Abstract
The widespread diffusion of Web-based services provided by public and private organizations emphasizes the need for a flexible solution for protecting the information accessible through Web applications. A promising approach is represented by credential-based access control and trust management. However, although much research has been done and several proposals exist, a clear obstacle to the realization of their benefits in data-intensive Web applications is represented by the lack of adequate support in the DBMSs. As a matter of fact, DBMSs are often responsible for the management of most of the information that is accessed using a Web browser or a Web service invocation.
In this article, we aim at eliminating this gap, and present an approach integrating trust management with the access control of the DBMS. We propose a trust model with a SQL syntax and illustrate an algorithm for the efficient verification of a delegation path for certificates. Our solution nicely complements current trust management proposals allowing the efficient realization of the services of an advanced trust management model within current relational DBMSs. An important benefit of our approach lies in its potential for a robust end-to-end design of security for personal data in Web scenario, where vulnerabilities of Web applications cannot be used to violate the protection of the data residing on the database server. We also illustrate the implementation of our approach within an open-source DBMS discussing design choices and performance impact.
- Agrawal, R., Bird, P., Grandison, T., Kiernan, J., Logan, S., and Rjaibi, W. 2005. Extending relational database systems to automatically enforce privacy policies. In Proceedings of the 21st International Conference on Data Engineering. Google Scholar
Digital Library
- Blaze, M., Feigenbaum, J., Ioannidis, J., and Keromytis, A. 1999. The KeyNote trust management system (version 2). Internet RFC 2704. http://www.crypto.com/papers/rfc2704.txt. Google Scholar
Digital Library
- Blaze, M., Feigenbaum, J., and Lacy, J. 1996. Decentralized trust management. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, Los Alamitos, CA. Google Scholar
Digital Library
- Bonatti, P. and Samarati, P. 2002. A unified framework for regulating access and information release on the Web. J. Comput, Secur. 10, 3, 241--272. Google Scholar
Digital Library
- Bonner, A. 1997. Transaction datalog: A compositional language for transaction programming. In Proceedings of the 6th International Workshop on Database Programming Languages.Google Scholar
- Brands, S. 2000. Rethinking Public Key Infrastructure and Digital Certificates. MIT Press, Cambridge, MA. Google Scholar
Digital Library
- Camenisch, J. and Lysyanskaya, A. 2001. An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In Proceedings of the 20th Annual International Conference on the Theory and Applications of Cryptographic Techniques. Google Scholar
Digital Library
- Ceri, S., Fraternali, P., Paraboschi, S., and Tanca, L. 1994. Automatic generation of production rules for integrity maintenance. ACM Trans. Datab. Syst. 19, 3, 367--422. Google Scholar
Digital Library
- Chaudhuri, S., Dutta, T., and Sudarshan, S. 2007. Fine-grained authorization through predicated grants. In Proceeding of the 23rd IEEE International Conference on Data Engineering. IEEE, Los Alamitos, CA.Google Scholar
- Chu, Y., Feigenbaum, J., Lamacchia, B., Resnick, P., and Strauss, M. 1997. REFEREE: Trust management for Web applications. World Wide Web J.l 2, 3, 127--139. Google Scholar
Digital Library
- Clarke, D., Elien, J., Ellison, C., Fredette, M., Morcos, A., and Rivest, R. 2001. Certificate chain discovery in SPKI/SDSI. J.Comput. Secur. 9, 4, 285--322. Google Scholar
Digital Library
- De Capitani di Vimercati, S., Jajodia, S., Paraboschi, S., and Samarati, P. 2007. Trust management services in relational databases. In Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security. ACM, New York. Google Scholar
Digital Library
- Dierks, T. and Rescorla, E. 2008. The transport layer security (TLS) protocol (version 1.2). Internet RFC 5246. http://tools.ietf.org/rfc/rfc5246.txt.Google Scholar
- Ellison, C. 1999. SPKI requirements. Internet RFC 2692. http://www.ietf.org/rfc/rfc2692.txt. Google Scholar
Digital Library
- Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., and Lonen, T. 1999. SPKI certificate theory. Internet RFC 2693. http://www.ietf.org/rfc/rfc2693.txt. Google Scholar
Digital Library
- Freier, A. O., Karlton, P., and Kocher, P. C. 1996. The SSL protocol (version 3.0). Netscape's final SSL3.0 draft. http://www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt.Google Scholar
- Housley, R., Polk, W., Ford, W., and Solo, D. 2002. Internet X.509 public key infrastructure certificate and CRL profile. Internet RFC 3280. http://www.ietf.org/rfc/rfc3280.txt. Google Scholar
Digital Library
- Irwin, K. and Yu, T. 2005. Preventing attribute information leakage in automated trust negotiation. In Proceedings of the 12th ACM Conference on Computer and Communications Security. ACM, New York. Google Scholar
Digital Library
- ISO. 1996. Database language SQL -- part 2: Foundation (SQL/foundation) 1999. ISO International Standard, ISO/IEC9075.Google Scholar
- Kabra, G., Ramamurthy, R., and S. Sudarshan, S. 2006. Redundancy and information leakage in fine-grained access control. In Proceeding of the 2006 ACM SIGMOD International Conference on Management of Data. ACM, New York. Google Scholar
Digital Library
- Lee, A., Minami, K., and Winslett, M. 2007. Lightweight consistency enforcement schemes for distributed proofs with hidden subtrees. In Proceedings of the 12th ACM Symposium on Access Control Models and Technologies. ACM, New York. Google Scholar
Digital Library
- Lee, A. and Winslett, M. 2006. Safety and consistency in policy-based authorization systems. In Proceedings of the 13th ACM Conference on Computer and Communications Security. ACM, New York. Google Scholar
Digital Library
- Lee, A. and Winslett, M. 2008a. Enforcing safety and consistency constraints in policy-based authorization systems. ACM Trans. Inf. Syst. Secur. 12, 2, 1--33. Google Scholar
Digital Library
- Lee, A. and Winslett, M. 2008b. Towards an efficient and language-agnostic compliance checker for trust negotiation systems. In Proceedings of the 3rd ACM Symposium on Information, Computer and Communications Security. ACM, New York. Google Scholar
Digital Library
- Lee, A., Winslett, M., Basney, J., and Welch, V. 2008. The trust authorization service. ACM Trans. Inf. Syst. Secur. 11, 1, 1--33. Google Scholar
Digital Library
- Li, J., Li, N., and Winsborough, W. 2005a. Automated trust negotiation using cryptographic credentials. In Proceedings of the 12th ACM Conference on Computer and Communications Security. ACM, New York. Google Scholar
Digital Library
- Li, N., Mitchell, J., and Winsborough, W. 2005b. Beyond proof-of compliance: Security analysis in trust management. J. ACM 52, 3, 474--514. Google Scholar
Digital Library
- Li, N. and Mitchell, J. 2006. Understanding SPKI/SDSI using first-order logic. Int. J, Inf. Secur. 5, 1, 48--64. Google Scholar
Digital Library
- Li, N., Winsborough, W., and Mitchell, J. 2003. Distributed credential chain discovery in trust management. J. Comput. Secur. 11, 1, 35--86. Google Scholar
Digital Library
- Lockhart, H., Wisniewski, T., Cantor, S., Mishra, P., and Lien, J. 2007. Security assertion markup language (SAML) V2.0 tech. overview. OASIS working draft. http://www.oasisopen.org/committees/download.php/22553/sstc-saml-tech-overview-2200-draft-13.pdf.Google Scholar
- Lowe, G. 1996. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Proceedings of the 2nd International Workshop on Tools and Algorithms for Construction and Analysis of Systems. Google Scholar
Digital Library
- Murthy, R. and Sedlar, E. 2007. Flexible and efficient access control in Oracle. In Proceedings of the ACM SIGMOD International Conference on Management of Data. ACM, New York. Google Scholar
Digital Library
- Needham, R. M. and Schroeder, M. D. 1978. Using encryption for authentication in large networks of computers. Comm. ACM 21, 12, 993--999. Google Scholar
Digital Library
- Olson, E., Gunter, C., and Madhusudan, P. 2008. A formal framework for reflective database access control policies. In Proceedings of the 15th ACM Conference on Computer and Communications Security. ACM, New York. Google Scholar
Digital Library
- Reith, M., Niu, J., and Winsborough, W. 2007. Apply model checking to security analysis in trust management. In Proceedings of the 23rd International Workshop on Data Engineering. Google Scholar
Digital Library
- Rivest, R. and Lampson, B. 1996. SDSI - A simple distributed security infrastructure. http://people.csail .mit.edu/rivest/sdsi10.html.Google Scholar
- Ryutov, T., Zhou, L., Neuman, C., Leithead, T., and Seamons, K. 2005. Adaptive trust negotiation and access control. In Proceedings of the 10th ACM Symposium on Access Control Models and Technologies. ACM, New York. Google Scholar
Digital Library
- Saltzer, J. and Schroeder, M. 1975. The protection of information in computer systems. Proc. IEEE 63, 9, 1278--1308.Google Scholar
Cross Ref
- Stonebraker, M. 1987. The design of the POSTGRES storage system. In Proceedings of the 13th International Conference on Very Large Data Bases. Google Scholar
Digital Library
- Wang, L., Wijesekera, D., and Jajodia, S. 2004. A logic-based framework for attribute based access control. In Proceedings of the ACM Workshop on Formal Methods in Security Engineering. ACM, New York. Google Scholar
Digital Library
- Warner, J., Atluri, V., and Mukkamala, R. 2005. An attribute graph-based approach to map local access control policies to credential based access control policies. In Proceedings of the 1st International Conference on Information Systems Security. Google Scholar
Digital Library
- Winsborough, W. and Li, N. 2006. Safety in automated trust negotiation. ACM Trans. Inf. Syst. Secur. 9, 3, 352--390. Google Scholar
Digital Library
- Winslett, M., Ching, N., Jones, V., and Slepchin, I. 1997. Using digital credentials on the World Wide Web. J. Comput. Secur. 5, 3, 255--267. Google Scholar
Digital Library
- Winslett, M., Yu, T., Seamons, K., Hess, A., Jacobson, J., Jarvis, R., Smith, B., and Yu, L. 2002. Negotiating trust on the Web. IEEE Internet Comput. 6, 6, 30--37. Google Scholar
Digital Library
- Yu, T., Ma, X., and Winslett, M. 2000. PRUNES: An efficient and complete strategy for automated trust negotiation over the internet. In Proceedings of the 7th ACM Conference on Computer and Communications Security. ACM, New York. Google Scholar
Digital Library
- Yu, T. and Winslett, M. 2003. A unified scheme for resource protection in automated trust negotiation. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, Los Alamitos, CA. Google Scholar
Digital Library
- Yu, T., Winslett, M., and Seamons, K. 2001. Interoperable strategies in automated trust negotiation. In Proceedings of the 8th ACM Conference on Computer and Communications Security. ACM, New York. Google Scholar
Digital Library
- Yu, T., Winslett, M., and Seamons, K. 2003. Supporting structured credentials and sensitive policies through interoperable strategies for automated trust negotiation. ACM Trans. Inf. Syst. Secur. 6, 1, 1--42. Google Scholar
Digital Library
Index Terms
Integrating trust management and access control in data-intensive Web applications
Recommendations
Trust management languages and complexity
OTM'11: Proceedings of the 2011th Confederated international conference on On the move to meaningful internet systems - Volume Part IITrust management is a concept of automatic verification of access rights against distributed security policies. A policy is described by a set of credentials that define membership of roles and delegation of authority over a resource between the members ...
A New Trust Degree-Based Access Control Method for Semantic Web Services
ICICTA '10: Proceedings of the 2010 International Conference on Intelligent Computation Technology and Automation - Volume 01Recently, semantic Web services have become a rising application over the internet. At the same time, security and trustworthy becomes extremely important. But there is no effective access control method for semantic Web services to provide trusted Web ...
An Evaluation of Role Based Access Control Towards Easier Management Compared to Tight Security
ICFNDS '17: Proceedings of the International Conference on Future Networks and Distributed SystemsRole-based access control (RBAC) is a widely-used protocol to design and build an access control for providing the system security regarding authorization. Even though in the context of internet resources access, the authentication and access control ...






Comments