Fine Grained Access Control in Databases
The goal of this project is to develop a declarative approach to
fine-grained access control in databases.
Background
Starting with Oracle 8i, Oracle introduced the concept of Virtual Private
Databases (VPD), which is implemented by server-enforced, fine-grained
access control (also known as row-level security) together with secure
application context.
Fine-grained access control gives one the ability to attach, at run time,
a predicate to the where clause of any query issued against a database
table (or a view). To do this, one writes a stored procedure that returns
a predicate and associates the procedure with a table. When a query is
issued against the table, the procedure is executed and the returned
predicate is appended to the where clause of the query. The procedure may
evaluate who is running the query and when it is being executed, may itself
query the database, and then builds a predicate suited to those circumstances.
The main advantages of VPD are as follows:
- Ease of maintenance. Fine-grained access control enables one to have
one table and one stored procedure to manage what used to take many views.
- Server-enforced policy. Often, given the complexity of managing and
maintaining so many views, developers encode the access logic in the
application itself: the application checks who is logged in and whether
that user has the required permission, and then submits an appropriate
request. This protects data only when it is accessed through the
application. Having policies enforced in the database ensures that the
data is always protected.
We see the following research issues with VPD:
- Security policies are coded in PL/SQL programs. This makes them
difficult to understand and analyze. A declarative, high-level approach
to policy specification is more desirable.
- Database content can be used to generate predicates. For example,
one may enforce the following policy: the manager of a department may
access the employee records of that department. In this case, which user
is the manager of a department and which users are employees in it may be
defined by an HR table. This is very powerful, as one does not need to
store the relationships between users separately. On the other hand, the
HR table is protected by the same mechanism, and by changing the state of
the HR table one may obtain additional permissions. In other words, the
access control system is dynamic and self-protecting. Therefore one needs
to analyze whether the access control system as a whole satisfies
desirable policies; for example, whether there exist attack paths along
which an adversary can gain illegal access by changing several tables one
by one.
- VPD is just one of the features available for access control, alongside
grant/revoke, roles, views, and stored procedures with grant-execute.
All of these affect access control decisions in one way or another.
Without a high-level, coherent view of access control, policies specified
using several of these mechanisms interact in subtle and unexpected ways.
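As an added illustration, not part of the original project description and not Oracle's own code, the following Python model over SQLite reproduces the query-modification mechanism described under Background (a per-table, per-statement policy returns a predicate that is ANDed onto the where clause) and then performs the kind of analysis the second research issue above calls for: a breadth-first search over sequences of policy-permitted edits to the HR table, looking for one after which a user can read an employee row that was not readable initially. All table names, users and rows are constructed for the example; a second policy set, with the HR table closed to updates through this path, shows the attack path disappearing.

```python
"""Toy model (added example, not from the page): VPD-style query modification
over SQLite, with the emp predicate derived from an HR table, plus a
breadth-first search for attack paths through edits to that HR table."""
import sqlite3
from collections import deque

# Constructed sample data; names, tables and values are hypothetical.
EMP_ROWS = [(1, "alice", "sales", 5000), (2, "bob", "sales", 4000),
            (3, "carol", "eng", 6000)]
DEPT_MGR_ROWS = [("sales", "alice"), ("eng", "carol")]   # the "HR table"

# Policy predicates per (table, statement type). Like a VPD policy function
# they yield a predicate string; :u is bound to the session user at run time.
# The emp predicate consults dept_mgr, so it depends on database content.
SELF_SERVICE = {
    ("emp", "SELECT"): "(name = :u OR dept IN "
                       "(SELECT dept FROM dept_mgr WHERE manager = :u))",
    ("dept_mgr", "SELECT"): "(manager = :u)",
    ("dept_mgr", "UPDATE"): "(manager = :u)",   # managers may edit their own rows
}
# Corrected variant: the HR table cannot be updated through this path at all.
LOCKED_HR = {**SELF_SERVICE, ("dept_mgr", "UPDATE"): "(1 = 0)"}

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE emp(id INTEGER, name TEXT, dept TEXT, salary INTEGER);
        CREATE TABLE dept_mgr(dept TEXT, manager TEXT);""")
    db.executemany("INSERT INTO emp VALUES (?,?,?,?)", EMP_ROWS)
    db.executemany("INSERT INTO dept_mgr VALUES (?,?)", DEPT_MGR_ROWS)
    return db

def guarded_where(policies, table, stmt, where):
    """Query modification: AND the policy predicate onto the caller's WHERE."""
    pred = policies.get((table, stmt), "(1 = 1)")
    return f"WHERE ({where}) AND {pred}" if where else f"WHERE {pred}"

def select(db, policies, user, table, where=None, params=None):
    sql = f"SELECT * FROM {table} " + guarded_where(policies, table, "SELECT", where)
    return db.execute(sql, {"u": user, **(params or {})}).fetchall()

def update(db, policies, user, table, col, val, where=None, params=None):
    sql = (f"UPDATE {table} SET {col} = :v "
           + guarded_where(policies, table, "UPDATE", where))
    return db.execute(sql, {"u": user, "v": val, **(params or {})}).rowcount

def readable_ids(db, policies, user):
    """Employee ids the user can currently read under the policy."""
    return frozenset(r[0] for r in select(db, policies, user, "emp"))

def replay(policies, user, path):
    """Rebuild the database and apply a sequence of (old_dept, new_dept) edits
    to the HR table, each one filtered by the UPDATE policy."""
    db = new_db()
    for old, new in path:
        update(db, policies, user, "dept_mgr", "dept", new,
               "dept = :old", {"old": old})
    return db

def hr_state(db):
    return tuple(sorted(db.execute("SELECT dept, manager FROM dept_mgr")))

def find_attack_path(policies, user, max_depth=3):
    """BFS over sequences of policy-permitted HR-table edits. Returns the first
    sequence after which `user` can read an emp row that was not readable in
    the initial state, or None if no such path exists within max_depth."""
    base = new_db()
    all_ids = {r[0] for r in base.execute("SELECT id FROM emp")}
    forbidden = all_ids - readable_ids(base, policies, user)
    depts = [r[0] for r in base.execute("SELECT DISTINCT dept FROM emp")]
    queue, seen = deque([[]]), {hr_state(base)}
    while queue:
        path = queue.popleft()
        db = replay(policies, user, path)
        if readable_ids(db, policies, user) & forbidden:
            return path
        if len(path) >= max_depth:
            continue
        # Candidate moves: re-point any HR row the user is allowed to see.
        for old, _mgr in select(db, policies, user, "dept_mgr"):
            for new in depts:
                if new == old:
                    continue
                step = path + [(old, new)]
                s = hr_state(replay(policies, user, step))
                if s not in seen:       # an edit the policy rejected changes nothing
                    seen.add(s)
                    queue.append(step)
    return None

if __name__ == "__main__":
    print(find_attack_path(SELF_SERVICE, "alice"))   # [('sales', 'eng')]
    print(find_attack_path(SELF_SERVICE, "bob"))     # None: bob manages no rows
    print(find_attack_path(LOCKED_HR, "alice"))      # None
```

Under SELF_SERVICE the manager of sales reaches carol's record in one step by re-pointing her own HR row at eng; the edited row still satisfies `manager = :u`, so a row-level check on the updated values alone would not stop it. The search is exhaustive only for the small move set modelled here, which is the point of the research issue: once predicates are derived from protected content, the policy has to be analyzed as a system rather than table by table.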
Task
Understand existing access control mechanisms in databases and the issues
involved in a declarative approach to fine-grained access control.
Develop a high-level database access control language that supports
fine-grained access control.
Potential presentation topics: Fine-grained access control in
databases.
References
- Fine Grained Access Control (a.k.a. DBMS_RLS). Thomas Kyte.
- The Virtual Private Database in Oracle9iR2. An Oracle technical white paper.
- Oracle9i Data Security Internals. Donald K. Burleson.
- Implementing Low Level Access Control with DB2 UDB. Paul Bird.
- A Context-Based Access Control Model for HIPAA Privacy and Security Compliance. Harry Smith. SANS Institute, July 18, 2001.
- Access Control in a Relational Data Base Management System by Query Modification. Michael Stonebraker and Eugene Wong. Proceedings of the 1974 annual ACM conference.
- An authorization model for a shared data base. E. B. Fernández, R. C. Summers, and C. D. Coleman. SIGMOD 1975.
- Specification of Content-Dependent Security Policies. David L. Spooner. Proceedings of the 1983 annual ACM conference on Computers.