CLAMP: Practical Prevention of Large-Scale Data Leaks

Bryan Parno, Jonathan M. McCune, Dan Wendlandt, David G. Andersen, Adrian Perrig
CyLab, Carnegie Mellon University

Abstract

Providing online access to sensitive data makes web servers lucrative targets for attackers. A compromise of any of the web server's scripts, applications, or operating system can leak the sensitive data of millions of customers. Unfortunately, many systems for stopping data leaks require considerable effort from application developers, hindering their adoption.

In this work, we investigate how such leaks can be prevented with minimal developer effort. We propose CLAMP, an architecture for preventing data leaks even in the presence of web server compromises or SQL injection attacks. CLAMP protects sensitive data by enforcing strong access control on user data and by isolating code running on behalf of different users.

… yet this code is often written by inexperienced programmers and seldom subject to peer review. Unfortunately, the monolithic LAMP-style approach means that a single vulnerability anywhere in a web application's software stack will often expose all user data.

In this work, we describe CLAMP, an architecture that adds data Confidentiality to the LAMP model while retaining the ease of use that has made it so popular. CLAMP prevents web server compromises from leaking sensitive user data by (1) ensuring that a user's sensitive data can only be accessed by code running on behalf of that user, and (2) isolating code running on behalf of different users.

While previous work has explored techniques to prevent data leaks (Section 8), these approaches typically require significant programmer effort to port existing code to new …