Paper Introduces New Type-Based Access Control in Data-Centric Systems
This paper was writen by 5 people, Luís Caires, João Costa Seco, Jorge Perez and Hugo Vieira, from CITI and Faculdade de Ciências e Tecnologia da Universidade Nova de Lisboa (FCTUNL), with Lúcio Ferrão, from the OutSystems company. This is the industrial partner of the INTERFACES project which aims at the development of new techniques for enforcing security, integrity, and correctness requirements on distributed extendable web‐based applications. It introduces novel, semantically rich notions of interface description languages, based on advanced type systems and logics. ESOP is an annual conference dedicated to fundamental issues in the specification, design, analysis, and implementation of programming languages and systems.
In the paper the authors introduce a new programming language approach for enforcing access control policies in data-centric programs by static typing. According to the paper’s abstract, this language “is based on the general concept of refinement type, but extended so as to address realistic and challenging scenarios of permission-based data security, in which policies dynamically depend on the database state, and flexible combinations of column- and row-level protection of data are necessary”. Throughout this paper the authors state and prove the soundness and safety of their system, maintaining that “well-typed programs never break the declared data access control policies.”