Updatable Security Views

Security views are a flexible and effective mechanism for controlling access to confidential information. Rather than allowing untrusted users to access source data directly, they are instead provided with a restricted view from which all confidential information has been removed. The program that generates the view effectively embodies a confidentiality policy for the underlying source data. However, this approach has a significant drawback: it prevents users from updating the data in the view.

To address the "view update problem" in general, a number of bidirectional languages have been proposed. Programs in these languages (often called lenses) can be run in two directions: read from left to right, they map sources to views; from right to left, they map updated views back to updated sources. However, existing bidirectional languages do not deal adequately with security. In particular, they do not provide a way to ensure the integrity of source data as it is manipulated by untrusted users of the view.

We propose a novel framework of secure lenses that addresses these shortcomings. We enrich the types of basic lenses with equivalence relations capturing notions of confidentiality and integrity, and formulate the essential security conditions as non-interference properties. We then instantiate this framework in the domain of string transformations, developing syntax for bidirectional string combinators with security-annotated regular expressions as their types.
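The following is an added illustration, not code from the paper or the Boomerang project: a minimal string lens over a constructed record format, with the two lens directions plus confidentiality and integrity expressed as non-interference checks over source equivalence relations (the field names, the `~C`/`~I` relations and the `IntegrityViolation` error are assumptions made for this example).

```python
# Constructed format: source = "name,ssn,phone", view = "name,phone".
# ssn is confidential (never reaches the view); name is trusted (a view
# user may not change it); phone is untrusted (a view user may edit it).

class IntegrityViolation(Exception):
    """Raised when an updated view would alter trusted source data."""

def get(source: str) -> str:
    """Forward direction (source -> view): drop the confidential ssn."""
    name, _ssn, phone = source.split(",")
    return f"{name},{phone}"

def put(view: str, source: str) -> str:
    """Backward direction (view, old source -> new source): restore the
    hidden ssn and refuse any edit to the trusted name field."""
    old_name, ssn, _old_phone = source.split(",")
    new_name, new_phone = view.split(",")
    if new_name != old_name:
        raise IntegrityViolation("trusted field 'name' may not be edited via the view")
    return f"{old_name},{ssn},{new_phone}"

def conf_equiv(s1: str, s2: str) -> bool:
    """s1 ~C s2: the sources agree on everything except the confidential ssn."""
    n1, _, p1 = s1.split(",")
    n2, _, p2 = s2.split(",")
    return (n1, p1) == (n2, p2)

def integ_equiv(s1: str, s2: str) -> bool:
    """s1 ~I s2: the sources agree on the trusted name field."""
    return s1.split(",")[0] == s2.split(",")[0]

def lens_laws_hold(source: str, view: str) -> bool:
    """GetPut and PutGet, the basic well-behavedness laws for a lens."""
    return put(get(source), source) == source and get(put(view, source)) == view

def confidentiality_holds(s1: str, s2: str) -> bool:
    """Non-interference: sources that differ only in confidential data
    must produce identical views (so the view leaks nothing about ssn)."""
    return (not conf_equiv(s1, s2)) or get(s1) == get(s2)

def put_rejected(view: str, source: str) -> bool:
    """True if the lens refuses this view update outright."""
    try:
        put(view, source)
        return False
    except IntegrityViolation:
        return True

def integrity_holds(view: str, source: str) -> bool:
    """Non-interference: whatever the view user writes, an accepted put
    leaves the trusted part of the source unchanged (new source ~I old)."""
    return put_rejected(view, source) or integ_equiv(put(view, source), source)
```

The integrity check shows why a plain lens is not enough: PutGet would force `put` to accept a renamed record, so the secure lens must instead exclude such views from the view type and reject them.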
