Abstract
Data-centric multi-user systems, such as web applications, require flexible yet fine-grained data security mechanisms. Such mechanisms are usually enforced by a specially crafted security layer, which adds extra complexity and often leads to error-prone code, easily causing severe security breaches. In this paper, we introduce a programming-language approach for enforcing access control policies on data in data-centric programs by static typing. Our development is based on the general concept of refinement types, extended so as to address realistic and challenging scenarios of permission-based data security, in which policies dynamically depend on the database state and flexible combinations of column- and row-level protection of data are necessary. We state and prove soundness and safety of our type system: well-typed programs never violate the declared data access control policies.
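The abstract contrasts a hand-written runtime security layer with a type system that rejects policy-violating programs before they run. The following is an added toy model of that idea, written for this page; it is not the paper's calculus and uses none of its syntax. The names `Select`, `Guard`, `typecheck`, `run` and `execute`, the `posts` table and its policy are all assumptions made for illustration. A policy maps a protected (table, column) to a predicate over the principal and the row, so the rule can depend on database state (here: a draft's body is readable only by its author). `typecheck` statically refuses any read of a protected column that is not enclosed in a `Guard` for that column, and `run` gives `Guard` its row-level meaning by restricting the body to rows on which the predicate holds.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple, Union

Row = Dict[str, object]
Perm = Tuple[str, str]                  # (table, column) that a policy protects
Predicate = Callable[[str, Row], bool]  # may principal p read this row's protected column?


@dataclass(frozen=True)
class Select:
    """Read `columns` from `table` (projection = column-level access)."""
    table: str
    columns: Tuple[str, ...]


@dataclass(frozen=True)
class Guard:
    """Bring permission `perm` into scope for `body`, restricted to the rows
    on which the policy predicate for `perm` holds (row-level access)."""
    perm: Perm
    body: "Term"


Term = Union[Select, Guard]


class AccessTypeError(Exception):
    """Raised by the static check; no data has been read when it fires."""


def typecheck(policy: Dict[Perm, Predicate], term: Term,
              ctx: FrozenSet[Perm] = frozenset()) -> None:
    """Static check: every read of a policy-protected column must occur
    inside a Guard for that column. `ctx` is the set of permissions
    established by enclosing Guards (the typing context)."""
    if isinstance(term, Guard):
        if term.perm not in policy:
            raise AccessTypeError(f"guard for {term.perm} has no policy rule")
        typecheck(policy, term.body, ctx | {term.perm})
        return
    for col in term.columns:
        perm = (term.table, col)
        if perm in policy and perm not in ctx:
            raise AccessTypeError(f"read of {perm} without permission in context")


def is_well_typed(policy: Dict[Perm, Predicate], term: Term) -> bool:
    try:
        typecheck(policy, term)
        return True
    except AccessTypeError:
        return False


def run(policy: Dict[Perm, Predicate], db: Dict[str, List[Row]], principal: str,
        term: Term, filters: Optional[Dict[str, List[Predicate]]] = None) -> List[Row]:
    """Evaluate a well-typed term. Each Guard adds its predicate as a row
    filter on its table; a Select returns only the requested columns of the
    rows that pass every filter in scope."""
    filters = dict(filters or {})
    if isinstance(term, Guard):
        table, _ = term.perm
        filters[table] = filters.get(table, []) + [policy[term.perm]]
        return run(policy, db, principal, term.body, filters)
    preds = filters.get(term.table, [])
    rows = [r for r in db[term.table] if all(p(principal, r) for p in preds)]
    return [{c: r[c] for c in term.columns} for r in rows]


def execute(policy: Dict[Perm, Predicate], db: Dict[str, List[Row]],
            principal: str, term: Term) -> List[Row]:
    """Type-check first, then evaluate: ill-typed programs never touch the data."""
    typecheck(policy, term)
    return run(policy, db, principal, term)


# Constructed sample policy and data (assumptions for this example).
# The body of a post is protected: readable if the post is published, or if
# the reader is its author. Titles and ids are unprotected.
POLICY: Dict[Perm, Predicate] = {
    ("posts", "body"): lambda p, r: (not r["draft"]) or r["author"] == p,
}
DB: Dict[str, List[Row]] = {
    "posts": [
        {"id": 1, "title": "Public post", "body": "hello", "author": "alice", "draft": False},
        {"id": 2, "title": "Alice draft", "body": "wip", "author": "alice", "draft": True},
        {"id": 3, "title": "Bob draft", "body": "secret", "author": "bob", "draft": True},
    ]
}

if __name__ == "__main__":
    unguarded = Select("posts", ("id", "body"))
    guarded = Guard(("posts", "body"), Select("posts", ("id", "body")))
    print("unguarded body read well-typed?", is_well_typed(POLICY, unguarded))  # False
    print("alice sees:", execute(POLICY, DB, "alice", guarded))                 # ids 1, 2
    print("bob sees:", execute(POLICY, DB, "bob", guarded))                     # ids 1, 3
```

The point of the toy is the division of labour the abstract describes: the checker is the only place that decides whether a program is allowed to exist, and the runtime cannot be reached by a program that forgot a check, which is exactly the class of omission a hand-written security layer is prone to. The real paper's type system is considerably richer (refinement types with policies over the database state); this sketch only shows the shape of the guarantee.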
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Caires, L., Pérez, J.A., Seco, J.C., Vieira, H.T., Ferrão, L. (2011). Type-Based Access Control in Data-Centric Systems. In: Barthe, G. (ed.) Programming Languages and Systems. ESOP 2011. Lecture Notes in Computer Science, vol 6602. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19718-5_8
DOI: https://doi.org/10.1007/978-3-642-19718-5_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19717-8
Online ISBN: 978-3-642-19718-5
eBook Packages: Computer Science (R0)