Disjunctive Policies for Database-Backed Programs
Amir M. Ahmadian, Matvey Soloviev, Musard Balliu
TL;DR
This work addresses enforcing disjunctive security policies for database-backed programs by developing a semantic framework that models disjunctive dependencies and their security implications. It introduces the Determinacy Lattice (DL) and its extension, the Determinacy Quantale (DQ), to capture how query results may reveal information from one of several branches, and relates these to the Quantale of Information (QoI). The authors provide a type-based, path-sensitive dependency analysis and a query abstraction (symbolic tuples) that, together with a static enforcement mechanism, prove sound with respect to a knowledge-based security condition. The approach is implemented in a prototype tool, DiVerT, and evaluated on a suite of tests and practical use cases including privacy-preserving location, data publishing, secret sharing, and online item access. The framework unifies database security and information-flow perspectives and offers a scalable, sound method for enforcing complex disjunctive policies in real database-backed applications.
Abstract
When specifying security policies for databases, it is often natural to formulate disjunctive dependencies, where a piece of information may depend on at most one of two dependencies P1 or P2, but not both. A formal semantic model of such disjunctive dependencies, the Quantale of Information, was recently introduced by Hunt and Sands as a generalization of the Lattice of Information. In this paper, we seek to contribute to the understanding of disjunctive dependencies in database-backed programs and introduce a practical framework to statically enforce disjunctive security policies. To that end, we introduce the Determinacy Quantale, a new query-based structure which captures the ordering of disjunctive information in databases. This structure can be understood as a query-based counterpart to the Quantale of Information. Based on this structure, we design a sound enforcement mechanism to check disjunctive policies for database-backed programs. This mechanism is based on a type-based analysis for a simple imperative language with database queries, which is precise enough to accommodate a variety of row- and column-level database policies flexibly while keeping track of disjunctions due to control flow. We validate our mechanism by implementing it in a tool, DiVerT, and demonstrate its feasibility on a number of use cases.