
Mylar

Mylar is a platform for building secure web applications.

Web applications rely on servers to store and process confidential information. However, anyone who gains access to the server (e.g., an attacker, a curious administrator, or a government) can obtain all of the data stored there. Mylar protects data confidentiality even when an attacker gets full access to servers. Mylar stores only encrypted data on the server, and decrypts data only in users' browsers. Simply encrypting each user's data with a user key does not suffice, and Mylar addresses three challenges in making this approach work. First, Mylar allows the server to perform keyword search over encrypted documents, even if the documents are encrypted with different keys. Second, Mylar allows users to share keys and data securely in the presence of an active adversary. Finally, Mylar ensures that client-side application code is authentic, even if the server is malicious. Results with a prototype of Mylar built on top of the Meteor framework are promising: porting 6 applications required changing just 35 lines of code on average, and the performance overheads are modest, amounting to a 17% throughput loss and a 50 msec latency increase for sending a message in a chat application.


People

Publications

Software

Play with Mylar! Download it using git, and then follow the instructions in README.md.

git clone -b public git://g.csail.mit.edu/mylar

Our initial software (above) is based on an old version of Meteor, and hasn't been updated to Meteor's latest release. Thomas Steinhauer has ported Mylar to recent Meteor releases, which you can obtain here:

https://github.com/strikeout/mylar

Contact

For more information on Mylar, contact raluca AT csail DOT mit DOT edu.

Applications

We secured real applications with Mylar including a medical application (performing a survey of patients suffering from endometriosis) led by surgeons from Mass. General and Newton-Wellesley hospitals. This application is currently under IRB approval and in alpha deployment. We also secured a chat application, a class assignment submission website (for the MIT class 6.858), a calendar, a forum application and a photo sharing application.

