A Datalog Semantics for Paralocks

Broberg and Sands (POPL’10) introduced a logic-based policy language, Paralocks, suitable for static information-flow control in programs. Although Paralocks comes with a precise information-flow semantics for programs, the logic-based semantics of policies, describing how policies are combined and compared, is less well developed. This makes the algorithms for policy comparison and computation ad-hoc, and their security guarantees less intuitive. In this paper, we provide a new semantics for Paralocks policies based on Datalog. By doing so, we are able to show that the ad-hoc semantics from earlier work coincides with the natural Datalog interpretation. Furthermore, we show that by having a Datalog-inspired semantics, we can borrow language extensions and algorithms from Datalog for the benefit of Paralocks. We explore how these extensions and algorithms interact with the design and implementation of Paragon, a language combining Paralocks with Java.
