Application-screen Masking: A Hybrid Approach Abigail Goldsteen, Ksenya Kveler, Tamar Domany, Igor Gokhman, Boris Rozenberg, Ariel Farkash Information

Application-screen Masking:

A Hybrid Approach

Abigail Goldsteen, Ksenya Kveler, Tamar Domany, Igor Gokhman, Boris Rozenberg, Ariel Farkash

Information Privacy and Security, IBM Research – Haifa

Presented by Abigail Goldsteen W2SP Workshop, San Jose, May 2014

© 2014 IBM Corporation


Agenda• Problem• Existing approaches• Our approach• Challenges and limitations• Comparison between approaches• Summary• Questions




Problem• How to share information while safeguarding the

privacy and security of sensitive data

Existing applications

New users/use cases

• Need to prevent users from viewing information they are not authorized to see


Example

Data CenterOutsourced

Call Center

Germany India

Balance

:

John Smith

35

127.50$

National

ID:Name:




Existing approaches1. Redesign application

o Can be very complicated and costlyo Not always possible due to lack of skills

2. Mask values in databaseo Difficult to maintain several copieso May “break” the application

3. Mask application-screenso Sensitive values are removed/masked after the

application has constructed the visual layout of the screen

Application server

ClientMasking


Rule typesContent-based

• Based on the text value or its format

• Can be defined usingo Regular expressionso Natural Language

Processing (NLP)o Other data classification

techniques

• Example: o A regular expression

depicting email addresses

Context-based• Based on the visual

structure of the screen• Can be defined using

o UI constructs (labeled fields, table columns, drop-down boxes, etc.)

o A relationship between two entities on the screen

o Absolute locations

• Example: o Mask all labeled fields in

which the label is “Email Address”


Existing application-screen masking approaches (1)

At the network level:

Fast Secure× Simplistic content-based rules

Application server

ClientWeb Proxy

HTTP request

HTTP response Masked HTTP response

HTTP request

Masking

Masked screen



At the presentation level:

Context-based rules defined on screen× Difficulties in handling complex screens× Severe performance issues

Application server

Client

VNC ServerHTTP request

HTTP response Masked RFB

Remote Framebuffer

(RFB)

Masking

OCRMasked screenUnmasked



At the operating system level

Context-based rules defined on screen× Installation on every end-user machine× Security issues

Application server

ClientHTTP request

HTTP response

Masked screen

Masking




Hybrid approach• Masking at the network level

Fast Secure

• Easy rule definition at the presentation level Context-based rules defined on screen Content-based rules are also supported


Some features• All sensitive information is removed from the

message and does not reach the browsero Cannot be viewed on screen or in page source

• Masking server and proxy are placed within the enterprise’s internal networko Sensitive information does not leave the premises

• Client requests are also intercepted to check if they contain masked datao The request is reconstructed with the original data

before sending to the server


Masking rules• Rules are expressed in Javascript

1 .Mozilla Spidermonkey, https://developer.mozilla.org/en-US/docs/SpiderMonkey

• Each rule is executed on a specific HTTP messageo Can be filtered based on URL, server or client IP and username

• Several possible masking methodso Remove, Replace, Encrypt, etc.

o Powerful• Can define any type of

context-based ruleo Flexible

• Can work on many payload formats (e.g., HTML, XML, JSON, etc.)

o Fast• Executed using

existing, optimized engine1


Visual rule authoring• Creating Javascript rules for individual HTTP

messages is very difficulto Each displayed element (e.g., table) may originate from

several different messages• May have different formats• May come from AJAX requests

o Need to use several tools to inspect network traffic, understand the underlying DOM and associate between the displayed element and the messages that created it

o Need to write scripts that are syntactically correct and validate that masking is performed correctly

• Need some tool to facilitate rule authoring process


“Selection tool”


“Selection tool” close-up

• Web-based tool, implemented in Javascript

• A floating panel attached to the original application

• Intercepts mouse hovering and click events to enable selection




Technical challenges (1)

• Automatically creating scripts from user selections



• Our solution: We devised an algorithm for detecting the origin of each screen element while the page is loadingo Monitors all web page modifications, compares the DOM before and

after the modifications and captures the changes that were initiated by HTTP messages

o Creates a map between each visual element and the message it came from, including the message’s URL and the location of the element within the message (e.g., Xpath)



• Interacting with the target application without changing ito Need to catch DOM changes and add listeners for mouse events in the

target applicationo Browsers’ same-origin policy prevents pages/frames from different

origins from manipulating each others’ DOMs2

This prevents the naïve solution of presenting the target application in its own frame within a larger rule-authoring tool page

o Possible solutions:• Browser add-on• Standalone tool

• Our solution is based on hidden frames and “injecting” the selection tool code into the application messages using the runtime proxy

2 .J. Ruderman, “The same origin policy”, http://www.mozilla.org/projects/security/components/same-origin.html

Both require installation on the rule-author’s machine


Limitations1. Cannot mask information that does not flow over

the network, i.e., generated on the client-sideo Example: an average that is calculated in the browser using Javascript

2. Cannot mask information that flows in binary formato Examples: images, Java applets, Adobe Flash objects, etc.

3. May fail client-side validationo Example: a field that checks for a valid email addresso Solution: use format-preserving masking techniques




Comparison of approaches (1)

• Rule strength and granularityo We compare our context-based approach with content-based rules and

database masking, based on 4 criteria:• Masking granularity – the ability to mask exactly what is needed• Logical rule coverage - the ability to describe a rule by its logical

content (e.g., mask only patient emails)• Visual rule coverage - the ability to mask all or part of the

elements in a given area of the screen• Visual screen context - the ability to create rules in the context

of the presentation layer


Examples• Masking granularity:

o A content-based rule will always mask all phone numbers in the application

• Cannot mask only patient phone numbers and not physician phone numbers

• Logical rule coverage:o At the DB layer, any data item can be specified for masking only once,

even if it appears on several pages or has several different formats• Cannot support cases where a data item in a table appears in two

different contexts, one that should be masked and one that shouldn’t

• Visual rule coverageo Our approach enables masking all items in a given area of the screen,

even though there may not be any correlation in the format or database table


Comparison of approaches (2)

• Rule enforcement mechanismso We compare our network-level enforcement with masking at the

database level and the at the presentation-layer (using OCR), based on 3 criteria:

• Application integrity – effects on the proper functioning of the application

• Role-based masking – different masking based on user roles• Impact of screen complexity – do complex screens make

masking more difficult?


Examples• Application integrity

o At the DB layer, illegal or missing values can result in “breaking” the application

o At the network layer, client-side validation or calculations may be compromised

• Impact of screen complexity o Masking at the presentation layer is directly correlated to screen

complexity• Overlapping or partially visible windows pose a significant

challengeo Network-based masking is somewhat affected by application

complexity, e.g., a screen constructed from many different messages• Masking is still possible, but rule definition is more complicated




Summary• We showed a hybrid approach that combines

context-based rule creation at the presentation level with enforcement at the network level

• This enables: o Powerful and flexible rule language o Easy and straight-forward rule authoring processo Minimal performance impact at runtime

• Masking rules are defined in a simple and intuitive manner while navigating the target application and clicking on sensitive areas

• Requires minimal changes to the existing environment – no changes to the application or database




Questions?


Thank you

Documents

Application-screen Masking: A Hybrid Approach Abigail Goldsteen, Ksenya Kveler, Tamar Domany, Igor Gokhman, Boris Rozenberg, Ariel Farkash Information