Hails: Protecting Data Privacy in Untrusted Web Applications
Paper in proceedings, 2012

Modern extensible web platforms like Facebook and Yammer depend on third-party software to offer a rich experience to their users. Unfortunately, users running a third-party “app” have little control over what it does with their private data. Today’s platforms offer only ad-hoc constraints on app behavior, leaving users an unfortunate trade-off between convenience and privacy. A principled approach to code confinement could allow the integration of untrusted code while enforcing flexible, end-to-end policies on data access. This paper presents a new web framework, Hails, that adds mandatory access control and a declarative policy language to the familiar MVC architecture. We demonstrate the flexibility of Hails through GitStar.com, a code-hosting website that enforces robust privacy policies on user data even while allowing untrusted apps to deliver extended features to users.

Author

Daniel B. Giffin

Amit Levy

Deian Stefan

David Terei

David Mazières

John Mitchell

Alejandro Russo

Chalmers, Computer Science and Engineering (Chalmers), Software Technology (Chalmers)

Symposium on Operating Systems Design and Implementation

Areas of Advance

Information and Communication Technology

Subject Categories

Language Technology (Computational Linguistics)

Computer and Information Science

Information Science