ACM Transactions on Computer Systems (TOCS)
A calculus for cryptographic protocols: the spi calculus
Proceedings of the 4th ACM conference on Computer and communications security
JFlow: practical mostly-static information flow control
Proceedings of the 26th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Extended static checking for Java
PLDI '02 Proceedings of the ACM SIGPLAN 2002 Conference on Programming language design and implementation
A Type-Based Approach to Program Security
TAPSOFT '97 Proceedings of the 7th International Joint Conference CAAP/FASE on Theory and Practice of Software Development
Securing web application code by static analysis and runtime protection
Proceedings of the 13th international conference on World Wide Web
Extending query rewriting techniques for fine-grained access control
SIGMOD '04 Proceedings of the 2004 ACM SIGMOD international conference on Management of data
Simplify: a theorem prover for program checking
Journal of the ACM (JACM)
Practical Information-flow Control in Web-Based Information Systems
CSFW '05 Proceedings of the 18th IEEE workshop on Computer Security Foundations
Labels and event processes in the asbestos operating system
Proceedings of the twentieth ACM symposium on Operating systems principles
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks
Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Making information flow explicit in HiStar
OSDI '06 Proceedings of the 7th USENIX Symposium on Operating Systems Design and Implementation - Volume 7
Static detection of security vulnerabilities in scripting languages
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Secure web applications via automatic partitioning
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Information flow control for standard OS abstractions
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
SIF: enforcing confidentiality and integrity in web applications
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Cross-tier, label-based security enforcement for web applications
Proceedings of the 2009 ACM SIGMOD International Conference on Management of data
Improving application security with data flow assertions
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
Links: web programming without tiers
FMCO'06 Proceedings of the 5th international conference on Formal methods for components and objects
Ur: statically-typed metaprogramming with type-level record computation
PLDI '10 Proceedings of the 2010 ACM SIGPLAN conference on Programming language design and implementation
Type-based access control in data-centric systems
ESOP'11/ETAPS'11 Proceedings of the 20th European conference on Programming languages and systems: part of the joint European conferences on theory and practice of software
CryptDB: protecting confidentiality with encrypted query processing
SOSP '11 Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles
A language for automatically enforcing privacy policies
POPL '12 Proceedings of the 39th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
CryptDB: processing queries on an encrypted database
Communications of the ACM
Hails: protecting data privacy in untrusted web applications
OSDI'12 Proceedings of the 10th USENIX conference on Operating Systems Design and Implementation
Rubicon: bounded verification of web applications
Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering
How languages can save distributed computing
POPL '13 Proceedings of the 40th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages
WEBLOG: a declarative language for secure web development
Proceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security
Faceted execution of policy-agnostic programs
Proceedings of the Eighth ACM SIGPLAN workshop on Programming languages and analysis for security
IFDB: decentralized information flow control for databases
Proceedings of the 8th ACM European Conference on Computer Systems
A survey on server-side approaches to securing web applications
ACM Computing Surveys (CSUR)
Building web applications on top of encrypted data using Mylar
NSDI'14 Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation
| Hi-index | 0.02 |
We present a system for sound static checking of security policies for database-backed Web applications. Our tool checks a combination of access control and information flow policies, where the policies vary based on database contents. For instance, one or more database tables may represent an access control matrix, controlling who may read or write which cells of these and other tables. Using symbolic evaluation and automated theorem-proving, our tool checks these policies statically, requiring no program annotations (beyond the policies themselves) and adding no run-time overhead. Specifications come in the form of SQL queries as policies: for instance, an application's confidentiality policy is a fixed set of queries, whose results provide an upper bound on what information may be released to the user. To provide userdependent policies, we allow queries to depend on what secrets the user knows. We have used our prototype implementation to check several programs representative of the data-centric Web applications that are common today.