Information Flow Control on a Multi-paradigm Web Application for SQL Injection Prevention

  • Meriam Ben-Ghorbel-Talbi
  • François Lesueur (email author)
  • Gaetan Perrin
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9482)


In this paper, we propose an integrated framework that controls information flows in order to prevent security attacks, namely SQL injections that threaten data confidentiality. The framework is based on the Prerequisite TBAC model, a new Tuple-Based Access Control model designed to control data dissemination in databases and to guarantee controlled declassification. To track information flow in the application part, we propose to dynamically propagate security labels through the system using Paragon, a security-typed language that extends Java with information flow policy specification.


Keywords: Information flow, TBAC, Declassification



This work has been partially funded by the French ANR KISS project under grant No. ANR-11-INSE-0005.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Meriam Ben-Ghorbel-Talbi (1)
  • François Lesueur (1), email author
  • Gaetan Perrin (1)
  1. Université de Lyon, CNRS, INSA-Lyon, LIRIS, UMR5205, Lyon, France
