Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Framework for Reflective Database Access Control Policies Lars E. Olson, Carl A. Gunter, and P. Madhusudan University of Illinois at Urbana-Champaign.

Published byMarian Baker Modified over 9 years ago

Similar presentations

Presentation on theme: "A Framework for Reflective Database Access Control Policies Lars E. Olson, Carl A. Gunter, and P. Madhusudan University of Illinois at Urbana-Champaign."— Presentation transcript:

1 A Framework for Reflective Database Access Control Policies Lars E. Olson, Carl A. Gunter, and P. Madhusudan University of Illinois at Urbana-Champaign

2 2 Outline Motivation for Reflective Database Access Control Oracle Virtual Private Database: A First Step Formal Modeling for RDBAC –Transaction Datalog –Safety Analysis Prototype Description

3 3 Introduction Database Alice BobCarolDavid

4 4 View-Based Access Control Employees NameSSNSalaryDeptPosition Alice12345678980000HRCPA Bob23456789070000SalesSales Rep Carol34567890190000SalesManager David45678901290000HRManager ACL Alice David

5 5 View-Based Access Control Employees NameSSNSalaryDeptPosition Alice12345678980000HRCPA Bob23456789070000SalesSales Rep Carol34567890190000SalesManager David45678901290000HRManager

6 6 View-Based Access Control Sales_Employees BobSales Carol Sales Rep Manager ACL Bob Carol

7 7 VBAC Weaknesses Employees NameSSNSalaryDeptPosition Alice12345678980000HRCPA Bob23456789070000SalesSales Rep Carol34567890190000SalesManager David45678901290000HRManager Alice Bob Carol David456789012 345678901 234567890 12345678980000 70000 90000 HR Sales HRManager Sales Rep CPA

8 8 VBAC Weaknesses Complicated policies can be awkward to define “Every employee can access their own records” “Every employee can view the name and position of every other employee in their department”

9 9 Motivation ACLs describe extent, rather than intent Decision support data is often already in the database –Redundancy –Possibility of update anomalies

10 10 Reflective Database Access Control Solution: access policies should contain queries –Not limited to read-only operations –Policies not assumed to be “omniscient” Is this a secure solution? Database

11 11 Database Reflective Database Access Control ACL Reflective Access Policy ? Alice

12 12 Oracle Virtual Private Database User-defined function as query filter –Access to current user –Access to other table data (excluding current table) –Non-omniscient— subject to policies protecting other data Flexible— a little too flexible…

13 13 Pitfalls in Reflective AC create or replace function leakInfoFilter (p_schema varchar2, p_obj varchar2) return varchar2 as begin for allowedVal in (select * from alice.employees) loop insert into logtable values (sysdate, 'name:' || allowedVal.name || ', ssn:' || allowedVal.ssn || ', salary:' || allowedVal.salary); end loop; commit; return ''; end;

14 14 Not Necessarily a Problem Note: –Only privileged users can define VPD policies. –Using POLICY_INVOKER instead of SESSION_USER in the employees table would solve this problem. Still, centralized policy definers not ideal –Scalability –Difficulty in understanding subtle policy interactions …and you have to deal with surly DB admins

15 15 Pitfalls in Reflective AC Queries within policies must be executed under someone’s permissions. Cyclic policies cause infinite loop. Long chains of policies may use the database inefficiently. Determining safety is undecidable, in general.

16 16 Transaction Datalog Datalog extended with assertion and retraction semantics Inference process extended to track modifications Concurrency and atomicity Implicit rollback on failure

17 17 Transaction Datalog Example State: emp(alice, 1234, 80000, hr, manager). emp(bob, 2345, 60000, hr, accountant). Transaction Base: changeSalary(Name, OldSalary, NewSalary) :- emp(Name, SSN, OldSalary, Dept, Pos), del.emp(Name, SSN, OldSalary, Dept, Pos), ins.emp(Name, SSN, NewSalary, Dept, Pos). Runtime queries: changeSalary(alice, 50000, 100000)? No. changeSalary(alice, 80000, 100000)? Yes.

18 18 TD as a Policy Language Allow users to access their own records: view.emp(User, Name, SSN, Salary, Dept, Pos) :- emp(Name, SSN, Salary, Dept, Pos), User=Name. Allow users to view names of employees in their own department: view.emp(User, Name, null, null, Dept, Pos) :- emp(User, _, _, Dept, _), emp(Name, _, _, Dept, Pos).

19 19 TD as a Policy Language Restrict and audit sensitive accesses: view.emp(User, Name, SSN, Salary, Dept, Pos) :- emp(User, _, _, hr, _), emp(Name, SSN, Salary, Dept, Pos), ins.auditLog(User, Name, cur_time). Chinese Wall policy: view.bank1(User, Data1, Data2) :- cwUsers(User, 1, OldValue), bank1(Data1, Data2), del.cwUsers(User, 1, OldValue), ins.cwUsers(User, 1, 0).

20 20 Fixing the Leak Policies must always run under the definer’s privileges: view.a(User,...) :- view.b(alice,...), view.c(alice,...). Basic table owner privileges can be generated automatically. view.a(alice,...) :- a(...).

21 21 Formal Safety Analysis Efficiency of answering the question “Can user u ever gain access right r to object o ?” –Excludes actions taken by trusted users TD can implement HRU model Consequence: safety is undecidable in general

22 22 Decidable Class #1 Read-only policies Check whether subject s can access object o initially Ignore irrelevant tables Infrequent updates –Polynomial-time safety check –Unsafe configurations can be rolled back

23 23 Decidable Class #2 Retraction-free “Safe rewritability” –Rewrite policies to calculate their effect on the database, e.g.: Original policy rule: p(X) :- q(X, Y), ins.r(X, Y), s(Y, Z). Rewritten rules: r(X, Y) :- q(X, Y). p(X) :- q(X, Y), r(X, Y), s(Y, Z). –Rewritten rules must be range-restricted to ensure efficient computation

24 24 Proving Safety Decidability Database never shrinks Rewritten rules provide upper bound on database Every sequence of operations reaches fixed point Finitely many operations Too ugly? –Use upper bound as conservative estimate –No negation semantics in TD

25 25 Proof-of-Concept Prototype SWI-Prolog Memory-resident database state Evaluated queries: –Baseline: direct table access –Table owner –View record of self –Manager access of all employees in the department –Audit access –Chinese Wall Calculated safety check (Class #1) for one user, all users Scalability with increased database size and number of users

26 26 Prototype Evaluation QueryDatabase 1 (100 empl.) Database 2 (1000 empl.) Baseline0.42 ms4.82 ms Table owner0.43 ms4.84 ms Non-manager access0.44 ms4.97 ms Manager access0.66 ms7.51 ms Audit access0.57 ms6.01 ms Without Chinese Wall0.12 ms1.22 ms Chinese Wall0.13 ms1.43 ms Security check, one user1.67 ms17.27 ms Security check, all users171.80 ms17,390.00 ms

27 27 Conclusion Reflective Database Access Control is a more flexible model than View-Based Access Control. –Easier to model policy intent –Subtle data interactions create new dangers Transaction Datalog provides a reasonable theoretical basis for RDBAC. –Expressive semantics for describing policy intent –Safety analysis

28 28 Future Research Possibilities Including retraction in formal analysis State-independent security analysis Negation semantics in TD Atomic policies for updates Optimizations

Download ppt "A Framework for Reflective Database Access Control Policies Lars E. Olson, Carl A. Gunter, and P. Madhusudan University of Illinois at Urbana-Champaign."

Similar presentations

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
WIMS 2014, June 2-4Thessaloniki, Greece1 Optimized Backward Chaining Reasoning System for a Semantic Web Hui Shi, Kurt Maly, and Steven Zeil Contact:

WIMS 2014, June 2-4Thessaloniki, Greece1 Optimized Backward Chaining Reasoning System for a Semantic Web Hui Shi, Kurt Maly, and Steven Zeil Contact:
Module 12: Auditing SQL Server Environments

Module 12: Auditing SQL Server Environments
Manipulating Data Schedule: Timing Topic 60 minutes Lecture

Manipulating Data Schedule: Timing Topic 60 minutes Lecture
Implementing Reflective Access Control in SQL Lars E. Olson 1, Carl A. Gunter 1, William R. Cook 2, and Marianne Winslett 1 1 University of Illinois at.

Implementing Reflective Access Control in SQL Lars E. Olson 1, Carl A. Gunter 1, William R. Cook 2, and Marianne Winslett 1 1 University of Illinois at.
Database Security CS461/ECE422 Spring 2012. Overview Database model – Relational Databases Access Control Inference and Statistical Databases Database.

Database Security CS461/ECE422 Spring Overview Database model – Relational Databases Access Control Inference and Statistical Databases Database.
A Medical Database Case Study for Reflective Database Access Control Lars E. Olson 1, Carl A. Gunter 1, and Sarah Peterson Olson 2 1 University of Illinois.

A Medical Database Case Study for Reflective Database Access Control Lars E. Olson 1, Carl A. Gunter 1, and Sarah Peterson Olson 2 1 University of Illinois.
Some slides were taken from 463.5.1 Database Access Control Tutorial, Lars Olson, UIUC CS463, Computer Security.

Some slides were taken from Database Access Control Tutorial, Lars Olson, UIUC CS463, Computer Security.
Database Management System

Database Management System
Transactions and Locking Rose-Hulman Institute of Technology Curt Clifton.

Transactions and Locking Rose-Hulman Institute of Technology Curt Clifton.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
1 8. Safe Query Languages Safe program – its semantics can be at least partially computed on any valid database input. Safety is tied to program verification,

1 8. Safe Query Languages Safe program – its semantics can be at least partially computed on any valid database input. Safety is tied to program verification,
Ch1: File Systems and Databases Hachim Haddouti

Ch1: File Systems and Databases Hachim Haddouti
1 1 File Systems and Databases Chapter 1 The Worlds of Database Systems Prof. Sin-Min Lee Dept. of Computer Science.

1 1 File Systems and Databases Chapter 1 The Worlds of Database Systems Prof. Sin-Min Lee Dept. of Computer Science.
Mid-term Class Review.

Mid-term Class Review.
1 Introduction Introduction to database systems Database Management Systems (DBMS) Type of Databases Database Design Database Design Considerations.

1 Introduction Introduction to database systems Database Management Systems (DBMS) Type of Databases Database Design Database Design Considerations.
Cs3431 Triggers vs Constraints Section 7.5. cs3431 Triggers (Make DB Active) Trigger: A procedure that starts automatically if specified changes occur.

Cs3431 Triggers vs Constraints Section 7.5. cs3431 Triggers (Make DB Active) Trigger: A procedure that starts automatically if specified changes occur.
1 1 File Systems and Databases Chapter 1 Prof. Sin-Min Lee Dept. of Computer Science.

1 1 File Systems and Databases Chapter 1 Prof. Sin-Min Lee Dept. of Computer Science.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
ORACLE DATABASE SECURITY

ORACLE DATABASE SECURITY

Similar presentations

Ads by Google