EAM-SQL: Cryptographic Safety Envelopes for Table-Centric AI

Published: 18 Nov 2025, Last Modified: 18 Nov 2025, AITD@EurIPS 2025 Poster, CC BY 4.0
Submission Type: Short paper (4 pages)
Keywords: Table-centric AI, NL2SQL, RAG-over-tables, ETL, capability-based authorization, macaroons (HMAC), canonical SQL / AST hashing, sequence integrity, replay & rate-limit enforcement, mandatory parameterization, tamper-evident audit logs, sidecar proxy, ex-ante guarantees, RBAC/RLS complement
Abstract: Table-centric AI systems, such as NL2SQL agents, RAG-over-tables, and ETL planners, turn model outputs into real database effects. Yet common defenses (filters, sandboxes, post-hoc audits) lack planner-to-DB, query-level ex-ante guarantees. We present EAM-SQL, a lightweight, HMAC (Hash-based Message Authentication Code)-only authorization layer that attaches a cryptographically verifiable “safety envelope” to every statement. EAM-SQL introduces (i) SQL-aware caveats over operations, tables/columns, joins, row predicates, and rate/time; (ii) normalized SQL content binding via hashes of a canonical AST (WHERE/PROJECTION/FROM graph), preventing prompt-level rewrites from smuggling different queries; and (iii) transaction-sequence integrity via a chained transaction hash that enforces order and blocks replay or splicing. A sidecar proxy performs mandatory parameterization, canonicalization with content-hash verification, caveat checking, and tamper-evident auditing, all at microsecond scale. On a SQL attack harness (≥800 attempts spanning injection, query splicing, unauthorized access, join escalation, broad exfiltration, replay, and tag manipulation), EAM-SQL achieved 0% unauthorized execution with 6–50 μs detection and <2 ms P99.9 verification overhead. By cryptographically binding statement content, scope, and order, rather than relying on mutable roles or heuristic filters, EAM-SQL provides verifiable safety for NL interfaces to databases, RAG-over-relational retrieval, and bounded ETL in enterprise and regulated settings.
Submission Number: 38
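
The three mechanisms named in the abstract (HMAC-chained caveats, content-hash binding, and a chained transaction hash) can be sketched as follows. This is an added example, not code from the paper: the caveat names, function names, and the whitespace/case normalizer standing in for canonical-AST hashing are all assumptions made for illustration.

```python
import hashlib, hmac, re

def canon_hash(sql):
    # Stand-in for canonical-AST hashing (assumption): normalize case/whitespace only.
    norm = re.sub(r"\s+", " ", sql.strip().rstrip(";")).lower()
    return hashlib.sha256(norm.encode()).hexdigest()

def chain_tag(root_key, caveats):
    # Macaroon-style chaining: each caveat is MACed under the previous tag.
    tag = root_key
    for c in caveats:
        tag = hmac.new(tag, c.encode(), hashlib.sha256).digest()
    return tag.hex()

def tx_hash(prev, sql):
    # Chained transaction hash: new head commits to the old head and this statement.
    return hashlib.sha256((prev + canon_hash(sql)).encode()).hexdigest()

def mint(root_key, sql, prev, ops, tables):
    # Hypothetical caveat layout: allowed ops, allowed tables, content hash, chain head.
    caveats = ["op=" + ",".join(sorted(ops)), "tables=" + ",".join(sorted(tables)),
               "sql_hash=" + canon_hash(sql), "prev_tx=" + prev]
    return {"caveats": caveats, "tag": chain_tag(root_key, caveats)}

def verify(root_key, env, sql, state):
    """Proxy-side check; returns (allowed, reason) and advances state['head'] on success."""
    if not hmac.compare_digest(chain_tag(root_key, env["caveats"]), env["tag"]):
        return False, "bad tag"                  # caveats or tag were altered
    cav = dict(c.split("=", 1) for c in env["caveats"])
    if cav["sql_hash"] != canon_hash(sql):
        return False, "content mismatch"         # statement differs from what was signed
    if cav["prev_tx"] != state["head"]:
        return False, "replay or out of order"   # envelope bound to an older chain head
    if re.search(r"'[^']*'", sql):
        return False, "inline literal"           # mandatory parameterization
    if sql.split()[0].lower() not in cav["op"].split(","):
        return False, "operation not allowed"
    used = re.findall(r"\b(?:from|join)\s+(\w+)", sql.lower())
    if any(t not in cav["tables"].split(",") for t in used):
        return False, "table not allowed"        # e.g. join escalation
    state["head"] = tx_hash(state["head"], sql)
    return True, "ok"
```

A rejected statement leaves `state["head"]` unchanged, so a valid envelope minted for the current head still verifies after failed attempts.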