SafeWeb: A middleware for securing Ruby-based web applications

Petr Hosek; Matteo Migliavacca; Ioannis Papagiannis; David M. Eyers; David Evans; Brian Shand; Jean Bacon; Peter Pietzuch

doi:10.1007/978-3-642-25821-3_25

SafeWeb: A middleware for securing Ruby-based web applications

Petr Hosek^*
, Matteo Migliavacca
, Ioannis Papagiannis
, David M. Eyers
, David Evans
, Brian Shand
, Jean Bacon
, Peter Pietzuch

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

8 Citations (Scopus)

Abstract

Web applications in many domains such as healthcare and finance must process sensitive data, while complying with legal policies regarding the release of different classes of data to different parties. Currently, software bugs may lead to irreversible disclosure of confidential data in multi-tier web applications. An open challenge is how developers can guarantee these web applications only ever release sensitive data to authorised users without costly, recurring security audits. Our solution is to provide a trusted middleware that acts as a "safety net" to event-based enterprise web applications by preventing harmful data disclosure before it happens. We describe the design and implementation of SafeWeb, a Ruby-based middleware that associates data with security labels and transparently tracks their propagation at different granularities across a multi-tier web architecture with storage and complex event processing. For efficiency, maintainability and ease-of-use, SafeWeb exploits the dynamic features of the Ruby programming language to achieve label propagation and data flow enforcement. We evaluate SafeWeb by reporting our experience of implementing a web-based cancer treatment application and deploying it as part of the UK National Health Service (NHS).

Original language	English
Title of host publication	Middleware 2011 - ACM/IFIP/USENIX 12th International Middleware Conference, Proceedings
Pages	491-511
Number of pages	21
DOIs	https://doi.org/10.1007/978-3-642-25821-3_25
Publication status	Published - 2011
Externally published	Yes
Event	12th ACM/IFIP/USENIX International Middleware Conference, Middleware 2011 - Lisbon, Portugal Duration: 12 Dec 2011 → 16 Dec 2011

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	7049 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	12th ACM/IFIP/USENIX International Middleware Conference, Middleware 2011
Country/Territory	Portugal
City	Lisbon
Period	12/12/11 → 16/12/11

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

SDG 3 Good Health and Well-being

Access to Document

10.1007/978-3-642-25821-3_25

Cite this

Hosek, P., Migliavacca, M., Papagiannis, I., Eyers, D. M., Evans, D., Shand, B., Bacon, J., & Pietzuch, P. (2011). SafeWeb: A middleware for securing Ruby-based web applications. In Middleware 2011 - ACM/IFIP/USENIX 12th International Middleware Conference, Proceedings (pp. 491-511). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7049 LNCS). https://doi.org/10.1007/978-3-642-25821-3_25

Hosek, Petr ; Migliavacca, Matteo ; Papagiannis, Ioannis et al. / SafeWeb : A middleware for securing Ruby-based web applications. Middleware 2011 - ACM/IFIP/USENIX 12th International Middleware Conference, Proceedings. 2011. pp. 491-511 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{b229082c61134eed8550fcf2ed985d4d,

title = "SafeWeb: A middleware for securing Ruby-based web applications",

abstract = "Web applications in many domains such as healthcare and finance must process sensitive data, while complying with legal policies regarding the release of different classes of data to different parties. Currently, software bugs may lead to irreversible disclosure of confidential data in multi-tier web applications. An open challenge is how developers can guarantee these web applications only ever release sensitive data to authorised users without costly, recurring security audits. Our solution is to provide a trusted middleware that acts as a {"}safety net{"} to event-based enterprise web applications by preventing harmful data disclosure before it happens. We describe the design and implementation of SafeWeb, a Ruby-based middleware that associates data with security labels and transparently tracks their propagation at different granularities across a multi-tier web architecture with storage and complex event processing. For efficiency, maintainability and ease-of-use, SafeWeb exploits the dynamic features of the Ruby programming language to achieve label propagation and data flow enforcement. We evaluate SafeWeb by reporting our experience of implementing a web-based cancer treatment application and deploying it as part of the UK National Health Service (NHS).",

author = "Petr Hosek and Matteo Migliavacca and Ioannis Papagiannis and Eyers, \{David M.\} and David Evans and Brian Shand and Jean Bacon and Peter Pietzuch",

year = "2011",

doi = "10.1007/978-3-642-25821-3\_25",

language = "English",

isbn = "9783642258206",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "491--511",

booktitle = "Middleware 2011 - ACM/IFIP/USENIX 12th International Middleware Conference, Proceedings",

note = "12th ACM/IFIP/USENIX International Middleware Conference, Middleware 2011 ; Conference date: 12-12-2011 Through 16-12-2011",

}

Hosek, P, Migliavacca, M, Papagiannis, I, Eyers, DM, Evans, D, Shand, B, Bacon, J & Pietzuch, P 2011, SafeWeb: A middleware for securing Ruby-based web applications. in Middleware 2011 - ACM/IFIP/USENIX 12th International Middleware Conference, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 7049 LNCS, pp. 491-511, 12th ACM/IFIP/USENIX International Middleware Conference, Middleware 2011, Lisbon, Portugal, 12/12/11. https://doi.org/10.1007/978-3-642-25821-3_25

SafeWeb: A middleware for securing Ruby-based web applications. / Hosek, Petr; Migliavacca, Matteo; Papagiannis, Ioannis et al.
Middleware 2011 - ACM/IFIP/USENIX 12th International Middleware Conference, Proceedings. 2011. p. 491-511 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7049 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - SafeWeb

T2 - 12th ACM/IFIP/USENIX International Middleware Conference, Middleware 2011

AU - Hosek, Petr

AU - Migliavacca, Matteo

AU - Papagiannis, Ioannis

AU - Eyers, David M.

AU - Evans, David

AU - Shand, Brian

AU - Bacon, Jean

AU - Pietzuch, Peter

PY - 2011

Y1 - 2011

N2 - Web applications in many domains such as healthcare and finance must process sensitive data, while complying with legal policies regarding the release of different classes of data to different parties. Currently, software bugs may lead to irreversible disclosure of confidential data in multi-tier web applications. An open challenge is how developers can guarantee these web applications only ever release sensitive data to authorised users without costly, recurring security audits. Our solution is to provide a trusted middleware that acts as a "safety net" to event-based enterprise web applications by preventing harmful data disclosure before it happens. We describe the design and implementation of SafeWeb, a Ruby-based middleware that associates data with security labels and transparently tracks their propagation at different granularities across a multi-tier web architecture with storage and complex event processing. For efficiency, maintainability and ease-of-use, SafeWeb exploits the dynamic features of the Ruby programming language to achieve label propagation and data flow enforcement. We evaluate SafeWeb by reporting our experience of implementing a web-based cancer treatment application and deploying it as part of the UK National Health Service (NHS).

AB - Web applications in many domains such as healthcare and finance must process sensitive data, while complying with legal policies regarding the release of different classes of data to different parties. Currently, software bugs may lead to irreversible disclosure of confidential data in multi-tier web applications. An open challenge is how developers can guarantee these web applications only ever release sensitive data to authorised users without costly, recurring security audits. Our solution is to provide a trusted middleware that acts as a "safety net" to event-based enterprise web applications by preventing harmful data disclosure before it happens. We describe the design and implementation of SafeWeb, a Ruby-based middleware that associates data with security labels and transparently tracks their propagation at different granularities across a multi-tier web architecture with storage and complex event processing. For efficiency, maintainability and ease-of-use, SafeWeb exploits the dynamic features of the Ruby programming language to achieve label propagation and data flow enforcement. We evaluate SafeWeb by reporting our experience of implementing a web-based cancer treatment application and deploying it as part of the UK National Health Service (NHS).

UR - https://www.scopus.com/pages/publications/83755174097

U2 - 10.1007/978-3-642-25821-3_25

DO - 10.1007/978-3-642-25821-3_25

M3 - Conference contribution

AN - SCOPUS:83755174097

SN - 9783642258206

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 491

EP - 511

BT - Middleware 2011 - ACM/IFIP/USENIX 12th International Middleware Conference, Proceedings

Y2 - 12 December 2011 through 16 December 2011

ER -

Hosek P, Migliavacca M, Papagiannis I, Eyers DM, Evans D, Shand B et al. SafeWeb: A middleware for securing Ruby-based web applications. In Middleware 2011 - ACM/IFIP/USENIX 12th International Middleware Conference, Proceedings. 2011. p. 491-511. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-642-25821-3_25

SafeWeb: A middleware for securing Ruby-based web applications

Abstract

Publication series

Conference

UN SDGs

Access to Document

Other files and links

Fingerprint

Cite this