1. Field of the Invention
This invention relates to establishing and enforcing security and privacy policies in web-based applications by controlling the way in which data is represented and handled by the web application and by controlling the communication of the data between web browsers and the various components of the web application.
2. Related Art
In the last few decades, society has experienced an explosive development in information technology and its application in both government and corporate sectors. Computer systems and computer networks are being increasingly used to manage, communicate, and manipulate information, and to establish all sorts of transactions. This boom in computer systems and computer technology and, in particular, the establishment of the World-wide Web (WWW or “Web”), which is part of the Internet, as a pervasive medium of communication have contributed to create an environment in which web-based applications act as key components of government agencies and corporations. The technology boom and the new role of the WWW in society have all contributed to the growth of various disciplines associated with web development. Under such disciplines, static, brochure-oriented websites have given way to web-based applications that dynamically interact with web users via integrated, heterogeneous applications in multi-tier web environments.
The global nature of the WWW, and the increasing dependence organizations have on web-based applications, has also revealed its shortcomings. Web-based applications run vital processes, store sensitive information, and are accessible 24 hours a day, seven days a week, to potential attackers. For example, sensitive data, which is typically accessed within web-based applications as proprietary information, financial records, etc., can be stolen, deleted, and/or modified by an attacker. Hence, there is a need for web-based applications having reliable security and that are capable of enforcing privacy policies.
Web security violations are occurring with increasing frequency, as shown by various statistics, including, for example, at www.cert.org, which is the website for the Computer Emergency Response Team (CERT) at the Software Engineering Institute (SEI), Carnegie Mellon University, Pittsburgh, Pa. Moreover, we are presented with a non-stop flood of security advisories, which makes it apparent that the necessary security precautions and concerns were not given sufficient consideration during the recent expansion of the Web and web development technologies.
These security problems have been addressed with certain infrastructure security solutions, such as, for example, firewalls, network or host-based intrusion detection systems (IDS), and intrusion prevention systems (IPS). It is, however, apparent from the statistics discussed above that present web-based applications are not completely protected by these mechanisms.
These problems have also been addressed by tailoring and enforcing security policies for each web application in order to restrict the access that users have to the application program interfaces (APIs) in the back end of a web application, which are discussed in further detail below. However, if a web application does not establish sufficiently restrictive access policies, any user could forward data, e.g., by crafting a special page request or cookie, to the web application, which in turn would be formatted and forwarded to one of the APIs in the back end of the web application, where it might be interpreted as a compliant (but security-policy-violating) instruction and result in a successful attack. The impact of such web application attacks can be critical, as the attacker might be able to control the databases at will, bypass authentication mechanisms, execute arbitrary code on the web applications' server, or even on other users' computers (e.g., by cross-site scripting attacks), etc.
Many conventional security modules for addressing web application security are lacking in functionality and do not completely and reliably prevent the types of attacks discussed above. Such modules combine signature-based attack detection with certain additional statistic-based methods. Often they are provided as stand-alone computers installed between the firewall/IDS and the web server (i.e., they must be run on a computer separate from the one on which the servers are hosted). These conventional approaches tend to be expensive, because they must run on very fast and efficient machines, so as not to slow down the web application. These conventional security modules are also difficult to configure, because a specialized technician is often required to adapt the security system to the custom configuration of the web application. Moreover, these approaches are largely unable to distinguish between permitted and forbidden operations with an acceptable incidence of false-positive and false-negative alerts—so that some attacks will go through undetected and some compliant commands will be blocked.
Another aspect of the web application problem concerns the privacy of data stored in web applications that one wishes to protect, e.g., personal, confidential, financial, health-related, or other types of sensitive information, transmitted between users and web applications. Such data may be the target of the exploitation methods discussed above, as well as other types of attacks. Typically, a web application may require personal data for processing by the back end web application, but such information should be handled in accordance with a preset privacy policy.
For example, credit card information for clients of a web-based retailer, i.e., an “e-tailer,” should be available to the business application that processes the sales transactions, and it may also be available to its owner during use of the web application, e.g., so the owner can store and modify such information for use in making future purchases. However, no user should be able to access another user's credit-card information.
Conventional web scripting languages, such as those mentioned above, do not include explicit mechanisms to prevent the theft of private information. As a result, an attacker may take advantage of a development error in the presentation layer (i.e., front end) or logical layer (i.e., middle end) of the web-based application to obtain, delete, or manipulate sensitive information. For example, in the case of a web-based e-tailer, an attacker may be able to steal the complete credit card database and/or process unauthorized purchase orders. Such development flaws and/or errors are far more complex than described above, and in fact, can be very difficult to detect and eradicate. Moreover, improper implementation and enforcement of privacy policies may result in immediate harm to users and may also damage the reputation of the organization that owns the web-based application.
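As an added illustration (not code from the patent) of the e-tailer privacy policy stated above and of the attack path in which a crafted request or cookie is forwarded unchecked to a back-end API, the following constructed Python module places a policy check between the front end and the back end; the users, roles and card records are hypothetical sample data.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CardRecord:
    owner: str   # user who owns the card
    last4: str   # constructed sample value, not a real card number


# Constructed sample back-end database (hypothetical data).
CARDS = {
    "card-1": CardRecord(owner="alice", last4="4242"),
    "card-2": CardRecord(owner="bob", last4="1111"),
}


def policy_allows(principal: str, role: str, action: str, record: CardRecord) -> bool:
    """Privacy policy from the text: the sales-processing component may read any
    card to settle a transaction; a user may read or modify only their own card."""
    if role == "sales_processor":
        return action == "read"
    if role == "user":
        return action in ("read", "modify") and principal == record.owner
    return False


def backend_lookup(card_id: str) -> CardRecord:
    """Back-end API: trusts whatever identifier the front end forwards to it."""
    return CARDS[card_id]


def vulnerable_handler(request: dict) -> str:
    """Front end with no policy layer: identity is taken from a client-set cookie,
    the card id from the query string, and both are forwarded straight to the back end."""
    user = request["cookies"]["user"]   # attacker-controlled; never compared with the owner
    return backend_lookup(request["query"]["card"]).last4


def enforcing_handler(session_user: str, role: str, action: str, request: dict) -> Optional[str]:
    """Front end that checks the policy against the server-side session identity before
    releasing any data; identity never comes from the request itself."""
    record = CARDS.get(request["query"]["card"])
    if record is None or not policy_allows(session_user, role, action, record):
        return None   # denied: same response whether or not the record exists
    return record.last4


def demo() -> tuple:
    # Constructed request: bob's session, but asking for alice's card.
    crafted = {"cookies": {"user": "bob"}, "query": {"card": "card-1"}}
    leaked = vulnerable_handler(crafted)                                          # "4242"
    blocked = enforcing_handler("bob", "user", "read", crafted)                    # None
    settled = enforcing_handler("checkout", "sales_processor", "read", crafted)    # "4242"
    return leaked, blocked, settled
```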
To our knowledge, today, no other solutions have been proposed for enforcing privacy policies in web applications. However, some conventional security products serve this purpose implicitly. These conventional products for and approaches to enforcing privacy policies generally lack flexibility and expressiveness. The “Privacy Bird” relates to privacy policy visualization (Lorrie Faith Cranor, Manjula Arjula, and Praveen Guduru, “Use of a P3P user agent by early adopters”, WPES '02: Proceedings of the 2002 ACM workshop on Privacy in the Electronic Society, Washington, D.C., ACM Press, pp. 1-10, 2002, ISBN 1-58113-633-1); as well as the efforts of the World Wide Web Consortium to establish a common language for describing privacy policies (“The Platform for Privacy Preferences 1.0 (P3P1.0) Specification”, L. F. Cranor, M. Langheinrich, M. Marchiori, M. Presler-Marshal, and J. Reagle, World Wide Web Consortium Recommendation. URL: http://www.owasp.org; see also Lorrie Faith Cranor, “Web Privacy with P3P”, O'Reilly & Associates, 2002).
Thus, current solutions for web application security are often inadequate. Conventional application development languages are inherently insecure, and many web developers are not skilled enough to produce sufficiently secure products based on these languages. Moreover, conventional attack-prevention solutions are far from infallible, and in some instances, may actually have the effect of degrading security.
Current solutions for web-based privacy are also inadequate, as there currently are no solutions for allowing an individual who is responsible for web-based privacy, e.g., a “security officer,” to define a privacy policy with sufficient flexibility and expressiveness and to enforce this policy consistently. Therefore, under conventional approaches, both security and privacy need to be enforced through careful implementation and require constant auditing.
Security and privacy measures must be properly designed and implemented in order to prevent unauthorized manipulation of commands or data. As a result, web applications have become increasingly difficult to protect. In view of the shortcomings discussed above, there is a need for a system and method for maintaining security in web applications that overcomes the drawbacks of the conventional technologies.