Computing Reviews

Semantics-based analysis of content security policy deployment
Calzavara S., Rabitti A., Bugliesi M. ACM Transactions on the Web 12(2):1-36, 2018. Type: Article
Date Reviewed: 07/11/18

Security is one of the biggest concerns in digital societies. Without reasonable levels of security, people will never really embrace the use of technology for tasks that they consider sensitive or risky. Only with a reasonable guarantee of security will users have confidence in a technology.

The web offers many services. Web applications provide friendly interfaces for end users, which makes them a very attractive means of interaction, for example between enterprises and their clients. However, website security is compromised by content injection. Content Security Policy (CSP) is a World Wide Web Consortium (W3C) standard that provides guidelines to prevent and mitigate the effects of this type of attack.

Calzavara et al. analyze the use and effectiveness of CSP as a security mechanism for protecting websites against these attacks. The analysis covers four key aspects: (1) browser support, (2) website adoption, (3) correct configuration, and (4) constant maintenance. Their approach introduces a formal semantics to represent the contents of CSP, and then uses this semantics to formalize and reason about each of these four aspects. For each aspect, the methodology followed in the experimental study is presented, together with experimental results on more than 16,000 websites.

The paper includes a brief introduction to CSP, enough to understand its main issues and thus the presented study. A formal analysis of the standard follows, including syntax and semantics, and formal reasoning on CSP policies. After applying this formalization to the standard, the authors present their methodology for testing each of the four aspects under study in a formal manner, and comment on the results obtained. The main weaknesses for each aspect are then listed and characterized. From this, the authors identify the main issues that need work in order to improve CSP support. They first suggest better exploiting the reporting facilities of CSP. Second, they claim that more research is needed on issues related to CSP design.
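To make concrete what "formal semantics" and "correct configuration" mean for a CSP policy, here is an added example that is not part of the review or of the paper's artifacts: a small, simplified model of CSP source matching in Python. It parses a policy header, answers whether a given directive permits loading a URL (falling back to default-src as browsers do), treats 'unsafe-inline' as ineffective when a nonce or hash source is present, and flags a few common misconfigurations, including a missing reporting directive. The matching rules are a simplification of the CSP3 algorithm (no path matching, no full port-default handling), and the policies, origins and heuristics are constructed for illustration.

```python
from urllib.parse import urlparse

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Parse a CSP header into {directive: [source expressions]}.

    Per the spec, a directive that appears twice keeps its first occurrence.
    """
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)
    return policy


def _host_matches(pattern, host):
    """Host-source matching: exact host, or '*.example.com' style wildcard."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # 'example.com' itself is not matched
    return pattern == host


def source_allows(expr, url, page_origin):
    """Does a single source expression allow fetching `url` from a page at `page_origin`?
    Simplified CSP3 semantics (assumption: no path component matching)."""
    u, p = urlparse(url), urlparse(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.hostname, u.port) == (p.scheme, p.hostname, p.port)
    if expr.startswith("'"):
        return False  # keyword sources ('unsafe-inline', nonces, hashes) never match URLs
    if "://" in expr:  # scheme-qualified host-source, e.g. https://cdn.example.com
        scheme, _, host = expr.partition("://")
        if scheme != u.scheme:
            return False
    elif expr.endswith(":"):  # scheme-source, e.g. https:
        return u.scheme == expr[:-1]
    else:  # bare host-source: page's scheme, or an https upgrade, is acceptable
        host = expr
        if u.scheme not in (p.scheme, "https"):
            return False
    host, _, port = host.partition(":")
    if port and port != str(u.port):
        return False
    return _host_matches(host, u.hostname or "")


def policy_allows(policy, directive, url, page_origin):
    """Evaluate a fetch directive, falling back to default-src; no directive means unrestricted."""
    sources = policy.get(directive)
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


def unsafe_inline_effective(policy):
    """'unsafe-inline' only counts when no nonce or hash source is present in the same list."""
    sources = policy.get("script-src", policy.get("default-src", []))
    return "'unsafe-inline'" in sources and not any(s.startswith(HASH_OR_NONCE) for s in sources)


def find_weaknesses(policy):
    """Heuristic misconfiguration checks (constructed for this example, not the paper's criteria)."""
    issues = []
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        issues.append("no script-src or default-src: script loading is unrestricted")
    else:
        if unsafe_inline_effective(policy):
            issues.append("'unsafe-inline' is effective for scripts: injected inline script is not blocked")
        for s in scripts:
            if s in ("*", "https:", "http:", "data:"):
                issues.append("script sources include the overly broad expression " + s)
    if "object-src" not in policy and "default-src" not in policy:
        issues.append("object-src unrestricted: plugin content is not covered")
    if "report-uri" not in policy and "report-to" not in policy:
        issues.append("no reporting directive: violations are invisible to the site operator")
    return issues


# Constructed sample policies and page origin (not taken from any real site).
PAGE = "https://www.example.com"
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"
STRONG = ("default-src 'none'; script-src 'self' 'nonce-abc123' https://cdn.example.com; "
          "object-src 'none'; report-uri /csp-report")

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("strong", STRONG)):
        policy = parse_csp(header)
        print(label, "allows cdn script:",
              policy_allows(policy, "script-src", "https://cdn.example.com/lib.js", PAGE))
        print(label, "issues:", find_weaknesses(policy))
```

The two policies differ only in details, yet the model shows why the first leaves injection unmitigated: an inline script is permitted because nothing neutralizes 'unsafe-inline', and no violation report would ever reach the operator. The same evaluation function also exposes the default-src fallback, so an img-src question is answered by the default list when no img-src directive exists.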

This paper presents solid research. The use of formal semantics makes it appropriate for researchers, that is, readers with a solid background in formal languages and logic. This is not a wide audience, but this type of work is absolutely necessary to consolidate the advances in such an important area as security.

Reviewer: Mercedes Martínez González Review #: CR146139 (1811-0608)

Reproduction in whole or in part without permission is prohibited. Copyright 2024 ComputingReviews.com™