ESTRELA: Automated Policy Enforcement Across Remote APIs

11/20/2018
by Abhishek Bichhawat, et al.

Web applications routinely access sensitive and confidential user data through remote APIs. The privacy of this data is governed by policies that the application developer specifies and implements as checks spread across application code and database queries. Given the complexity of the code, missing policy checks often cause unauthorized information leaks. To address this issue of policy compliance, we present ESTRELA, a framework that allows privacy policies to be specified separately from the code and enforces them on the interfaces that access the sensitive data. One of the major concerns that this work addresses is the specification of rich and expressive stateful policies that allow applications to function seamlessly while preventing unauthorized leaks of data. At the same time, ESTRELA applies only selected policies based on the usage of sensitive data, limiting the number of policies being applied. The idea is to associate policies, written in a higher-order language, with different remote interfaces and to enforce them on the outputs of those interfaces, instead of having a fixed set of policies for different database fields, leveraging the features of the widely used REST architectural style. ESTRELA is database-agnostic and does not require any modification to the database. We implement ESTRELA in Python, on top of Django, and evaluate its performance and effectiveness by showing its application to a social-networking application, a healthcare system and a conference management system. ESTRELA adds reasonably low overhead to existing applications that run without any policy checks, and almost negligible overhead to applications running with policy checks as part of the API code.
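The sketch below is an added illustration of the idea in the abstract (a policy kept apart from the handler, bound to one endpoint, and applied to that endpoint's output); it is not ESTRELA's code or API. The names `policy`, `enforce` and `records_policy`, the consent state and the sample records are all assumptions, and it uses plain Python rather than Django so that it runs standalone.

```python
# Added illustration; not ESTRELA's API. All names here are hypothetical.
POLICIES = {}  # endpoint name -> output policy, kept apart from handler code

def policy(endpoint):
    """Register an output policy for one endpoint."""
    def register(fn):
        POLICIES[endpoint] = fn
        return fn
    return register

def enforce(endpoint, handler):
    """Wrap a handler so every row it returns passes through the policy."""
    def wrapped(requester, state, *args):
        check = POLICIES.get(endpoint)
        if check is None:  # fail closed: no policy registered, no data out
            return []
        out = []
        for row in handler(*args):
            filtered = check(requester, state, row)
            if filtered is not None:
                out.append(filtered)
        return out
    return wrapped

# Constructed sample data standing in for any database backend.
RECORDS = [
    {"patient": "alice", "diagnosis": "flu", "ssn": "000-00-0001"},
    {"patient": "bob", "diagnosis": "asthma", "ssn": "000-00-0002"},
]

def list_records():
    # Handler with no policy checks of its own: it returns everything.
    return [dict(r) for r in RECORDS]

@policy("records")
def records_policy(requester, state, row):
    # Stateful rule: consent recorded at runtime decides visibility.
    if row["patient"] == requester:
        return row  # patients see their own full record
    if requester in state["consent"].get(row["patient"], set()):
        return {k: v for k, v in row.items() if k != "ssn"}  # redact field
    return None  # drop the row entirely

records_api = enforce("records", list_records)
```

Because the handler contains no checks, a missing check in application code cannot leak a row; the only way data leaves is through the policy bound to the endpoint.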
