GuardRails: A Data-Centric Web Application Security Framework

Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans
2nd USENIX Conference on Web Application Development (WebApps 2011)
Portland, Oregon, 15-16 June 2011

Abstract

Modern web application frameworks have made it easy to create powerful web applications. Developing a secure web application, however, still requires a developer to possess a deep understanding of security vulnerabilities and attacks. Even for experienced developers it is tedious, if not impossible, to find and eliminate all vulnerabilities. This paper presents GuardRails, a source-to-source tool for Ruby on Rails that helps developers build secure web applications. GuardRails works by attaching security policies, defined using annotations, to the data model itself. GuardRails produces a version of the input application that automatically enforces the specified policies. GuardRails helps developers prevent a myriad of security problems, including cross-site scripting attacks and access control violations, while providing a large degree of flexibility to support a range of policies and development styles.

Paper

Full paper (12 pages): [PDF]

Talk slides: [PPTX] [PDF]

Code: https://github.com/guardrails/guardrails