Sciweavers

SIGMOD
2009
ACM

Cross-tier, label-based security enforcement for web applications

15 years 20 days ago
Cross-tier, label-based security enforcement for web applications
This paper presents SELinks, a programming language focused on building secure multi-tier web applications. SELinks provides a uniform programming model, in the style of LINQ and Ruby on Rails, with language syntax for accessing objects residing either on the database or at the server. Object-level security policies are expressed as labels, which are fully-customizable, first-class objects and may themselves be subject to security policies. Access to labeled data is mediated via trusted, user-provided policy enforcement functions. SELinks has two novel features that ensure security policies are enforced correctly and efficiently. First, SELinks implements a previously proposed type system called Fable that allows a protected object's type to refer to its protecting label. The type system can check that labeled data is never accessed directly by the program without first passing through the appropriate policy enforcement function. Second, SELinks compiles policy enforcement code t...
Brian J. Corcoran, Nikhil Swamy, Michael W. Hicks
Added 05 Dec 2009
Updated 05 Dec 2009
Type Conference
Year 2009
Where SIGMOD
Authors Brian J. Corcoran, Nikhil Swamy, Michael W. Hicks
Comments (0)