Hails: Protecting Data Privacy in Untrusted Web Applications
Authors
Abstract
Modern extensible web platforms like Facebook and Yammer depend on third-party software to offer a rich experience to their users. Unfortunately, users running a third-party “app” have little control over what it does with their private data. Today’s platforms offer only ad-hoc constraints on app behavior, leaving users an unfortunate trade-off between convenience and privacy. A principled approach to code confinement could allow the integration of untrusted code while enforcing flexible, end-to-end policies on data access. This paper presents a new web framework, Hails, that adds mandatory access control and a declarative policy language to the familiar MVC architecture. We demonstrate the flexibility of Hails through GitStar.com, a code-hosting website that enforces robust privacy policies on user data even while allowing untrusted apps to deliver extended features to users.
Similar resources
Hails: Protecting Data Privacy in Untrusted Web Application
Many modern web platforms are no longer written by a single entity, such as a company or individual, but consist of a trusted core that can be extended by untrusted third-party authors. Examples of this approach include Facebook, Yammer, and Salesforce. Unfortunately, users running a third-party “app” have little control over what it does with their private data. Today’s platforms offer only a...
Deian Stefan – Research Statement
My research interests span the areas of systems, programming languages, and security. I particularly enjoy building secure systems that can see adoption. My efforts are generally guided by two goals: (1) to enable average developers to build secure systems and applications, and (2) to leverage the benefits of formal semantics when reasoning about the security properties of a system. For example...
Principled and Practical Web Application Security a Dissertation Submitted to the Department of Computer Science and the Committee on Graduate Studies of Stanford University in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy
Large-scale private user data theft has become a common occurrence on the web. A huge factor in these privacy breaches is that developers specify and enforce data security policies by strewing checks throughout their application code. Overlooking even a single check can lead to vulnerabilities. Unfortunately, even if developers manage to get all the checks right, most web applications rely on t...
Protecting Private Web Content from Embedded Scripts
Many web pages display personal information provided by users. The goal of this work is to protect that content from untrusted scripts that are embedded in host pages. We present a browser modification that provides fine-grained control over what parts of a document are visible to different scripts, and executes untrusted scripts in isolated environments where private information is not accessi...
Protecting Users by Confining JavaScript with COWL
Modern web applications are conglomerations of JavaScript written by multiple authors: application developers routinely incorporate code from third-party libraries, and mashup applications synthesize data and code hosted at different sites. In current browsers, a web application’s developer and user must trust third-party code in libraries not to leak the user’s sensitive information from withi...
Journal title:
- Journal of Computer Security
Volume 25 Issue
Pages -
Publication date 2012