Updatable security views

JN Foster, BC Pierce… - 2009 22nd IEEE Computer …, 2009 - ieeexplore.ieee.org
Security views are a flexible and effective mechanism for controlling access to confidential information. Rather than allowing untrusted users to access source data directly, they are instead provided with a restricted view, from which all confidential information has been removed. The program that generates the view effectively embodies a confidentiality policy for the underlying source data. However, this approach has a significant drawback: it prevents users from updating the data in the view.

To address the "view update problem" in general, a number of bidirectional languages have been proposed. Programs in these languages, often called lenses, can be run in two directions: read from left to right, they map sources to views; from right to left, they map updated views back to updated sources. However, existing bidirectional languages do not deal adequately with security. In particular, they do not provide a way to ensure the integrity of source data as it is manipulated by untrusted users of the view.

We propose a novel framework of secure lenses that addresses these shortcomings. We enrich the types of basic lenses with equivalence relations capturing notions of confidentiality and integrity, and formulate the essential security conditions as non-interference properties. We then instantiate this framework in the domain of string transformations, developing syntax for bidirectional string combinators with security-annotated regular expressions as their types.