Cross-tier, label-based security enforcement for web applications
Source
International Conference on Management of Data
Proceedings of the 35th SIGMOD international conference on Management of data
Providence, Rhode Island, USA
SESSION: Research session 7: testing and security
Pages 269-282  
Year of Publication: 2009
ISBN: 978-1-60558-551-2
Authors
Brian J. Corcoran  University of Maryland, College Park, MD, USA
Nikhil Swamy  Microsoft Research, Redmond, WA, USA
Michael Hicks  University of Maryland, College Park, MD, USA
Sponsors
ACM: Association for Computing Machinery
SIGMOD: ACM Special Interest Group on Management of Data
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1559845.1559875

ABSTRACT

This paper presents SELinks, a programming language focused on building secure multi-tier web applications. SELinks provides a uniform programming model, in the style of LINQ and Ruby on Rails, with language syntax for accessing objects residing either in the database or at the server. Object-level security policies are expressed as fully-customizable, first-class labels which may themselves be subject to security policies. Access to labeled data is mediated via trusted, user-provided policy enforcement functions.

SELinks has two novel features that ensure security policies are enforced correctly and efficiently. First, SELinks implements a type system called Fable that allows a protected object's type to refer to its protecting label. The type system can check that labeled data is never accessed directly by the program without first consulting the appropriate policy enforcement function. Second, SELinks compiles policy enforcement code to database-resident user-defined functions that can be called directly during query processing. Database-side checking avoids transferring data to the server needlessly, while still allowing policies to be expressed in a customizable and portable manner.

Our experience with two sizable web applications, a model health-care database and a secure wiki with fine-grained security policies, indicates that cross-tier policy enforcement in SELinks is flexible, relatively easy to use, and, when compared to a single-tier approach, improves throughput by nearly an order of magnitude. SELinks is freely available.


