SaTC: CORE: Medium: WebSheets: A New Privacy-Centric Framework for Web Applications

SaTC：核心：媒介：WebSheets：一种新的以隐私为中心的 Web 应用程序框架

• 批准号: 2153056
• 负责人: Ramasubramanian Sekar
• 金额: $ 101.93万
• 依托单位: SUNY at Stony Brook
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-10-01 至 2026-09-30
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2153056&HistoricalAwards=false
• 关键词: SaTC; CORE; Medium; WebSheets; New

The success of spreadsheets stems from an average user's ability to create applications in a tabular format without needing traditional programming skills. This project develops a novel formulation of spreadsheets called WebSheets for developing privacy-centric web applications. A WebSheets user need only master a skill set comparable to a conventional spreadsheet user in order to develop web applications centered around organizing and interacting with sensitive, tabular data. Key outcomes will include a WebSheet formula language and compiler, a secure and efficient evaluation engine for this language, and novel analysis and learning techniques to help users understand and improve policies and debug policy errors.WebSheets addresses many key intellectual challenges in securing today's web applications. As defenses against lower-level vulnerabilities (e.g., SQL injection) are more widely deployed, attackers target higher-level errors such as missing or incorrect access policies and their enforcement. These attacks are effective because today's data owners cannot directly express their desired policies. Moreover, ensuring the correct placement of all necessary security checks is a hard problem. Finally, implementation vulnerabilities may be exploited by attackers to bypass policies. WebSheets addresses these challenges by globally enforcing data owners' privacy policies, and using least-privilege evaluation to bound damage from vulnerabilities. Data privacy and security are important problems facing the society. This project provides a technical basis for data owners to gain control over the use and dissemination of institutional and/or personal data. Project results will be disseminated via publications and open-source software hosted at http://seclab.cs.stonybrook.edu/This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

电子表格的成功源于普通用户以表格格式创建应用程序而无需传统编程技能的能力。该项目开发了一个新颖的电子表格表格，称为Websheets，用于开发以隐私为中心的Web应用程序。 Websheets用户只需要掌握与传统电子表格用户相当的技能集，以开发以组织和与敏感的表格数据进行组织和互动的Web应用程序。关键结果将包括网络表公式语言和编译器，该语言的安全有效评估引擎以及新颖的分析和学习技巧，以帮助用户理解和改善策略和调试策略错误。WebSheets解决了确保当今网络应用程序的许多关键知识挑战。随着防御较低漏洞（例如，SQL注入）的防御能力更广泛地部署，攻击者针对较高级别的错误，例如丢失或不正确的访问策略及其执行。这些攻击之所以有效，是因为当今的数据所有者无法直接表达其所需的政策。此外，确保正确放置所有必要的安全检查是一个难题。最后，攻击者可以利用实施漏洞来绕过政策。网络表通过全球执行数据所有者的隐私政策，并使用最小特权评估来解决这些挑战，以限制漏洞的损害。数据隐私和安全是社会面临的重要问题。该项目为数据所有者提供了对机构和/或个人数据的使用和传播的控制的技术基础。项目结果将通过出版物和开源软件进行传播标准。

项目成果

SAFER: Efficient and Error-Tolerant Binary Instrumentation

• 发表时间: 2023
• 作者: S. Priyadarshan;Huan Nguyen;Rohit Chouhan;R. Sekar

WebSheets: A New Privacy-Centric Framework for Web Applications

WebSheets：一种新的以隐私为中心的 Web 应用程序框架

• DOI: 10.1145/3589608.3593816
• 发表时间: 2023
• 期刊: Proceedings of the 28th ACM Symposium on Access Control Models and Technologies (SACMAT 2023
• 作者: Stoller, Scott D.