Secure RDTs: Enforcing Access Control Policies for Offline Available JSON Data

Research output: Contribution to journalArticlepeer-review

160 Downloads (Pure)

Abstract

Replicated Data Types (RDTs) are a type of data structure that can be replicated over a network, where each replica can be kept (eventually) consistent with the other replicas. They are used in applications with intermittent network connectivity, since local (offline) edits can later be merged with the other replicas. Applications that want to use RDTs often have an inherent security component that restricts data access for certain clients. However, access control for RDTs is difficult to enforce for clients that are not running within a secure environment, e.g., web applications where the client-side software can be freely tampered with. In essence, an application cannot prevent a client from reading data which they are not supposed to read, and any malicious changes will also affect well-behaved clients. This paper proposes Secure RDTs (SRDTs), a data type that specifies role-based access control for offline-available JSON data. In brief, a trusted application server specifies a security policy based on roles with read and write privileges for certain fields of an SRDT. The server enforces read privileges by projecting the data and security policy to omit any non-readable fields for the user's given role, and it acts as an intermediary to enforce write privileges. The approach is presented as an operational semantics engineered in PLT Redex, which is validated by formal proofs and randomised testing in Redex to ensure that the formal specification is secure.
Original languageEnglish
Article number227
Pages (from-to)1-27
Number of pages27
JournalProc. ACM Program. Lang.
Volume7
Issue numberOOPSLA2
DOIs
Publication statusPublished - 16 Oct 2023
EventSPLASH 2023: ACM SIGPLAN conference on Systems, Programming, Languages, and Applications: Software for Humanity - Hotel Cascais Miragem, Cascais, Portugal
Duration: 22 Oct 202327 Oct 2023
Conference number: 2023
https://2023.splashcon.org/

Bibliographical note

Funding Information:
Sam Van den Vonder was funded by the Flanders Innovation & Entrepreneurship (VLAIO) "Cybersecurity Initiative Flanders" program. Thierry Renaux was partly funded by the Flanders Innovation & Entrepreneurship (VLAIO) "Cybersecurity Initiative Flanders" program, and the Innoviris "SWAMP" project.

Publisher Copyright:
© 2023 Owner/Author.

Keywords

  • replicated data types
  • role-based access control
  • security
  • conflict-free replicated data types

Fingerprint

Dive into the research topics of 'Secure RDTs: Enforcing Access Control Policies for Offline Available JSON Data'. Together they form a unique fingerprint.

Cite this