Abstract

As web applications increasingly handle sensitive user data, protecting that data from unauthorized access is more critical than ever. Yet, despite decades of research on access control, data leaks remain prevalent—not due to a lack of solutions, but because existing solutions are difficult for today’s deployed applications to adopt. Two key challenges hinder adoption: (1) many solutions require nonstandard programming models that are incompatible with mainstream web frameworks, and (2) developers must manually define access-control policies—a time-consuming and error-prone task, particularly for legacy applications that lack such policies.

If we want to solve the societal problem of sensitive-data protection, we must meet today’s applications where they are. This dissertation focuses on developing access-control techniques that can be easily applied to existing applications. We will present two systems: Blockaid, which performs fine-grained access control on existing web applications with minimal modification, and Ote, which aids in policy creation by extracting implicit policies embedded in legacy code. By supporting today’s applications without requiring a redesign, our approach aims to bring practical data protection to real-world deployments.

Details

1010268
Title
Sensitive-Data Protection for Today's Web Applications
Author
Number of pages
108
Publication year
2025
Degree date
2025
School code
0028
Source
DAI-B 87/3(E), Dissertation Abstracts International
ISBN
9798293893218
Committee member
Panda, Aurojit; Ratnasamy, Sylvia; Cheung, Alvin
University/institution
University of California, Berkeley
Department
Electrical Engineering & Computer Sciences
University location
United States -- California
Degree
Ph.D.
Source type
Dissertation or Thesis
Language
English
Document type
Dissertation/Thesis
Dissertation/thesis number
32235988
ProQuest document ID
3256632131
Document URL
https://www.proquest.com/dissertations-theses/sensitive-data-protection-todays-web-applications/docview/3256632131/se-2?accountid=208611
Copyright
Database copyright ProQuest LLC; ProQuest does not claim copyright in the individual underlying works.
Database
ProQuest One Academic