‹Programming› 2020
Mon 23 - Thu 26 March 2020 Porto, Portugal
Wed 25 Mar 2020 16:30 - 17:00 at Auditorium - Thinking about Data Chair(s): Jonathan Edwards

Database-backed applications often run queries with more authority than necessary. Since programs can access more data than they legitimately need, flaws in security checks at the application level can enable malicious or buggy code to view or modify data in violation of intended access control policies. Although database management systems provide tools to control access to data, these tools are not well-suited for modern applications which often have many users and consist of many different software components. First, databases are unaware of application users, and creating a new database user for each application user is impractical for applications with many users. Second, different components of the same application may require different authority, which would require creating different database users for different software components. Thus, it is difficult to properly limit the authority an application has when executing queries.

We propose ShillDB, a language for writing secure database-backed applications. ShillDB enables reasoning about database access at the language level through capabilities, which limit which database tables a program can access, and contracts, which limit what operations a program can perform on those tables. ShillDB contracts are expressed as part of function interfaces, making it easy to specify different access control policies for different components. Contracts act as executable security documentation for ShillDB programs and are enforced by the language runtime. Further, ShillDB provides database access control guarantees independent of (and in addition to) the security mechanisms of the underlying database management system.

We have implemented a prototype of ShillDB and have used it to implement the backend for a lending library reservation system with contracts for each endpoint. Our experience indicates that ShillDB is a practical language for enforcing database access control policies in realistic, multi-user applications and has reasonable performance overhead.

Wed 25 Mar

Displayed time zone: Belfast change

16:00 - 17:30
Thinking about DataResearch Papers at Auditorium
Chair(s): Jonathan Edwards
16:00
30m
Research paper
Bacatá: Notebooks for DSLs, Almost for Free
Research Papers
Mauricio Verano Merino Technische Universiteit Eindhoven, Jurgen Vinju CWI, Netherlands, Tijs van der Storm CWI & University of Groningen, Netherlands
Link to publication DOI Pre-print
16:30
30m
Research paper
Fine-Grained, Language-Based Access Control for Database-Backed Applications
Research Papers
Ezra Zigmond Harvard University, Stephen Chong Harvard University, Christos Dimoulas PLT @ Northwestern University, Scott Moore Galois, Inc
Link to publication DOI Pre-print
17:00
30m
Research paper
Foundations of a live data exploration environment
Research Papers
Tomas Petricek University of Kent
Link to publication DOI Pre-print