Existing SQL access control mechanisms are extremely limited. Attackers can
leak information and escalate their privileges using advanced database features
such as views, triggers, and integrity constraints. This is not merely a
problem of vendors lagging behind the state-of-the-art. The theoretical
foundations for database security lack adequate security definitions and a
realistic attacker model, both of which are needed to evaluate the security of
modern databases. We address these issues and present a provably secure access
control mechanism that prevents attacks that defeat popular SQL database
systems.Comment: A short version of this paper has been published in the proceedings
of the 1st IEEE European Symposium on Security and Privacy (EuroS&P 2016
