17th Annual Computer Security Applications Conference
December 10-14, 2001
New Orleans, Louisiana

Securing Web Servers against Insider Attack

Shan Jiang, Sean Smith, Kazuhiro Minami
Dartmouth College

Too often, 'security of Web transactions' reduces to 'encryption of the channel'---and neglects to address what happens at the server on the other end. This oversight forces clients to trust the good intentions and competence of the server operator---but gives clients no basis for that trust. In this paper, we apply secure coprocessing and cryptography to solve this real problem in Web technology. We present a vision: using secure coprocessors to establish trusted co-servers at Web servers and moving sensitive computations inside these co-servers; we present a prototype implementation of this vision that scales to realistic workloads; and we validate this approach by building a simple E-voting application on top of our prototype.

By showing the real potential of COTS secure coprocessing technology to establish trusted islands of computation in hostile environments---such as at web servers with risk of insider attack---this work also helps demonstrate that 'secure hardware' can be more than synonym for 'cryptographic accelerator.'

Keywords: secure coprocessors, SSL, insider attack, e-commerce

Read Paper Read Paper (in PDF)