executions
Basic approach • Record and replay the web application • Compare the outputs of two executions
Basic approach • Record and replay the web application • Compare the outputs of two executions
Basic approach • Record and replay the web application • Compare the outputs of two executions
System Overview
Assumptions • Focus on web applications • prototype is based on, but not limited to, Meteor • Trusts the software stack below the web application • Requests do not change during replay, except for fixes • Deal only with data leaked through the web application, and assume mistakes lead to disclosures
Action APIs • Actions are the unit of dependency tracking • event (RPC request) -> action -> handler • Each action has a timestamp
Object APIs • Developer must wrap all global objects in the app using Rail’s object API • Most wrappers can be done once in the framework
Object APIs • For each shared object, Rail maintains • A set of dependencies between actions and objects • Multiple versions of the object’s state at different points in time
Tracking data items in output • Rail maintains a view object for every session • tracks all data items sent to the client • During replay, Rail reruns actions and re-compute the view objects for every session • if old_view − new_view ≠ ∅ ➜ Breach!
AHG: action history graph
Logs and dependency graph • Rail assumes that actions are atomic • the web framework provides serializability • Rail stores AHG in a persistent log • Objects that do not store actual state (i.e. just a placeholder) in the Rail’s shared object must maintain their own versioning outside of Rail’s log • time-travel database [SOSP ’11]
Replay
Selective re-execution • Inspired by Retro [OSDI ’10] • Rail replays each action sequentially in the time order • Replays an action if any of its inputs or outputs are changed • Replay is guaranteed to terminate
monotonically increase due to rollback, input changed => rerun reconstruct output patched code, args optimization for future actions consider Cin rollback to “right before”
Context matching • application stability: assign context identifiers
Evaluation
Developer effort • Most of the changes are related to non-deterministic inputs • Framework wrappers (422 lines in Meteor) offload most burdens from the application developer
Benchmarks
Auditing precision
Technique effectiveness Changed code is on the critical path of all login requests
Performance and overhead • Performance • 5% for an under-loaded server • 22% for an over-loaded server • Storage • ~ 0.5KB / request
Conclusion • Rail can precisely identify breached data items after a disclosure in web applications • Provide developers with APIs that help to identify data items, track dependencies, and match up states • Requires few changes to applications • Precise, efficient, and practical

Recommended

Control and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofileControl and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofile
Rudy De Busscher
 
Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)
Rudy De Busscher
 
Reducing MTTR and False Escalations: Event Correlation at LinkedIn
Reducing MTTR and False Escalations: Event Correlation at LinkedInReducing MTTR and False Escalations: Event Correlation at LinkedIn
Reducing MTTR and False Escalations: Event Correlation at LinkedIn
Michael Kehoe
 
Advanced Automated Analytics Using OSS Tools
Advanced Automated Analytics Using OSS ToolsAdvanced Automated Analytics Using OSS Tools
Advanced Automated Analytics Using OSS Tools
Grid Protection Alliance
 
Batch Process Analytics
Batch Process Analytics Batch Process Analytics
Batch Process Analytics
Emerson Exchange
 
PLNOG 17 - Elisa Jasinska - Network Automation - Design your Systems
PLNOG 17 - Elisa Jasinska - Network Automation - Design your SystemsPLNOG 17 - Elisa Jasinska - Network Automation - Design your Systems
PLNOG 17 - Elisa Jasinska - Network Automation - Design your SystemsPROIDEA
 
Cody_Zeng_HPE_Intern_Poster
Cody_Zeng_HPE_Intern_PosterCody_Zeng_HPE_Intern_Poster
Cody_Zeng_HPE_Intern_PosterCody Zeng
 
Docker Sydney: 5 Patterns for App Transformation with Containers
Docker Sydney: 5 Patterns for App Transformation with ContainersDocker Sydney: 5 Patterns for App Transformation with Containers
Docker Sydney: 5 Patterns for App Transformation with Containers
Elton Stoneman
 

Recommended

Control and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofileControl and monitor_microservices_with_microprofile
Control and monitor_microservices_with_microprofile
Rudy De Busscher
 
Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)Transactions in micro-services (fall 2019)
Transactions in micro-services (fall 2019)
Rudy De Busscher
 
Reducing MTTR and False Escalations: Event Correlation at LinkedIn
Reducing MTTR and False Escalations: Event Correlation at LinkedInReducing MTTR and False Escalations: Event Correlation at LinkedIn
Reducing MTTR and False Escalations: Event Correlation at LinkedIn
Michael Kehoe
 
Advanced Automated Analytics Using OSS Tools
Advanced Automated Analytics Using OSS ToolsAdvanced Automated Analytics Using OSS Tools
Advanced Automated Analytics Using OSS Tools
Grid Protection Alliance
 
Batch Process Analytics
Batch Process Analytics Batch Process Analytics
Batch Process Analytics
Emerson Exchange
 
PLNOG 17 - Elisa Jasinska - Network Automation - Design your Systems
PLNOG 17 - Elisa Jasinska - Network Automation - Design your SystemsPLNOG 17 - Elisa Jasinska - Network Automation - Design your Systems
PLNOG 17 - Elisa Jasinska - Network Automation - Design your SystemsPROIDEA
 
Cody_Zeng_HPE_Intern_Poster
Cody_Zeng_HPE_Intern_PosterCody_Zeng_HPE_Intern_Poster
Cody_Zeng_HPE_Intern_PosterCody Zeng
 
Docker Sydney: 5 Patterns for App Transformation with Containers
Docker Sydney: 5 Patterns for App Transformation with ContainersDocker Sydney: 5 Patterns for App Transformation with Containers
Docker Sydney: 5 Patterns for App Transformation with Containers
Elton Stoneman
 
Automating the cip compliance test lab
Automating the cip compliance test labAutomating the cip compliance test lab
Automating the cip compliance test lab
Chuck Reynolds
 
Siebel monitoring
Siebel monitoringSiebel monitoring
Siebel monitoring
Sarnindar Purewal
 
Closing the door on application performance problems
Closing the door on application performance problemsClosing the door on application performance problems
Closing the door on application performance problems
ManageEngine, Zoho Corporation
 
Cashing in on logging and exception data
Cashing in on logging and exception dataCashing in on logging and exception data
Cashing in on logging and exception data
Stackify
 
Couchbase Connect 2016: Monitoring Production Deployments The Tools – LinkedIn
Couchbase Connect 2016: Monitoring Production Deployments The Tools – LinkedInCouchbase Connect 2016: Monitoring Production Deployments The Tools – LinkedIn
Couchbase Connect 2016: Monitoring Production Deployments The Tools – LinkedIn
Michael Kehoe
 
Flux architecture
Flux architectureFlux architecture
Flux architecture
Badr Zaman [Front End , J2EE ]
 
Database ingest with Apache NiFi and MiNiFi
Database ingest with Apache NiFi and MiNiFiDatabase ingest with Apache NiFi and MiNiFi
Database ingest with Apache NiFi and MiNiFi
Lucian Neghina
 
Introduction to developing modern web apps
Introduction to developing modern web appsIntroduction to developing modern web apps
Introduction to developing modern web apps
Fabricio Epaminondas
 
SOAP Monitoring
SOAP MonitoringSOAP Monitoring
SOAP Monitoring
Site24x7
 
Using SaltStack to Auto Triage and Remediate Production Systems
Using SaltStack to Auto Triage and Remediate Production SystemsUsing SaltStack to Auto Triage and Remediate Production Systems
Using SaltStack to Auto Triage and Remediate Production Systems
Michael Kehoe
 
Software cracking and patching
Software cracking and patchingSoftware cracking and patching
Software cracking and patching
Mayank Gavri
 
Apache Kafka : Monitoring vs Alerting
Apache Kafka : Monitoring vs AlertingApache Kafka : Monitoring vs Alerting
Apache Kafka : Monitoring vs Alerting
Ratish Ravindran
 
Flux and React.js
Flux and React.jsFlux and React.js
Flux and React.js
sara stanford
 
Motor vehicle emission checker danu-lap
Motor vehicle emission checker danu-lapMotor vehicle emission checker danu-lap
Motor vehicle emission checker danu-lap
aidsdatahub
 
It meet up 1 0 лебедева, лоханов
It meet up 1 0 лебедева, лохановIt meet up 1 0 лебедева, лоханов
It meet up 1 0 лебедева, лоханов
Victoria Astapenko
 
Dashboards, widgets, business views & 3D-data centre
Dashboards, widgets, business views & 3D-data centreDashboards, widgets, business views & 3D-data centre
Dashboards, widgets, business views & 3D-data centre
ManageEngine, Zoho Corporation
 
Data science at scale with Kafka and Flink (Razorpay)
Data science at scale with Kafka and Flink (Razorpay)Data science at scale with Kafka and Flink (Razorpay)
Data science at scale with Kafka and Flink (Razorpay)
KafkaZone
 
Siebel Monitoring Tools
Siebel Monitoring ToolsSiebel Monitoring Tools
Siebel Monitoring Tools
Alceu Rodrigues de Freitas Junior
 
Building an event system on top MongoDB
Building an event system on top MongoDBBuilding an event system on top MongoDB
Building an event system on top MongoDB
BigPanda
 
Monitoring and Scaling Redis at DataDog - Ilan Rabinovitch, DataDog
Monitoring and Scaling Redis at DataDog - Ilan Rabinovitch, DataDog Monitoring and Scaling Redis at DataDog - Ilan Rabinovitch, DataDog
Monitoring and Scaling Redis at DataDog - Ilan Rabinovitch, DataDog
Redis Labs
 
The differing ways to monitor and instrument
The differing ways to monitor and instrumentThe differing ways to monitor and instrument
The differing ways to monitor and instrument
Jonah Kowall
 
Azure Application insights - An Introduction
Azure Application insights - An IntroductionAzure Application insights - An Introduction
Azure Application insights - An Introduction
Matthias Güntert
 

More Related Content

What's hot

Automating the cip compliance test lab
Automating the cip compliance test labAutomating the cip compliance test lab
Automating the cip compliance test lab
Chuck Reynolds
 
Siebel monitoring
Siebel monitoringSiebel monitoring
Siebel monitoring
Sarnindar Purewal
 
Closing the door on application performance problems
Closing the door on application performance problemsClosing the door on application performance problems
Closing the door on application performance problems
ManageEngine, Zoho Corporation
 
Cashing in on logging and exception data
Cashing in on logging and exception dataCashing in on logging and exception data
Cashing in on logging and exception data
Stackify
 
Couchbase Connect 2016: Monitoring Production Deployments The Tools – LinkedIn
Couchbase Connect 2016: Monitoring Production Deployments The Tools – LinkedInCouchbase Connect 2016: Monitoring Production Deployments The Tools – LinkedIn
Couchbase Connect 2016: Monitoring Production Deployments The Tools – LinkedIn
Michael Kehoe
 
Flux architecture
Flux architectureFlux architecture
Flux architecture
Badr Zaman [Front End , J2EE ]
 
Database ingest with Apache NiFi and MiNiFi
Database ingest with Apache NiFi and MiNiFiDatabase ingest with Apache NiFi and MiNiFi
Database ingest with Apache NiFi and MiNiFi
Lucian Neghina
 
Introduction to developing modern web apps
Introduction to developing modern web appsIntroduction to developing modern web apps
Introduction to developing modern web apps
Fabricio Epaminondas
 
SOAP Monitoring
SOAP MonitoringSOAP Monitoring
SOAP Monitoring
Site24x7
 
Using SaltStack to Auto Triage and Remediate Production Systems
Using SaltStack to Auto Triage and Remediate Production SystemsUsing SaltStack to Auto Triage and Remediate Production Systems
Using SaltStack to Auto Triage and Remediate Production Systems
Michael Kehoe
 
Software cracking and patching
Software cracking and patchingSoftware cracking and patching
Software cracking and patching
Mayank Gavri
 
Apache Kafka : Monitoring vs Alerting
Apache Kafka : Monitoring vs AlertingApache Kafka : Monitoring vs Alerting
Apache Kafka : Monitoring vs Alerting
Ratish Ravindran
 
Flux and React.js
Flux and React.jsFlux and React.js
Flux and React.js
sara stanford
 
Motor vehicle emission checker danu-lap
Motor vehicle emission checker danu-lapMotor vehicle emission checker danu-lap
Motor vehicle emission checker danu-lap
aidsdatahub
 
It meet up 1 0 лебедева, лоханов
It meet up 1 0 лебедева, лохановIt meet up 1 0 лебедева, лоханов
It meet up 1 0 лебедева, лоханов
Victoria Astapenko
 
Dashboards, widgets, business views & 3D-data centre
Dashboards, widgets, business views & 3D-data centreDashboards, widgets, business views & 3D-data centre
Dashboards, widgets, business views & 3D-data centre
ManageEngine, Zoho Corporation
 
Data science at scale with Kafka and Flink (Razorpay)
Data science at scale with Kafka and Flink (Razorpay)Data science at scale with Kafka and Flink (Razorpay)
Data science at scale with Kafka and Flink (Razorpay)
KafkaZone
 
Siebel Monitoring Tools
Siebel Monitoring ToolsSiebel Monitoring Tools
Siebel Monitoring Tools
Alceu Rodrigues de Freitas Junior
 
Building an event system on top MongoDB
Building an event system on top MongoDBBuilding an event system on top MongoDB
Building an event system on top MongoDB
BigPanda
 

What's hot (19)

Automating the cip compliance test lab
Automating the cip compliance test labAutomating the cip compliance test lab
Automating the cip compliance test lab
 
Siebel monitoring
Siebel monitoringSiebel monitoring
Siebel monitoring
 
Closing the door on application performance problems
Closing the door on application performance problemsClosing the door on application performance problems
Closing the door on application performance problems
 
Cashing in on logging and exception data
Cashing in on logging and exception dataCashing in on logging and exception data
Cashing in on logging and exception data
 
Couchbase Connect 2016: Monitoring Production Deployments The Tools – LinkedIn
Couchbase Connect 2016: Monitoring Production Deployments The Tools – LinkedInCouchbase Connect 2016: Monitoring Production Deployments The Tools – LinkedIn
Couchbase Connect 2016: Monitoring Production Deployments The Tools – LinkedIn
 
Flux architecture
Flux architectureFlux architecture
Flux architecture
 
Database ingest with Apache NiFi and MiNiFi
Database ingest with Apache NiFi and MiNiFiDatabase ingest with Apache NiFi and MiNiFi
Database ingest with Apache NiFi and MiNiFi
 
Introduction to developing modern web apps
Introduction to developing modern web appsIntroduction to developing modern web apps
Introduction to developing modern web apps
 
SOAP Monitoring
SOAP MonitoringSOAP Monitoring
SOAP Monitoring
 
Using SaltStack to Auto Triage and Remediate Production Systems
Using SaltStack to Auto Triage and Remediate Production SystemsUsing SaltStack to Auto Triage and Remediate Production Systems
Using SaltStack to Auto Triage and Remediate Production Systems
 
Software cracking and patching
Software cracking and patchingSoftware cracking and patching
Software cracking and patching
 
Apache Kafka : Monitoring vs Alerting
Apache Kafka : Monitoring vs AlertingApache Kafka : Monitoring vs Alerting
Apache Kafka : Monitoring vs Alerting
 
Flux and React.js
Flux and React.jsFlux and React.js
Flux and React.js
 
Motor vehicle emission checker danu-lap
Motor vehicle emission checker danu-lapMotor vehicle emission checker danu-lap
Motor vehicle emission checker danu-lap
 
It meet up 1 0 лебедева, лоханов
It meet up 1 0 лебедева, лохановIt meet up 1 0 лебедева, лоханов
It meet up 1 0 лебедева, лоханов
 
Dashboards, widgets, business views & 3D-data centre
Dashboards, widgets, business views & 3D-data centreDashboards, widgets, business views & 3D-data centre
Dashboards, widgets, business views & 3D-data centre
 
Data science at scale with Kafka and Flink (Razorpay)
Data science at scale with Kafka and Flink (Razorpay)Data science at scale with Kafka and Flink (Razorpay)
Data science at scale with Kafka and Flink (Razorpay)
 
Siebel Monitoring Tools
Siebel Monitoring ToolsSiebel Monitoring Tools
Siebel Monitoring Tools
 
Building an event system on top MongoDB
Building an event system on top MongoDBBuilding an event system on top MongoDB
Building an event system on top MongoDB
 

Similar to Group meeting: Identifying Information Disclosure in Web Applications with Retroactive Auditing

Monitoring and Scaling Redis at DataDog - Ilan Rabinovitch, DataDog
Monitoring and Scaling Redis at DataDog - Ilan Rabinovitch, DataDog Monitoring and Scaling Redis at DataDog - Ilan Rabinovitch, DataDog
Monitoring and Scaling Redis at DataDog - Ilan Rabinovitch, DataDog
Redis Labs
 
The differing ways to monitor and instrument
The differing ways to monitor and instrumentThe differing ways to monitor and instrument
The differing ways to monitor and instrument
Jonah Kowall
 
Azure Application insights - An Introduction
Azure Application insights - An IntroductionAzure Application insights - An Introduction
Azure Application insights - An Introduction
Matthias Güntert
 
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache TomcatCase Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
VMware Hyperic
 
Better Deployments with Sub Environments Using Spring Cloud and Netflix Ribbon
Better Deployments with Sub Environments Using Spring Cloud and Netflix RibbonBetter Deployments with Sub Environments Using Spring Cloud and Netflix Ribbon
Better Deployments with Sub Environments Using Spring Cloud and Netflix Ribbon
VMware Tanzu
 
Thick client application security assessment
Thick client application security assessmentThick client application security assessment
Thick client application security assessment
Sanjay Kumar (Seeking options outside India)
 
Debugging Microservices - key challenges and techniques - Microservices Odesa...
Debugging Microservices - key challenges and techniques - Microservices Odesa...Debugging Microservices - key challenges and techniques - Microservices Odesa...
Debugging Microservices - key challenges and techniques - Microservices Odesa...
Lohika_Odessa_TechTalks
 
Tech talk microservices debugging
Tech talk microservices debuggingTech talk microservices debugging
Tech talk microservices debugging
Andrey Kolodnitsky
 
Flink Forward Berlin 2017: Hao Wu - Large Scale User Behavior Analytics by Flink
Flink Forward Berlin 2017: Hao Wu - Large Scale User Behavior Analytics by FlinkFlink Forward Berlin 2017: Hao Wu - Large Scale User Behavior Analytics by Flink
Flink Forward Berlin 2017: Hao Wu - Large Scale User Behavior Analytics by Flink
Flink Forward
 
Service quality monitoring system architecture
Service quality monitoring system architectureService quality monitoring system architecture
Service quality monitoring system architecture
Matsuo Sawahashi
 
AOUG_11Nov2016_Challenges_with_EBS12_2
AOUG_11Nov2016_Challenges_with_EBS12_2AOUG_11Nov2016_Challenges_with_EBS12_2
AOUG_11Nov2016_Challenges_with_EBS12_2Sean Braymen
 
performancetestinganoverview-110206071921-phpapp02.pdf
performancetestinganoverview-110206071921-phpapp02.pdfperformancetestinganoverview-110206071921-phpapp02.pdf
performancetestinganoverview-110206071921-phpapp02.pdf
MAshok10
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Denim Group
 
Tools. Techniques. Trouble?
Tools. Techniques. Trouble?Tools. Techniques. Trouble?
Tools. Techniques. Trouble?
Testplant
 
iOS viper presentation
iOS viper presentationiOS viper presentation
iOS viper presentation
Rajat Datta
 
How to create custom dashboards in Elastic Search / Kibana with Performance V...
How to create custom dashboards in Elastic Search / Kibana with Performance V...How to create custom dashboards in Elastic Search / Kibana with Performance V...
How to create custom dashboards in Elastic Search / Kibana with Performance V...
PerformanceVision (previously SecurActive)
 
Putting the Sec into DevOps
Putting the Sec into DevOpsPutting the Sec into DevOps
Putting the Sec into DevOps
Maytal Levi
 
Multi Layer Monitoring V1
Multi Layer Monitoring V1Multi Layer Monitoring V1
Multi Layer Monitoring V1Lahav Savir
 
Cloudify workshop at CCCEU 2014
Cloudify workshop at CCCEU 2014 Cloudify workshop at CCCEU 2014
Cloudify workshop at CCCEU 2014
Uri Cohen
 
Getting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testingGetting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testing
RISC-V International
 

Similar to Group meeting: Identifying Information Disclosure in Web Applications with Retroactive Auditing (20)

Monitoring and Scaling Redis at DataDog - Ilan Rabinovitch, DataDog
Monitoring and Scaling Redis at DataDog - Ilan Rabinovitch, DataDog Monitoring and Scaling Redis at DataDog - Ilan Rabinovitch, DataDog
Monitoring and Scaling Redis at DataDog - Ilan Rabinovitch, DataDog
 
The differing ways to monitor and instrument
The differing ways to monitor and instrumentThe differing ways to monitor and instrument
The differing ways to monitor and instrument
 
Azure Application insights - An Introduction
Azure Application insights - An IntroductionAzure Application insights - An Introduction
Azure Application insights - An Introduction
 
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache TomcatCase Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
Case Study: Migrating Hyperic from EJB to Spring from JBoss to Apache Tomcat
 
Better Deployments with Sub Environments Using Spring Cloud and Netflix Ribbon
Better Deployments with Sub Environments Using Spring Cloud and Netflix RibbonBetter Deployments with Sub Environments Using Spring Cloud and Netflix Ribbon
Better Deployments with Sub Environments Using Spring Cloud and Netflix Ribbon
 
Thick client application security assessment
Thick client application security assessmentThick client application security assessment
Thick client application security assessment
 
Debugging Microservices - key challenges and techniques - Microservices Odesa...
Debugging Microservices - key challenges and techniques - Microservices Odesa...Debugging Microservices - key challenges and techniques - Microservices Odesa...
Debugging Microservices - key challenges and techniques - Microservices Odesa...
 
Tech talk microservices debugging
Tech talk microservices debuggingTech talk microservices debugging
Tech talk microservices debugging
 
Flink Forward Berlin 2017: Hao Wu - Large Scale User Behavior Analytics by Flink
Flink Forward Berlin 2017: Hao Wu - Large Scale User Behavior Analytics by FlinkFlink Forward Berlin 2017: Hao Wu - Large Scale User Behavior Analytics by Flink
Flink Forward Berlin 2017: Hao Wu - Large Scale User Behavior Analytics by Flink
 
Service quality monitoring system architecture
Service quality monitoring system architectureService quality monitoring system architecture
Service quality monitoring system architecture
 
AOUG_11Nov2016_Challenges_with_EBS12_2
AOUG_11Nov2016_Challenges_with_EBS12_2AOUG_11Nov2016_Challenges_with_EBS12_2
AOUG_11Nov2016_Challenges_with_EBS12_2
 
performancetestinganoverview-110206071921-phpapp02.pdf
performancetestinganoverview-110206071921-phpapp02.pdfperformancetestinganoverview-110206071921-phpapp02.pdf
performancetestinganoverview-110206071921-phpapp02.pdf
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Tools. Techniques. Trouble?
Tools. Techniques. Trouble?Tools. Techniques. Trouble?
Tools. Techniques. Trouble?
 
iOS viper presentation
iOS viper presentationiOS viper presentation
iOS viper presentation
 
How to create custom dashboards in Elastic Search / Kibana with Performance V...
How to create custom dashboards in Elastic Search / Kibana with Performance V...How to create custom dashboards in Elastic Search / Kibana with Performance V...
How to create custom dashboards in Elastic Search / Kibana with Performance V...
 
Putting the Sec into DevOps
Putting the Sec into DevOpsPutting the Sec into DevOps
Putting the Sec into DevOps
 
Multi Layer Monitoring V1
Multi Layer Monitoring V1Multi Layer Monitoring V1
Multi Layer Monitoring V1
 
Cloudify workshop at CCCEU 2014
Cloudify workshop at CCCEU 2014 Cloudify workshop at CCCEU 2014
Cloudify workshop at CCCEU 2014
 
Getting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testingGetting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testing
 

More from Yu-Hsin Hung

IoT/M2M Security
IoT/M2M SecurityIoT/M2M Security
IoT/M2M Security
Yu-Hsin Hung
 
Android Binder IPC for Linux
Android Binder IPC for LinuxAndroid Binder IPC for Linux
Android Binder IPC for Linux
Yu-Hsin Hung
 
Project meeting: Android Graphics Architecture Overview
Project meeting: Android Graphics Architecture OverviewProject meeting: Android Graphics Architecture Overview
Project meeting: Android Graphics Architecture Overview
Yu-Hsin Hung
 
Project meeting: SVMP - Secure Virtual Mobile Platform
Project meeting: SVMP - Secure Virtual Mobile PlatformProject meeting: SVMP - Secure Virtual Mobile Platform
Project meeting: SVMP - Secure Virtual Mobile Platform
Yu-Hsin Hung
 
Group meeting: UniSan - Proactive Kernel Memory Initialization to Eliminate D...
Group meeting: UniSan - Proactive Kernel Memory Initialization to Eliminate D...Group meeting: UniSan - Proactive Kernel Memory Initialization to Eliminate D...
Group meeting: UniSan - Proactive Kernel Memory Initialization to Eliminate D...
Yu-Hsin Hung
 
Group meeting: TaintPipe - Pipelined Symbolic Taint Analysis
Group meeting: TaintPipe - Pipelined Symbolic Taint AnalysisGroup meeting: TaintPipe - Pipelined Symbolic Taint Analysis
Group meeting: TaintPipe - Pipelined Symbolic Taint Analysis
Yu-Hsin Hung
 
Group meeting: Polaris - Faster Page Loads Using Fine-grained Dependency Trac...
Group meeting: Polaris - Faster Page Loads Using Fine-grained Dependency Trac...Group meeting: Polaris - Faster Page Loads Using Fine-grained Dependency Trac...
Group meeting: Polaris - Faster Page Loads Using Fine-grained Dependency Trac...
Yu-Hsin Hung
 
DockerVC Hackathon Presentation
DockerVC Hackathon PresentationDockerVC Hackathon Presentation
DockerVC Hackathon Presentation
Yu-Hsin Hung
 

More from Yu-Hsin Hung (8)

IoT/M2M Security
IoT/M2M SecurityIoT/M2M Security
IoT/M2M Security
 
Android Binder IPC for Linux
Android Binder IPC for LinuxAndroid Binder IPC for Linux
Android Binder IPC for Linux
 
Project meeting: Android Graphics Architecture Overview
Project meeting: Android Graphics Architecture OverviewProject meeting: Android Graphics Architecture Overview
Project meeting: Android Graphics Architecture Overview
 
Project meeting: SVMP - Secure Virtual Mobile Platform
Project meeting: SVMP - Secure Virtual Mobile PlatformProject meeting: SVMP - Secure Virtual Mobile Platform
Project meeting: SVMP - Secure Virtual Mobile Platform
 
Group meeting: UniSan - Proactive Kernel Memory Initialization to Eliminate D...
Group meeting: UniSan - Proactive Kernel Memory Initialization to Eliminate D...Group meeting: UniSan - Proactive Kernel Memory Initialization to Eliminate D...
Group meeting: UniSan - Proactive Kernel Memory Initialization to Eliminate D...
 
Group meeting: TaintPipe - Pipelined Symbolic Taint Analysis
Group meeting: TaintPipe - Pipelined Symbolic Taint AnalysisGroup meeting: TaintPipe - Pipelined Symbolic Taint Analysis
Group meeting: TaintPipe - Pipelined Symbolic Taint Analysis
 
Group meeting: Polaris - Faster Page Loads Using Fine-grained Dependency Trac...
Group meeting: Polaris - Faster Page Loads Using Fine-grained Dependency Trac...Group meeting: Polaris - Faster Page Loads Using Fine-grained Dependency Trac...
Group meeting: Polaris - Faster Page Loads Using Fine-grained Dependency Trac...
 
DockerVC Hackathon Presentation
DockerVC Hackathon PresentationDockerVC Hackathon Presentation
DockerVC Hackathon Presentation
 

Recently uploaded

Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
abdulrafaychaudhry
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Mind IT Systems
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
Paco van Beckhoven
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Globus
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Globus
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
AMB-Review
 
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptxText-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
ShamsuddeenMuhammadA
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
Cyanic lab
 
Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)
abdulrafaychaudhry
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
informapgpstrackings
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
Globus
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
Georgi Kodinov
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
Google
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
Adele Miller
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
Neo4j
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
Max Andersen
 

Recently uploaded (20)

Pro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp BookPro Unity Game Development with C-sharp Book
Pro Unity Game Development with C-sharp Book
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...
 
Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024Cracking the code review at SpringIO 2024
Cracking the code review at SpringIO 2024
 
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...
 
Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...Developing Distributed High-performance Computing Capabilities of an Open Sci...
Developing Distributed High-performance Computing Capabilities of an Open Sci...
 
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdfDominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
Dominate Social Media with TubeTrivia AI’s Addictive Quiz Videos.pdf
 
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptxText-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
Text-Summarization-of-Breaking-News-Using-Fine-tuning-BART-Model.pptx
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
Cyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdfCyaniclab : Software Development Agency Portfolio.pdf
Cyaniclab : Software Development Agency Portfolio.pdf
 
Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)Introduction to Pygame (Lecture 7 Python Game Development)
Introduction to Pygame (Lecture 7 Python Game Development)
 
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
Field Employee Tracking System| MiTrack App| Best Employee Tracking Solution|...
 
Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024Globus Compute Introduction - GlobusWorld 2024
Globus Compute Introduction - GlobusWorld 2024
 
2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx2024 RoOUG Security model for the cloud.pptx
2024 RoOUG Security model for the cloud.pptx
 
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing SuiteAI Pilot Review: The World’s First Virtual Assistant Marketing Suite
AI Pilot Review: The World’s First Virtual Assistant Marketing Suite
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
GraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph TechnologyGraphSummit Paris - The art of the possible with Graph Technology
GraphSummit Paris - The art of the possible with Graph Technology
 
Quarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden ExtensionsQuarkus Hidden and Forbidden Extensions
Quarkus Hidden and Forbidden Extensions
 

Group meeting: Identifying Information Disclosure in Web Applications with Retroactive Auditing

  • 1. Identifying Information Disclosure in Web Applications with Retroactive Auditing Haogang Chen, Taesoo Kim, Xi Wang, Nickolai Zeldovich, and M. Frans Kaashoek MIT CSAIL Computer Systems Security Group Parallel & Distributed Operating Systems Group
  • 2. Outline • Introduction • Related Work • Using Rail • System Overview • Replay • Evaluation • Conclusion
  • 4.
  • 5. What to do about it? • Before data breach: prevention techniques • privilege separation • encryption • information flow control • After data breach: damage control
  • 6. Damage control is costly • Notify the victims • Data Breach Notification Laws (40/50 states) • Pay for credit monitoring & fraud protection
  • 7. University of Maryland paid for 5 years of credit monitoring for 309,079 potentially affected users
  • 8. Opportunity: Some data might not be leaked • The vulnerability might not have been exploited yet • Attackers might not steal all data that they can • Goal: precisely identify breached data items • Target damage control at real victims only
  • 9. State of the art • Log all accesses to sensitive data • Inspect logs after an intrusion • Problems • Need to know what is sensitive data beforehand • Hard to tell legal vs. illegal accesses • May take a long time
  • 10. Solution: Rail • Goal: precisely identify previously breached data after a vulnerability is fixed
  • 11. Solution: Rail • Goal: precisely identify previously breached data after a vulnerability is fixed
  • 12. Solution: Rail • Goal: precisely identify previously breached data after a vulnerability is fixed
  • 13. Solution: Rail • Goal: precisely identify previously breached data after a vulnerability is fixed
  • 14. Solution: Rail • Goal: precisely identify previously breached data after a vulnerability is fixed
  • 15. Solution: Rail • Goal: precisely identify previously breached data after a vulnerability is fixed
  • 16. Solution: Rail • Goal: precisely identify previously breached data after a vulnerability is fixed • Contribution: apply record and replay to identify improper disclosures • State during replay can diverge from the original execution • Prior systems use record and replay for integrity • Rail focuses on confidentiality • Provide APIs for application developers • For precision, Rail must match up state and minimize state divergence between the two executions
  • 18. Related Work • Focus on logging all accesses to confidential data • Keypad [EuroSys ’11], Pasture [OSDI ’12] • Information flow control and taint tracking • TaintDroid [OSDI ’10], TightLip [NSDI ’07] • Record and replay • MIT CSAIL (see next slide)
  • 19. Undo Computing • Intrusion Recovery Using Selective Re-execution [OSDI ’10] • Intrusion Recovery for Database-backed Web Applications [SOSP ’11] • Efficient patch-based auditing for web application vulnerabilities [OSDI ’12] • Asynchronous intrusion recovery for interconnected web services [SOSP ’13] • Identifying information disclosure in web applications with retroactive auditing [OSDI ’14’]
  • 20. Ideas • Action history graph and selective replay • Retro [OSDI ’10] • Comparison of normal execution and replay • Rad [APSys ’11], Poirot [OSDI ’12] • Prior replay systems were focused on restoring integrity
  • 22. real world mistake Rail will reproduce the same date and random number from the context
  • 23. Basic approach • Record and replay the web application • Compare the outputs of two executions
  • 24. Basic approach • Record and replay the web application • Compare the outputs of two executions
  • 25. Basic approach • Record and replay the web application • Compare the outputs of two executions
  • 26. Basic approach • Record and replay the web application • Compare the outputs of two executions
  • 28. Assumptions • Focus on web applications • prototype is based on, but not limited to, Meteor • Trusts the software stack below the web application • Requests do not change during replay, except for fixes • Deal only with data leaked through the web application, and assume mistakes lead to disclosures
  • 29.
  • 30. Action APIs • Actions are the unit of dependency tracking • event (RPC request) -> action -> handler • Each action has a timestamp
  • 31. Object APIs • Developer must wrap all global objects in the app using Rail’s object API • Most wrappers can be done once in the framework
  • 32. Object APIs • For each shared object, Rail maintains • A set of dependencies between actions and objects • Multiple versions of the object’s state at different points in time
  • 33.
  • 34. Tracking data items in output • Rail maintains a view object for every session • tracks all data items sent to the client • During replay, Rail reruns actions and re-compute the view objects for every session • if old_view − new_view ≠ ∅ ➜ Breach!
  • 36. Logs and dependency graph • Rail assumes that actions are atomic • the web framework provides serializability • Rail stores AHG in a persistent log • Objects that do not store actual state (i.e. just a placeholder) in the Rail’s shared object must maintain their own versioning outside of Rail’s log • time-travel database [SOSP ’11]
  • 38. Selective re-execution • Inspired by Retro [OSDI ’10] • Rail replays each action sequentially in the time order • Replays an action if any of its inputs or outputs are changed • Replay is guaranteed to terminate
  • 39. monotonically increase due to rollback, input changed => rerun reconstruct output patched code, args optimization for future actions consider Cin rollback to “right before”
  • 40. Context matching • application stability: assign context identifiers
  • 42. Developer effort • Most of the changes are related to non-deterministic inputs • Framework wrappers (422 lines in Meteor) offload most burdens from the application developer
  • 45. Technique effectiveness Changed code is on the critical path of all login requests
  • 46. Performance and overhead • Performance • 5% for an under-loaded server • 22% for an over-loaded server • Storage • ~ 0.5KB / request
  • 47. Conclusion • Rail can precisely identify breached data items after a disclosure in web applications • Provide developers with APIs that help to identify data items, track dependencies, and match up states • Requires few changes to applications • Precise, efficient, and practical