Hdl Handle:
http://hdl.handle.net/10545/304942
Title:
SafeWeb: a Middleware for securing Ruby-based web applications
Authors:
Hosek, Petr; Migliavacca, Matteo; Papagiannis, Ioannis; Eyers, David M.; Evans, David; Shand, Brian; Bacon, Jean; Pietzuch, Peter
Abstract:
Web applications in many domains such as healthcare and finance must process sensitive data, while complying with legal policies regarding the release of different classes of data to different parties. Currently, software bugs may lead to irreversible disclosure of confidential data in multi-tier web applications. An open challenge is how developers can guarantee these web applications only ever release sensitive data to authorised users without costly, recurring security audits. Our solution is to provide a trusted middleware that acts as a “safety net” to event-based enterprise web applications by preventing harmful data disclosure before it happens. We describe the design and implementation of SafeWeb, a Ruby-based middleware that associates data with security labels and transparently tracks their propagation at different granularities across a multi-tier web architecture with storage and complex event processing. For efficiency, maintainability and ease-of-use, SafeWeb exploits the dynamic features of the Ruby programming language to achieve label propagation and data flow enforcement. We evaluate SafeWeb by reporting our experience of implementing a web-based cancer treatment application and deploying it as part of the UK National Health Service (NHS).
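The abstract gives the mechanism only in outline: data is bound to security labels, the labels follow the data through computation by way of Ruby's dynamic features, and a trusted component enforces them before anything leaves the system. The Ruby sketch below is an added illustration of that idea written for this page; it is not SafeWeb's code or API. The class names (Label, Labelled, ReleasePoint), the label model (a set of confidentiality tags that must be covered by the recipient's clearance) and the sample patient strings are assumptions constructed for the example.

```ruby
require 'set'

# Added example, not SafeWeb's code. The class names and the label model (a set
# of confidentiality tags that must be covered by a clearance) are assumptions.

# A confidentiality label: a set of tags such as :patient_identity.
class Label
  attr_reader :tags

  def initialize(*tags)
    @tags = tags.to_set.freeze
  end

  # A result derived from two inputs is as sensitive as both: join = union.
  def join(other)
    Label.new(*(@tags | other.tags))
  end

  # Data may flow to a recipient only if the clearance covers every tag.
  def flows_to?(clearance)
    @tags.subset?(clearance.tags)
  end

  def to_s
    "{#{@tags.to_a.sort.join(', ')}}"
  end
end

# Labelled wraps a value and forwards method calls to it via method_missing,
# relabelling each result with the join of every label involved, so application
# code computes on the data as usual while labels propagate transparently.
class Labelled
  attr_reader :label

  def initialize(value, label)
    @value, @label = value, label
  end

  def method_missing(name, *args, &block)
    return super unless @value.respond_to?(name)
    # A block would see the raw value; refuse rather than leak it.
    raise ArgumentError, "blocks are not allowed on labelled data" if block
    labels = [@label] + args.grep(Labelled).map(&:label)
    plain  = args.map { |a| a.is_a?(Labelled) ? a.__value__ : a }
    Labelled.new(@value.public_send(name, *plain), labels.reduce(:join))
  end

  # Never reveal the raw value through inspect or p by accident.
  def inspect
    "#<Labelled #{@label}>"
  end

  protected

  # Raw access: reachable from other Labelled instances (argument unwrapping)
  # and from the trusted ReleasePoint below via __send__; nowhere else.
  def __value__
    @value
  end
end

# The one trusted place where labelled data is unwrapped: it checks the label
# against the recipient's clearance and logs the decision before releasing.
class ReleasePoint
  class Denied < StandardError; end
  attr_reader :audit_log

  def initialize
    @audit_log = []
  end

  def release(labelled, recipient:, clearance:)
    unless labelled.label.flows_to?(clearance)
      @audit_log << "DENY #{recipient}: #{labelled.label} not covered by #{clearance}"
      raise Denied, "#{recipient} may not receive data labelled #{labelled.label}"
    end
    @audit_log << "ALLOW #{recipient}: #{labelled.label}"
    labelled.__send__(:__value__)
  end
end

# Constructed scenario (sample strings, not real records); returns the outcomes.
def demo_label_tracking
  name      = Labelled.new("Alice Example", Label.new(:patient_identity))
  diagnosis = Labelled.new("stage II", Label.new(:diagnosis))
  summary   = name.upcase + ": " + diagnosis  # label becomes {diagnosis, patient_identity}
  count     = diagnosis.length                # derived integers keep the label too
  gate      = ReleasePoint.new
  clinician = gate.release(summary, recipient: "clinician",
                           clearance: Label.new(:patient_identity, :diagnosis))
  stats     = gate.release(count, recipient: "statistics", clearance: Label.new(:diagnosis))
  leaked    = begin
    gate.release(summary, recipient: "statistics", clearance: Label.new(:diagnosis))
    true
  rescue ReleasePoint::Denied
    false
  end
  { clinician: clinician, stats: stats, leaked: leaked,
    summary_tags: summary.label.tags.to_a.sort, log: gate.audit_log }
end
```

The application code in demo_label_tracking never touches a label, yet the summary built from a patient's name and diagnosis carries both tags and is refused to a recipient cleared for diagnoses only, while the diagnosis length, which carries only the diagnosis tag, is released. The sketch works at whole-value granularity and refuses blocks outright; a deployable system must also handle finer granularities, implicit flows, and the storage and event-processing tiers the abstract mentions, which is the ground the paper covers.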
Affiliation:
Imperial College London; University of Cambridge; ECRIC, National Health Service; University of Otago
Citation:
Petr Hosek, Matteo Migliavacca, Ioannis Papagiannis, David M. Eyers, David Evans, Brian Shand, Jean Bacon, and Peter Pietzuch. 2011. SafeWeb: a middleware for securing ruby-based web applications. In Proceedings of the 12th ACM/IFIP/USENIX international conference on Middleware (Middleware'11), Fabio Kon and Anne-Marie Kermarrec (Eds.). Springer-Verlag, Berlin, Heidelberg, 491-511. DOI=10.1007/978-3-642-25821-3_25 http://dx.doi.org/10.1007/978-3-642-25821-3_25
Publisher:
Springer
Journal:
ACM/IFIP/USENIX 12th International Middleware Conference, Lisbon, Portugal, December 12-16, 2011. Proceedings
Issue Date:
12-Dec-2011
URI:
http://hdl.handle.net/10545/304942
DOI:
10.1007/978-3-642-25821-3_25
Type:
Article
Language:
en
Sponsors:
EPSRC
Appears in Collections:
Department of Electronics, Computing & Maths

Full metadata record

DC Field | Value | Language
dc.contributor.author | Hosek, Petr | en
dc.contributor.author | Migliavacca, Matteo | en
dc.contributor.author | Papagiannis, Ioannis | en
dc.contributor.author | Eyers, David M. | en
dc.contributor.author | Evans, David | en
dc.contributor.author | Shand, Brian | en
dc.contributor.author | Bacon, Jean | en
dc.contributor.author | Pietzuch, Peter | en
dc.date.accessioned | 2013-11-04T14:21:59Z | -
dc.date.available | 2013-11-04T14:21:59Z | -
dc.date.issued | 2011-12-12 | -
dc.identifier.citation | Petr Hosek, Matteo Migliavacca, Ioannis Papagiannis, David M. Eyers, David Evans, Brian Shand, Jean Bacon, and Peter Pietzuch. 2011. SafeWeb: a middleware for securing ruby-based web applications. In Proceedings of the 12th ACM/IFIP/USENIX international conference on Middleware (Middleware'11), Fabio Kon and Anne-Marie Kermarrec (Eds.). Springer-Verlag, Berlin, Heidelberg, 491-511. DOI=10.1007/978-3-642-25821-3_25 http://dx.doi.org/10.1007/978-3-642-25821-3_25 | en
dc.identifier.doi | 10.1007/978-3-642-25821-3_25 | -
dc.identifier.uri | http://hdl.handle.net/10545/304942 | en
dc.description.abstract | Web applications in many domains such as healthcare and finance must process sensitive data, while complying with legal policies regarding the release of different classes of data to different parties. Currently, software bugs may lead to irreversible disclosure of confidential data in multi-tier web applications. An open challenge is how developers can guarantee these web applications only ever release sensitive data to authorised users without costly, recurring security audits. Our solution is to provide a trusted middleware that acts as a “safety net” to event-based enterprise web applications by preventing harmful data disclosure before it happens. We describe the design and implementation of SafeWeb, a Ruby-based middleware that associates data with security labels and transparently tracks their propagation at different granularities across a multi-tier web architecture with storage and complex event processing. For efficiency, maintainability and ease-of-use, SafeWeb exploits the dynamic features of the Ruby programming language to achieve label propagation and data flow enforcement. We evaluate SafeWeb by reporting our experience of implementing a web-based cancer treatment application and deploying it as part of the UK National Health Service (NHS). | en
dc.description.sponsorship | EPSRC | en
dc.language.iso | en | en
dc.publisher | Springer | en
dc.subject | Middleware | en
dc.subject | Security | en
dc.subject | Information flow control | en
dc.title | SafeWeb: a Middleware for securing Ruby-based web applications | en
dc.type | Article | en
dc.contributor.department | Imperial College London | en
dc.contributor.department | University of Cambridge | en
dc.contributor.department | ECRIC, National Health Service | en
dc.contributor.department | University of Otago | en
dc.identifier.journal | ACM/IFIP/USENIX 12th International Middleware Conference, Lisbon, Portugal, December 12-16, 2011. Proceedings | en