1
Authorization in Oracle Part 2 Ji-Won Mahesh
2
Stored Procedures
If A gives B insert on t with no grant option, can only B insert into t?
No – must consider whether B has the “create procedure” (or “create any procedure”) system privilege.
3
Examples

Bob.inv:

create or replace procedure inv(x number, y number)
authid current_user as  -- invoker's rights
begin
  insert into alice.t1 values (x,y);
  commit;
end;
/

Bob.def:

create or replace procedure def(x number, y number)
authid definer as  -- optional clause: definer's rights is the default
begin
  insert into alice.t1 values (x,y);
  commit;
end;
/
4
Definer’s rights procedure
“A user…requires only the privilege to execute the procedure and no privileges on the underlying objects…”
“…operates under the security domain of the user who owns the procedure…”
“At runtime, the privileges of the owner…are always checked…”
5
Invoker’s rights procedure
“…executes with all of the invoker’s privileges…”
“…invoker needs privileges at runtime to access…DML or dynamic SQL statements, because they are effectively recompiled at runtime.”
“For…direct PL/SQL function calls, the owner’s privileges are checked at compile time, and no runtime check is made. Therefore, the user…needs no privileges…outside DML or dynamic SQL statements.”
6
Examples

Carl.def_inv:

create or replace procedure def_inv(x number, y number) as
begin
  bob.inv(x,y);
end;
/

Similarly: Carl.inv_inv, Carl.inv_def, …
7
def_inv
[Diagram: A, B, C, D, with procedures inv (B) and def_inv (C)]
8
inv_inv
[Diagram: A, B, C, D, with procedures inv (B) and inv_inv (C)]
9
inv_def
[Diagram: A, B, C, D, with procedures def (B) and inv_def (C)]
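The three call chains above can be traced with a small model. This is an added example in Python, not code from the slides and not Oracle code: the user "dave" (standing in for D), the grant sets and the function names are assumptions, and roles are ignored.

```python
# Toy model (added example): whose privileges Oracle checks for the INSERT.
# Procedure names follow the slides; user "dave" (D) and all grants are constructed.

# procedure -> (authid, callee); callee None means the body inserts into alice.t1
PROCS = {
    "bob.inv":      ("current_user", None),
    "bob.def":      ("definer",      None),
    "carl.def_inv": ("definer",      "bob.inv"),
    "carl.inv_inv": ("current_user", "bob.inv"),
    "carl.inv_def": ("current_user", "bob.def"),
}

# Constructed grant: alice gave bob INSERT on t1 with no grant option.
INSERT_ON_T1 = {"alice", "bob"}
# Constructed EXECUTE grants (owners can always run their own procedures).
EXECUTE = {
    "bob.inv": {"carl"}, "bob.def": {"carl"},
    "carl.def_inv": {"dave"}, "carl.inv_inv": {"dave"}, "carl.inv_def": {"dave"},
}

def owner(proc):
    return proc.split(".")[0]

def effective_user(proc, session_user):
    """User whose privileges are checked for the INSERT ending the call chain."""
    current = session_user
    while proc is not None:
        authid, callee = PROCS[proc]
        if authid == "definer":
            current = owner(proc)  # definer's rights: run as the owner
        # authid current_user: the current user carries through unchanged
        proc = callee
    return current

def can_insert(proc, session_user):
    """True if session_user gets a row into alice.t1 by calling proc."""
    # Only the top-level call needs a runtime EXECUTE check; nested direct
    # calls were checked against the owner at compile time (see the quotes).
    if session_user != owner(proc) and session_user not in EXECUTE.get(proc, set()):
        return False
    return effective_user(proc, session_user) in INSERT_ON_T1

if __name__ == "__main__":
    for p in ("carl.def_inv", "carl.inv_inv", "carl.inv_def"):
        print(p, effective_user(p, "dave"), can_insert(p, "dave"))
```

Only the chain ending in Bob.def lets dave insert: the definer's rights procedure passes B's insert privilege on to anyone who can execute it, even though A's grant carried no grant option.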
10
Understanding Java Stack Inspection
[Diagram labels: OS; Trusted Java; “The system”; Untrusted Java]
11
Java Access Control
Consequences of type safety
Old approach: sandbox
New approach: stack inspection
Assume access matrix, with subjects = signers/classes (?), and objects = resources
12
Stack Inspection
Frame has:
  Arguments
  Local vars.
  Ret. Addr.
Annotated with: enable_privs(t)
(Assumptions about who may do this)
  Newest frame, or current frame
13
Primitives
enable_privilege(t)
disable_privilege(t): explicit denial
revert_privilege(t): removal of annotation
check_privilege(t)
14
check_privilegeF(t)

check_privilege(t) {
  // walk the stack frames from newest to oldest
  foreach stackFrame {
    if (local policy forbids access to t by the class executing in stackFrame)
      deny access;
    if (stackFrame has enabled priv. for t)
      return; // allow access
    if (stackFrame has disabled priv. for t)
      deny access;
  }
  // no frame decided: apply the default
  // Default: Netscape: deny; Sun/Microsoft: allow
}
15
ABLP Logic
If s is an instance of a theorem in propositional logic, then s is true in ABLP
(Atomic) principals, statements
Connectives: says, , , ∧, |
Statement: e.g. Ok(t)
E.g. axiom: (A says (B A)) (B A)
16
Decision Problem
check_privilegeF(t) ≈ EF Ok(t) ?
EF = (, AVM(F), BF)
 = set of frame credentials frame signer
AVM(F) = access matrix entries P t
BF = belief set for the frame F
17
Constructing belief set
Example from the paper…
18
Decision Procedure
Collects all statements from (, AVM(F), BF)
Considers “type 1” statements: Ok(u)
Then considers “type 2” statements (P Q) and builds a di-graph.
Then considers “type 3” statements (F1 | F2 | … | Fk says Ok(u) ).
True if both:
  For all 1, …, k, Fi t in the di-graph
  u = t
19
Decision Procedure (contd.)
Terminates
Is sound
Conjectured to be complete
Is “equivalent” to Java stack inspection
20
Other stuff
E.g., when does call to enable_privilege(t) succeed?
Canonical form for belief set
  P1 | P2 P2 | P1
  P | P P
Pushdown automata
Security-passing style: carrying around belief set in a “hidden” parameter
21
Other stuff (contd.)
RPC:
Caller sends to callee:
  Belief set
  Frame credentials
Callee prepends:
  Kcaller | to every entry in belief set