FML, a simple approach to web security
FML: a simple language for creating web forms
Valentina De Rosa, Bachelor's degree programme in Computer Science
Academic year 2010/2011
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards."
— E. Spafford
WEB & APP: Welcome, please enjoy our users' data!
SOME STATISTICS (WhiteHat Website Security Statistics Report, OWASP Top Ten Project) 1 / 2
Vulnerable sites: 84%
At least one vulnerability among the 3 most dangerous: 64%
SOME STATISTICS (WhiteHat Website Security Statistics Report, OWASP Top Ten Project) 2 / 2
Average number of critical vulnerabilities (per site): 230
Existing solutions (+ / -)
Programming skills
FML
• allows describing an interaction
• HTML-like language
• semantic structure
<email>
  <configuration>
    <from>[email protected]</from>
    <to>$email</to>
    <subject>Reservation made by $surname</subject>
    <text>Mr./Ms. $surname reserved a table for $people people in date $date and time $time. Notes: $notes.</text>
    <success>Thank you for reserving a table on $date. We'll send you a confirmation email soon.</success>
  </configuration>
  <form>
    <name id="surname">
      <label>Surname</label>
      <optional>false</optional>
    </name>
    <email id="email">
      <label>Email</label>
      <optional>false</optional>
    </email>
    <date id="date">
      <label>Reservation date</label>
      <optional>false</optional>
    </date>
    <time id="time">
      <label>Reservation time</label>
      <interval step="15">12:00-15:00</interval>
      <interval step="15">20:00-23:00</interval>
      <optional>false</optional>
    </time>
    <singleChoice id="people">
      <label>How many people?</label>
      <optional>false</optional>
      <choiceRange>1-10</choiceRange>
    </singleChoice>
    <textarea id="notes">
      <label>Notes</label>
      <optional>true</optional>
    </textarea>
  </form>
</email>
What FML is not
FML in detail
<!-- email_form.fml -->
<email>
  <configuration>
    <to>...</to>
    <subject>...</subject>
    ...
  </configuration>
  <form>
    <telephone>
      <label>...</label>
    </telephone>
    <singleChoice>
      <choice>...</choice>
      <choice>...</choice>
    </singleChoice>
    ...
  </form>
</email>
<!-- end -->
PROCESS: Page request 1 / 1 (diagram: step 1, HTTP page request; components shown: FML file, Parser, FMTree, Translator, Evaluator, Mail, Database, Configuration, XHTML, Javascript, WWW)
PROCESS: Data submission 1 / 1 (diagram: step 2, HTTP + DATA, data submission; components shown: FML file, Parser, FMTree, Translator, Evaluator, Mail, Database, Configuration, XHTML, Javascript, WWW)
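The data-submission step of the process above, written here as an added Python example (not the thesis code): the Evaluator checks each submitted value against the field declarations of the reservation form shown earlier and only then fills the $variables of <configuration>. The slides do not define the semantics of <optional>, <interval step> and <choiceRange>, so this code assumes "false" means required, interval times must sit on a step inside the range, and choiceRange admits the integers lo..hi; the FML document is a constructed, cut-down sample.

```python
import re
import xml.etree.ElementTree as ET

FML = """<!-- constructed sample, cut down from the reservation form on the slides -->
<email><configuration><to>$email</to><subject>Reservation made by $surname</subject>
  <text>Mr./Ms. $surname reserved a table for $people people at $time.</text></configuration>
<form><name id="surname"><label>Surname</label><optional>false</optional></name>
  <email id="email"><label>Email</label><optional>false</optional></email>
  <time id="time"><label>Time</label><optional>false</optional>
    <interval step="15">12:00-15:00</interval><interval step="15">20:00-23:00</interval></time>
  <singleChoice id="people"><label>People</label><optional>false</optional>
    <choiceRange>1-10</choiceRange></singleChoice></form></email>"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")   # no spaces, no CR/LF
mins = lambda hhmm: int(hhmm[:2]) * 60 + int(hhmm[3:])  # "HH:MM" -> minutes

def field_ok(field, value):
    """Check one value against its FML field declaration (semantics assumed, see lead-in)."""
    if field.tag == "email":         # fullmatch also keeps header-breaking chars out of <to>
        return EMAIL_RE.fullmatch(value) is not None
    if field.tag == "time":          # HH:MM that sits on a step inside one <interval>
        t = mins(value) if re.fullmatch(r"\d{2}:\d{2}", value) else -1
        return any(lo <= t <= hi and (t - lo) % int(iv.get("step", "1")) == 0
                   for iv in field.findall("interval")
                   for lo, hi in [tuple(map(mins, iv.text.split("-")))])
    if field.tag == "singleChoice":  # integer within <choiceRange>lo-hi</choiceRange>
        lo, hi = map(int, field.findtext("choiceRange").split("-"))
        return value.isdigit() and lo <= int(value) <= hi
    return not re.search(r"[\r\n]", value)  # free text: nothing that breaks a mail header

def evaluate(fml, submitted):
    """Validate submitted data (dict id -> str); return (errors, filled configuration)."""
    root, errors, values = ET.fromstring(fml), [], {}
    for field in root.find("form"):
        fid = field.get("id")
        value = submitted.get(fid, "").strip()
        if not value:
            if field.findtext("optional") == "false":
                errors.append(f"{fid}: required")
        elif field_ok(field, value):
            values[fid] = value
        else:
            errors.append(f"{fid}: invalid")
    if errors:
        return errors, None
    # Substitute only validated field ids; an unknown $token stays as literal text.
    fill = lambda s: re.sub(r"\$(\w+)", lambda m: values.get(m.group(1), m.group(0)), s)
    return [], {c.tag: fill(c.text) for c in root.find("configuration")}
```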
In conclusion
"Each time we create a fool-proof system, the universe creates a better fool."
Towards infinity...
Thank you