Type-Based Access Control in Data-Centric Systems

Caires, Luís; Pérez, Jorge A.; Seco, João Costa; Vieira, Hugo Torres; Ferrão, Lúcio

doi:10.1007/978-3-642-19718-5_8

Cited by 9 publications

(9 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Moreover, the tool could also automate the process to obtain the basic metadata to access databases on a table basis as O/RM tools and LINQ do. Additionally, tools similar to those presented in [25] could also be used to validate the authorized CRUD expressions. Usability: tools similar to JDBC are very poor regarding their usability [20] [21].…”

Section: Discussionmentioning

confidence: 99%

Role-Based Access control mechanisms

Pereira

Regateiro

Aguiar

2014

2014 IEEE Symposium on Computers and Communications (ISCC)

View full text Add to dashboard Cite

Abstract-Most of the security threats in relational database applications have their source in client-side systems when they issue requests formalized by Create, Read, Update and Delete (CRUD) expressions. If tools such as ODBC and JDBC are used to develop business logics, then there is another source of threats. In some situations the content of data sets retrieved by Select expressions can be modified and then committed into the host databases. These tools are agnostic regarding not only database schemas but also regarding the established access control policies. This situation can hardly be mastered by programmers of business logics in database applications with many and complex access control policies. To overcome this gap, we extend the basic Role-Based Access policy to support and supervise the two sources of security threats. This extension is then used to design the correspondent RBAC model. Finally, we present a software architectural model from which static RBAC mechanisms are automatically built, this way relieving programmers from mastering any schema. We demonstrate empirical evidence of the effectiveness of our proposal from a use case based on Java and JDBC.

show abstract

Section: Discussionmentioning

confidence: 99%

Role-Based Access control mechanisms

Pereira

Regateiro

Aguiar

2014

2014 IEEE Symposium on Computers and Communications (ISCC)

View full text Add to dashboard Cite

show abstract

“…Caires et al [15] are interested in type-based access control in data-centric systems. They apply refinement types to express permission-based security, including cases when policies dynamically depend on the state of the database.…”

Section: Related Workmentioning

confidence: 99%

SeLINQ

Schoepe

Hedin

Sabelfeld

2014

Proceedings of the 19th ACM SIGPLAN International Conference on Functional Programming

View full text Add to dashboard Cite

The root cause for confidentiality and integrity attacks against computing systems is insecure information flow. The complexity of modern systems poses a major challenge to secure end-to-end information flow, ensuring that the insecurity of a single component does not render the entire system insecure. While information flow in a variety of languages and settings has been thoroughly studied in isolation, the problem of tracking information across component boundaries has been largely out of reach of the work so far. This is unsatisfactory because tracking information across component boundaries is necessary for end-to-end security.This paper proposes a framework for uniform tracking of information flow through both the application and the underlying database. Key enabler of the uniform treatment is recent work by Cheney et al., which studies database manipulation via an embedded language-integrated query language (with Microsoft's LINQ on the backend). Because both the host language and the embedded query languages are functional F#-like languages, we are able to leverage information-flow enforcement for functional languages to obtain information-flow control for databases "for free", synergize it with information-flow control for applications and thus guarantee security across application-database boundaries. We develop the formal results in the form of a security type system that includes a treatment of algebraic data types and pattern matching, and establish its soundness. On the practical side, we implement the framework and demonstrate its usefulness in a case study with a realistic movie rental database.

show abstract

“…However, these predicates are not checked against the access control policies, potentially leaking protected information. λ DB [20] is a programming language that enforces access control policies to data by static typing for data-centric programs. It allows the definition of entities that are checked at compile-time with the defined access control policies.…”

Section: Related Workmentioning

confidence: 99%

Secure, Dynamic and Distributed Access Control Stack for Database Applications

Pereira

Regateiro

Aguiar

2015

International Conferences on Software Engineering and Knowledge Engineering

View full text Add to dashboard Cite

Abstract-In database applications, access control security layers are mostly developed from tools provided by vendors of database management systems and deployed in the same servers containing the data to be protected. This solution conveys several drawbacks. Among them we emphasize: 1) if policies are complex, their enforcement can lead to performance decay of database servers; 2) when modifications in the established policies implies modifications in the business logic (usually deployed at the client-side), there is no other possibility than modify the business logic in advance and, finally, 3) malicious users can issue CRUD expressions systematically against the DBMS expecting to identify any security gap. In order to overcome these drawbacks, in this paper we propose an access control stack characterized by: most of the mechanisms are deployed at the client-side; whenever security policies evolve, the security mechanisms are automatically updated at runtime and, finally, client-side applications do not handle CRUD expressions directly. We also present an implementation of the proposed stack to prove its feasibility. This paper presents a new approach to enforce access control in database applications, this way expecting to contribute positively to the state of the art in the field.

show abstract

Type-Based Access Control in Data-Centric Systems

Cited by 9 publications

References 17 publications

Role-Based Access control mechanisms

Role-Based Access control mechanisms

SeLINQ

Secure, Dynamic and Distributed Access Control Stack for Database Applications

Contact Info

Product

Resources

About