Abstract: In one embodiment, a method includes receiving a request for an object; retrieving one or more rules to evaluate whether to allow or deny access to the object, wherein a first rule is of an allow-type or a deny-type; evaluating the first rule by executing one or more of its operations, wherein when any of the executed operations of the first rule returns a result that is not definitive, if the first rule is of the allow-type, assigning a final result as an indication to skip evaluation of the rule, and if the rule is of the deny-type, assigning the final result to the first rule as an indication to deny access to the object; determining final results for the one or more rules; and based on the final results, allowing or denying access to the object.

Abstract: In one embodiment, a method includes storing code defining access control rules for an object, the code defining each of the access control rules as a set of operations that each returns (1) when resolved, a predetermined result, and (2) when not resolved, a not definitive result indicating that it should be skipped if it is not necessary for determining the access control rule; compiling the code; compiling and loading the code; receiving a query for the object; executing the code to evaluate the corresponding operations; determining, for each access control rule, a rule-result comprising a value representing a true or a false value; determining a final result based on the one or more rule-results of the one or more access control rules, the final result indicating an allow-result or a deny-result; and sending the object when the final result evaluates to an allow-result.

Abstract: In one embodiment, a method includes receiving a request for an object; retrieving one or more rules to evaluate whether to allow or deny access to the object, wherein a first rule is of an allow-type or a deny-type; evaluating the first rule by executing one or more of its operations, wherein when any of the executed operations of the first rule returns a result that is not definitive, if the first rule is of the allow-type, assigning a final result as an indication to skip evaluation of the rule, and if the rule is of the deny-type, assigning the final result to the first rule as an indication to deny access to the object; determining final results for the one or more rules; and based on the final results, allowing or denying access to the object.

Abstract: Systems and methods for protecting the privacy of users by controlling access to the users' data. In particular, some embodiments provide for a higher-level declarative language for expressing privacy policies which can be verified using a computer-aided verification tool. The verification tool uses the expressed privacy policies along with language-level assumptions and assertions in the verification process. For example, high-level models of the privacy policies can be reduced to a simpler verification representation (e.g., a Boolean representation) based on a set of assertions. This verification representation can then be submitted to a constraint solver (e.g., Satisfiability Modulo Theories solver) for verification.

Abstract: In one embodiment, a storage and privacy system stores and manages information associated with users and ensures and enforces access-control rules specified for the stored information.

Abstract: In one embodiment, a method includes storing code defining access control rules for an object, the code defining each of the access control rules as a set of operations that each returns (1) when resolved, a predetermined result, and (2) when not resolved, a not definitive result indicating that it should be skipped if it is not necessary for determining the access control rule; compiling the code; compiling and loading the code; receiving a query for the object; executing the code to evaluate the corresponding operations; determining, for each access control rule, a rule-result comprising a value representing a true or a false value; determining a final result based on the one or more rule-results of the one or more access control rules, the final result indicating an allow-result or a deny-result; and sending the object when the final result evaluates to an allow-result.

Abstract: In one embodiment, a storage and privacy system stores and manages information associated with users and ensures and enforces access-control rules specified for the stored information.

Abstract: In one embodiment, a storage and privacy system stores and manages information associated with users and ensures and enforces access-control rules specified for the stored information.

Abstract: In one embodiment, a storage and privacy system stores and manages information associated with users and ensures and enforces access-control rules specified for the stored information.

Abstract: Systems and methods for protecting the privacy of users by controlling access to the users' data. In particular, some embodiments provide for a higher-level declarative language for expressing privacy policies which can be verified using a computer-aided verification tool. The verification tool uses the expressed privacy policies along with language-level assumptions and assertions in the verification process. For example, high-level models of the privacy policies can be reduced to a simpler verification representation (e.g., a Boolean representation) based on a set of assertions. This verification representation can then be submitted to a constraint solver (e.g., Satisfiability Modulo Theories solver) for verification.

Abstract: Systems and methods for protecting the privacy of users by controlling access to the users' data. In particular, some embodiments provide for a higher-level declarative language for expressing privacy policies which can be verified using a computer-aided verification tool. The verification tool uses the expressed privacy policies along with language-level assumptions and assertions in the verification process. For example, high-level models of the privacy policies can be reduced to a simpler verification representation (e.g., a Boolean representation) based on a set of assertions. This verification representation can then be submitted to a constraint solver (e.g., Satisfiability Modulo Theories solver) for verification.

Abstract: Systems and methods for protecting the privacy of users by controlling access to the users' data. In particular, some embodiments provide for a higher-level declarative language for expressing privacy policies which can be verified using a computer-aided verification tool. The verification tool uses the expressed privacy policies along with language-level assumptions and assertions in the verification process. For example, high-level models of the privacy policies can be reduced to a simpler verification representation (e.g., a Boolean representation) based on a set of assertions. This verification representation can then be submitted to a constraint solver (e.g., Satisfiability Modulo Theories solver) for verification.