ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Extending query rewriting techniques for fine-grained access control
Full text PdfPdf (173 KB)
Source International Conference on Management of Data archive
Proceedings of the 2004 ACM SIGMOD international conference on Management of data table of contents
Paris, France
SESSION: Research sessions: security and privacy table of contents
Pages: 551 - 562  
Year of Publication: 2004
ISBN:1-58113-859-8
Authors
Shariq Rizvi  University of California, Berkeley
Alberto Mendelzon  University of Toronto
S. Sudarshan  Indian Institute of Technology, Bombay
Prasan Roy  IBM Indian Research Laboratory
Sponsor
SIGMOD: ACM Special Interest Group on Management of Data
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 22,   Downloads (12 Months): 124,   Citation Count: 30
Additional Information:

abstract   references   cited by   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1007568.1007631
What is a DOI?

ABSTRACT

Current day database applications, with large numbers of users, require fine-grained access control mechanisms, at the level of individual tuples, not just entire relations/views, to control which parts of the data can be accessed by each user. Fine-grained access control is often enforced in the application code, which has numerous drawbacks; these can be avoided by specifying/enforcing access control at the database level. We present a novel fine-grained access control model based on authorization views that allows "authorization-transparent" querying; that is, user queries can be phrased in terms of the database relations, and are valid if they can be answered using only the information contained in these authorization views. We extend earlier work on authorization-transparent querying by introducing a new notion of validity, conditional validity. We give a powerful set of inference rules to check for query validity. We demonstrate the practicality of our techniques by describing how an existing query optimizer can be extended to perform access control checks by incorporating these inference rules.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
The Virtual Private Database in Oracle9ir2: An Oracle Technical White Paper http://otn.oracle.com/deploy/security/oracle9ir2/pdf/vpd9ir2twp.pdf.
2
Gail-Joon Ahn , Ravi Sandhu, Role-based authorization constraints specification, ACM Transactions on Information and System Security (TISSEC), v.3 n.4, p.207-226, Nov. 2000  [doi>10.1145/382912.382913]
 
3
Randall G. Bello , Karl Dias , Alan Downing , James J. Feenan, Jr. , James L. Finnerty , William D. Norcott , Harry Sun , Andrew Witkowski , Mohamed Ziauddin, Materialized Views in Oracle, Proceedings of the 24rd International Conference on Very Large Data Bases, p.659-664, August 24-27, 1998
 
4
Alexander Brodsky , Csilla Farkas , Sushil Jajodia, Secure Databases: Constraints, Inference Channels, and Monitoring Disclosures, IEEE Transactions on Knowledge and Data Engineering, v.12 n.6, p.900-919, November 2000  [doi>10.1109/69.895801]
 
5
Silvana Castano , Maria Grazia Fugini , Giancarlo Martella , Pierangela Samarati, Database security, ACM Press/Addison-Wesley Publishing Co., New York, NY, 1995
 
6
Surajit Chaudhuri , Ravi Krishnamurthy , Spyros Potamianos , Kyuseok Shim, Optimizing Queries with Materialized Views, Proceedings of the Eleventh International Conference on Data Engineering, p.190-200, March 06-10, 1995
7
Surajit Chaudhuri, Optimization of real conjunctive queries, Proceedings of the twelfth ACM SIGACT-SIGMOD-SIGART symposium on Principles of database systems, p.59-70, May 25-28, 1993, Washington, D.C., United States  [doi>10.1145/153850.153856]
8
Sara Cohen , Werner Nutt , Alexander Serebrenik, Rewriting aggregate queries using views, Proceedings of the eighteenth ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems, p.155-166, May 31-June 03, 1999, Philadelphia, Pennsylvania, United States  [doi>10.1145/303976.303992]
 
9
D. Denning. Commutative filters for reducing inference threats in multilevel database systems. In IEEE Symp. on Security and Privacy, pages 134--146, 1985.
10
Csilla Farkas , Sushil Jajodia, The inference problem: a survey, ACM SIGKDD Explorations Newsletter, v.4 n.2, p.6-11, December 2002  [doi>10.1145/772862.772864]
11
Virgil Gligor, Characteristics of role-based access control, Proceedings of the first ACM Workshop on Role-based access control, p.10-es, November 30-December 02, 1995, Gaithersburg, Maryland, United States  [doi>10.1145/270152.270169]
12
Jonathan Goldstein , Per-Åke Larson, Optimizing queries using materialized views: a practical, scalable solution, Proceedings of the 2001 ACM SIGMOD international conference on Management of data, p.331-342, May 21-24, 2001, Santa Barbara, California, United States
 
13
Goetz Graefe , William J. McKenna, The Volcano Optimizer Generator: Extensibility and Efficient Search, Proceedings of the Ninth International Conference on Data Engineering, p.209-218, April 19-23, 1993
 
14
Ashish Gupta , Venky Harinarayan , Dallan Quass, Aggregate-Query Processing in Data Warehousing Environments, Proceedings of the 21th International Conference on Very Large Data Bases, p.358-369, September 11-15, 1995
 
15
Alon Y. Halevy, Answering queries using views: A survey, The VLDB Journal — The International Journal on Very Large Data Bases, v.10 n.4, p.270-294, December 2001  [doi>10.1007/s007780100054]
16
Michael A. Harrison , Walter L. Ruzzo , Jeffrey D. Ullman, Protection in operating systems, Communications of the ACM, v.19 n.8, p.461-471, Aug. 1976  [doi>10.1145/360303.360333]
17
Sushil Jajodia , Pierangela Samarati , Maria Luisa Sapino , V. S. Subrahmanian, Flexible support for multiple access control policies, ACM Transactions on Database Systems (TODS), v.26 n.2, p.214-260, June 2001  [doi>10.1145/383891.383894]
18
Sushil Jajodia , Ravi Sandhu, Toward a multilevel secure relational data model, Proceedings of the 1991 ACM SIGMOD international conference on Management of data, p.50-59, May 29-31, 1991, Denver, Colorado, United States
 
19
Sushil Jajodia , Duminda Wijesekera, Recent advances in access control models, Proceedings of the fifteenth annual working conference on Database and application security, p.3-15, July 15-18, 2001, Niagara, Ontario, Canada
 
20
Amihai Motro, An Access Authorization Model for Relational Databases Based on Algebraic Manipulation of View Definitions, Proceedings of the Fifth International Conference on Data Engineering, p.339-347, February 06-10, 1989
 
21
Amihai Motro, Panorama: a database system that annotates its answers to queries with their properties, Journal of Intelligent Information Systems, v.7 n.1, p.51-73, Sept. 1996  [doi>10.1007/BF00125522]
 
22
A. Rosenthal and E. Sciore. View security as the basis for data warehouse security. In Intl. Workshop on Design and Management of Data Warehouses (DMDW), 2000.
 
23
A. Rosenthal and E. Sciore. Administering permissions for distributed data: Factoring and automated inference. In IFIP 11.3 Working Conf. in Database Security, 2001.
 
24
Arnon Rosenthal , Edward Sciore , Vinti Doshi, Security Administration for Federations, Warehouses, and other Derived Data, Proceedings of the IFIP WG 11.3 Thirteenth International Conference on Database Security: Research Advances in Database and Information Systems Security, p.209-223, July 26-28, 1999
25
Prasan Roy , S. Seshadri , S. Sudarshan , Siddhesh Bhobe, Efficient and extensible algorithms for multi query optimization, Proceedings of the 2000 ACM SIGMOD international conference on Management of data, p.249-260, May 15-18, 2000, Dallas, Texas, United States
 
26
Divesh Srivastava , Shaul Dar , H. V. Jagadish , Alon Y. Levy, Answering Queries with Aggregation Using Views, Proceedings of the 22th International Conference on Very Large Data Bases, p.318-329, September 03-06, 1996
27
Ramana Yerneni , Chen Li , Hector Garcia-Molina , Jeffrey Ullman, Computing capabilities of mediators, Proceedings of the 1999 ACM SIGMOD international conference on Management of data, p.443-454, May 31-June 03, 1999, Philadelphia, Pennsylvania, United States
28
Markos Zaharioudakis , Roberta Cochrane , George Lapis , Hamid Pirahesh , Monica Urata, Answering complex SQL queries using automatic summary tables, Proceedings of the 2000 ACM SIGMOD international conference on Management of data, p.105-116, May 15-18, 2000, Dallas, Texas, United States

CITED BY  30
Elisa Bertino , Ravi Sandhu, Database Security-Concepts, Approaches, and Challenges, IEEE Transactions on Dependable and Secure Computing, v.2 n.1, p.2-19, January 2005
Radu Sion, Query execution assurance for outsourced databases, Proceedings of the 31st international conference on Very large data bases, August 30-September 02, 2005, Trondheim, Norway
Bo Luo , Dongwon Lee , Wang-Chien Lee , Peng Liu, QFilter: fine-grained run-time XML access control via NFA-based query rewriting, Proceedings of the thirteenth ACM international conference on Information and knowledge management, November 08-13, 2004, Washington, D.C., USA
Chao Yao , X. Sean Wang , Sushil Jajodia, Checking for k-anonymity violation by views, Proceedings of the 31st international conference on Very large data bases, August 30-September 02, 2005, Trondheim, Norway
William R. Cook , Siddhartha Rai, Safe query objects: statically typed objects as remotely executable queries, Proceedings of the 27th international conference on Software engineering, May 15-21, 2005, St. Louis, MO, USA
Michalis Petropoulos , Alin Deutsch , Yannis Papakonstantinou, Interactive query formulation over web service-accessed sources, Proceedings of the 2006 ACM SIGMOD international conference on Management of data, June 27-29, 2006, Chicago, IL, USA
Govind Kabra , Ravishankar Ramamurthy , S. Sudarshan, Redundancy and information leakage in fine-grained access control, Proceedings of the 2006 ACM SIGMOD international conference on Management of data, June 27-29, 2006, Chicago, IL, USA
Peng Liu , Hai Wang , Lunquan Li, Real-time data attack isolation for commercial database applications, Journal of Network and Computer Applications, v.29 n.4, p.294-320, November 2006
Jason Crampton , Wing Leung , Konstantin Beznosov, The secondary and approximate authorization model and its application to Bell-LaPadula policies, Proceedings of the eleventh ACM symposium on Access control models and technologies, June 07-09, 2006, Lake Tahoe, California, USA
Konstantin (Kosta) Beznosov, Flooding and recycling authorizations, Proceedings of the 2005 workshop on New security paradigms, September 20-23, 2005, Lake Arrowhead, California
Nicola Onose , Alin Deutsch , Yannis Papakonstantinou , Emiran Curtmola, Rewriting nested XML queries using nested views, Proceedings of the 2006 ACM SIGMOD international conference on Management of data, June 27-29, 2006, Chicago, IL, USA
Bogdan Cautis, Distributed access control: a privacy-conscious approach, Proceedings of the 12th ACM symposium on Access control models and technologies, June 20-22, 2007, Sophia Antipolis, France
Roxana Geambasu , Magdalena Balazinska , Steven D. Gribble , Henry M. Levy, Homeviews: peer-to-peer middleware for personal data sharing applications, Proceedings of the 2007 ACM SIGMOD international conference on Management of data, June 11-14, 2007, Beijing, China
Brian J. Corcoran , Nikhil Swamy , Michael Hicks, Cross-tier, label-based security enforcement for web applications, Proceedings of the 35th SIGMOD international conference on Management of data, June 29-July 02, 2009, Providence, Rhode Island, USA
Fengjun Li , Bo Luo , Peng Liu , Dongwon Lee , Chao-Hsien Chu, Automaton segmentation: a new approach to preserve privacy in xml information brokering, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
Michalis Petropoulos , Alin Deutsch , Yannis Papakonstantinou , Yannis Katsis, Exporting and interactively querying Web service-accessed sources: The CLIDE System, ACM Transactions on Database Systems (TODS), v.32 n.4, p.22-es, November 2007
Rafae Bhatti , Dengfeng Gao , Wen-Syan Li, Enabling policy-based access control in BI applications, Data & Knowledge Engineering, v.66 n.2, p.199-222, August, 2008
Michalis Petropoulos , Alin Deutsch , Yannis Papakonstantinou, CLIDE: interactive query formulation for service oriented architectures, Proceedings of the 2007 ACM SIGMOD international conference on Management of data, June 11-14, 2007, Beijing, China
Qihua Wang , Ting Yu , Ninghui Li , Jorge Lobo , Elisa Bertino , Keith Irwin , Ji-Won Byun, On the correctness criteria of fine-grained access control in relational databases, Proceedings of the 33rd international conference on Very large data bases, September 23-27, 2007, Vienna, Austria
Feifei Li , Marios Hadjieleftheriou , George Kollios , Leonid Reyzin, Dynamic authenticated index structures for outsourced databases, Proceedings of the 2006 ACM SIGMOD international conference on Management of data, June 27-29, 2006, Chicago, IL, USA
Mahmoud Barhamgi , Djamal Benslimane , Aris M. Ouksel, Composing and optimizing data providing web services, Proceeding of the 17th international conference on World Wide Web, April 21-25, 2008, Beijing, China
Sabrina De Capitani di Vimercati , Sara Foresti , Sushil Jajodia , Stefano Paraboschi , Pierangela Samarati, Assessing query privileges via safe and efficient permission composition, Proceedings of the 15th ACM conference on Computer and communications security, October 27-31, 2008, Alexandria, Virginia, USA
Qiang Wei , Jason Crampton , Konstantin Beznosov , Matei Ripeanu, Authorization recycling in RBAC systems, Proceedings of the 13th ACM symposium on Access control models and technologies, June 11-13, 2008, Estes Park, CO, USA
Travis Kriplean , Evan Welbourne , Nodira Khoussainova , Vibhor Rastogi , Magdalena Balazinska , Gaetano Borriello , Tadayoshi Kohno , Dan Suciu, Physical Access Control for Captured RFID Data, IEEE Pervasive Computing, v.6 n.4, p.48-55, October 2007
Lars E. Olson , Carl A. Gunter , P. Madhusudan, A formal framework for reflective database access control policies, Proceedings of the 15th ACM conference on Computer and communications security, October 27-31, 2008, Alexandria, Virginia, USA
Vibhor Rastogi , Dan Suciu , Evan Welbourne, Access control over uncertain data, Proceedings of the VLDB Endowment, v.1 n.1, August 2008
Bogdan Cautis , Alin Deutsch , Nicola Onose, Querying data sources that export infinite sets of views, Proceedings of the 12th International Conference on Database Theory, March 23-25, 2009, St. Petersburg, Russia
Kyriakos Mouratidis , Dimitris Sacharidis , Hweehwa Pang, Partially materialized digest scheme: an efficient verification method for outsourced databases, The VLDB Journal — The International Journal on Very Large Data Bases, v.18 n.1, p.363-381, January 2009
Faiz Currim , Eunjin Jung , Xin Xiao , Insoon Jo, Privacy policy enforcement for health information data access, Proceedings of the 1st ACM international workshop on Medical-grade wireless networks, May 18-18, 2009, New Orleans, Louisiana, USA
David DeHaan, Equivalence of nested queries with mixed semantics, Proceedings of the twenty-eighth ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems, June 29-July 01, 2009, Providence, Rhode Island, USA
Collaborative Colleagues:
Shariq Rizvi: colleagues
Alberto Mendelzon: colleagues
S. Sudarshan: colleagues
Prasan Roy: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player