Affiliation:
1. Vrije Universiteit Brussel, Brussels, Belgium
Abstract
Replicated Data Types (RDTs) are a type of data structure that can be replicated over a network, where each replica can be kept (eventually) consistent with the other replicas. They are used in applications with intermittent network connectivity, since local (offline) edits can later be merged with the other replicas. Applications that want to use RDTs often have an inherent security component that restricts data access for certain clients. However, access control for RDTs is difficult to enforce for clients that are not running within a secure environment, e.g., web applications where the client-side software can be freely tampered with. In essence, an application cannot prevent a client from reading data which they are not supposed to read, and any malicious changes will also affect well-behaved clients.
This paper proposes Secure RDTs (SRDTs), a data type that specifies role-based access control for offline-available JSON data. In brief, a trusted application server specifies a security policy based on roles with read and write privileges for certain fields of an SRDT. The server enforces read privileges by projecting the data and security policy to omit any non-readable fields for the user's given role, and it acts as an intermediary to enforce write privileges. The approach is presented as an operational semantics engineered in PLT Redex, which is validated by formal proofs and randomised testing in Redex to ensure that the formal specification is secure.
Publisher
Association for Computing Machinery (ACM)
Subject
Safety, Risk, Reliability and Quality,Software
Reference51 articles.
1. Adobe. 2022. Adobe to Acquire Figma. https://web.archive.org/web/20230619114811/https://news.adobe.com/news/news-details/2022/Adobe-to-Acquire-Figma/default.aspx Accessed on 2023-06-19 Adobe. 2022. Adobe to Acquire Figma. https://web.archive.org/web/20230619114811/https://news.adobe.com/news/news-details/2022/Adobe-to-Acquire-Figma/default.aspx Accessed on 2023-06-19
2. Automerge Contributors. 2023. Automerge CRDT. http://web.archive.org/web/20230118145244/https://automerge.org/ Accessed on 2023-01-18 Automerge Contributors. 2023. Automerge CRDT. http://web.archive.org/web/20230118145244/https://automerge.org/ Accessed on 2023-01-18
3. Secure Conflict-free Replicated Data Types
4. Building secure web applications with automatic partitioning
5. James Clark and Steven DeRose. 1999. XML Path Language (XPath) Version 1.0. W3C. http://web.archive.org/web/20230209115333/https://www.w3.org/TR/1999/REC-xpath-19991116/ Accessed on 2023-02-09 James Clark and Steven DeRose. 1999. XML Path Language (XPath) Version 1.0. W3C. http://web.archive.org/web/20230209115333/https://www.w3.org/TR/1999/REC-xpath-19991116/ Accessed on 2023-02-09