SafeWeb: A Middleware for Securing Ruby-Based Web Applications

Hosek, Petr and Migliavacca, Matteo and Papagiannis, Ioannis and Eyers, David M. and Evans, David and Shand, Brian and Bacon, Jean and Pietzuch, Peter (2011) SafeWeb: A Middleware for Securing Ruby-Based Web Applications. In: Middleware 2011 ACM/IFIP/USENIX 12th International Middleware Conference. Lecture Notes in Computer Science. Springer, Berlin, Germany, pp. 491-511. ISBN 978-3-642-25820-6. E-ISBN 978-3-642-25821-3. (doi:10.1007/978-3-642-25821-3_25) (KAR id:31860)

Language: English
Official URL: http://dx.doi.org/10.1007/978-3-642-25821-3_25

Abstract

Web applications in many domains such as healthcare and finance must process sensitive data, while complying with legal policies regarding the release of different classes of data to different parties. Currently, software bugs may lead to irreversible disclosure of confidential data in multi-tier web applications. An open challenge is how developers can guarantee these web applications only ever release sensitive data to authorised users without costly, recurring security audits.

Our solution is to provide a trusted middleware that acts as a “safety net” to event-based enterprise web applications by preventing harmful data disclosure before it happens. We describe the design and implementation of SafeWeb, a Ruby-based middleware that associates data with security labels and transparently tracks their propagation at different granularities across a multi-tier web architecture with storage and complex event processing. For efficiency, maintainability and ease-of-use, SafeWeb exploits the dynamic features of the Ruby programming language to achieve label propagation and data flow enforcement. We evaluate SafeWeb by reporting our experience of implementing a web-based cancer treatment application and deploying it as part of the UK National Health Service (NHS).

Item Type: Book section
DOI/Identification number: 10.1007/978-3-642-25821-3_25
Uncontrolled keywords: National Health Service, Security Policy, Security Requirement, Access Control Model, Complex Event Processing
Subjects: Q Science > QA Mathematics (inc Computing science) > QA 76 Software, computer programming,
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
Depositing User: Matteo Migliavacca
Date Deposited: 23 Oct 2012 20:26 UTC
Last Modified: 16 Nov 2021 10:09 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/31860 (The current URI for this page, for reference purposes)
Migliavacca, Matteo: https://orcid.org/0000-0002-5684-4865