Sensitive-dataProtectionforToday'sWebApplications

WenZhang

ElectricalEngineeringandComputerSciencesUniversityofCalifornia,Berkeley

TechnicalReportNo.UCB/EECS-2025-149

/Pubs/TechRpts/2025/EECS-2025-149.html

August11,2025

Copyright?2025,bytheauthor(s).

Allrightsreserved.

Permissiontomakedigitalorhardcopiesofallorpartofthisworkfor

personalorclassroomuseisgrantedwithoutfeeprovidedthatcopiesare

notmadeordistributedforprofitorcommercialadvantageandthatcopiesbearthisnoticeandthefullcitationonthefirstpage.Tocopyotherwise,torepublish,topostonserversortoredistributetolists,requirespriorspecificpermission.

Sensitive-dataProtectionforToday’sWebApplications

by

WenZhang

Adissertationsubmittedinpartialsatisfactionofthe

requirementsforthedegreeof

DoctorofPhilosophy

in

ComputerScience

inthe

GraduateDivision

ofthe

UniversityofCalifornia,Berkeley

Committeeincharge:

ProfessorScottShenker,Chair

AssistantProfessorAurojitPanda

ProfessorSylviaRatnasamy

AssociateProfessorAlvinCheung

Summer2025

Sensitive-dataProtectionforToday’sWebApplications

Copyright2025

by

WenZhang

1

Abstract

Sensitive-dataProtectionforToday’sWebApplications

by

WenZhang

DoctorofPhilosophyinComputerScience

UniversityofCalifornia,Berkeley

ProfessorScottShenker,Chair

Aswebapplicationsincreasinglyhandlesensitiveuserdata,protectingthatdatafromunautho-rizedaccessismorecriticalthanever.Yet,despitedecadesofresearchonaccesscontrol,dataleaksremainprevalent—notduetoalackofsolutions,butbecauseexistingsolutionsarediffi-culttoadoptbytoday’sdeployedapplications.Twokeychallengeshinderadoption:(1)manysolutionsrequirenonstandardprogrammingmodelsthatareincompatiblewithmainstreamwebframeworks,and(2)developersmustmanuallydefineaccess-controlpolicies—atime-consuminganderror-pronetask,particularlyforlegacyapplicationsthatlacksuchpolicies.

Ifwewanttosolvethesocietalproblemofsensitive-dataprotection,wemustmeettoday’sap-plicationswheretheyare.Thisdissertationfocusesondevelopingaccess-controltechniquesthatcanbeeasilyappliedtoexistingapplications.Wewillpresenttwosystems:Blockaid,whichper-formsfine-grainedaccesscontrolonexistingwebapplicationswithminimalmodification,andOte,whichaidsinpolicycreationbyextractingimplicitpoliciesembeddedinlegacycode.Bysupportingtoday’sapplicationswithoutrequiringaredesign,ourapproachaimstobringpracti-caldataprotectiontoreal-worlddeployments.

i

Tomyfamily.

ii

Contents

Contents

ii

ListofFigures

v

ListofTables

vi

Acknowledgements

vii

1Introduction

1

1.1TheProblem

1

1.2TheStatusQuo

2

1.3PastResearch

3

1.4OurContributions

4

1.5PreviousPublications

5

2Blockaid:Access-controlEnforcement

6

2.1Introduction

6

2.2RelatedWork

7

2.3SystemDesign

8

2.3.1ApplicationAssumptionsandThreatModel

8

2.3.2SystemOverview

9

2.3.3ApplicationRequirements

10

2.4View-basedPolicyandCompliance

10

2.4.1SpecifyingPoliciesasViews

11

2.4.2CompliancetoView-basedPolicy

11

2.4.3FromQueryCompliancetoNoninterference

13

2.5ComplianceCheckingwithSMT

16

2.5.1TranslatingNoncompliancetoSMT

16

2.5.2HandlingPracticalSQLQueries

17

2.5.3OptimizationsandSMTEncoding

19

2.6DecisionGeneralizationandCaching

21

2.6.1Example

23

iii

2.6.2DefinitionsandGoals

23

2.6.3GeneratingDecisionTemplates

25

2.6.4DecisionCacheandTemplateMatching

29

2.7Implementation

30

2.8Evaluation

30

2.8.1Constraints,Policies,andAnnotations

30

2.8.2CodeModifications

31

2.8.3ExperimentSetupandBenchmark

33

2.8.4PageLoadTimes

33

2.8.5FetchLatency

34

2.8.6SolverComparison

35

2.8.7TemplateGeneralization

35

2.8.8Artifact

37

2.9AdditionalIssues

39

2.9.1Comparisontorow-andcell-levelpolicy

39

2.9.2Falserejections

40

2.9.3Off-pathdeployment

40

2.9.4WhatifBlockaidcouldissueitsownqueries?

40

2.9.5Optimaltemplates

40

2.10Conclusion

41

3ADecidableCaseofQueryDeterminacy:Project-SelectViews

42

3.1Introduction

42

3.2Setup

42

3.3Reducingdeterminacytoalogicalformula

43

3.3.1StatementofTheorem

43

3.3.2ProofofTheorem

44

4Ote:Access-policyExtraction

48

4.1Introduction

48

4.2MotivationandBackground

49

4.2.1WhyPolicyExtraction?

49

4.2.2PolicyasSQLViewDefinitions

50

4.3Overview

51

4.3.1Workflow

52

4.3.2AssumptionsandScope

54

4.4ExploringExecutions

55

4.4.1Observation:SimpleQuery-issuingCores

55

4.4.2ConcolicExecution:WhatandWhy

56

4.4.3SystemArchitecture

56

4.4.4SymbolicModelingandInputGeneration

56

4.4.5InstrumentationandTracking

58

iv

4.5GeneratingaPolicy

58

4.5.1PreprocessingIntoConditionedQueries

58

4.5.2SimplifyingConditionedQueries

59

4.5.3GeneratingSQLViewDefinitions

59

4.5.4PruningViewsviaEnforcement

63

4.6Discussion

63

4.7ImplementationalandPracticalAspects

64

4.7.1DriverandPolicyGenerator

64

4.7.2Executors

64

4.7.3Tooling

65

4.8Evaluation

65

4.8.1SettingUpApplicationsforOte

66

4.8.2ExperimentSetup

68

4.8.3Paths,ConditionedQueries,andViews

68

4.8.4Performance

70

4.8.5FindingsFromtheExtractedPolicies

70

4.8.6BroadeningtheExtractedPolicy

71

4.9RelatedWork

72

4.10ConclusionandFutureWork

73

5FutureDirections

74

5.1PolicyTesting

74

5.1.1Challenge:EvaluatingaPolicyforSensitive-dataDisclosure

74

5.1.2ExistingWork:BayesianPrivacy

75

5.1.3Proposal:Prior-agnosticPrivacy

75

5.2ViolationDiagnosis

76

5.2.1Challenge:TroubleshootingViolations

76

5.2.2Proposal:PatchGeneration

77

5.3PolicyComprehension

78

5.4DecidableComplianceChecking

79

Bibliography

80

v

ListofFigures

1.1Asimplifiedarchitectureofatypicalwebapplication

2

2.1AnoverviewofBlockaid

9

2.2Fromcompliancetostrongcompliance

20

2.3URLfetchlatency

34

2.4Fractionofwinsbyeachsolver

35

4.1Policyextractionworkflow

53

vi

ListofTables

2.1Summaryofschemas,policies,andcodechanges

31

2.2Applicationbenchmarkdescriptionandloadtime

32

2.3Whereartifactcontentsarehosted

38

3.1Databasenotations

43

3.2Othermathematicalnotations

43

4.1Numberofdatabaseconstraints

67

4.2Statisticsandperformanceforpathexplorationandpolicygeneration

69

4.3Viewcountinextractedvshandwrittenpolicies

71

vii

Acknowledgments

Myfirstanddeepestthanksgotomyadvisor,ScottShenker.ScottwasthereasonIchoseBerkeley,andlookingback,Icertainlymadetherightchoice.Heis,simplyput,thebestadvisorIcouldhaveaskedfor.FromScott,Ilearnedtolookbeyondlow-hangingfruitandinsteadto“takeastepback”,askfundamentalquestions,relentlesslyseeksimplicityandclarity,andfindtherightwaytosolveaproblem—thewaythatchangeshowpeoplethink.IalwaysfeelcomfortablewalkingintoScott’sofficetodiscussanyideathatpopsintomyhead,whetherrelatedtomyresearchorinacompletelydifferentarea,whetherwell-formedor(asisoftenthecase)half-baked.EvenwhenIhavenoideawhatI’mtalkingabout,Scottalwayshumorsme,listenspatientlytomyramblings,andskillfullyfindsthenuggetsofgoldwithin.Hismentorshiptranscendsanysingleresearchtopicandhasemboldenedmetoventureintoanynewareathatinterestsme.

IowetremendousgratitudetoAurojitPanda,myunofficialsecondadvisor.Pandaisawalk-ingencyclopediaofcomputerscience(andmanyotherthings).NomatterwhatsubjectIbringup—athornyresearchproblem,aquestionaboutarandompaperI’veread,oranewindustrytechnology—Pandaalwayshassomethingintelligenttooffer.IhavehadtheprivilegeofworkingwithhimsincemyfirstdayatBerkeley,andIamstillamazedbyhisgenerositywithhistimeandknowledge.Mostofall,workingwithPandahasmaderesearchinfinitelymoreenjoyable.

Iamalsodeeplygratefultomyothercommitteemembers,SylviaRatnasamyandAlvinCheung.Overtheyears,Sylviahasgivenmeinvaluablefeedbackonmyresearch.Myonlyregretisnothavingtheopportunitytoworkwithhermoreclosely,butwheneverIneededhelp,shewasalwaysthereforme.Alvinbroughtuniqueexpertisefrombothdatabaseandprogramming-languageresearch.Hewouldpatientlydissectmynascentideasandsharpenthemintosomethingconcrete—Ihavelearnedagreatdealfromhim.

IfirstmetNatachaCrookswhenItookherclassondistributedsystemsandhavesincehadtheprivilegeofcollaboratingwithher.Asanewcomertodistributedsystems,Ialwayshavecountlessbasicquestions—orworse,vagueconfusionthatIcannotevenarticulate.Natachawouldpatientlylisten,helpmeframemythoughts,andguidemetothepreciseanswersIamseeking.IalsothankNatachaforherendlessencouragementasInavigatemycareerpath.

IbeganworkingwithMoolySagivatthestartoftheBlockaidproject.HesinglehandedlyintroducedmetobothdatabasetheoryandtheamazingcapabilitiesofSMTsolvers.WheneverIwasstuck,Moolycouldpointthewaytowardsprogress,whetherbysharpeningadefinitionorbyleveragingasuitabletool.Evenafterourpaperwaspublished,Moolycontinuedtosupportmycareer,makingtimetomeetevenwhenhewasbusiestwithhiscompany.IlearnedsomuchfromMoolyandtrulyappreciatehisguidance.

IinternedwithIreneZhangatMicrosoftResearchinthesummerof2019;westartedthePersimmonprojectthenandextendedourcollaborationbeyondtheinternship.IreneskillfullylocatedthreeserverswithIntel?Optane?DCPersistentMemory,whichwereessentialforourexperiments.Butmoreimportantly,sheintroducedmetotheworldofdatacentercomputingandtaughtmethevaluableskillofthinkingaboutproblemsatahighlevelandpresentingthebigpicture.

viii

ThroughoutmyPhD,IhavebeenfortunatetocollaboratewithmanypeopleatBerkeley:DevBali,EricSheng,JamisonKerney,MateiZaharia,MicahMurray,MichaelAlanChang,NarekGalstyan,PeterXiangGao,RishabhIyer,SamSon,SilveryFu,ZhihongLuo,JiwonPark,andShadajLaddad.Ihavelearnedalotfromeachofthem,andIthankthemforputtingupwithmyincessantquestions.

IgivespecialthankstoSilveryFu.SilveryandIstartedasgraduatestudentsintheNetSysLabatthesametime;hehasalwaysbeenthereformewhenIneedsomeonetotalkto,andevenwhenIdon’trealizeIdo.IhavefoundinSilveryatruefriend,andIamconfidentthatourfriendshipwillextendwellbeyondgraduateschool.

Ihaveenjoyedthecompanyofmanyothers—friendsfromtheNetSysLab:AishaMushtaq,AkshayNarayan,AlexanderKrentsel,AminTootoonchian,AmyOusterhout,AnwarHithnawi,ChangLan,ChristopherBranner-Augmon,EdwardOakes,EmilyMarx,EmmanuelAmaro,Ethan

J.Jackson,HannahB.Pasandi,LloydBrown,MurphyMcCauley,RadhikaMittal,SarahMcClure,TenzinSamtenUkyab,TessDespres,YotamHarchol,andZimingMao;andfriendsfromtheRISE-Lab/SkyComputingLabandbeyond:GengZhao,ZonghengYang,SamKumar,Conor&LauraPower,DavidChu,EyalSela,JaewanHong,Jean-LucWatson,JennyHuang,JulienPiet,JustinWong,PeterSchafhalter,SamyuYagati,ShishirPatil,ShuLiu,StephanieWang,TianXia,TianjunZhang,WenshuoGuo,andmanymore!

Iamgratefultoourlab’sadministrativestaff—IvanOrtega,JonKuroda,KaileeTruong,KatttAtchley,TramVu,AngieGoodwin,BobanZarkovich,DaveSchonenberg,andShaneKnapp—whohaveskillfullykeptthelabrunningsmoothly.

IbeganmyresearchjourneyasanundergraduateatStanfordUniversity,whereIhadthegreatfortunetoworkwithElliottSlaughterandAlexAiken.ElliottandAlexwerethereasonwhyIchosetopursueaPhD.Theyintroducedmetothefunandexcitementofresearchandencouragedmetoapplytograduateschool,believinginmypotentialevenwhenIdidnot.Iamprofoundlygratefultothemforsettingmeonapaththathasturnedouttobesorewarding.

***

Iwouldnotbeherewithoutmyparents,YanLangandZhuoZhang,whohaveuncondi-tionallylovedandsupportedmefromthebeginning,consistentlyputmyneedsbeforetheirown,andkeptmybestinterestsinmindineverythingtheydid.TheyalsohadtheincredibleforesighttorecognizetheimportanceofmasteringbothcomputertechnologyandtheEnglishlanguageearlyinmyeducation,whichhascertainlypreparedmewellforwritingthisComputerSciencedissertationinEnglish.

Lastbutcertainlynotleast,Ithankmywife,VivianFang.Shehasbeenmyconstantcom-paniononthisjourney,possessingtheremarkableabilitytopullmeawayfrommydesk—outoftheapartment,even—formuch-neededbreaksthatIdidn’trealizeIneeded.ProudasIamoftheworkinthisdissertation,themostpreciousthingIhavegainedduringmyPhDisundoubtedlymyrelationshipwithVivian.Ithankherforbeingaloyalandlovingpartner,foraddingcolortomylife,andforbringingintoourlivesourtwocats,NattoandMini,whohaveprovidedimmeasurablejoyandsupportthroughoutthisjourney.

1

Chapter1

Introduction

Weusemanywebapplicationsinoureverydaylives,applicationsthatstoreandservesensi-tiveuserdata.Studentslogintouniversityportalstocheckgrades,patientsaccesshealthcaredashboardstoreviewmedicalrecords,andbillionsofpeoplerelyonmessagingplatformstostayconnectedwithfriendsandfamily.Ineverycase,usersexpectthattheirpersonaldataremainsconfidentialandisrevealedonlytoauthorizedparties.

Protectingsuchdataisthereforeamatterofbothsocialimportanceand,inmanydomains,legalobligation.Governmentshavelongregulatedthedisclosureofinformationdeemedpar-ticularlysensitive—e.g.,FERPAforeducationrecordsandHIPAAformedicalrecords.Butevenoutsidestrictlyregulatedsettings,platformoperatorsfacecontractual,reputational,andethicalpressuretoavoidunauthorizeddisclosures.

Yetdataleakscontinueunabated,suggestingthatthestatusquofordata-protectioninwebapplicationsiswoefullyinadequate.Toexplainwhy,wewilldefinetheproblem(§

1.1

),discusswhytheprevailingapproachesfordataprotectionareinsufficient(§

1.2

),andhighlightwherepastresearchfallsshort(§

1.3

).Wewillthenoutlineourcontributions—twocomplementarysystemsthat,takentogether,formaholisticsolutionforprotectingsensitivedatainwebapplicationstoday(§

1.4

).

1.1TheProblem

Figure

1.1

showsthesimplifiedarchitectureofatypicalwebapplication.Auserinteractswiththeapplication—say,acalendar—backedbyadatabaseholdingrecordsforallusers.Thebrowsersendsan

HTTPrequesttotheapplication

,whichissuesaseriesofqueriestothedatabaseandusestheresultstoconstructaresponsetosendbacktotheuser.Boththeapplicationandthedatabasearecontrolledbythewebapplication’soperator,whereastheuserisfreetocraftarbi-traryrequests.

Underthissetting,wesetouttotackleoneproblem:

Howshouldtheoperatorensurethattheuserseesonlythedatatheyareallowedtosee?

CHAPTER1.INTRODUCTION2

User

HTTPrequest

HTTPresponse

ControlledbyOperator

SQL

?

Application

Database

Figure1.1:Asimplifiedarchitectureofatypicalwebapplication.

Forexample,theusershouldbeabletoseethecalendareventsthattheyareinvitedto,butnottheprivateeventsofothers.

Remark1.1.Sensitive-dataprotectionisabroaddomain,underwhichtherearemanyotherprob-lemsthatarejustasimportantbutwewillnotbeaddressinginthisdissertation.Forexample,wewillnottrytoprotecttheuser’sdatafromtheoperator,forwhichmanygoodcryptographictechniqueshavebeendeveloped.Andwewillnottrytopreventtheidentificationofpersonalrecordsfromaggregatestatistics,forwhichdifferentialprivacy[

49

]isagoodsolution.Rather,wearesolelytakingtheperspectiveoftheoperator,andmakingsurethattheuserisshowntherightdata.

1.2TheStatusQuo

Atfirstglance,thisproblemdoesn’tseemhardtosolve:Sincetheuserinteractsonlywiththeapplicationlayer,whynotjustimplementtheapplicationlogictorevealonlythealloweddata?

Indeed,today’sstatusquoistolimitdatadisclosurewithintheapplicationcode.Therearetwocommoncodepatternsforachievingthis:

QueryfiltersToserveageneralrequestfordata,thedevelopercarefullycraftsaSQLquerytoreturnonlydatathattheuserisallowedtosee.Forexample,inourcalendarapplication,toimplementthe

HTTPendpoint/all_eventsthedevelopermaywritethequery:

SELECT*

FROMEvents

JOINAttendance

ONAttendance.EId=Events.EId

WHEREAttendance.UId=?MyUId

Thisqueryreturnsonlythoseeventsthatthecurrentuserisattending.

CHAPTER1.INTRODUCTION3

AccesschecksToservearequestforaspecificdataitem,thedevelopermaywriteanifstatementtocheckiftheuserisallowedtoseeit.Forexample,toimplementthe

HTTPendpoint

/event/{eid},whichdisplaysthedetailsofanevent,thedevelopermaywritethecode:

ifnotcurr_user.is_attending(eid):

raise

Http404

("Eventnotfound")

event=Event.find(eid)

returnformat_html(event)

Here,theifblockraisesanerrorwhenthereisnoeventthatthecurrentuserisattendingwiththerequestedeventID.

Thisapproachiseffective,aslongasthedeveloperiscarefultoputtheappropriatefiltersandchecksineveryplacetheyareneeded.Theproblemisthatifthedevelopermakesasinglemistake,adataleakmayensue.Forexample,ifthedeveloperforgottheaccesscheckinthe/event/{eid}endpoint,thenauserwouldbeabletoaccessanotheruser’sdatasimplybyrequestinganeventwithanarbitraryID.

Thisexamplemaylookcontrived,butintherealworld,suchmistakeshappenallthetime:

?Fiserv,atopproviderforbankingsolutions,allowedacustomertoviewothercustomers’personaldetailsbysimplymakingan

HTTPrequestforanotificationIDbelongingtosome

-oneelse[

124

].

?TheU.S.PostalServiceexposedanAPIthatletanylogged-inuserquerytheaccountdetailsforanyotheruser[

75

].

?OpenEMR,amedicalrecordsportal,containedadefectiveaccesscheckthatallowedausertoaccessotherpatients’medicalprofiles[

163

].

?HotCRP,aconferencemanagementsystem,hadabugthatleakedhiddenpapertags,notonthemainwebpage,butinthesearchautocompletedropdown[

134

].

Infact,suchmistakesaresoprevalentthat“brokenaccesscontrol”islistedasthetopweb-securityriskintheOWASPTop10[

103

].

Tobeclear,thedevelopersarelikelynotbeingmaliciousinthesecases.Theyarelikelyjustmakingmistakes—mistakesthatareverylikelytooccurinanysoftwareaboveacertainsize.

1.3PastResearch

Sensitive-dataexposureisnotanewproblem.Therehasbeendecadesofresearchonaccesscon-trolfordatabaseapplications—ofwhichwebapplicationsisaprominentclass—tryingtoaddressthisproblem.Thefoundationalworkinthisareawaslaidoutinthedatabaseliterature[

135

],butsolutionsapplyingdatabaseaccesscontroltoapplicationshaveappearedinmanyresearchcommunities[

32

,

80

,

81

,

90

,

92

,

97

,

151

].Thesesolutionstypicallyworkasfollows:

CHAPTER1.INTRODUCTION4

1.Ahumanwritesanaccess-controlpolicydefiningwhatdatatheuserisallowedtoaccess.

2.Then,anenforcementmechanismensuresthatthepolicyisrespectedbytheapplication.

Unfortunately,thesesolutionssufferfromacommondrawback:Theyaredifficulttoapplytoexistingwebcodebases,duetotwokeyissues:

1.Pastsolutionsareincompatiblewithtoday’swebprogrammingmodel.Broadly

speaking,pastsolutionsfallintoafewcategories(whichwediscussindetailin§

2.2

):

View-basedauthorizationManydatabasesallowadministratorstodefineviews,whicharevirtualtablesdenotingsubsetsofthedatabasetoberevealed.Theuseristhenallowedtoqueryonlytheviews,nottheunderlyingtables.Buttoapplythisapproachtoanexistingwebapplication,wewouldhavetorewriteeverySQLquerytousetheviewsinstead,asignificantundertaking.

ContentfilteringThedatabasetransparentlymodifiestheapplication’squeryresultstore-moveanyinformationthattheuserisnotallowedtosee.Butsuchmodificationcancauseanexistingapplication’squeriestoreturnmisleadingorwrongresults[

119

,

142

],andcaneasilybreaktheapplication’sfunctionality.

StaticverificationOnceadeveloperimplementsthewebapplicationinaspecializedlan-guage,theycanuseaverifiertocatchaccess-controlbugsatcompiletime.Again,thisapproachisnotdesigntoworkwithexistingapplications,whichareoverwhelminglywritteninmainstreamlanguageslikePHPandRuby,whicharenotamenabletosuchverification.

2.Pastsolutionsrequirewritingapolicyfromscratch.Asweexplainin§

4.2.1

,writingapolicyforanexistingcodebaseisfarfromtrivial,andtherequirementofwritingapolicyfromscratchisamajorbarriertoadoptionforaccesscontrol.

Thus,mostpriorresearchonsensitive-dataprotectiontargetseithergreenfieldapplications—thosebuiltfromscratchusingnoveltechnology—orexistingapplicationsthatareextensivelyrewritten.Buttoday’swebispoweredbylarge,entrenchedcodebasesthatcannotfeasiblyberewrittenfromthegroundup.Theselegacysystemsaretheonesthatpeoplerelyondaily,andarguablytheonesmostinneedofrobustdataprotection.Yet,theyarelargelyoverlookedbytheaccess-controlliterature.Itshouldbeclearthatsensitivedataprotectionisfartoourgentaproblemtodemandacompleterewriteofthemodernwebtoachieve.

1.4OurContributions

Theworkpresentedinthisdissertationhasonegoal:

Tobringdataprotectiontotoday’sinstalledbaseofwebapplications.

CHAPTER1.INTRODUCTION5

Oursolutionconsistsoftwosystems,addressingthetwoissuesmentionedabove:

1.Blockaid:anaccess-controlenforcerthatiscompatiblewithtoday’swebprogrammingmodel.BlockaidchecksSQLqueriesissuedbytheapplicationusinganovelcriterioncalledtracedeterminacy,whichworkswiththewayqueriesareissuedbyexistingwebapplica-tions.Thekeychallengeistocheckthiscriterionfast;todoso,wedevelopedageneral-izationcachingsolutionontopofSMTsolving.WedescribeBlockaidinChapter

2

,andanassociatedtheoreticalresultinChapter

3

.

2.Ote:atoolthathelpshumanscreateapolicyforalegacywebapplicationbyextractingthepolicyembeddedinitscode.Themainchallengeisthatweb-applicationcodeisoftenwrittenindynamiclanguages,whichmakesitdifficulttoanalyze.Ourapproachistoadoptconcolicexecution,atechniquefromsoftwaretesting,whichprovedeffectiveinexploringcodepathsthroughthepartsoftheapplicationthataffectwhatdataisbeingqueried.Otethengeneralizestheindividualqueriesencounteredintoapolicyforhumanreview.WedescribeOteinChapter

4

.

Inbuildingthesesystems,wetakeafirststepinprovidingaholisticsolutionforprotectingsensi-tivedatainwebapplicationstoday.WepointoutseveralavenuesforfutureresearchinChapter

5

.

1.5PreviousPublications

BlockaidwaspublishedatOSDI’22[

159

].Oteandourresultonquerydeterminacywerepos