Implementing Reflective Access Control in SQL

Reflective Database Access Control (RDBAC) is a model in which a database privilege is itself expressed as a database query, rather than as a static entry in an access control matrix. RDBAC aids the management of database access controls by improving the expressiveness of policies. The Transaction Datalog language provides a powerful syntax and semantics for expressing RDBAC policies; however, there is no efficient implementation of this language for practical database systems. We demonstrate a strategy for compiling policies in Transaction Datalog into standard SQL views that enforce the policies, including overcoming significant differences in semantics between the languages in handling side effects and evaluation order. We also report the results of evaluating the performance of these views compared to policies enforced by access control matrices. This implementation demonstrates the practical feasibility of RDBAC and suggests a rich field of further research.
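As an added illustration of the idea in the abstract (not code from the paper or its compiler), the following compiles two Datalog-style policy rules by hand into one SQL view and runs it on SQLite. The schema, the sample rows, and the one-row `session` table that stands in for the database's current user are all constructed for this example.

```python
import sqlite3

# Two policy rules in Datalog-style notation (constructed for this example):
#   visible(U, Id, Patient, Dept) :- record(Id, Patient, Dept), on_staff(U, Dept).
#   visible(U, Id, Patient, Dept) :- record(Id, Patient, Dept), delegates(D, U),
#                                    on_staff(D, Dept).
# Each rule body is an ordinary query over the data, so the privilege changes
# whenever on_staff or delegates rows change, with no GRANT/REVOKE involved.

SCHEMA = """
CREATE TABLE record(id INTEGER PRIMARY KEY, patient TEXT, dept TEXT);
CREATE TABLE on_staff(user_name TEXT, dept TEXT);
CREATE TABLE delegates(from_user TEXT, to_user TEXT);
-- SQLite has no CURRENT_USER; this one-row table stands in for the session principal.
CREATE TABLE session(user_name TEXT);
-- The two rules compiled into one view: one EXISTS subquery per rule body.
CREATE VIEW record_visible AS
SELECT r.id, r.patient, r.dept
FROM record AS r, session AS s
WHERE EXISTS (SELECT 1 FROM on_staff AS st
              WHERE st.user_name = s.user_name AND st.dept = r.dept)
   OR EXISTS (SELECT 1 FROM delegates AS d
              JOIN on_staff AS st ON st.user_name = d.from_user
              WHERE d.to_user = s.user_name AND st.dept = r.dept);
"""

def build_db():
    """Create the schema and load constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO record VALUES (?, ?, ?)",
                     [(1, "alice", "cardiology"), (2, "bob", "oncology"),
                      (3, "carol", "cardiology")])
    conn.executemany("INSERT INTO on_staff VALUES (?, ?)",
                     [("dr_w", "cardiology"), ("dr_x", "oncology")])
    conn.executemany("INSERT INTO delegates VALUES (?, ?)", [("dr_x", "nurse_y")])
    return conn

def visible_ids(conn, user):
    """Query the policy view as the given principal; callers never touch `record`."""
    conn.execute("DELETE FROM session")
    conn.execute("INSERT INTO session VALUES (?)", (user,))
    return sorted(row[0] for row in conn.execute("SELECT id FROM record_visible"))

def delegate(conn, from_user, to_user):
    """Changing data, not privileges, is what extends access under RDBAC."""
    conn.execute("INSERT INTO delegates VALUES (?, ?)", (from_user, to_user))
```

In a real deployment the base table would be revoked from application roles and only the view granted, so the view is the sole path to the rows.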