Security views are a flexible and effective means of controlling access to confidential information. Rather than allowing untrusted users to access the source data directly, they can instead be provided with a restricted view, from which all confidential information has been removed. The program that generates the view effectively embodies a confidentiality policy for the underlying source data. However, this approach has a significant drawback: it prevents users from updating the data in the view. To address the “view update problem ” in general, a number of bidirectional languages have been proposed. Programs in these languages—often called lenses—can be run in two directions: read from left to right, they map sources to views; read from right to left, they map updated views back to updated sources. However, existing bidirectional languages do not deal adequately with security issues. In particular, they do not provide a way to ensure the integrity of data in the source as it is manipulated by untrusted users of the view. We propose a novel framework of secure lenses that addresses these shortcomings. We first enrich the types of basic lenses with equivalence relations capturing notions of confidentiality and integrity and formulate the essential security conditions on source data as non-interference properties. We then offer a concrete instantiation of our framework in the domain of string transformations, developing concrete syntax for security-annotated regular expressions as well as a collection of bidirectional string combinators with annotated expressions as their types.

Abstract. Data integrity is an assurance that data has not been modified in an unknown or unauthorized manner. The goal of this paper is to allow a user to leverage a small amount of trusted client-side computation to achieve guarantees of integrity when interacting with a vulnerable or untrusted database server. To achieve this goal we describe a novel relational hash tree, designed for efficient database processing, and evaluate the performance penalty for integrity guarantees. We show that strong cryptographic guarantees of integrity can be provided in a relational database with modest overhead. 1