Disjunctive Policies for Database-Backed Programs
2024 (English). In: 2024 IEEE 37TH Computer Security Foundations Symposium, CSF 2024, Institute of Electrical and Electronics Engineers (IEEE), 2024, p. 388-402. Conference paper, Published paper (Refereed)
Abstract [en]
When specifying security policies for databases, it is often natural to formulate disjunctive dependencies, where a piece of information may depend on at most one of two dependencies P1 or P2, but not both. A formal semantic model of such disjunctive dependencies, the Quantale of Information, was recently introduced by Hunt and Sands as a generalization of the Lattice of Information. In this paper, we seek to contribute to the understanding of disjunctive dependencies in database-backed programs and introduce a practical framework to statically enforce disjunctive security policies. To that end, we introduce the Determinacy Quantale, a new query-based structure which captures the ordering of disjunctive information in databases. This structure can be understood as a query-based counterpart to the Quantale of Information. Based on this structure, we design a sound enforcement mechanism to check disjunctive policies for database-backed programs. This mechanism is based on a type-based analysis for a simple imperative language with database queries, which is precise enough to accommodate a variety of row- and column-level database policies flexibly while keeping track of disjunctions due to control flow. We validate our mechanism by implementing it in a tool, DIVERT, and demonstrate its feasibility on a number of use cases.
Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2024. p. 388-402
Series
Proceedings IEEE Computer Security Foundations Symposium, ISSN 1940-1434
National Category
Computer Sciences; Computer Systems
Identifiers
URN: urn:nbn:se:kth:diva-356018
DOI: 10.1109/CSF61375.2024.00017
ISI: 001322679500026
Scopus ID: 2-s2.0-85205942253
OAI: oai:DiVA.org:kth-356018
DiVA, id: diva2:1912036
Conference
37th IEEE Computer Security Foundations Symposium (CSF), JUL 08-12, 2024, Enschede, NETHERLANDS
Note
Part of ISBN 979-8-3503-6204-6, 979-8-3503-6203-9
QC 20241111
2024-11-11, 2024-11-11, 2024-11-11. Bibliographically approved