Database-backed applications often run queries with more authority than necessary. Since programs can access more data than they legitimately need, flaws in security checks at the application level can enable malicious or buggy code to view or modify data in violation of intended access control policies. Although database management systems provide tools to control access to data, these tools are not well-suited for modern applications which often have many users and consist of many different software components. First, databases are unaware of application users, and creating a new database user for each application user is impractical for applications with many users. Second, different components of the same application may require different authority, which would require creating different database users for different software components. Thus, it is difficult to properly limit the authority an application has when executing queries.

We propose ShillDB, a language for writing secure database-backed applications. ShillDB enables reasoning about database access at the language level through capabilities, which limit which database tables a program can access, and contracts, which limit what operations a program can perform on those tables. ShillDB contracts are expressed as part of function interfaces, making it easy to specify different access control policies for different components. Contracts act as executable security documentation for ShillDB programs and are enforced by the language runtime. Further, ShillDB provides database access control guarantees independent of (and in addition to) the security mechanisms of the underlying database management system.

We have implemented a prototype of ShillDB and have used it to implement the backend for a lending library reservation system with contracts for each endpoint. Our experience indicates that ShillDB is a practical language for enforcing database access control policies in realistic, multi-user applications and has reasonable performance overhead.