Web application security is an increasingly important concern as we entrust these applications to handle sensitive user data. Security vulnerabilities in these applications are quite common, however, allowing malicious users to steal other application users’ data. A more reliable mechanism for enforcing application security policies is needed. Most applications rely on a database to store user data, making it a natural point to introduce additional access controls. Unfortunately, existing database access control mechanisms are too coarse-grained to express an application security policy. In this paper we propose and implement a fine-grained access control mechanism for controlling access to user data. Application access control policy is expressed using row-level access predicates, which allow an application’s access control policy to be extended to the database. These predicates are expressed using the SQL syntax familiar to developers, minimizing the developer effort necessary to take advantage of this mechanism. We implement our predicate access control system in the PostgreSQL 9.2 DBMS and evaluate our system by developing an access control policy for Drupal 7 and Spree Commerce. Our mechanism protected Drupal and Spree against five known security vulnerabilities.