@incollection{eprints2719,
            year = {2011},
          series = {Lecture Notes in Computer Science},
           title = {Type-based access control in data-centric systems},
           pages = {136--155},
          number = {6602},
       booktitle = {Programming Languages and Systems},
          author = {Luis Caires and Jorge A. P{\'e}rez and Jo{\~a}o C. Seco and Hugo  Torres Vieira and L{\'u}cio Ferr{\~a}o},
       publisher = {Springer},
            note = {Proceedings of the 20th European Symposium on Programming, ESOP 2011, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2011, Saarbr{\"u}cken, Germany, March 26?April 3, 2011},
             url = {http://eprints.imtlucca.it/2719/},
        abstract = {Data-centric multi-user systems, such as web applications, require flexible yet fine-grained data security mechanisms. Such mechanisms are usually enforced by a specially crafted security layer, which adds extra complexity and often leads to error prone coding, easily causing severe security breaches. In this paper, we introduce a programming language approach for enforcing access control policies to data in data-centric programs by static typing. Our development is based on the general concept of refinement type, but extended so as to address realistic and challenging scenarios of permission-based data security, in which policies dynamically depend on the database state, and flexible combinations of column- and row-level protection of data are necessary. We state and prove soundness and safety of our type system, stating that well-typed programs never break the declared data access control policies.}
}