StoreQL - SysSec @ DPSS.INESC-ID

MSc Proposal 2024-25

Name

StoreQL

Title

Dissertation: Designing a GDPR Compliance Verification Tool for Data Storage Policies in MERN Web Applications

Advisor

Nuno Santos, José Fragoso Santos

Objectives

Personal data protection has become a critical concern for organizations, especially since the European Union introduced the General Data Protection Regulation (GDPR). While web developers commonly use full-stack development frameworks like MERN to build web applications, these frameworks do not inherently support specifying and enforcing personal data protection policies. This often leads to GDPR compliance issues, particularly with personal data storage guidelines, such as failing to impose storage limitations or not ensuring adequate storage retention policies.

The goal of this thesis project is to design and implement StoreQL, a GDPR compliance verification tool specifically for monitoring personal data storage practices in MERN web applications. StoreQL will be the first tool to automatically detect potential GDPR violations related to data storage by statically analyzing the source code of web applications written in JavaScript. The tool will utilize a graph-based source code model named code property graph (CPG) to identify specific patterns that indicate violations of storage limitations and retention policies. By allowing the specification of these patterns in the form of queries, StoreQL will be both configurable and extensible, capable of identifying a range of storage-related GDPR violations.

StoreQL will integrate into CI/CD pipelines, providing developers with immediate feedback to help identify and rectify costly GDPR compliance issues regarding data storage. The thesis project will focus on pinpointing types of GDPR storage violations and crafting precise queries that can accurately detect these violations, ensuring low false positives and false negatives. The tool will be evaluated using a dataset of real-world open-source MERN applications.

Leveraging previous work on enforcing GDPR-compliant access control policies and vulnerability analysis tools for JavaScript, this project aims to make original scientific contributions. The outcome will be StoreQL, a tool that specifically targets and prevents potential GDPR violations related to personal data storage in MERN web applications, helping organizations adhere to GDPR regulations and protect personal data.

Requirements

Interest in software security and programming languages.

Location

IST-Alameda (INESC-ID) or IST-Tagus

Observations

This work will be performed in collaboration with other Ph.D. students with expertise in GDPR and static code analysis tools.