Analyzing and Controlling Information Inference of Fine-Grained Access Control Policies in Relational Databases

As a more flexible and effective access control mechanism in databases, fine-grained access control (FGAC) has drawn considerable attention from industrial and research community. While providing more effective protection for databases, FGAC also incurs new loopholes for attacks. When FGAC policies are defined inconsistently, performing UPDATE/DELETE operations might cause information inference, called UD inference, probably leading to the disclosure of sensitive data to unauthorized users. In order to protect database security, UD inference must be controlled. However, it is challenging to control such inference, due to the flexibility of FGAC policies. In this paper, we aim to provide an effective approach to control UD inference under the circumstance of FGAC policies. We first propose a formal framework for FGAC policies, and in-depth analyze UD inference based on this framework. Then, we propose a security condition to guarantee that there is no UD inference under the circumstances of FGAC policies, while these FGAC policies satisfy the proposed security condition. Finally, we present an effective approach to control UD inference by dynamically modifying FGAC policies.

[1]  S. Sudarshan,et al.  Fine Grained Authorization Through Predicated Grants , 2007, 2007 IEEE 23rd International Conference on Data Engineering.

[2]  Jorge Lobo,et al.  On the Correctness Criteria of Fine-Grained Access Control in Relational Databases , 2007, VLDB.

[3]  Michael Stonebraker,et al.  Access control in a relational data base management system by query modification , 1974, ACM '74.

[4]  Robert H. Deng,et al.  SecDS: a secure EPC discovery service system in EPCglobal network , 2012, CODASPY '12.

[5]  Kanwal Rekhi,et al.  Database Access Control for E-Business – A case study , 2005 .

[6]  Agostino Cortesi,et al.  Observation-based Fine Grained Access Control for Relational Databases , 2010, ICSOFT.

[7]  Sushil Jajodia,et al.  The inference problem: a survey , 2002, SKDD.

[8]  Elisa Bertino,et al.  Privacy-Preserving Database Systems , 2005, FOSAD.

[9]  Robert H. Deng,et al.  A secure and efficient discovery service system in EPCglobal network , 2012, Comput. Secur..

[10]  S. Sudarshan,et al.  Redundancy and information leakage in fine-grained access control , 2006, SIGMOD Conference.

[11]  Rakesh Agrawal,et al.  Extending relational database systems to automatically enforce privacy policies , 2005, 21st International Conference on Data Engineering (ICDE'05).

[12]  Elisa Bertino,et al.  Privacy Protection , 2022 .

[13]  Neha Sehta,et al.  A Fine Grained Access Control Model for Relational Databases , 2012 .

[14]  David J. DeWitt,et al.  Limiting Disclosure in Hippocratic Databases , 2004, VLDB.

[15]  S. Sudarshan,et al.  Extending query rewriting techniques for fine-grained access control , 2004, SIGMOD '04.

[16]  Ramakrishnan Srikant,et al.  Hippocratic Databases , 2002, VLDB.