Blockaid: Data Access Policy Enforcement for Web Applications

Wen Zhang; Eric Sheng; Michael Chang; Aurojit Panda; Mooly Sagiv; Scott Shenker

Blockaid: Data Access Policy Enforcement for Web Applications

Wen Zhang, Eric Sheng, Michael Chang, Aurojit Panda, Mooly Sagiv, Scott Shenker

School of Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

3 Scopus citations

Abstract

Modern web applications serve large amounts of sensitive user data, access to which is typically governed by data-access policies. Enforcing such policies is crucial to preventing improper data access, and prior work has proposed many enforcement mechanisms. However, these prior methods either alter application semantics or require adopting a new programming model; the former can result in unexpected application behavior, while the latter cannot be used with existing web frameworks. Blockaid is an access-policy enforcement system that preserves application semantics and is compatible with existing web frameworks. It intercepts database queries from the application, attempts to verify that each query is policy-compliant, and blocks queries that are not. It verifies policy compliance using SMT solvers and generalizes and caches previous compliance decisions for better performance. We show that Blockaid supports existing web applications while requiring minimal code changes and adding only modest overheads.

Original language	English
Title of host publication	Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022
Publisher	USENIX Association
Pages	701-718
Number of pages	18
ISBN (Electronic)	9781939133281
State	Published - 2022
Event	16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022 - Carlsbad, United States Duration: 11 Jul 2022 → 13 Jul 2022

Publication series

Name	Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022

Conference

Conference	16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022
Country/Territory	United States
City	Carlsbad
Period	11/07/22 → 13/07/22

Funding

Funders	Funder number
National Science Foundation	2145471, 1817116
Intel Corporation
VMware

Cite this

Zhang, W., Sheng, E., Chang, M., Panda, A., Sagiv, M., & Shenker, S. (2022). Blockaid: Data Access Policy Enforcement for Web Applications. In Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022 (pp. 701-718). (Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022). USENIX Association.

@inproceedings{82054b4f4e954208ac7653cc3c52af35,

title = "Blockaid: Data Access Policy Enforcement for Web Applications",

abstract = "Modern web applications serve large amounts of sensitive user data, access to which is typically governed by data-access policies. Enforcing such policies is crucial to preventing improper data access, and prior work has proposed many enforcement mechanisms. However, these prior methods either alter application semantics or require adopting a new programming model; the former can result in unexpected application behavior, while the latter cannot be used with existing web frameworks. Blockaid is an access-policy enforcement system that preserves application semantics and is compatible with existing web frameworks. It intercepts database queries from the application, attempts to verify that each query is policy-compliant, and blocks queries that are not. It verifies policy compliance using SMT solvers and generalizes and caches previous compliance decisions for better performance. We show that Blockaid supports existing web applications while requiring minimal code changes and adding only modest overheads.",

author = "Wen Zhang and Eric Sheng and Michael Chang and Aurojit Panda and Mooly Sagiv and Scott Shenker",

note = "Publisher Copyright: {\textcopyright} 2022 by The USENIX Association. All rights reserved.; 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022 ; Conference date: 11-07-2022 Through 13-07-2022",

year = "2022",

language = "אנגלית",

series = "Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022",

publisher = "USENIX Association",

pages = "701--718",

booktitle = "Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022",

}

Zhang, W, Sheng, E, Chang, M, Panda, A, Sagiv, M & Shenker, S 2022, Blockaid: Data Access Policy Enforcement for Web Applications. in Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022. Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022, USENIX Association, pp. 701-718, 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022, Carlsbad, United States, 11/07/22.

Blockaid: Data Access Policy Enforcement for Web Applications. / Zhang, Wen; Sheng, Eric; Chang, Michael et al.
Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022. USENIX Association, 2022. p. 701-718 (Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Blockaid

T2 - 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022

AU - Zhang, Wen

AU - Sheng, Eric

AU - Chang, Michael

AU - Panda, Aurojit

AU - Sagiv, Mooly

AU - Shenker, Scott

PY - 2022

Y1 - 2022

N2 - Modern web applications serve large amounts of sensitive user data, access to which is typically governed by data-access policies. Enforcing such policies is crucial to preventing improper data access, and prior work has proposed many enforcement mechanisms. However, these prior methods either alter application semantics or require adopting a new programming model; the former can result in unexpected application behavior, while the latter cannot be used with existing web frameworks. Blockaid is an access-policy enforcement system that preserves application semantics and is compatible with existing web frameworks. It intercepts database queries from the application, attempts to verify that each query is policy-compliant, and blocks queries that are not. It verifies policy compliance using SMT solvers and generalizes and caches previous compliance decisions for better performance. We show that Blockaid supports existing web applications while requiring minimal code changes and adding only modest overheads.

AB - Modern web applications serve large amounts of sensitive user data, access to which is typically governed by data-access policies. Enforcing such policies is crucial to preventing improper data access, and prior work has proposed many enforcement mechanisms. However, these prior methods either alter application semantics or require adopting a new programming model; the former can result in unexpected application behavior, while the latter cannot be used with existing web frameworks. Blockaid is an access-policy enforcement system that preserves application semantics and is compatible with existing web frameworks. It intercepts database queries from the application, attempts to verify that each query is policy-compliant, and blocks queries that are not. It verifies policy compliance using SMT solvers and generalizes and caches previous compliance decisions for better performance. We show that Blockaid supports existing web applications while requiring minimal code changes and adding only modest overheads.

UR - http://www.scopus.com/inward/record.url?scp=85141067788&partnerID=8YFLogxK

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:85141067788

T3 - Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022

SP - 701

EP - 718

BT - Proceedings of the 16th USENIX Symposium on Operating Systems Design and Implementation, OSDI 2022

PB - USENIX Association

Y2 - 11 July 2022 through 13 July 2022

ER -

Blockaid: Data Access Policy Enforcement for Web Applications

Abstract

Publication series

Conference

Funding

Other files and links

Fingerprint

Cite this