Sensitive-data Protection for Today's Web Applications

Wen Zhang

EECS Department, University of California, Berkeley

Technical Report No. UCB/EECS-2025-149

August 11, 2025

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2025/EECS-2025-149.pdf

As web applications increasingly handle sensitive user data, protecting that data from unauthorized access is more critical than ever. Yet, despite decades of research on access control, data leaks remain prevalent—not due to a lack of solutions, but because existing solutions are difficult to adopt by today’s deployed applications. Two key challenges hinder adoption: (1) many solutions require nonstandard programming models that are incompatible with mainstream web frameworks, and (2) developers must manually define access-control policies—a time-consuming and error-prone task, particularly for legacy applications that lack such policies.

If we want to solve the societal problem of sensitive-data protection, we must meet today’s applications where they are. This dissertation focuses on developing access-control techniques that can be easily applied to existing applications. We will present two systems: Blockaid, which performs fine-grained access control on existing web applications with minimal modification, and Ote, which aids in policy creation by extracting implicit policies embedded in legacy code. By supporting today’s applications without requiring a redesign, our approach aims to bring practical data protection to real-world deployments.

Advisors: Scott Shenker

BibTeX citation:

@phdthesis{Zhang:EECS-2025-149,
    Author= {Zhang, Wen},
    Title= {Sensitive-data Protection for Today's Web Applications},
    School= {EECS Department, University of California, Berkeley},
    Year= {2025},
    Month= {Aug},
    Url= {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2025/EECS-2025-149.html},
    Number= {UCB/EECS-2025-149},
    Abstract= {As web applications increasingly handle sensitive user data, protecting that data from unauthorized access is more critical than ever. Yet, despite decades of research on access control, data leaks remain prevalent—not due to a lack of solutions, but because existing solutions are difficult to adopt by today’s deployed applications. Two key challenges hinder adoption: (1) many solutions require nonstandard programming models that are incompatible with mainstream web frameworks, and (2) developers must manually define access-control policies—a time-consuming and error-prone task, particularly for legacy applications that lack such policies.

If we want to solve the societal problem of sensitive-data protection, we must meet today’s applications where they are. This dissertation focuses on developing access-control techniques that can be easily applied to existing applications. We will present two systems: Blockaid, which performs fine-grained access control on existing web applications with minimal modification, and Ote, which aids in policy creation by extracting implicit policies embedded in legacy code. By supporting today’s applications without requiring a redesign, our approach aims to bring practical data protection to real-world deployments.},
}

EndNote citation:

%0 Thesis
%A Zhang, Wen 
%T Sensitive-data Protection for Today's Web Applications
%I EECS Department, University of California, Berkeley
%D 2025
%8 August 11
%@ UCB/EECS-2025-149
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2025/EECS-2025-149.html
%F Zhang:EECS-2025-149