SQLite is the most widely deployed in-process library that implements a SQL database engine. It offers high storage efficiency, fast query operation and small memory needs. Due to the fact that a complete SQLite database is stored in a single cross-platform disk file and SQLite does not support multiple users, anyone who has direct access to the file can read the whole database content. SELinux was originally developed as a Mandatory Access Control (MAC) mechanism for Linux to demonstrate how to overcome DAC limitations. However, SELinux provides per-file protection, thus the database file is treated as an atomic unit, impeding the definition of a fine-grained mandatory access control (MAC) policy for database objects.
We introduce SeSQLite, an SQLite extension that integrates SELinux access controls into SQLite with minimal performance and storage overhead. SeSQLite implements labeling and access control at both schema level (for tables and columns) and row level. This permits the management of a fine-grained access policy for database objects. A prototype has been implemented and it has been used to improve the security of Android Content Providers.
[1]
S. Sudarshan,et al.
Extending query rewriting techniques for fine-grained access control
,
2004,
SIGMOD '04.
[2]
Stefano Paraboschi,et al.
AppPolicyModules: Mandatory Access Control for Third-Party Apps
,
2015,
AsiaCCS.
[3]
David Caplan,et al.
SELinux by Example: Using Security Enhanced Linux (Prentice Hall Open Source Software Development Series)
,
2006
.
[4]
Stephen Smalley,et al.
Security Enhanced (SE) Android: Bringing Flexible MAC to Android
,
2013,
NDSS.
[5]
Stefano Paraboschi,et al.
Policy Specialization to Support Domain Isolation
,
2015,
SafeConfig@CCS.
[6]
Stefano Paraboschi,et al.
An SELinux-based intent manager for Android
,
2015,
2015 IEEE Conference on Communications and Network Security (CNS).
[7]
Wayne Salamon,et al.
Implementing SELinux as a Linux Security Module
,
2003
.