Application-Screen Masking: A Hybrid Approach

Large organizations often face difficult tradeoffs in balancing the need to share information with the need to safeguard sensitive data. A prominent way to deal with this tradeoff is on-the-fly screen masking of sensitive data in applications. A proposed hybrid approach for masking Web application screens combines the advantages of the context available at the presentation layer with the flexibility and low overhead of masking at the network layer. This solution can identify sensitive information in the visual context of the application screen and then automatically generate the masking rules to enforce at run time. This approach supports the creation of highly expressive masking rules, while keeping rule authoring easy and intuitive, resulting in an easy to use, effective system. This article is part of a special issue on Security and Privacy on the Web. The Web extra at https://youtu.be/4u2FLqjaIiI is a short demonstration of a proposed hybrid approach for masking Web application screens that combines the advantages of the context available at the presentation layer with the flexibility and low overhead of masking at the network layer. The second Web extra at https://youtu.be/-Hz3P_H0UnU is a full-length demonstration of a proposed hybrid approach for masking Web application screens that combines the advantages of the context available at the presentation layer with the flexibility and low overhead of masking at the network layer.

[1]  J. Dumortier Directive 98/48/EC of the European Parliament and of the Council , 2006 .

[2]  Anil Kumar,et al.  Constructing secure web applications with proper data validations , 2014, International Conference on Recent Advances and Innovations in Engineering (ICRAIE-2014).

[3]  Stanley Oliveira,et al.  An Efficient One-Scan Sanitization For Improving The Balance Between Privacy And Knowledge Discovery , 2003 .

[4]  John C. Mitchell,et al.  State of the Art: Automated Black-Box Web Application Vulnerability Testing , 2010, 2010 IEEE Symposium on Security and Privacy.

[5]  Somesh Jha,et al.  Retrofitting legacy code for authorization policy enforcement , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[6]  Achim D. Brucker,et al.  Extending access control models with break-glass , 2009, SACMAT '09.

[7]  Christopher Krügel,et al.  Pixy: a static analysis tool for detecting Web application vulnerabilities , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[8]  Muthu Ramachandran Software Security Engineering: Design and Applications , 2011 .

[9]  Tzilla Elrad,et al.  Aspect-oriented programming: Introduction , 2001, CACM.

[10]  Beat Liver,et al.  Privacy Application Infrastructure: Confidential Data Masking , 2009, 2009 IEEE Conference on Commerce and Enterprise Computing.

[11]  Vicenç Torra,et al.  Data privacy , 2014, Advanced Research in Data Privacy.

[12]  Robert E. Filman,et al.  What Is Aspect-Oriented Programming , 2001 .

[13]  David W. Binkley,et al.  Source Code Analysis: A Road Map , 2007, Future of Software Engineering (FOSE '07).

[14]  Dieter Gollmann,et al.  ICT Systems Security and Privacy Protection , 2015, IFIP Advances in Information and Communication Technology.

[15]  H. S. Chandrashekar,et al.  Packet sniffing: a brief introduction , 2003 .

[16]  Rui Wang,et al.  Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow , 2010, 2010 IEEE Symposium on Security and Privacy.

[17]  Amir Geva,et al.  Dynamic masking of application displays using OCR technologies , 2009, IBM J. Res. Dev..

[18]  Christopher Krügel,et al.  Saner: Composing Static and Dynamic Analysis to Validate Sanitization in Web Applications , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[19]  Miguel Correia,et al.  Automatic detection and correction of web application vulnerabilities using data mining to predict false positives , 2014, WWW.

[20]  Alberto Cerpa,et al.  Internet Content Adaptation Protocol (ICAP) , 2003, RFC.

[21]  Jaap-Henk Hoepman,et al.  PDF hosted at the Radboud Repository of the Radboud University Nijmegen , 2022 .

[22]  Andrew C. Myers,et al.  SIF: Enforcing Confidentiality and Integrity in Web Applications , 2007, USENIX Security Symposium.