1,802 research outputs found

    Enhanced Encryption and Fine-Grained Authorization for Database Systems

    The aim of this research is to enhance fine-grained authorization and encryption so that database systems are equipped with the controls necessary to help enterprises adhere to zero-trust security more effectively. For fine-grained authorization, this thesis has extended database systems with three new concepts: row permissions, column masks and trusted contexts. Row permissions and column masks provide data-centric security so the security policy cannot be bypassed as with database views, for example. They also coexist in harmony with the rest of the database core tenets so that enterprises are not forced to compromise either security or database functionality. Trusted contexts provide applications in multitiered environments with a secure and controlled manner to propagate user identities to the database and therefore enable such applications to delegate the security policy to the database system, where it is enforced more effectively. Trusted contexts also protect against application bypass so the application credentials cannot be abused to make database changes outside the scope of the application’s business logic. For encryption, this thesis has introduced a holistic database encryption solution to address the limitations of traditional database encryption methods. It too coexists in harmony with the rest of the database core tenets so that enterprises are not forced to choose between security and performance as with column encryption, for example. Lastly, row permissions, column masks, trusted contexts and holistic database encryption have all been implemented in IBM DB2, where they are relied upon by thousands of organizations from around the world to protect critical data and adhere to zero-trust security more effectively.

    Delegatable access control for fine-grained XML

    Access control mechanisms are critical to ensuring security in XML (eXtensible Markup Language). Several such mechanisms have been used or proposed; however, the notion of delegation in XML has not been studied in the literature. In this paper, we propose an access control model encapsulating delegation authorization rules for XML documents that allow flexible data granularity and limited inference protection. Our access control policy specification is basically DTD-based. It can also be considered to be document-based.

    Towards access control for visual Web model management

    2004-2005 > Academic research: refereed > Refereed conference paper. Version of Record. Publishe

    An authorization model for XML databases

    Université de Pau et des Pays de l’Adou

    Before-Commit Client State Management Services for AJAX Applications

    Heavily script-based browser applications change the manner in which users interact with Web browsers. Instead of downloading a succession of HTML pages, users download a single application and use that application for a long period of time. The application is not a set of HTML pages, but rather a single page that can possibly modify its own presentation based on data exchanged with a server. In such an environment, it is necessary to provide some means for the client to manage its own state. We describe the initial results of our work in providing client-side state management services for these script-based applications. We focus on browser-based services that can help the user before any data is committed on the server. Our services include state checkpointing, property binding, operation logging, operational replay, ATOM/RSS data updates, and application-controlled persistence.

    Improving understanding of website privacy policies

    Machine-readable privacy policies have been developed to help reduce user effort in understanding how websites will use personally identifiable information (PII). The goal of these policies is to enable the user to make informed decisions about the disclosure of personal information in web-based transactions. However, these privacy policies are complex, requiring that a user agent evaluate conformance between the user’s privacy preferences and the site’s privacy policy, and indicate this conformance information to the user. The problem addressed in this thesis is that even with machine-readable policies and current user agents, it is still difficult for users to determine the cause and origin of a conflict between privacy preferences and privacy policies. The problem arises partly because current standards operate at the page level: they do not allow a fine-grained treatment of conformance down to the level of a specific field in a web form. In this thesis the Platform for Privacy Preferences (P3P) is extended to enable field-level comparisons, field-specific conformance displays, and faster access to additional field-specific conformance information. An evaluation of a prototype agent based on these extensions showed that they allow users to more easily understand how the website privacy policy relates to the user’s privacy preferences, and where conformance conflicts occur.