CPL - Chalmers Publication Library

Hails: Protecting data privacy in untrusted web applications

Daniel Giffin ; Amit Levy ; Deian Stefan ; David Terei ; David Mazieres ; John Mitchell ; Alejandro Russo (Department of Computer Science and Engineering, Information Security (Chalmers))
JOURNAL OF COMPUTER SECURITY (0926-227X). Vol. 25 (2017), 4-5, p. 427-461.
[Article, peer-reviewed scientific]

Many modern web platforms are no longer written by a single entity, such as a company or individual, but consist of a trusted core that can be extended by untrusted third-party authors. Examples of this approach include Facebook, Yammer, and Salesforce. Unfortunately, users running third-party "apps" have little control over what the apps can do with their private data. Today's platforms offer only ad hoc constraints on app behavior, leaving users an unfortunate trade-off between convenience and privacy. A principled approach to code confinement could allow the integration of untrusted code while enforcing flexible, end-to-end policies on data access. This paper presents a new framework, Hails, for building web platforms that adds mandatory access control and a declarative policy language to the familiar MVC architecture. We demonstrate the flexibility of Hails by building several platforms, including GitStar, a code-hosting website that enforces robust privacy policies on user data even while allowing untrusted apps to deliver extended features to users.

Keywords: information, systems, model



This record was created 2017-08-24.
CPL Pubid: 251386
