SaTC: CORE: Medium: WebSheets: A New Privacy-Centric Framework for Web Applications

SaTC：核心：媒介：WebSheets：一种新的以隐私为中心的 Web 应用程序框架

• 批准号: 2153056
• 负责人: Ramasubramanian Sekar
• 金额: $ 101.93万
• 依托单位: SUNY at Stony Brook
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-10-01 至 2026-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2153056&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; WebSheets; New

The success of spreadsheets stems from an average user's ability to create applications in a tabular format without needing traditional programming skills. This project develops a novel formulation of spreadsheets called WebSheets for developing privacy-centric web applications. A WebSheets user need only master a skill set comparable to a conventional spreadsheet user in order to develop web applications centered around organizing and interacting with sensitive, tabular data. Key outcomes will include a WebSheet formula language and compiler, a secure and efficient evaluation engine for this language, and novel analysis and learning techniques to help users understand and improve policies and debug policy errors.WebSheets addresses many key intellectual challenges in securing today's web applications. As defenses against lower-level vulnerabilities (e.g., SQL injection) are more widely deployed, attackers target higher-level errors such as missing or incorrect access policies and their enforcement. These attacks are effective because today's data owners cannot directly express their desired policies. Moreover, ensuring the correct placement of all necessary security checks is a hard problem. Finally, implementation vulnerabilities may be exploited by attackers to bypass policies. WebSheets addresses these challenges by globally enforcing data owners' privacy policies, and using least-privilege evaluation to bound damage from vulnerabilities. Data privacy and security are important problems facing the society. This project provides a technical basis for data owners to gain control over the use and dissemination of institutional and/or personal data. Project results will be disseminated via publications and open-source software hosted at http://seclab.cs.stonybrook.edu/This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

电子表格的成功源于普通用户能够以表格格式创建应用程序，而不需要传统的编程技能。该项目开发了一种新的电子表格公式，称为WebSheets，用于开发以隐私为中心的Web应用程序。WebSheets用户只需要掌握与传统电子表格用户相当的技能，就可以开发以组织敏感的表格数据并与之交互为中心的Web应用程序。主要成果将包括WebSheet公式语言和编译器、针对该语言的安全高效的评估引擎，以及帮助用户理解和改进策略并调试策略错误的新颖分析和学习技术。WebSheets解决了当今Web应用程序安全方面的许多关键智力挑战。作为对较低级别漏洞的防御（例如，SQL注入）被更广泛地部署，攻击者的目标是更高级别的错误，如丢失或不正确的访问策略及其实施。这些攻击是有效的，因为今天的数据所有者无法直接表达他们想要的策略。此外，确保所有必要的安全检查的正确位置是一个难题。最后，攻击者可能会利用实现漏洞绕过策略。WebSheets通过在全球范围内强制执行数据所有者的隐私政策，并使用最小特权评估来限制漏洞造成的损害，从而解决了这些挑战。数据隐私和安全是社会面临的重要问题。该项目为数据所有者控制机构和/或个人数据的使用和传播提供了技术基础。项目成果将通过www.example.com上的出版物和开源软件传播http://seclab.cs.stonybrook.edu/This奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

SAFER: Efficient and Error-Tolerant Binary Instrumentation

• 发表时间: 2023
• 作者: S. Priyadarshan;Huan Nguyen;Rohit Chouhan;R. Sekar

WebSheets: A New Privacy-Centric Framework for Web Applications

WebSheets：一种新的以隐私为中心的 Web 应用程序框架

• DOI: 10.1145/3589608.3593816
• 发表时间: 2023
• 期刊: Proceedings of the 28th ACM Symposium on Access Control Models and Technologies (SACMAT 2023
• 作者: Stoller, Scott D.