Hails: Protecting Data Privacy in Untrusted Web Applications

Modern extensible web platforms like Facebook and Yammer depend on third-party software to offer a rich experience to their users. Unfortunately, users running a third-party "app" have little control over what it does with their private data. Today's platforms offer only ad-hoc constraints on app behavior, leaving users an unfortunate trade-off between convenience and privacy. A principled approach to code confinement could allow the integration of untrusted code while enforcing flexible, end-to-end policies on data access. This paper presents a new web framework, Hails, that adds mandatory access control and a declarative policy language to the familiar MVC architecture. We demonstrate the flexibility of Hails through GitStar.com, a code-hosting website that enforces robust privacy policies on user data even while allowing untrusted apps to deliver extended features to users.
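The abstract describes the combination that makes confinement of untrusted apps possible: a declarative policy that labels each stored document, and a mandatory access control layer that tracks what an app has read and checks every output against it. The following is an added toy model of that idea, written for this page; it is not Hails code and not the Hails API. The label form (a conjunction of disjunctions of principals), the `repo_policy` function, the `Context` class, the `untrusted_app` simulation and the sample repositories are all assumptions constructed here to show why an app that has read a private repository can render it to an authorized user's browser but not to an external endpoint or to an unauthorized viewer.

```python
"""Constructed toy of label-based mandatory access control (MAC) for an
MVC-style web platform, illustrating the Hails abstract.  This is NOT the
Hails API: every name, label form and document below is made up here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """Secrecy label as a conjunction of disjunctions of principals
    (disjunction-category style, an assumption of this example).
    {{"alice","bob"}} reads "alice OR bob may read";
    {{"alice"},{"bob"}} reads "alice AND bob must both consent".
    An empty conjunction is the formula True, i.e. public data."""
    clauses: frozenset = frozenset()

    def implies(self, other: "Label") -> bool:
        # With only positive literals, A implies B iff every clause of B is
        # weakened by (is a superset of) some clause of A.
        return all(any(a <= b for a in self.clauses) for b in other.clauses)

    def can_flow_to(self, other: "Label") -> bool:
        # Data may flow only to an equally or more restrictive label.
        return other.implies(self)

    def join(self, other: "Label") -> "Label":
        # Least upper bound: both formulas must hold (conjunction).
        return Label(self.clauses | other.clauses)


PUBLIC = Label()


def browser_of(user: str) -> Label:
    """Label of `user`'s browser: only that user may read what is sent there."""
    return Label(frozenset({frozenset({user})}))


class PolicyViolation(Exception):
    """Raised when an app tries to write data somewhere its label forbids."""


# --- Declarative policy, written once by the data owner (trusted code) ------
def repo_policy(doc: dict) -> Label:
    """Derive a document's label from its own fields: a private repository may
    be read by its owner or any collaborator; a public one by anybody."""
    if doc["public"]:
        return PUBLIC
    return Label(frozenset({frozenset([doc["owner"], *doc["collaborators"]])}))


# Constructed sample collection (not real GitStar data).
REPOS = {
    "alice/dotfiles": {"name": "alice/dotfiles", "owner": "alice",
                       "collaborators": [], "public": True},
    "alice/secret-plans": {"name": "alice/secret-plans", "owner": "alice",
                           "collaborators": ["bob"], "public": False},
    "bob/notes": {"name": "bob/notes", "owner": "bob",
                  "collaborators": [], "public": False},
}


# --- Confined execution context the untrusted app runs inside ---------------
class Context:
    """Tracks the app's current label: every read raises it, every write is
    checked against it, so the app cannot leak what it has seen."""

    def __init__(self) -> None:
        self.current = PUBLIC
        self.trace: list = []  # constructed audit trail of MAC decisions

    def read(self, doc: dict) -> dict:
        self.current = self.current.join(repo_policy(doc))
        self.trace.append(("read", doc["name"]))
        return doc

    def write(self, channel: str, channel_label: Label, payload: str) -> None:
        allowed = self.current.can_flow_to(channel_label)
        self.trace.append(("write", channel, "allowed" if allowed else "refused"))
        if not allowed:
            raise PolicyViolation(f"write to {channel} refused by label check")


def untrusted_app(repo_names: list, channel: str, channel_label: Label) -> tuple:
    """Simulate a third-party app that reads the named repos and renders them
    to `channel`.  Returns (delivered, trace); the app never sees the policy."""
    ctx = Context()
    html = "".join(f"<li>{ctx.read(REPOS[n])['name']}</li>" for n in repo_names)
    try:
        ctx.write(channel, channel_label, html)
        return True, ctx.trace
    except PolicyViolation:
        return False, ctx.trace


if __name__ == "__main__":
    print(untrusted_app(["alice/secret-plans"], "alice's browser", browser_of("alice")))
    print(untrusted_app(["alice/secret-plans"], "analytics.example", PUBLIC))
```

The point to notice is that the app code in `untrusted_app` contains no policy logic at all: the owner's `repo_policy` decides who may read each document, and the `Context` enforces it at the output boundary, so the same app is allowed to serve a private repository to a collaborator and refused when it tries to send the same bytes to a public channel or to a viewer who is not on the label. Reading two documents joins their labels, which is why an app that has touched both alice's and bob's private repositories can no longer render to either user's browser alone.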
