Type-based Access Control in Data-Centric Systems

By: João Costa Seco

Data-centric multi-user systems, such as web applications, require flexible yet fine-grained data security mechanisms. Such mechanisms are usually enforced by a specially crafted security layer, which adds extra complexity and often leads to error-prone coding, easily causing severe security breaches. In this talk, we introduce a programming language approach that uses static typing to enforce access control policies on data in data-centric programs.

Our development is based on the general concept of refinement types, extended to address realistic and challenging scenarios of permission-based data security, in which policies depend dynamically on the database state and flexible combinations of column- and row-level data protection are necessary.

We present our type system and corresponding safety properties that ensure that well-typed programs never break the declared data access control policies. We also present a prototype of a development environment for web applications that includes an implementation of our type system.

(Joint work with Luís Caires, Hugo T. Vieira, Jorge A. Perez, Lucio Ferrão, Luísa Lourenço and Miguel Domingues.)