Reverse Engineering of Database Security Policies

Security is a critical concern for any database. Therefore, database systems provide a wide range of mechanisms to enforce security constraints. These mechanisms can be used to implement part of the security policies requested of an organization. Nevertheless, security requirements are not static, and thus, implemented policies must be changed and reviewed. As a first step, this requires to discover the actual security constraints being enforced by the database and to represent them at an appropriate abstraction level to enable their understanding and reenginering by security experts. Unfortunately, despite the existence of a number of techniques for database reverse engineering, security aspects are ignored during the process. This paper aims to cover this gap by presenting a security metamodel and reverse engineering process that helps security experts to visualize and manipulate security policies in a vendor-independent manner.

[1]  Jean-Marc Jézéquel,et al.  ≪UML≫ 2002 — The Unified Modeling Language , 2002, Lecture Notes in Computer Science.

[2]  David Basin,et al.  Model driven security: From UML models to access control infrastructures , 2006, TSEM.

[3]  Ramez Elmasri,et al.  Entity-Relationship Approach — ER '93 , 1993, Lecture Notes in Computer Science.

[4]  David A. Basin,et al.  SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.

[5]  Ehab Al-Shaer,et al.  Anomaly Discovery and Resolution in MySQL Access Control Policies , 2012, DEXA.

[6]  Steve Barker,et al.  RBAC Policy Implementation for SQL Databases , 2003, DBSec.

[7]  Jean-Luc Hainaut,et al.  Contribution to a theory of database reverse engineering , 1993, [1993] Proceedings Working Conference on Reverse Engineering.

[8]  Wenfei Fan,et al.  Keys with Upward Wildcards for XML , 2001, DEXA.

[9]  Jan Jürjens,et al.  UMLsec: Extending UML for Secure Systems Development , 2002, UML.

[10]  Irina Astrova,et al.  Towards the Semantic Web - An Approach to Reverse Engineering of Relational Databases to Ontologies , 2005, ADBIS Research Communications.

[11]  Jean-Marc Petit,et al.  Using Queries to Improve Database Reverse Engineering , 1994, ER.

[12]  Ravi S. Sandhu,et al.  The NIST model for role-based access control: towards a unified standard , 2000, RBAC '00.

[13]  Veda C. Storey,et al.  Reverse Engineering of Relational Databases: Extraction of an EER Model from a Relational Database , 1994, Data Knowl. Eng..

[14]  Seog Park,et al.  Enterprise model as a basis of administration on role-based access control , 2001, Proceedings of the Third International Symposium on Cooperative Database Systems for Advanced Applications. CODAS 2001.