Jefferson's Wheel » GuardRails

Congratulations Jonathan!

David Evans — Tue, 07 May 2013 00:08:21 +0000

Jonathan Burket has been recognized with a CRA Outstanding Undergraduate Researcher Honorable Mention. This award recognizes outstanding research by undergraduate students in North America.

Jonathan joined our research group as a first year student (recruited from cs1120) and has done several research projects focused on web security including working on GuardRails and leading a new research project on correlating web application state and requests with behavior such as database requests.

Congratulations to Jonathan!

Austin DeVinney featured in Radford News

David Evans — Tue, 07 Feb 2012 21:41:01 +0000

Austin DeVinney, who worked with us on GuardRails last summer and presented a poster at USENIX Security Symposium, was featured in Radford’s College of Science and Technology newsletter.

Information technology student Austin DeVinney’s interest and curiosity has paid off with a summer internship opportunity with cybersecurity expert and Associate Professor of Computer Science at the University of Virginia David Evans.

The full article is here:
IT Student Presents Research at Prestigious Conference [PDF].

USENIX WebApps Paper

David Evans — Wed, 04 May 2011 18:27:54 +0000

Our USENIX WebApps 2011 Paper is now available:

Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans. GuardRails: A Data-Centric Web Application Security Framework. 2nd USENIX Conference on Web Application Development (WebApps 2011). Portland, Oregon, 15-16 June 2011.

Abstract
Modern web application frameworks have made it easy to create powerful web applications. Developing a secure web application, however, still requires a developer to posses a deep understanding of security vulnerabilities and attacks. Even for experienced developers it is tedious, if not impossible, to find and eliminate all vulnerabilities. This paper presents GuardRails, a source-to-source tool for Ruby on Rails that helps developers build secure web applications. GuardRails works by attaching security policies defined using annotations to the data model itself. GuardRails produces a version of the input application that automatically enforces the specified policies. GuardRails helps developers prevent a myriad of security problems including cross-site scripting attacks and access control violations while providing a large degree of flexibility to support a range of policies and development styles.

Full paper (12 pages): [PDF]
GuardRails website

GuardRails now available!

David Evans — Fri, 22 Apr 2011 17:48:20 +0000

The first release of the GuardRails source code is now available at https://github.com/guardrails/guardrails. GuardRails was developed by Jonathan Burket, Patrick Mutchler, Michael Weaver, and Muzzammil Zaveri.

GuardRails is a web application framework that extends Ruby on Rails to provide automatic support for data-centric security policies. Developers add annotations to their data models to describe their security policies, and GuardRails performs a source-to-source transformation to enforce those policies throughout the application. There will be a paper at USENIX WebApps 2011, GuardRails: A Data-Centric Web Application Security Framework, available soon, that provides more details.