%0 Book Section
%A Caires, Luis
%A Pérez, Jorge A.
%A Seco, João C.
%A Torres Vieira, Hugo 
%A Ferrão, Lúcio
%B Programming Languages and Systems
%D 2011
%F eprints:2719
%I Springer
%N 6602
%P 136-155
%S Lecture Notes in Computer Science
%T Type-based access control in data-centric systems
%U http://eprints.imtlucca.it/2719/
%X Data-centric multi-user systems, such as web applications, require flexible yet fine-grained data security mechanisms. Such mechanisms are usually enforced by a specially crafted security layer, which adds extra complexity and often leads to error prone coding, easily causing severe security breaches. In this paper, we introduce a programming language approach for enforcing access control policies to data in data-centric programs by static typing. Our development is based on the general concept of refinement type, but extended so as to address realistic and challenging scenarios of permission-based data security, in which policies dynamically depend on the database state, and flexible combinations of column- and row-level protection of data are necessary. We state and prove soundness and safety of our type system, stating that well-typed programs never break the declared data access control policies.
%Z Proceedings of the 20th European Symposium on Programming, ESOP 2011, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2011, Saarbrücken, Germany, March 26–April 3, 2011