- DSpace Home
- →
- Università Ca' Foscari Venezia
- →
- Archivio delle tesi
- →
- Tesi di dottorato
- →
- View Item
JavaScript is disabled for your browser. Some features of this site may not work without it.
| dc.contributor.advisor | Bugliesi, Michele | it_IT |
| dc.contributor.author | Khan, Wilayat <1982> | it_IT |
| dc.date.accessioned | 2014-12-02 | it_IT |
| dc.date.accessioned | 2015-05-12T12:38:18Z | |
| dc.date.available | 2015-05-12T12:38:18Z | |
| dc.date.issued | 2015-02-13 | it_IT |
| dc.identifier.uri | http://hdl.handle.net/10579/5646 | |
| dc.description.abstract | Web applications are the dominant means to provide access to millions of on-line services and applications such as banking and e-commerce. To personalize users’ web experience, servers need to authenticate the users and then maintain their authentication state throughout a set of related HTTP requests and responses called a web session. As HTTP is a stateless protocol, the common approach, used by most of the web applications to maintain web session, is to use HTTP cookies. Each request belonging to a web session is authenticated by having the web browser to provide to the server a unique long random string, known as session identifier stored as cookie called session cookie. Taking over the session identifier gives full control over to the attacker and hence is an attractive target of the attacker to attack on the confidentiality and integrity of web sessions. The browser should take care of the web session security: a session cookie belonging to one source should not be corrupted or stolen or forced, to be sent with the requests, by any other source. This dissertation demonstrates that security policies can in fact be written down for both, confidentiality and integrity, of web sessions and enforced at the client side without getting any support from the servers and without breaking too many web applications. Moreover, the enforcement mechanisms designed can be proved correct within mathematical models of the web browsers. These claims are supported in this dissertation by 1) defining both, end-to-end and access control, security policies to protect web sessions; 2) introducing a new and using exiting mathematical models of the web browser extended with confidentiality and integrity security policies for web sessions; 3) offering mathematical proofs that the security mechanisms do enforce the security policies; and 4) designing and developing prototype browser extensions to test that real-life web applications are supported. | it_IT |
| dc.language.iso | en | it_IT |
| dc.publisher | Università Ca' Foscari Venezia | it_IT |
| dc.rights | © Wilayat Khan, 2015 | it_IT |
| dc.title | Web session security : formal verification, client-side enforcement and experimental analysis | it_IT |
| dc.title.alternative | it_IT | |
| dc.type | Doctoral Thesis | it_IT |
| dc.degree.name | Informatica | it_IT |
| dc.degree.level | Dottorato di ricerca | it_IT |
| dc.degree.grantor | Dipartimento di Scienze Ambientali, Informatica e Statistica | it_IT |
| dc.description.academicyear | 2013/2014, sessione 2013/2014 | it_IT |
| dc.description.cycle | 27 | it_IT |
| dc.degree.coordinator | Focardi, Riccardo | it_IT |
| dc.location.shelfmark | D001446 | it_IT |
| dc.location | Venezia, Archivio Università Ca' Foscari, Tesi Dottorato | it_IT |
| dc.rights.accessrights | openAccess | it_IT |
| dc.thesis.matricno | 955962 | it_IT |
| dc.format.pagenumber | XIV, 198 p. | it_IT |
| dc.subject.miur | INF/01 INFORMATICA | it_IT |
| dc.description.note | it_IT | |
| dc.degree.discipline | it_IT | |
| dc.contributor.co-advisor | it_IT | |
| dc.date.embargoend | it_IT | |
| dc.provenance.upload | Wilayat Khan (955962@stud.unive.it), 2014-12-02 | it_IT |
| dc.provenance.plagiarycheck | Michele Bugliesi (bugliesi@unive.it), 2015-01-19 | it_IT |
