A Formal Approach to Detecting Security Flaws in Object-Oriented Databases

Detecting security flaws is important in order to keep the database secure. A security flaw in object-oriented databases means that a user can infer the result of an unpermitted method only from permitted methods. Although a database management system enforces access control by an authorization, security flaws can occur under the authorization. The main aim of this paper is to show an efficient decision algorithm for detecting a security flaw under a given authorization. This problem is solvable in polynomial time in practical cases by reducing it to the congruence closure problem. This paper also mentions the problem of finding a maximal subset of a given authorization under which no security flaw exists.

Key words: object-oriented database, authorization, security flaw, term rewriting system
