The paper addresses the challenge of enforcing disjunctive security policies in database-backed programs. Disjunctive policies state that an entity may learn one of two pieces of information, but not both. This is common in scenarios like medical databases, where releasing too many parameters about a participant could deanonymize them.
The authors introduce the Determinacy Lattice (DL) and Determinacy Quantale (DQ) as formal models for reasoning about disjunctive dependencies in database queries. The DL captures the ordering of information based on query determinacy, while the DQ extends this to represent disjunctive dependencies.
Using the DQ model, the authors define a security condition that relates the disjunctive dependencies in a program to the allowed disjunctive policy. They then propose a static type-based enforcement mechanism that can soundly check if a program satisfies this security condition.
The key aspects of the enforcement are:
The authors implement this enforcement mechanism in a tool called DIVERT and demonstrate its feasibility on a number of use cases.
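As an added illustration of what a disjunctive policy rules out (a constructed Python sketch, not the paper's DL/DQ model or the DIVERT tool; the class names and the abstraction of a query as the set of sensitive columns it depends on are assumptions):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    """A database query, abstracted to the sensitive columns its result depends on."""
    name: str
    depends_on: frozenset


@dataclass(frozen=True)
class DisjunctivePolicy:
    """Each disjunct is a set of columns an observer may learn together.
    Learning a combination that no single disjunct covers violates the policy."""
    disjuncts: tuple

    def covering_disjuncts(self, learned):
        return [d for d in self.disjuncts if learned <= d]


def check_program(queries, policy):
    """Accumulate what the observer learns across the whole program
    (an over-approximation: every column a query reads counts as revealed).
    Returns (ok, offending_query_name, learned_columns)."""
    learned = frozenset()
    for q in queries:
        learned |= q.depends_on
        if not policy.covering_disjuncts(learned):
            return False, q.name, learned
    return True, None, learned


# Constructed medical-database scenario: age or zip code may be released
# alongside the diagnosis, but never both, since the pair could deanonymize.
POLICY = DisjunctivePolicy((
    frozenset({"age", "diagnosis"}),
    frozenset({"zip", "diagnosis"}),
))

SAFE_PROGRAM = [
    Query("q_diag", frozenset({"diagnosis"})),
    Query("q_age", frozenset({"age"})),
]

# Each query below is individually permitted by some disjunct; the program
# as a whole is not, which is exactly what a per-query check would miss.
LEAKY_PROGRAM = SAFE_PROGRAM + [Query("q_zip", frozenset({"zip"}))]

if __name__ == "__main__":
    print(check_program(SAFE_PROGRAM, POLICY))
    print(check_program(LEAKY_PROGRAM, POLICY))
```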
arxiv.org