Detail

Publication date: 1 de June, 2021

Type-based Access Control in Data-Centric Systems

Data-centric multi-user systems, such as web applications, require
flexible yet fine-grained data security mechanisms. Such mechanisms
are usually enforced by a specially crafted security layer, which
adds extra complexity and often leads to error prone coding, easily
causing severe security breaches. In this talk, we introduce a
programming language approach for enforcing access control policies
to data in data-centric programs by static typing.

Our development is based on the general concept of refinement type,
but extended so as to address realistic and challenging scenarios of
permission-based data security, in which policies dynamically depend
on the database state, and flexible combinations of column- and row-level
protection of data are necessary.

We present our type system and corresponding safety properties that ensure that
well-typed programs never break the declared data access control policies.
We also present a prototype of a development environment for web applications
that includes an implementation of our type system.

(joint work with: Luís Caires, Hugo T. Vieira, Jorge A. Perez, Lucio Ferrão, Luísa Lourenço and Miguel Domingues )

Presenter


Date 08/06/2011
State Concluded