SafeWeb: A Middleware for Securing Ruby-Based Web Applications

Web applications in many domains such as healthcare and finance must process sensitive data, while complying with legal policies regarding the release of different classes of data to different parties. Currently, software bugs may lead to irreversible disclosure of confidential data in multi-tier web applications. An open challenge is how developers can guarantee these web applications only ever release sensitive data to authorised users without costly, recurring security audits. Our solution is to provide a trusted middleware that acts as a "safety net" to event-based enterprise web applications by preventing harmful data disclosure before it happens. We describe the design and implementation of SafeWeb, a Ruby-based middleware that associates data with security labels and transparently tracks their propagation at different granularities across a multi-tier web architecture with storage and complex event processing. For efficiency, maintainability and ease-of-use, SafeWeb exploits the dynamic features of the Ruby programming language to achieve label propagation and data flow enforcement. We evaluate SafeWeb by reporting our experience of implementing a web-based cancer treatment application and deploying it as part of the UK National Health Service (NHS).
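The sketch below is an added illustration, not SafeWeb's own code or API: it shows the pattern the abstract describes, a label attached to a value that rides along through ordinary Ruby operations via dynamic dispatch, and a single sink that refuses to release data to a principal whose clearance does not cover the label. The class and method names (Labelled, release, DisclosureError), the tags :patient_identity and :clinical, and the sample patient data are all assumptions constructed for this example.

```ruby
# Added example, not SafeWeb's code: label propagation and sink enforcement
# using Ruby's dynamic dispatch. Class and method names (Labelled, release,
# DisclosureError) and the tags below are assumptions made for this sketch.
require 'set'

class DisclosureError < StandardError; end

# A value carrying a security label (a set of tags such as :clinical).
# Every call not defined here is forwarded to the wrapped object via
# method_missing, and the result is re-wrapped with the union of the labels of
# the receiver and of every Labelled argument. Derived data therefore keeps
# the label of everything it was computed from, without the application code
# having to know about labels at all.
class Labelled
  attr_reader :value, :label

  def initialize(value, label)
    @value = value
    @label = Set.new(label).freeze
  end

  def method_missing(name, *args, &block)
    return super unless @value.respond_to?(name)
    raw_args = args.map { |a| a.is_a?(Labelled) ? a.value : a }
    merged = args.grep(Labelled).reduce(@label) { |acc, a| acc | a.label }
    Labelled.new(@value.public_send(name, *raw_args, &block), merged)
  end

  def respond_to_missing?(name, include_private = false)
    @value.respond_to?(name, include_private) || super
  end

  # Debug output and string interpolation are sinks too: never show the value.
  def inspect
    "#<Labelled label=#{@label.to_a.inspect}>"
  end
  alias to_s inspect
end

# Sink: the only way to get an unlabelled value back. It succeeds only when the
# principal's clearance covers every tag on the label; otherwise the disclosure
# is refused before it happens.
def release(labelled, clearance)
  missing = labelled.label - Set.new(clearance)
  unless missing.empty?
    raise DisclosureError, "refusing to release data tagged #{missing.to_a.inspect}"
  end
  labelled.value
end

# Constructed sample data: two fields with different labels, combined by
# ordinary String#+ calls, as application code would do when rendering a page.
def build_summary
  patient_name = Labelled.new('Alice', [:patient_identity])
  diagnosis    = Labelled.new('stage II carcinoma', [:clinical])
  patient_name + ': ' + diagnosis
end

if __FILE__ == $PROGRAM_NAME
  summary = build_summary
  puts summary.label.to_a.inspect                 # [:patient_identity, :clinical]
  puts release(summary, %i[patient_identity clinical])
  begin
    release(summary, %i[clinical])                # cleared for clinical data only
  rescue DisclosureError => e
    puts e.message
  end
end
```

Two caveats a practitioner would check before relying on a wrapper like this. First, it tracks explicit flows only: a branch on a labelled value that then writes an unlabelled constant is an implicit flow the wrapper cannot see, which is one reason a real middleware combines per-value labels with coarser per-request or per-process labels. Second, any method the wrapper class itself already defines (here inspect and to_s, but also ==, hash and anything inherited from Object) bypasses method_missing, so each of those must be audited as a potential declassification path.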
