A GDPR Compliance Verification Tool for MERN Web Applications

MSc Proposal 2023-24

Name

ComplyQL

Title

Dissertation: A GDPR Compliance Verification Tool for MERN Web Applications

Advisor

Nuno Santos, José Fragoso Santos

Objectives

Personal data protection has become a critical concern for organizations, particularly with the introduction of the General Data Protection Regulation (GDPR) by the European Union in 2018. While web developers often use full-stack development frameworks like MERN to build web applications, frameworks lack native support to specify and enforce personal data protection policies, leading to potential GDPR compliance bugs, such as failing to process the data exclusively for their advertised purposes or violating storage limitation restrictions.

The goal of this thesis project is to design and implement ComplyQL, a GDPR compliance verification tool for MERN web applications. ComplyQL will be the first tool to automatically detect potential GDPR violations by statically analyzing the source code of the web application written in JavaScript. The tool will construct a graph-based source code model named code property graph (CPG) and search for potential GDPR violations by identifying specific patterns in this model. To achieve this, the tool will enable the specification of patterns in the form of queries, making it configurable and extensible to represent numerous types of potential GDPR violations.

ComplyQL will be designed to incorporate CD/CI pipelines giving developers immediate feedback that will enable them to detect and fix costly GDPR compliance bugs. The thesis project will involve the identification of different types of GDPR violations and the specification of queries that can accurately detect these flaws, ensuring low false positives and low false negatives. The project will extend the CPG data structure with a model of the database and the client-side application to include the handling of cookies and other relevant personal data types. The tool will be evaluated by applying it to a dataset of real-world open-source MERN applications in the wild.

Leveraging prior work on enforcing GDPR-compliant access control policies and vulnerability analysis tools for JavaScript, this project is expected to make original scientific contributions. The outcome of this thesis project will be ComplyQL, a tool that can automatically detect and prevent potential GDPR violations in MERN web applications, helping organizations comply with GDPR regulations and protect personal data. For this project, we will leverage our prior work enforcing GDPR-compliant access control policies and vulnerability analysis tools for JavaScript. We expect this work to make original scientific contributions.

Requirements

Interest in software security and programming languages.

Location

IST-Alameda (INESC-ID) or IST-Tagus

Observations

This work will be performed in collaboration with other Ph.D. students with expertise in GDPR and static code analysis tools.