Assessing query privileges via safe and efficient permission composition

We propose an approach for the selective enforcement of access control restrictions in, possibly distributed, large data collections based on two basic concepts: i) flexible authorizations identify, in a declarative way, the data that can be released, and ii) queries are checked for execution not with respect to individual authorizations but rather evaluating whether the information release they (directly or indirectly) entail is allowed by the authorizations. Our solution is based on the definition of query profiles capturing the information content of a query and builds on a graph-based modeling of database schema, authorizations, and queries. Access control is then effectively modeled and efficiently executed in terms of graph coloring and composition and on traversal of graph paths. We then provide a polynomial composition algorithm for determining if a query is authorized.

[1]  Sushil Jajodia,et al.  Controlled Information Sharing in Collaborative Distributed Query Processing , 2008, 2008 The 28th International Conference on Distributed Computing Systems.

[2]  Abraham Silberschatz,et al.  Database Systems Concepts , 1997 .

[3]  Alin Deutsch,et al.  Privacy in GLAV Information Integration , 2007, ICDT.

[4]  Ioana Manolescu,et al.  Query optimization in the presence of limited access patterns , 1999, SIGMOD '99.

[5]  Sabrina De Capitani di Vimercati,et al.  Maximizing Sharing of Protected Information , 2002, J. Comput. Syst. Sci..

[6]  David Maier,et al.  Testing implications of data dependencies , 1979, SIGMOD '79.

[7]  Andrea Calì,et al.  Querying Data under Access Limitations , 2008, 2008 IEEE 24th International Conference on Data Engineering.

[8]  Arnon Rosenthal,et al.  Administering Permissions for Distributed Data: Factoring and Automated Inference , 2001, DBSec.

[9]  Georg Gottlob,et al.  Data exchange: computing cores in polynomial time , 2006, PODS '06.

[10]  Arnon Rosenthal,et al.  View security as the basis for data warehouse security , 2000, DMDW.

[11]  Stefano Paraboschi,et al.  Database Systems: Concepts, Languages & Architectures , 1999 .

[12]  Serge Abiteboul,et al.  Foundations of Databases , 1994 .

[13]  Alfred V. Aho,et al.  The theory of joins in relational databases , 1979, ACM Trans. Database Syst..

[14]  Catriel Beeri,et al.  A Proof Procedure for Data Dependencies , 1984, JACM.

[15]  S. Sudarshan,et al.  Extending query rewriting techniques for fine-grained access control , 2004, SIGMOD '04.

[16]  Georg Gottlob,et al.  Computing cores for data exchange: new algorithms and practical solutions , 2005, PODS '05.

[17]  Chen Li,et al.  Computing complete answers to queries in the presence of limited access patterns , 2003, The VLDB Journal.

[18]  Stefano Paraboschi,et al.  Database Systems - Concepts, Languages and Architectures , 1999 .

[19]  Amihai Motro,et al.  An access authorization model for relational databases based on algebraic manipulation of view definitions , 1989, [1989] Proceedings. Fifth International Conference on Data Engineering.

[20]  Alin Deutsch,et al.  Rewriting queries using views with access patterns under integrity constraints , 2005, Theor. Comput. Sci..