seminars
Detail
Publication date: 1 de June, 2021Type-based Access Control in Data-Centric Systems
Data-centric multi-user systems, such as web applications, require
flexible yet fine-grained data security mechanisms. Such mechanisms
are usually enforced by a specially crafted security layer, which
adds extra complexity and often leads to error prone coding, easily
causing severe security breaches. In this talk, we introduce a
programming language approach for enforcing access control policies
to data in data-centric programs by static typing.
Our development is based on the general concept of refinement type,
but extended so as to address realistic and challenging scenarios of
permission-based data security, in which policies dynamically depend
on the database state, and flexible combinations of column- and row-level
protection of data are necessary.
We present our type system and corresponding safety properties that ensure that
well-typed programs never break the declared data access control policies.
We also present a prototype of a development environment for web applications
that includes an implementation of our type system.
(joint work with: Luís Caires, Hugo T. Vieira, Jorge A. Perez, Lucio Ferrão, Luísa Lourenço and Miguel Domingues )
Date | 08/06/2011 |
---|---|
State | Concluded |