Practical End-to-End Privacy Enforcement with Sesame and Tahini
Presented by
Kinan Dak Albab.
Abstract
Data privacy has become a focal point for public discourse, and high profile privacy violations are commonplace, in part because complying with privacy regulations and policies is challenging for applications and developers. This highlights a lack of practical systems and tooling that help well-intentioned organizations ensure their applications meet their stated privacy requirements.
This talk presents Sesame (SOSP24), a system for end-to-end compliance with privacy policies in web applications. To provide practical guarantees, Sesame combines a new static analysis for data leakage with advances in memory-safe languages, lightweight sandboxing, and engineering practices around code review. Sesame successfully enforces a variety of policies, including access control, user consent, purpose limitation, and cryptographic key security, in real Rust web applications.
The talk also overviews Tahini, an ongoing follow-up work aimed at providing end-to-end guarantees for applications that rely on remote services from external organizations, including the design of a novel, lightweight runtime attestation protocol.