research-article

Integrating trust management and access control in data-intensive Web applications

Published: 04 June 2012

Abstract

The widespread diffusion of Web-based services provided by public and private organizations emphasizes the need for a flexible solution for protecting the information accessible through Web applications. A promising approach is represented by credential-based access control and trust management. However, although much research has been done and several proposals exist, a clear obstacle to the realization of their benefits in data-intensive Web applications is represented by the lack of adequate support in the DBMSs. As a matter of fact, DBMSs are often responsible for the management of most of the information that is accessed using a Web browser or a Web service invocation.

In this article, we aim at eliminating this gap, and present an approach integrating trust management with the access control of the DBMS. We propose a trust model with a SQL syntax and illustrate an algorithm for the efficient verification of a delegation path for certificates. Our solution nicely complements current trust management proposals, allowing the efficient realization of the services of an advanced trust management model within current relational DBMSs. An important benefit of our approach lies in its potential for a robust end-to-end design of security for personal data in Web scenarios, where vulnerabilities of Web applications cannot be used to violate the protection of the data residing on the database server. We also illustrate the implementation of our approach within an open-source DBMS, discussing design choices and performance impact.

Published in

ACM Transactions on the Web, Volume 6, Issue 2
May 2012
137 pages
ISSN: 1559-1131
EISSN: 1559-114X
DOI: 10.1145/2180861

Copyright © 2012 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 4 June 2012
• Accepted: 1 October 2011
• Revised: 1 August 2011
• Received: 1 January 2009

Qualifiers

• research-article
• Research
• Refereed
