Cross-tier, Label-based Security Enforcement for Web Applications

Cited by: 0
Authors
Corcoran, Brian J. [1 ]
Swamy, Nikhil
Hicks, Michael [1 ]
Affiliations
[1] Univ Maryland, College Pk, MD 20742 USA
Source
ACM SIGMOD/PODS 2009 CONFERENCE | 2009
Keywords
database programming; security enforcement; web applications; type systems; compilers;
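DOI
Not available
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812 ;
Abstract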
This paper presents SELINKS, a programming language focused on building secure multi-tier web applications. SELINKS provides a uniform programming model, in the style of LINQ and Ruby on Rails, with language syntax for accessing objects residing either in the database or at the server. Object-level security policies are expressed as fully-customizable, first-class labels which may themselves be subject to security policies. Access to labeled data is mediated via trusted, user-provided policy enforcement functions. SELINKS has two novel features that ensure security policies are enforced correctly and efficiently. First, SELINKS implements a type system called Fable that allows a protected object's type to refer to its protecting label. The type system can check that labeled data is never accessed directly by the program without first consulting the appropriate policy enforcement function. Second, SELINKS compiles policy enforcement code to database-resident user-defined functions that can be called directly during query processing. Database-side checking avoids transferring data to the server needlessly, while still allowing policies to be expressed in a customizable and portable manner. Our experience with two sizable web applications, a model health-care database and a secure wiki with fine-grained security policies, indicates that cross-tier policy enforcement in SELINKS is flexible, relatively easy to use, and, when compared to a single-tier approach, improves throughput by nearly an order of magnitude. SELINKS is freely available.
Pages: 269 / 281
Page count: 13