Cross-tier, label-based security enforcement for web applications

SIGMOD-PODS'09 - Proceedings of the International Conference on Management of Data and 28th Symposium on Principles of Database Systems

Volumn , Issue , 2009, Pages 269-281

  Corcoran, Brian J ^a   Swamy, Nikhil ^b   Hicks, Michael ^a  

^a UNIVERSITY OF MARYLAND   (United States)

^b MICROSOFT RESEARCH   (United States)

Author keywords

Compilers; Database programming; Security enforcement; Type systems; Web applications

Indexed keywords

CLASS LABELS; CUSTOMIZABLE; LABELED DATA; LANGUAGE SYNTAX; MULTI-TIER; ORDER OF MAGNITUDE; POLICY ENFORCEMENT; PROGRAMMING LANGUAGE; PROGRAMMING MODELS; PROTECTED OBJECT; RUBY ON RAILS; SECURITY ENFORCEMENT; SECURITY POLICY; TYPE SYSTEMS; WEB APPLICATION;

COMPUTER AIDED SOFTWARE ENGINEERING; COMPUTER SYSTEMS PROGRAMMING; CORUNDUM; LABELS; LINGUISTICS; NETWORK SECURITY; PROGRAM COMPILERS; SECURITY SYSTEMS; WORLD WIDE WEB;

DATABASE SYSTEMS;

EID: 70849107905     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1559845.1559875     Document Type: Conference Paper

References (39)

1. S. Ambler. Agile Database Techniques. John Wiley and Sons, 2006.
2. D. An. XTOLS: Cross-tier Oracle label security. Technical Report CS-TR-4934, University of Maryland, College Park, 2009.
3. D. Aspinall and M. Hoffimann. Advanced Topics in Types and Programming Languages, chapter Dependent Types. MIT Press, 2004.
4. R. Boland. Network centricity requires more than circuits and wires. SIGNAL, Sept. 2006.
5. P. Buneman, A. Chapman, and J. Cheney. Provenance management in curated databases. In Proc. SIGMOD, 2006.
6. W.-J. Chen, I. Rytir, P. Read, and R. Odeh. DB2 security and compliance solutions for Linux, UNIX, and Windows. http://www.redbooks.ibm.com/redbooks/ pdfs/sg247555.pdf, Mar. 2008.
7. S. Chong, J. Liu, A. C. Myers, X. Qi, K. Vikram, L. Zheng, and X. Zheng. Secure web application via automatic partitioning. In Proc. SOSP, 2007.
8. S. Chong, A. C. Myers, N. Nystrom, L. Zheng, and S. Zdancewic. Jif: Java + information ow. Software release, version 3.3. Located at http://www.cs. cornell.edu/jif, 2009.
9. S. Chong, K. Vikram, and A. C. Myers. Sif: Enforcing conffidentiality and integrity in web applications. In Proc. USENIX Security, 2007.
10. E. Cooper, S. Lindley, P. Wadler, and J. Yallop. Links: Web programming without tiers. In Proc. FMCO, 2006.
11. B. Corcoran, N. Swamy, and M. Hicks. Combining provenance and security policies in a web-based document management system. In On-line Proceedings of the Workshop on Principles of Provenance (PrOPr), Nov. 2007.
12. D. E. Denning. A lattice model of secure information ow. Communications of the ACM, 19(5):236-243, May 1976.
13. G. Dubochet. The SLinks Language. Technical report, University of Edinburgh, School of Informatics, 2005.
14. D. R. Engler, M. F. Kaashoek, and J. O'Toole, Jr. Exokernel: an operating system architecture for application-level resource management. In Proc. SOSP, 1995.
15. J. J. Garrett. Ajax: A new approach to web applications. http://www.adaptivepath.com/publications/essays/archives/000385.php, feb 2005.
16. Google Web Toolkit. http://code.google.com/webtoolkit/.
17. The Hop Programming Language. http://hop.inria.fr/.
18. Java EE at a glance. http://java.sun.com/javaee/, 2008.
19. The LINQ project. http://msdn.microsoft.com/en-us/netframework/aa904594. aspx, 2008.
20. E. Meijer, B. Beckman, and G. Bierman. LINQ: Reconciling object, relations and XML in the .NET framework. In Proc. SIGMOD, 2006.
21. E. Müller, P. Dadam, J. Enderle, and M. Feltes. Tuning an SQL-based PDM system in a worldwide client/server environment. In Proc. ICDE, 2001.
22. A. C. Myers and B. Liskov. Protecting privacy using the decentralized label model. ACM Transactions on Software Engineering and Methodology, 9(4):410-442, 2000.
23. Security privileges provided by MySQL. http://dev.mysql.com/doc/refman/5. 1/en/privileges-provided.html.
24. National Health Service. Spine. http://www.connectingforhealth.nhs.uk/ systemsandservices/spine.
25. OASIS XACML TC. XACML 2.0 interop scenarios. http://docs.oasis-open.org/ xacml/xacml-2.0-core-interop-draft-12-04.doc.
26. Oracle Corporation. Oracle 10g release documentation, 2007. Available at http://www.oracle.com/technology/documentation/database10g.html.
27. B. Parno, J. M. McCune, D. Wendlandt, D. G. Andersen, and A. Perrig. CLAMP: Practical prevention of large-scale data leaks. In IEEE Symposium on Security and Privacy, 2009.
28. PostgreSQL Global Development Group. Postgresql 8.2.1 software release, 2007. Available at http://www.postgresql.org.
29. Security privileges provided by PostgreSQL. http://www.postgresql.org/ docs/8.2/static/ddl-priv.html.
30. Ruby on rails. http://www.rubyonrails.org/, 2008.
31. A. Rask, D. Rubin, and B. Neumann. Implementing row- and cell-level security in classiffied databases using SQL Server 2005. http://www.microsoft. com/technet/prodtechnol/sql/2005/multisec.mspx.
32. Reuters, October 2006. U.S. Intelligence Unveils Spy Version of Wikipedia.
33. S. Rizvi, A. Mendelzon, S. Sudarshan, and P. Roy. Extending query rewriting techniques for ffine-grained access control. In Proc. SIGMOD, 2004.
34. V. Simonet. FlowCaml in a nutshell. In G. Hutton, editor, APPSEM-II, pages 152-165, Mar. 2003.
35. Authorization and permissions in SQL Server. http://msdn2.microsoft.com/ en-us/library/bb669084.aspx.
36. N. Swamy. Language-based Enforcement of User-deffined Security Policies. PhD thesis, University of Maryland, College Park, August 2008.
37. N. Swamy, B. Corcoran, and M. Hicks. Fable: A language for enforcing user-deffined security policies. In IEEE Symposium on Security and Privacy, 2008.
38. Volta. http://livelabs.com/volta, 2008.
39. L. Wong. Kleisli, a functional query system. Journal of Functional Programming, 10(1), 2000.