Daniel B. Giffin, Amit Levy, Deian Stefan, David Terei, David Mazières, and John C. Mitchell, Stanford University; Alejandro Russo, Chalmers University
Abstract:
Modern extensible web platforms like Facebook and Yammer depend on third-party software to offer a rich experience to their users. Unfortunately, users running a third-party “app” have little control over what it does with their private data. Today’s platforms offer only ad-hoc constraints on app behavior, leaving users an unfortunate trade-off between convenience and privacy. A principled approach to code confinement could allow the integration of untrusted code while enforcing flexible, end-to-end policies on data access. This paper presents a new web framework, Hails, that adds mandatory access control and a declarative policy language to the familiar MVC architecture. We demonstrate the flexibility of Hails through GitStar.com, a code-hosting website that enforces robust privacy policies on user data even while allowing untrusted apps to deliver extended features to users.
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
BibTeX
@inproceedings {180253,
author = {Daniel B. Giffin and Amit Levy and Deian Stefan and David Terei and David Mazi{\`e}res and John C. Mitchell and Alejandro Russo},
title = {Hails: Protecting Data Privacy in Untrusted Web Applications},
booktitle = {10th USENIX Symposium on Operating Systems Design and Implementation (OSDI 12)},
year = {2012},
isbn = {978-1-931971-96-6},
address = {Hollywood, CA},
pages = {47--60},
url = {https://www.usenix.org/conference/osdi12/technical-sessions/presentation/giffin},
publisher = {USENIX Association},
month = oct
}
Twitter
Facebook
LinkedIn
Google+
YouTube
connect with us