Static detection of security flaws in object-oriented databases

Authors:
Keishi Tajima
Affiliations:
Kobe University and Research Institute for Mathematical Sciences, Kyoto University, Japan
Venue:
SIGMOD '96 Proceedings of the 1996 ACM SIGMOD international conference on Management of data
Year:
1996

Citing 28
Cited 3

Views for Multilevel Database Security

IEEE Transactions on Software Engineering - Special issue on computer security and privacy
Security and inference in multilevel database and knowledge-base systems

SIGMOD '87 Proceedings of the 1987 ACM SIGMOD international conference on Management of data
Resolving the tension between integrity and security using a theorem prover

SIGMOD '88 Proceedings of the 1988 ACM SIGMOD international conference on Management of data
Integrity versus security in multi-level secure databases

on Database Security: Status and Prospects
The SeaView Security Model

IEEE Transactions on Software Engineering
A model of authorization for next-generation database systems

ACM Transactions on Database Systems (TODS)
Toward a multilevel secure relational data model

SIGMOD '91 Proceedings of the 1991 ACM SIGMOD international conference on Management of data
Objects and views

SIGMOD '91 Proceedings of the 1991 ACM SIGMOD international conference on Management of data
AERIE: an inference modeling and detection approach for databases

Results of the Sixth Working Conference of IFIP Working Group 11.3 on Database Security on Database security, VI : status and prospects: status and prospects
A polymorphic calculus for views and object sharing (extended abstract)

PODS '94 Proceedings of the thirteenth ACM SIGACT-SIGMOD-SIGART symposium on Principles of database systems
Secure databases: protection against user influence

ACM Transactions on Database Systems (TODS)
The tracker: a threat to statistical database security

ACM Transactions on Database Systems (TODS)
Security in statistical databases for queries with small counts

ACM Transactions on Database Systems (TODS)
A model of statistical database their security

ACM Transactions on Database Systems (TODS)
A security machanism for statistical database

ACM Transactions on Database Systems (TODS)
Certification of programs for secure information flow

Communications of the ACM
A lattice model of secure information flow

Communications of the ACM
Database Security and Integrity

Database Security and Integrity
Controlling FD and MVD Inferences in Multilevel Relational Database Systems

IEEE Transactions on Knowledge and Data Engineering
Supporting Access Control in an Object-Oriented Database Language

EDBT '92 Proceedings of the 3rd International Conference on Extending Database Technology: Advances in Database Technology
Schema Virtualization in Object-Oriented Databases

Proceedings of the Fourth International Conference on Data Engineering
Inference-Security Analysis Using Resolution Theorem-Proving

Proceedings of the Fifth International Conference on Data Engineering
Object Views: Extending the Vision

Proceedings of the Sixth International Conference on Data Engineering
Data Hiding and Security in Object-Oriented Databases

Proceedings of the Eighth International Conference on Data Engineering
Multiview: A Methodology for Supporting Multiple Views in Object-Oriented Databases

VLDB '92 Proceedings of the 18th International Conference on Very Large Data Bases
A Model of Methods Access Authorization in Object-oriented Databases

VLDB '93 Proceedings of the 19th International Conference on Very Large Data Bases
Detection and Elimination of Inference Channels in Multilevel Relational Database Systems

SP '93 Proceedings of the 1993 IEEE Symposium on Security and Privacy
Inference Channel-Free Integrity Constraints in Multilevel Relational Databases

SP '94 Proceedings of the 1994 IEEE Symposium on Security and Privacy

Security against Inference Attacks on Negative Information in Object-Oriented Databases

ICICS '02 Proceedings of the 4th International Conference on Information and Communications Security
An equational logic based approach to the security problem against inference attacks on object-oriented databases

Journal of Computer and System Sciences
Evolving a model of transaction management with concurrency control for multilevel secure distributed real-time database systems

ACS'07 Proceedings of the 7th Conference on 7th WSEAS International Conference on Applied Computer Science - Volume 7

Quantified Score

Hi-index	0.00

Visualization

Abstract

Access control in function granularity is one of the features of many object-oriented databases. In those systems, the users are granted rights to invoke composed functions instead of rights to invoke primitive operations. Although primitive operations are invoked inside composed functions, the users can invoke them only through the granted functions. This achieves access control in abstract operation level. Access control utilizing encapsulated functions, however, easily causes many "security flaws" through which malicious users can bypass the encapsulation and can abuse the primitive operations inside the functions. In this paper, we develop a technique to statically detect such security flaws. First, we design a framework to describe security requirements that should be satisfied. Then, we develop an algorithm that syntactically analyzes program code of the functions and determines whether given security requirements are satisfied or not. This algorithm is sound, that is, whenever there is a security flaw, it detects it.