P06A: Role based Access Control in BCHS Web Applications -- Kristaps Dzonsons

https://2018.asiabsdcon.org/

Web applications export an attractive attack surface. First, since they're open front-ends to valuable data sources. And second, since they usually accept a non-trivial set of inputs (forms, JPGs, etc.), perform complex tasks, and produce diverse outputs---where each step along the way may be manipulated by a skilled attacker. Or an unskilled one with well-built tools. A great deal of active research concerns itself with restricting system resources from attackers, but there remain few resources for protecting an application's internal data sources: most importantly, the database. In this talk, I describe recent developments in BCHS web applications that allow programmers to define, enforce, and audit access roles of the application and its data source. We'll show real-world applications with hard guarantees on access control.
