1
views
0
recommends
+1 Recommend
0 collections
    0
    shares
      • Record: found
      • Abstract: found
      • Article: found
      Is Open Access

      ESTRELA: Automated Policy Enforcement Across Remote APIs

      Preprint
      , , ,

      Read this article at

      Bookmark
          There is no author summary for this article yet. Authors can add summaries to their articles on ScienceOpen to make them more accessible to a non-specialist audience.

          Abstract

          Web applications routinely access sensitive and confidential data of users through remote APIs, the privacy of which is governed by different policies specified by the application developer and implemented as checks across application code and database queries. Given the complexity of the code, it is often the case that missing policy checks cause unauthorized information leaks. To address this issue of policy compliance, we present ESTRELA, a framework that allows specification of privacy policies separately from the code and enforces it on the interfaces that access the sensitive data. One of the major concerns that this work addresses is the specification of rich and expressive stateful policies that allow applications to function seamlessly while preventing unauthorized leaks of data. At the same time, ESTRELA applies only selected policies based on the usage of sensitive data, limiting the number of policies being applied. The idea is to associate policies, written in a higher-order language, with different remote interfaces that are enforced on their outputs instead of having a fixed set of policies for different database fields, leveraging the features of the widely-used REST architectural style. ESTRELA is database-agnostic and does not require any modification to the database. We implement ESTRELA in Python, on top of Django, and evaluate its performance and effectiveness by showing its application to a social-networking application, a healthcare system and a conference management system. ESTRELA adds reasonably low overhead to existing applications that run without any policy checks, and almost negligible overheads to applications running with policy checks as part of the API code.

          Related collections

          Most cited references9

          • Record: found
          • Abstract: not found
          • Conference Proceedings: not found

          A language for automatically enforcing privacy policies

            Bookmark
            • Record: found
            • Abstract: not found
            • Conference Proceedings: not found

            Bootstrapping Privacy Compliance in Big Data Systems

              Bookmark
              • Record: found
              • Abstract: not found
              • Conference Proceedings: not found

              Improving application security with data flow assertions

                Bookmark

                Author and article information

                Journal
                20 November 2018
                Article
                1811.08234
                41cabde5-0f6f-4b10-a27f-d65a314837f2

                http://arxiv.org/licenses/nonexclusive-distrib/1.0/

                History
                Custom metadata
                cs.CR

                Security & Cryptology
                Security & Cryptology

                Comments

                Comment on this article