[kige06]	Daniel Kifer and J. E. Gehrke. Injecting utility into anonymized datasets. In Proc. ACM SIGMOD International Conference on Management of Data (SIGMOD'06), June 2006. [ bib \| .pdf \| .pdf ]
[mage06]	Ashwin Machanavajjhala, Johannes Gehrke, Daniel Kifer, and Muthuramakrishnan Venkitasubramaniam. l-diversity: Privacy beyond k-anonymity. In Proc. IEEE International Conference on Data Engineering (ICDE'06), April 2006. [ bib \| .pdf \| .pdf ]
[kara06]	Govind Kabra, Ravishankar Ramamurthy, and S. Sudarshan. Redundancy and information leakage in fine-grained access control. In Proc. ACM SIGMOD international Conference on Management of Data (SIGMOD'06), pages 133-144, 2006. [ bib \| .pdf ]
[yusr04]	Ting Yu, Divesh Srivastava, Laks V. S. Lakshmanan, and H. V. Jagadish. A compressed accessibility map for XML. ACM Transactions on Database Systems (TODS), 29(2):363-402, June 2004. [ bib ] This is the journal version of [yusr02].
[fach04]	Wenfei Fan, Chee Yong Chan, and Minos Garofalakis. Secure xml querying with security views. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD'04), 2004. [ bib \| .pdf \| .pdf ] Deals with subset of Xpath that is more general than twig queries. Defines a language for specifying access controls by annotating the document DTD, an algorithm for automatically deriving the security view (including a view DTD) from the access control specification, and an algorithm for rewriting queries defined over the view so that they can be evaluated against the base data.
[rime04]	Shariq Rizvi, Alberto O. Mendelzon, S. Sudarshan, and Prasan Roy. Extending query rewriting techniques for fine-grained access control. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD'04), 2004. [ bib \| .pdf ] Defines parameterized, user-specific authorization views over relational tables. Unlike [fach04], argues that query processing should be authorization transparent - that is, queries are expressed against the base tables, not the authorization views. Such a query is said to be valid if it can be rewritten using only authorization views. Invalid queries are rejected, so this is a go/no-go security model, like that SQL. Validity testing is undecidable unless the query language is restricted, e.g., to conjunctive queries.
[rowi04]	Arnon Rosenthal and Marianne Winslett. Security of shared data in large systems. In Proceedings of the ACM SIGMOD International Conference on Management of Data (SIGMOD'04), 2004. tutorial presentation. [ bib \| http \| .pdf ]
[cham02]	SungRan Cho, Sihem Amer-Yahia, Laks V. S. Lakshmanan, and Divesh Srivastava. Optimizing the secure evaluation of twig queries. In Proceedings of the 28th International Conference on Very Large Data Bases (VLDB), pages 490-501, August 2002. [ bib \| .pdf \| .pdf ]
[yusr02]	Ting Yu, Divesh Srivastava, Laks V. S. Lakshmanan, and H. V. Jagadish. Compressed accessibility map: Efficient access control for XML. In Proceedings of the 28th International Conference on Very Large Data Bases (VLDB), pages 478-489, August 2002. [ bib \| .pdf \| .pdf ]
[stfa02]	Andrei Stoica and Csilla Farkas. Secure XML views. In Research Directions in Data and Applications Security, IFIP WG 11.3 Sixteenth International Conference on Data and Applications Security, volume 256 of IFIP Conference Proceedings, pages 133-146. Kluwer, July 2002. [ bib \| .pdf ]
[swee02]	Latanya Sweeney. k-anonymity: A model for protecting privacy. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10(5):557-570, 2002. [ bib \| .pdf \| .pdf ]
[motr89]	A. Motro. An access authorization model for relational databases based on algebraic manipulation of view definitions. In International Conference on Data Engineering (ICDE'89), pages 339-347, 1989. [ bib ]
[lamp71]	Butler W. Lampson. Protection. In Proc. Fifth Princeton Symposium on Information Sciences and Systems, pages 437-443, March 1971. Reprinted in Operating Systems Review, 8, 1, January 1974, pp. 18-24. [ bib \| .pdf ]