Fine-grained access control policies in data-centric programming

Distributed data-centric systems such as web and cloud applications, in a multi-user setting, require specially tailored techniques to reason about fine-grained data security policies. In this talk we explore how language based techniques can be used to express access-control policies, centered on meta-information of the data repository. We present two approaches to solve this problem. We present a statically checked approach based on the general concept of refinement type, extended to address realistic and challenging scenarios of permission-based data security. We next present a dynamically checked instance of this security model, that extends a web development framework with the notion of data-role and user defined capabilities, two features that promote security by construction in the development of web enterprise applications. Both approaches ensure that checked applications never break the declared data access control policies.