Intelligent Enforcemen to fFine-Grained Access Control Policies for SQL Queries

Máster Interuniversitario en Métodos Formales en Ingeniería InformáticaRecently, we proposed a model-driven methodology to support fine-grained access control (FGAC) at the database level. More specifically, we defined a model transformation function that inputs SQL queries and generates so-called security-aware SQL stored-procedures. As part of the proposal, we developed an application prototype, called SQL Security Injector (SQLSI). In a nutshell, given an FGAC policy S, a user u, with role r, and a query q, SQLSI automatically generates a storedprocedure sp, such that: if the user u is authorized, according to the FGAC policy S, to execute the query q, then calling the stored-procedure sp will return the same result as executing the query q; otherwise, calling the stored-procedure sp will signal an error. As expected, there is a performance overhead when executing an (unsecured) SQL query via the corresponding (secured) stored-procedure generated by SQLSI. The reason is clear: FGAC policies require performing authorization checks on the current state of the system, which, in the case of executing SQL queries, will translate into performing authorization checks at execution-time on the database. SQLSI takes care of generating these checks and makes sure that they are called at execution-time when a protected resource is accessed. There are cases, however, where these authorization checks are unnecessary, and, therefore, the performance overhead can and should be avoided. For example: when the database integrity constraints guarantee that these checks will always be successful; or, when the current state of the database guarantees that these checks will be successful in this state. In this thesis, I propose to develop a formal, model-based methodology for enforcing FGAC policies when executing SQL queries in a smart, efficient way. First of all, I identify situations in which performing authorization checks when executing SQL queries seem unnecessary, based on the invariants of the underlying data model, or based on the known properties of the given scenario, or based on the known properties of the arguments of the given query. Secondly, I formally prove that performing authorization checks when executing SQL queries in these situations is indeed unnecessary. Thirdly, I develop a tool for detecting unnecessary authorization checks when executing SQL queries

PlexC: A Policy Language for Exposure Control

With the widespread use of online social networks and mobile devices, it is not uncommon for people to continuously broadcast contextual information such as their current location or activity. These technologies present both new opportunities for social engagement and new risks to privacy, and traditional static ‘write once’ disclosure policies are not well suited for controlling aggregate exposure risks in the current technological landscape. Therefore, we present PlexC, a new policy language designed for exposure control. We take advantage of several recent user studies to identify a set of language requirements and features, providing the expressive power to accommodate information sharing in dynamic environments. In our evaluation we show that PlexC can concisely express common policy idioms drawn from survey responses, in addition to more complex information sharing scenarios

Modelo de controlo de acesso para suportar orquestração de expressões CRUD

Mestrado em Engenharia de Computadores e TelemáticaAccess Control is a sensitive and crucial aspect when it comes to securing the data present in the databases. In an application which is driven by Create, Read, Update and Delete (CRUD) expressions, users can execute a single CRUD expression or a sequence of CRUD expressions to achieve the desired results. In such type of applications, the Access Control is not just Iimited to authorizing the subject for accessing the object, but it also aims to authorize and validate the operations that a subject can perform on the data after the authorization. Current Access Control models are generally concerned with restricting the access to the resources. However, once the subject is authorized, there are no restrictions on the actions a subject can perform on the resources. In this work an Access Control Model has been presented which extends current Access Control model's features to provide an environment where a set of predefined policies are implemented as graphs of CRUD expressions. The design of the access control policies is based on the CRUD expressions that a user needs to execute to complete a task. These graphs of CRUD expressions are hence used for controlling and validating the actions that can be performed on authorized information. In order to reuse the policies, presented model allows the inter execution of the policies based on some predefined rules. The aim of the present thesis work is to provide a structure which allows the application users to only execute the authorized sequences of CRUD expressions in a predefined order and allows the security experts to design the policies in a flexible way through the graph data structure. As a proof of concept, Role based Access Control model (RBAC) has been taken as a reference access control model and the base for this work is chosen as Secured, Distributed and Dynamic RBAC (S-DRACA) which allowed the sequence of CRUD expressions to be executed in single direction.O controlo de acesso é um aspecto sensível e crucial quando se fala de proteger dados presentes em base de dados. Em aplicações que assentam numa base de dados baseadas em expressões Creafe, Read, Update e Delefe (CRUD) , os utilizadores podem executar uma ou uma sequência de expressões CRUD para obter um dado resultado. Neste tipo de aplicações o controlo de acesso não é limitado apenas a autorizar o acesso a um objecto por um sujeito, mas também a autorizar e validar as operações que o sujeito pode fazer sobre os dados depois de obter autorização. Os modelos atuais de controlo de acesso geralmente focamse em restringir o acesso aos recursos CRUD a CRUD. No entanto, logo que o sujeito é autorizado, não há restrições sob as ações que este pode efetuar sobre esses recursos. Neste trabalho é apresentado um modelo de controlo de acesso que extende as funcionalidades dos modelos de controlo de acesso atuais para fornecer um ambiente onde um conjunto de politicas predefinidas são implementadas como grafos de expressões CRUD. Estes grafos de expressões CRUD são considerados como sequências que atuam como politicas guardadas e preconfiguradas. O design das sequências é baseado nas operações que o utilizador deseja efetuar para obter um dado resultado. Estas sequências de expressões CRUD são assim usadas para controlar e validar as ações que podem ser efetuadas sobre a informação armazenada. De forma a reusar estas políticas, o modelo apresentado define o uso de execuçao externa de políticas configuradas. O objetivo do trabalho nesta tese é fornecer uma estrutura que permite aos utilizadores de aplicações apenas executarem sequências autorizadas de expressões CRUD numa ordem predefinida e permitir aos administradores de sistema de desenharem politicas de uma forma flexível através de estruturas de grafos. Como prova de conceito, o modelo Role Based Access Control (RBAC) foi tido como referência para o modelo de controlo de acesso e para a base deste trabalho foi escolhido o S-DRACA que permite sequências de expressões CRUD de serem executadas por ordem

Quantifying Performance Costs of Database Fine-Grained Access Control

Fine-grained access control is a conceptual approach to addressing database security requirements. In relational database management systems, fine-grained access control refers to access restrictions enforced at the row, column, or cell level. While a number of commercial implementations of database fine-grained access control are available, there are presently no generalized approaches to implementing fine-grained access control for relational database management systems. Fine-grained access control is potentially a good solution for database professionals and system architects charged with designing database applications that implement granular security or privacy protection features. However, in the oral tradition of the database community, fine-grained access control is spoken of as imposing significant performance penalties, and is therefore best avoided. Regardless, there are current and emerging social, legal, and economic forces that mandate the need for efficient fine-grained access control in relational database management systems. In the study undertaken, the author was able to quantify the performance costs associated with four common implementations of fine-grained access control for relational database management systems. Security benchmarking was employed as the methodology to quantify performance costs. Synthetic data from the TPC-W benchmark as well as representative data from a real-world application were utilized in the benchmarking process. A simple graph-base performance model for Fine-grained Access Control Evaluation (FACE) was developed from benchmark data collected during the study. The FACE model is intended for use in predicting throughput and response times for relational database management systems that implement fine-grained access control using one of the common fine-grained access control mechanisms - authorization views, the Hippocratic Database, label-based access control, and transparent query rewrite. The author also addresses the issue of scalability for fine-grained access control mechanisms that were evaluated in the study

RBAC seguro, dinâmico e distribuído para aplicações relacionais

Mestrado em Engenharia de Computadores e TelemáticaNowadays, database application use tools like Java Database Connectivity, Hibernate or ADO.NET to access data stored in databases. These tools are designed to bring together the relational database and object-oriented programming paradigms, forsaking applied access control policies. Hence, the application developers must master the established policies as a means to develop software that is conformant with the established access control policies. Furthermore, there are situations where these policies can evolve dynamically. In these cases it becomes hard to adjust the access control mechanisms. This challenge has led to the development of an extension to the role based access control (RBAC) model where permissions are defined as a sequence of create, read, update and delete (CRUD) expressions that can be executed and the interfaces to access them. From these permissions it's possible to generate security artefacts on the client side, i.e. in a distributed manner, which allows the clients to access the stored data while satisfying the security policies defined. On top of this model extension, a security layer has also been created in order to make the access control secure and obligatory. For the RBAC model extension this work leverages a previous work that created a dynamic access control architecture for relational applications, here referred to as DACA (Dynamic Access Control Architecture). DACA uses business logic information and the defined access control policies to build dynamically the security artefacts for the applications. In situations where the access control policies can evolve dynamically, the security artefacts are adjusted automatically. This base work, however, defines as permissions CRUD expressions, which can be executed in any order, and needs an adequate security layer to authenticate users and protect the system form intruders. Hence, this work aims to create a new architecture, called “S-DRACA” (Secure, Dynamic and Distributed Role-based Access Control Architecture), which extends the work done with DACA so that it is capable of enforcing sequences of CRUD expressions that the applications can execute if the sequences are associated with their roles and the development of a security layer to make it secure. We discuss as well the performance of this system and its applicability to other environments outside of relational databases.Atualmente, aplicações que acedem a bases de dados utilizam ferramentas como o Java Database Connectivity, Hibernate ou ADO.NET para aceder aos dados nelas armazenados. Estas ferramentas estão desenhadas para unir os paradigmas das bases de dados relacionais e da programação orientada a objetos, mas não estão preocupados com as políticas de controlo de acesso a aplicar. Portanto, os programadores de aplicações têm de dominar as políticas estabelecidas a fim de desenvolver aplicações em conformidade com as políticas de controlo de acesso estabelecidas.. Além disso, existem situações em que as políticas de controlo de acesso podem evoluir dinamicamente. Nestes casos, torna-se difícil adequar os mecanismos de controlo de acesso. Este desafio motivou o desenvolvimento de uma extensão ao modelo de controlo de acesso baseado em papeis (RBAC) que define como permissões sequências de expressões para criar, ler, atualizar e apagar (CRUD) informação e as interfaces de acesso a cada uma delas. A partir destas permissões podem ser gerados artefactos de segurança do lado dos clientes, i.e. de uma forma distribuída, que lhes permitem aceder à informação armazenada na base de dados segundo as políticas definidas. Por cima desta extenção também foi criada uma camada de segurança para tornar o controlo de acesso seguro e obrigatório. Para a extensão do modelo RBAC este trabalho baseou-se num trabalho anterior que criou uma arquitectura dinâmica de controlo de acesso para aplicações de bases de dados relacionais, aqui referida como DACA (Dynamic Access Control Architecture). DACA utiliza informação da lógica de negócio e as políticas de controlo de acesso que foram definidos para criar dinamicamente os artefactos de segurança para as aplicações. Em situações onde as políticas de controle de acesso evoluem de forma dinâmica, os artefactos de segurança são ajustados automaticamente. Este trabalho base, no entanto, define como permissões as expressões CRUD, podendo estas ser executadas em qualquer ordem, e necessita de uma camada de segurança adequada para autenticar utilizadores e proteger os dados sensíveis de intrusos. Portanto, neste trabalho, pretende-se criar uma nova arquitectura, chamada “S-DRACA” (Secure, Dynamic and Distributed Role-based Access Control Architecture), que estende o trabalho feito no âmbito do DACA para que este seja capaz de garantir que sejam cumpridas sequência de expressões CRUD que as aplicações podem executar e que estão associados aos seus papéis nas políticas RBAC e desenvolver uma camada de segurança adequada para a tornar segura. Discutimos, também, o seu desempenho e aplicabilidade em outros ambientes sem ser em bases de dados relacionais

DACA: arquitetura para implementação de mecanismos dinâmicos de controlo de acesso em camadas de negócio

Doutoramento em Ciências da ComputaçãoAccess control is a software engineering challenge in database applications. Currently, there is no satisfactory solution to dynamically implement evolving fine-grained access control mechanisms (FGACM) on business tiers of relational database applications. To tackle this access control gap, we propose an architecture, herein referred to as Dynamic Access Control Architecture (DACA). DACA allows FGACM to be dynamically built and updated at runtime in accordance with the established fine-grained access control policies (FGACP). DACA explores and makes use of Call Level Interfaces (CLI) features to implement FGACM on business tiers. Among the features, we emphasize their performance and their multiple access modes to data residing on relational databases. The different access modes of CLI are wrapped by typed objects driven by FGACM, which are built and updated at runtime. Programmers prescind of traditional access modes of CLI and start using the ones dynamically implemented and updated. DACA comprises three main components: Policy Server (repository of metadata for FGACM), Dynamic Access Control Component (DACC) (business tier component responsible for implementing FGACM) and Policy Manager (broker between DACC and Policy Server). Unlike current approaches, DACA is not dependent on any particular access control model or on any access control policy, this way promoting its applicability to a wide range of different situations. In order to validate DACA, a solution based on Java, Java Database Connectivity (JDBC) and SQL Server was devised and implemented. Two evaluations were carried out. The first one evaluates DACA capability to implement and update FGACM dynamically, at runtime, and, the second one assesses DACA performance against a standard use of JDBC without any FGACM. The collected results show that DACA is an effective approach for implementing evolving FGACM on business tiers based on Call Level Interfaces, in this case JDBC.Controlo de acesso é um desafio para a engenharia de software nas aplicações de bases de dados. Atualmente, não há uma solução satisfatória para a implementação dinâmica de mecanismos finos e evolutivos de controlo de acesso (FGACM) ao nível das camadas de negócio de aplicações de bases de dados relacionais. Para solucionar esta lacuna, propomos uma arquitetura, aqui referida como Arquitetura Dinâmica de Controlo de Acesso (DACA). DACA permite que FGACM sejam dinamicamente construídos e atualizados em tempo de execução de acordo com as políticas finas de controlo de acesso (FGACP) estabelecidas. DACA explora e utiliza as características das Call Level Interfaces (CLI) para implementar FGACM ao nível das camadas de negócio. De entre as características das CLI, destacamos o seu desempenho e os diversos modos para acesso a dados armazenados em bases de dados relacionais. Na DACA, os diversos modos de acesso das CLI são envolvidos por objetos tipados derivados de FGACM, que são construídos e atualizados em tempo de execução. Os programadores prescindem dos modos tradicionais de acesso das CLI e passam a utilizar os dinamicamente construídos e atualizados. DACA compreende três componentes principais: Policy Server (repositório de meta-data dos FGACM), Dynamic Access Control Component (componente da camada de negócio que é responsável pela implementação dos FGACM) e Policy Manager (broker entre DACC e Policy Server). Ao contrário das soluções atuais, DACA não é dependente de qualquer modelo de controlo de acesso ou de qualquer política de controlo de acesso, promovendo assim a sua aplicabilidade a muitas e diversificadas situações. Com o intuito de validar DACA, foi concebida e desenvolvida uma solução baseada em Java, Java Database Connectivity (JDBC) e SQL Server. Foram efetuadas duas avaliações. A primeira avalia DACA quanto à sua capacidade para dinamicamente, em tempo de execução, implementar e atualizar FGACM e, a segunda, avalia o desempenho de DACA contra uma solução sem FGACM que utiliza o JDBC normalizado. Os resultados recolhidos mostram que DACA é uma solução válida para implementar FGACM evolutivos em camadas de negócio baseadas em CLI

Business Policy Modeling and Enforcement in Relational Database Systems

Database systems maintain integrity of the stored information by ensuring that modifications to the database comply with constraints designed by the administrators. As the number of users and applications sharing a common database increases, so does the complexity of the set of constraints that originate from higher level business processes. The lack of a systematic mechanism for integrating and reasoning about a diverse set of evolving and potentially interfering policies manifested as database level constraints makes corporate policy management within relational systems a chaotic process. In this thesis we present a systematic method of mapping a broad set of process centric business policies onto database level constraints. We exploit the observation that the state of a database represents the union of all the states of every ongoing business process and thus establish a bijective relationship between progression in individual business processes and changes in the database state space. We propose graphical notations that are equivalent to integrity constraints specified in linear temporal logic of the past. Furthermore we demonstrate how this notation can accommodate a wide array of workflow patterns, can allow for multiple policy makers to implement their own process centric constraints independently using their own logical policy models, and can model check these constraints within the database system to detect potential conflicting constraints across several different business processes. A major contribution of this thesis is that it bridges several different areas of research including database systems, temporal logics, model checking, and business workflow/policy management to propose an accessible method of integrating, enforcing, and reasoning about the consequences of process-centric constraints embedded in database systems. As a result, the task of ensuring that a database continuously complies with evolving business rules governed by hundreds of processes, which is traditionally handled by an army of database programmers regularly updating triggers and batch procedures, is made easier, more manageable, and more predictable