SilverLine: preventing data leaks from compromised web applications

ACSAC '13: Proceedings of the 29th Annual Computer Security Applications Conference(2013)

Abstract
Web applications can have vulnerabilities that result in server-side data leaks. Securing sensitive data from Web applications while ensuring reasonable performance and without requiring developers to rewrite entire applications is challenging. We present SilverLine, which prevents bulk data leaks caused due to code injection in Web applications as well as compromised user-level processes on the application server. SilverLine uses login information to associate a user with each Web session; it then taints each file and database record and applies information-flow tracking to the data associated with each session to ensure that application data is released only to sessions of authorized users. SilverLine focuses on isolating data between user sessions and is thus most suitable to applications that involve single user sessions (e.g., banking, e-commerce). We have implemented SilverLine on Linux; our implementation demonstrates that SilverLine can protect a PHP-based Web application from many of the most common server-side Web application attacks by modifying only about 60 lines of code from the original application. Our evaluation shows that SilverLine incurs a performance overhead of about 20-30% over unmodified applications.
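The abstract describes the core mechanism in three parts: a login binds each session to a user, each stored record is labelled with the user it belongs to, and the label is checked whenever data is about to leave the server towards a session. The following is an added illustration of that policy, written for this page and not taken from SilverLine or the paper; it models the labels in plain Python objects rather than the OS- and PHP-level tracking the paper implements on Linux, and the class names, the in-memory store and the sample account rows are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Tainted:
    """A value carrying the set of user ids entitled to see it (the taint label)."""
    value: str
    owners: FrozenSet[str]

    def combine(self, other: "Tainted", joined: str) -> "Tainted":
        # A value derived from two labelled inputs is visible only to users
        # authorised for both: label intersection is the conservative choice.
        return Tainted(joined, self.owners & other.owners)


class LeakBlocked(Exception):
    """Raised when labelled data would reach a session that is not authorised for it."""


@dataclass
class Session:
    session_id: str
    user_id: str  # bound at login; every outbound value is checked against it


class TaintedStore:
    """In-memory stand-in for files and database rows, labelled at write time."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tainted] = {}

    def put(self, key: str, value: str, owner: str) -> None:
        self._rows[key] = Tainted(value, frozenset({owner}))

    def get(self, key: str) -> Tainted:
        return self._rows[key]

    def scan(self) -> List[Tainted]:
        # What an unconstrained query (for example one altered by injection) returns.
        return list(self._rows.values())


def release(session: Session, item: Tainted) -> str:
    """The release check: data leaves the server only towards an authorised session."""
    if session.user_id not in item.owners:
        raise LeakBlocked(f"session {session.session_id} (user {session.user_id}) not authorised")
    return item.value


def build_response(session: Session, items: List[Tainted]) -> Tuple[List[str], int]:
    """Apply the release check to every item bound for the session's response.

    Returns the values that were released and the count of items blocked."""
    released: List[str] = []
    blocked = 0
    for item in items:
        try:
            released.append(release(session, item))
        except LeakBlocked:
            blocked += 1
    return released, blocked


def demo() -> Tuple[List[str], int, List[str], int]:
    # Constructed sample data: three users, one account row each.
    store = TaintedStore()
    store.put("acct:alice", "alice balance 1200", owner="alice")
    store.put("acct:bob", "bob balance 870", owner="bob")
    store.put("acct:carol", "carol balance 45", owner="carol")
    alice = Session("s1", user_id="alice")
    # Legitimate lookup: Alice's own row reaches Alice's session.
    ok, ok_blocked = build_response(alice, [store.get("acct:alice")])
    # The application is tricked into fetching every row; the release check
    # still lets only the row labelled for Alice through and blocks the rest.
    dumped, dumped_blocked = build_response(alice, store.scan())
    return ok, ok_blocked, dumped, dumped_blocked


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the check sits at the release boundary rather than at the query: a bulk fetch caused by injected code still produces the other users' rows inside the application, but none of them can be written to the attacker's session because the label travels with the data. Label intersection in `combine` shows the cost of that design, since a report assembled from two users' rows ends up visible to neither, which is why the paper restricts itself to applications dominated by single-user sessions.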
Keywords
common server-side web application, bulk data leak, sensitive data, isolating data, server-side data leak, PHP-based web application, application data, web session, web application, application server