TY - GEN
T1 - SafeWeb
T2 - 12th ACM/IFIP/USENIX International Middleware Conference, Middleware 2011
AU - Hosek, Petr
AU - Migliavacca, Matteo
AU - Papagiannis, Ioannis
AU - Eyers, David M.
AU - Evans, David
AU - Shand, Brian
AU - Bacon, Jean
AU - Pietzuch, Peter
PY - 2011
Y1 - 2011
N2 - Web applications in many domains such as healthcare and finance must process sensitive data, while complying with legal policies regarding the release of different classes of data to different parties. Currently, software bugs may lead to irreversible disclosure of confidential data in multi-tier web applications. An open challenge is how developers can guarantee these web applications only ever release sensitive data to authorised users without costly, recurring security audits. Our solution is to provide a trusted middleware that acts as a "safety net" to event-based enterprise web applications by preventing harmful data disclosure before it happens. We describe the design and implementation of SafeWeb, a Ruby-based middleware that associates data with security labels and transparently tracks their propagation at different granularities across a multi-tier web architecture with storage and complex event processing. For efficiency, maintainability and ease-of-use, SafeWeb exploits the dynamic features of the Ruby programming language to achieve label propagation and data flow enforcement. We evaluate SafeWeb by reporting our experience of implementing a web-based cancer treatment application and deploying it as part of the UK National Health Service (NHS).
UR - http://www.scopus.com/inward/record.url?scp=83755174097&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-25821-3_25
DO - 10.1007/978-3-642-25821-3_25
M3 - Conference contribution
AN - SCOPUS:83755174097
SN - 9783642258206
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 491
EP - 511
BT - Middleware 2011 - ACM/IFIP/USENIX 12th International Middleware Conference, Proceedings
Y2 - 12 December 2011 through 16 December 2011
ER -