Tuple-Based Access Control: a Provenance-Based Information Flow Control for Relational Data

This paper proposes a flexible control framework for relational personal data that enforces data originators' dissemination policies. Inspired by the sticky policy paradigm and mandatory access control, dissemination policies are linked with atomic data and are combined when different pieces of data are merged. The background setting of relational provenance guarantees that the policy combining operations behave accordingly to the operations carried out on the data. We show that the framework can capture a large class of policies similar to those of lattice-based access control models and that it can be integrated seamlessly into relational database management systems. In particular, we define a path oriented dissemination control model where policies define authorized chains of transfers between databases. Promising ongoing research work include the generalization of the theoretical framework to more expressive query languages including aggregation and difference operators as well as experiments on secure tokens.