论文信息 - Enforcing Privacy in Web Applications

Enforcing Privacy in Web Applications

The development of web applications is typically done oblivious to privacy precautions. Largely, this is due to lack of technical knowledge and appropriate tools for enforcing privacy. As a result, web users’ personal information is constantly at risk. We introduce a solution that protects arbitrary web applications from several dangerous privacy threats. It is easy to install, usable (e.g., in terms of expressiveness and appropriate enforcement), and requires no changes to the web application’s code. Its main functionality is given by modules that are situated between web server and user, and between web server and APIs. These modules assign a privacy tag to inbound data according to its origin (e.g., received through a web form field or stored in an internal database); and block outbound data according to its privacy tag, what is its destination, and its syntax. This allows us, for example, to block private data from being exposed to users. We have implemented a prototype for the PHP platform that is efficient in terms of CPU and memory usage. We also verified that it enforces privacy in several potentially-vulnerable scenarios. Furthermore, we provide a plug-in for web browsers that lets users visualize the privacy policy in action.

Ariel Waissbein | Ariel Futoransky

[1] Ka-Ping Yee,et al. User Interaction Design for Secure Systems , 2002, ICICS.

[2] Alain J. Mayer,et al. Security of Web Browser Scripting Languages: Vulnerabilities, Attacks, and Remedies , 1998, USENIX Security Symposium.

[3] Athman Bouguettaya,et al. Preserving privacy in web services , 2002, WIDM '02.

[4] Mandy Andress. Web Application Security , 2007, Information Security Management Handbook, 6th ed..

[5] Marc Langheinrich,et al. The platform for privacy preferences 1.0 (p3p1.0) specification , 2002 .

[6] Lisa Lopuck. Web Design For Dummies , 2001 .

[7] David H. Ackley,et al. Randomized instruction set emulation to disrupt binary code injection attacks , 2003, CCS '03.

[8] Ravi S. Sandhu. Good-Enough Security: Toward a Pragmatic Business-Driven Discipline , 2003, IEEE Internet Comput..

[9] Lorrie Faith Cranor,et al. Use of a P3P user agent by early adopters , 2002, WPES '02.

[10] Angelos D. Keromytis,et al. SQLrand: Preventing SQL Injection Attacks , 2004, ACNS.