Results 1 - 4 of 4
Updatable Security Views, 2009
Cited by 10 (2 self)
Security views are a flexible and effective means of controlling access to confidential information. Rather than allowing untrusted users to access the source data directly, they can instead be provided with a restricted view, from which all confidential information has been removed. The program that generates the view effectively embodies a confidentiality policy for the underlying source data. However, this approach has a significant drawback: it prevents users from updating the data in the view. To address the “view update problem” in general, a number of bidirectional languages have been proposed. Programs in these languages—often called lenses—can be run in two directions: read from left to right, they map sources to views; read from right to left, they map updated views back to updated sources. However, existing bidirectional languages do not deal adequately with security issues. In particular, they do not provide a way to ensure the integrity of data in the source as it is manipulated by untrusted users of the view. We propose a novel framework of secure lenses that addresses these shortcomings. We first enrich the types of basic lenses with equivalence relations capturing notions of confidentiality and integrity and formulate the essential security conditions on source data as non-interference properties. We then offer a concrete instantiation of our framework in the domain of string transformations, developing concrete syntax for security-annotated regular expressions as well as a collection of bidirectional string combinators with annotated expressions as their types.
Bidirectional Programming Languages, 2009
Cited by 2 (0 self)
The need to edit data through a view arises in a host of applications across many different areas of computing. Unfortunately, few existing systems provide support for updatable views. In practice, when they are needed, updatable views are usually implemented using two separate programs: one to compute the view from the source and another to handle updates. This rudimentary design is tedious for programmers, difficult to reason about, and a nightmare to maintain. This dissertation describes bidirectional programming languages, which provide an elegant mechanism for describing updatable views. Unlike programs written in an ordinary language, which only work in one direction, programs written in a bidirectional language can be run both forwards and backwards: from left to right, they describe functions that map sources to views, and from right to left, they describe functions that map updated views back to updated sources. Besides eliminating redundancy, these languages can be designed to ensure correctness, guaranteeing by construction that the two functions work well together.
Cross-tier, Label-based Security Enforcement for Web Applications
Cited by 1 (0 self)
This paper presents SELinks, an extension of the Links web programming language, that allows a database and web server to collaboratively enforce a security policy with high assurance. Our approach has a number of benefits. First, the relationship between data and its security label is made explicit by the SELinks type system, which allows the compiler to ensure that a policy is always correctly enforced. Next, application-specific logic is communicated seamlessly to the database by compiling SELinks code and values to user-defined functions and custom datatypes, respectively, to be stored in the database. As a result, application-specific security policies can be enforced at the database while processing queries, improving both the overall efficiency of the application, as well as ensuring that sensitive data never leaves the database needlessly. Our experience with two sizeable web applications indicates that cross-tier policy enforcement in SELinks is flexible, relatively easy to use and improves efficiency, in terms of increased throughput, by as much as an order of magnitude.
A CPN Provenance Model of Workflow: Towards Diagnosis in the Cloud
Abstract. Workflow provenance is an important supportive component that encompasses knowledge sharing, product reusability and process verification. The emerging cloud computing paradigm offers new application opportunities but also raises research challenges, such as integrity, privacy, security and legal related issues. In this paper, we propose a Colored Petri Net (CPN) model for diagnosis based on Open Provenance Model (OPM). An illustrative application is presented: a workflow is expressed as a composition of services deployed in the Cloud, and security is implemented by means of Web Service Security policies (WS-S). Keywords: provenance, OPM, workflow, cloud computing, WS-S, CPN, diagnosis

