skip to main content
10.1145/3191697.3213791acmotherconferencesArticle/Chapter ViewAbstractPublication PagesprogrammingConference Proceedingsconference-collections
extended-abstract

Fine-grained, dynamic access control for database-backed applications

Published: 09 April 2018 Publication History

Abstract

Flaws in access control checks in database-backed applications frequently lead to security vulnerabilities. I present a new language, ShillDB, for writing secure, database-backed applications. ShillDB supports writing declarative database security policies as part of program interfaces, and the language runtime enforces these security policies.

References

[1]
Luís Caires, Jorge A Pérez, João Costa Seco, Hugo Torres Vieira, and Lúcio Ferrão. 2011. Type-Based Access Control in Data-Centric Systems. In ESOP. Springer, 136–155.
[2]
Adam Chlipala. 2010. Static Checking of Dynamically-Varying Security Policies in Database-Backed Applications. In OSDI. 105–118.
[3]
Christos Dimoulas, Scott Moore, Aslan Askarov, and Stephen Chong. 2014. Declarative policies for capability control. In Computer Security Foundations Symposium (CSF), 2014 IEEE 27th. IEEE, 3–17.
[4]
Robert Bruce Findler and Matthias Felleisen. 2002. Contracts for higher-order functions. In ACM SIGPLAN Notices, Vol. 37. ACM, 48–59.
[5]
Matthew Flatt and PLT. 2010. Reference: Racket. Technical Report PLT-TR-2010-1. PLT Design Inc. https://racket-lang.org/tr1/.
[6]
Phillip Heidegger, Annette Bieniusa, and Peter Thiemann. 2012. Access permission contracts for scripting languages. ACM SIGPLAN Notices 47, 1 (2012), 111–122.
[7]
Bertrand Meyer. 1992. Applying ’design by contract’. Computer 25, 10 (1992), 40–51.
[8]
M Miller. 2006. Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control. Johns Hopkins: Baltimore, MD (2006), 302.
[9]
Scott Moore, Christos Dimoulas, Dan King, and Stephen Chong. 2014. SHILL: A Secure Shell Scripting Language. In OSDI. 183–199.
[10]
Scott David Moore. 2016. Software Contracts for Security. Ph.D. Dissertation.
[11]
OWASP. 2017. OWASP Top Ten Project. https://www.owasp.org/index.php/ Category:OWASP_Top_Ten_Project
[12]
Jean Yang, Travis Hance, Thomas H Austin, Armando Solar-Lezama, Cormac Flanagan, and Stephen Chong. 2016. Precise, dynamic information flow for database-backed applications. In ACM SIGPLAN Notices, Vol. 51. ACM, 631–647. Abstract 1 Introduction 2 Contracts & Capabilities for Security 3 Designing Applications in ShillDB 4 Evaluation 5 Related Work Acknowledgments References

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences
Programming '18: Companion Proceedings of the 2nd International Conference on the Art, Science, and Engineering of Programming
April 2018
244 pages
ISBN:9781450355131
DOI:10.1145/3191697
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

In-Cooperation

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 April 2018

Check for updates

Author Tags

  1. capabilities
  2. contracts
  3. language-based security

Qualifiers

  • Extended-abstract

Conference

<Programming> 2018

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • 0
    Total Citations
  • 76
    Total Downloads
  • Downloads (Last 12 months)0
  • Downloads (Last 6 weeks)0
Reflects downloads up to 08 Feb 2025

Other Metrics

Citations

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media