Diesel: applying privilege separation to database access

Database-backed applications typically grant complete database access to every part of the application. In this scenario, a flaw in one module can expose data that the module never uses for legitimate purposes. Drawing parallels to traditional privilege separation, we argue that database data should be subject to limitations such that each section of code receives access to only the data it needs. We call this data separation. Data separation defends against SQL-based errors including buggy queries and SQL injection attacks and facilitates code review, since a module's policy makes the extent of its database access explicit to programmers and code reviewers. We construct a system called Diesel, which implements data separation by intercepting database queries and applying modules' restrictions to the queries. We evaluate Diesel on three widely-used applications: Drupal, JForum, and WordPress.
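As an added illustration of the mechanism the abstract describes (not Diesel's own code or policy language, whose details the abstract does not give), each module declares the tables it may read and write, and a query interceptor rejects any statement that reaches beyond that declaration. The `ModulePolicy` class, the regex-based table extraction and the sample `comments` module are all constructed assumptions; a production interceptor would use a real SQL parser.

```python
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ModulePolicy:
    """Hypothetical per-module data-separation policy (assumed, not Diesel's format):
    tables the module may read and tables it may modify."""
    name: str
    readable: frozenset = field(default_factory=frozenset)
    writable: frozenset = field(default_factory=frozenset)

# Constructed, deliberately simple SQL analysis: statement kind and every table
# named after FROM / JOIN / INTO / UPDATE. Subquery and UNION tables are picked up
# too, which errs on the restrictive side.
_STMT_RE = re.compile(r"^\s*(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
_TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+`?([A-Za-z_][A-Za-z0-9_]*)`?", re.I)

def statement_type(sql):
    m = _STMT_RE.match(sql)
    if not m:
        raise ValueError("unsupported statement")
    return m.group(1).upper()

def referenced_tables(sql):
    return frozenset(t.lower() for t in _TABLE_RE.findall(sql))

def check_query(policy, sql):
    """Interception point: return (allowed, reason) for a query issued by this module.
    SELECT needs every table in `readable`; INSERT/UPDATE/DELETE need `writable`."""
    kind = statement_type(sql)
    tables = referenced_tables(sql)
    if not tables:
        return False, "no table referenced"
    needed = policy.readable if kind == "SELECT" else policy.writable
    denied = tables - needed
    if denied:
        return False, f"module {policy.name} may not {kind} {sorted(denied)}"
    return True, "ok"

# Constructed sample module: a comment feature that reads users but only writes comments.
COMMENTS = ModulePolicy("comments",
                        readable=frozenset({"comments", "users"}),
                        writable=frozenset({"comments"}))

if __name__ == "__main__":
    for q in ("SELECT body FROM comments JOIN users ON users.id = comments.author",
              "UPDATE users SET role = 'admin' WHERE id = 3",          # buggy query: wrong table
              "SELECT body FROM comments UNION SELECT token FROM sessions"):  # reaches past policy
        print(check_query(COMMENTS, q))
```

Whether the out-of-policy table arrives through a programmer's mistake or through injected input, the check fails in the same way, which is the point of making each module's database footprint explicit.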
