2 research outputs found

    Securing Web Applications with Predicate Access Control

    No full text
    Part 6: Security in Networks and Web. International audience. Web application security is an increasingly important concern as we entrust these applications to handle sensitive user data. Security vulnerabilities in these applications are quite common, however, allowing malicious users to steal other application users’ data. A more reliable mechanism for enforcing application security policies is needed. Most applications rely on a database to store user data, making it a natural point to introduce additional access controls. Unfortunately, existing database access control mechanisms are too coarse-grained to express an application security policy. In this paper we propose and implement a fine-grained access control mechanism for controlling access to user data. Application access control policy is expressed using row-level access predicates, which allow an application’s access control policy to be extended to the database. These predicates are expressed using the SQL syntax familiar to developers, minimizing the developer effort necessary to take advantage of this mechanism. We implement our predicate access control system in the PostgreSQL 9.2 DBMS and evaluate our system by developing an access control policy for Drupal 7 and Spree Commerce. Our mechanism protected Drupal and Spree against five known security vulnerabilities.

    Data and Applications Security and Privacy XXXI

    No full text
    The proceedings contain 30 papers. The special focus in this conference is on Data and Applications Security and Privacy. The topics include: resilient reference monitor for distributed access control via moving target defense; preventing unauthorized data flows; object-tagged RBAC model for the Hadoop ecosystem; identification of access control policy sentences from natural language policy documents; fast distributed evaluation of stateful attribute-based access control policies; Gaussian mixture models for classification and hypothesis tests under differential privacy; differentially private k skyband query answering through adaptive spatial decomposition; mutually private location proximity detection with access control; privacy-preserving community-aware trending topic detection in online social media; privacy-preserving outlier detection for data streams; undoing of privacy policies on Facebook; towards actionable mission impact assessment in the context of cloud computing; reducing security risks of clouds through virtual machine placement; firewall policies provisioning through SDN in the cloud; budget-constrained result integrity verification of outsourced data mining computations; searchable encryption to reduce encryption degradation in adjustably encrypted databases; efficient protocols for private database queries; toward group based user-attribute policies in Azure-like access control systems; high-speed high security public key encryption with keyword search; keylogger detection using a decoy keyboard; the fallout of key compromise in a proxy-mediated key agreement protocol; improving resilience of behaviometric based continuous authentication with multiple accelerometers; a content-aware trust index for online review spam detection; and securing web applications with predicate access control.