CPL - Chalmers Publication Library
| Utbildning | Forskning | Styrkeområden | Om Chalmers | In English In English Ej inloggad.

SeLINQ: Tracking information across application-database boundaries

Daniel Schoepe (Institutionen för data- och informationsteknik, Datavetenskap, Algoritmer (Chalmers)) ; Daniel Hedin (Institutionen för data- och informationsteknik, Datavetenskap (Chalmers)) ; Andrei Sabelfeld (Institutionen för data- och informationsteknik, Datavetenskap (Chalmers))
Proceedings of the ACM SIGPLAN International Conference on Functional Programming, ICFP (0362-1340). Vol. 49 (2014), 9, p. 25-38.
[Konferensbidrag, refereegranskat]

The root cause for confidentiality and integrity attacks against computing systems is insecure information flow. The complexity of modern systems poses a major challenge to secure end-to-end information flow, ensuring that the insecurity of a single component does not render the entire system insecure. While information flow in a variety of languages and settings has been thoroughly studied in isolation, the problem of tracking information across component boundaries has been largely out of reach of the work so far. This is unsatisfactory because tracking information across component boundaries is necessary for end-to-end security. This paper proposes a framework for uniform tracking of information flow through both the application and the underlying database. Key enabler of the uniform treatment is recent work by Cheney et al., which studies database manipulation via an embedded language-integrated query language (with Microsoft's LINQ on the backend). Because both the host language and the embedded query languages are functional F#-like languages, we are able to leverage information-flow enforcement for functional languages to obtain information-flow control for databases "for free", synergize it with information-flow control for applications and thus guarantee security across application-database boundaries. We develop the formal results in the form of a security type system that includes a treatment of algebraic data types and pattern matching, and establish its soundness. On the practical side, we implement the framework and demonstrate its usefulness in a case study with a realistic movie rental database.

Nyckelord: end-to-end security, information flow, language-integrated queries, static analysis



Denna post skapades 2014-09-23. Senast ändrad 2015-12-17.
CPL Pubid: 203167

 

Läs direkt!


Länk till annan sajt (kan kräva inloggning)