SaTC: CORE: Medium: WebSheets: A New Privacy-Centric Framework for Web Applications

SaTC：核心：媒介：WebSheets：一种新的以隐私为中心的 Web 应用程序框架

基本信息

批准号：
2153056
负责人：
Ramasubramanian Sekar
金额：
$ 101.93万
依托单位：
SUNY at Stony Brook
依托单位国家：
美国
项目类别：
Standard Grant
财政年份：
2022
资助国家：
美国
起止时间：
2022-10-01 至 2026-09-30
项目状态：
未结题

来源：
https://www.nsf.gov/awardsearch/showAward?AWD_ID=2153056&HistoricalAwards=false
关键词：
SaTC CORE Medium WebSheets New

项目摘要

The success of spreadsheets stems from an average user's ability to create applications in a tabular format without needing traditional programming skills. This project develops a novel formulation of spreadsheets called WebSheets for developing privacy-centric web applications. A WebSheets user need only master a skill set comparable to a conventional spreadsheet user in order to develop web applications centered around organizing and interacting with sensitive, tabular data. Key outcomes will include a WebSheet formula language and compiler, a secure and efficient evaluation engine for this language, and novel analysis and learning techniques to help users understand and improve policies and debug policy errors.WebSheets addresses many key intellectual challenges in securing today's web applications. As defenses against lower-level vulnerabilities (e.g., SQL injection) are more widely deployed, attackers target higher-level errors such as missing or incorrect access policies and their enforcement. These attacks are effective because today's data owners cannot directly express their desired policies. Moreover, ensuring the correct placement of all necessary security checks is a hard problem. Finally, implementation vulnerabilities may be exploited by attackers to bypass policies. WebSheets addresses these challenges by globally enforcing data owners' privacy policies, and using least-privilege evaluation to bound damage from vulnerabilities. Data privacy and security are important problems facing the society. This project provides a technical basis for data owners to gain control over the use and dissemination of institutional and/or personal data. Project results will be disseminated via publications and open-source software hosted at http://seclab.cs.stonybrook.edu/This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

电子表格的成功源于普通用户无需传统编程技能即可以表格格式创建应用程序的能力。该项目开发了一种称为 WebSheets 的新型电子表格形式，用于开发以隐私为中心的 Web 应用程序。 WebSheets 用户只需掌握与传统电子表格用户相当的技能，即可开发以敏感表格数据的组织和交互为中心的 Web 应用程序。主要成果将包括 WebSheet 公式语言和编译器、该语言的安全高效评估引擎以及帮助用户理解和改进策略并调试策略错误的新颖分析和学习技术。WebSheets 解决了保护当今 Web 应用程序的许多关键智力挑战。随着针对较低级别漏洞（例如 SQL 注入）的防御措施得到更广泛的部署，攻击者会瞄准较高级别的错误，例如缺少或不正确的访问策略及其执行。这些攻击之所以有效，是因为当今的数据所有者无法直接表达他们想要的策略。此外，确保正确设置所有必要的安全检查也是一个难题。最后，攻击者可能会利用实施漏洞来绕过策略。 WebSheets 通过在全球范围内执行数据所有者的隐私策略并使用最小权限评估来限制漏洞造成的损害来解决这些挑战。数据隐私和安全是社会面临的重要问题。该项目为数据所有者控制机构和/或个人数据的使用和传播提供了技术基础。项目结果将通过 http://seclab.cs.stonybrook.edu/ 上托管的出版物和开源软件传播。该奖项反映了 NSF 的法定使命，并通过使用基金会的智力优点和更广泛的影响审查进行评估，被认为值得支持标准。