(EPSRC "Pathway to Impact" Grant EP/I501053)
Web applications in areas such as healthcare, financial processing and government services must selectively expose sensitive data to authorised sets of web users. For example, a cancer researcher may want to query a centralised patient database over the web for anonymised health records of patients that have a given type of cancer. The costs of inadvertently disclosing confidential data to the wrong users due to implementation errors in web applications are highhospitals and medical practitioners in the UK are legally liable for unauthorised disclosure of patient data without prior consent. Enforcing a data protection policy end-to-end, i.e. across an entire multi-tier web application, is challenging. An implementation error in any tier of a web application may result in unauthorised data disclosure. Developers may introduce software bugs inadvertently, or based on misunderstandings of requirements. Achieving correctness is even more challenging for web applications that process different types of data from multiple domains, such as hospitals, laboratories and insurance providers, each with their own security requirements.
Our solution is to propose a middleware that implements a safety net by providing a data-centric security approach that integrates well with multi-tier web applications. Our middleware is based on two key ideas: It decouples the processing of confidential data from the handling of web requests. In addition, it tracks data as it flows through the web application in order to ensure its confidentiality and integrity. This means that implementation bugs in the web request handling logic cannot cause any unauthorised confidential data to be disclosed. By tracking data propagation by means of security labels, the middleware performs automatic and appropriate compliance checks at the boundaries between application components, without relying on developer support. This reduces the effort required for security audits.
SafeWeb consists of two parts: an event processing backend (left), which realises the application logic, and a web frontend (right), which handles users requests based on processing results.
Application logic in SafeWeb is implemented in an event-based fashion through one or more processing units, which produce and/or consume events. This architecture largely decouples the processing of confidential data from the handling of web requests and creates a unidirectional data flow from the backend to the frontend. The event processing backend hosts the application logic for processing confidential data. Events are created from confidential data retrieved from a data source (illustrated as the Main Database in the figure) and labelled appropriately. Event Processing Units act as generators, filters or processors of events and exchange labelled events through an IFC-aware Event Broker. Units are constrained in their operation by the Event Processing Engine. Its IFC Jail controls communication of units with the environment and preserves labels during event communication. Privileges for units over specific labels are configured through a data flow Policy. Result events are stored with appropriate labels in an Application Database after processing.
The web frontend serves synchronous web requests from users by accessing the application database. State that is specific to a given web session is stored in a separate Web Database to isolate it from application data. Labels from the application database are propagated in the web application by SafeWebs runtime Taint Tracking library and are checked when generating responses. As a result, security labels are associated with data throughout the processing pipeline and checked at boundaries between components with respect to the application policy.
The list of SmartFlow related publications can be found in the corresponding section of this website.
This work was supported by grants EP/F042469 and EP/F044216 (``SmartFlow: Extendable Event-Based Middleware'') and EP/I501053 ("Pathway to Impact") from the UK Engineering and Physical Sciences Research Council (EPSRC).