Fine-grained access control to web databases

Authors:
Alex Roichman;Ehud Gudes
Affiliations:
The Open University, Raanana, Israel;The Open University, Raanana, Israel
Venue:
Proceedings of the 12th ACM symposium on Access control models and technologies
Year:
2007

Citing 7
Cited 9

An authorization mechanism for a relational database system

ACM Transactions on Database Systems (TODS)
Writing Secure Code

Writing Secure Code
An Extended Authorization Model for Relational Databases

IEEE Transactions on Knowledge and Data Engineering
View Definitions with Parameters

ADBIS '95 Proceedings of the Second International Workshop on Advances in Databases and Information Systems
GQL: A Reasonable Complex SQL for Genomic Databases

BIBE '00 Proceedings of the 1st IEEE International Symposium on Bioinformatics and Biomedical Engineering
A data mining approach for database intrusion detection

Proceedings of the 2004 ACM symposium on Applied computing
A learning-based approach to the detection of SQL attacks

DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

DIWeDa - Detecting Intrusions in Web Databases

Proceeedings of the 22nd annual IFIP WG 11.3 working conference on Data and Applications Security
Effectively and efficiently selecting access control rules on materialized views over relational databases

Proceedings of the Fourteenth International Database Engineering & Applications Symposium
Inheriting access control rules from large relational databases to materialized views automatically

KES'10 Proceedings of the 14th international conference on Knowledge-based and intelligent information and engineering systems: Part III
MyABDAC: compiling XACML policies for attribute-based database access control

Proceedings of the first ACM conference on Data and application security and privacy
Users tracking and roles mining in web-based applications

Proceedings of the 2011 Joint EDBT/ICDT Ph.D. Workshop
Integrating large and distributed life sciences resources for systems biology research: progress and new challenges

Transactions on large-scale data- and knowledge-centered systems III
A secured collaborative model for data integration in life sciences

Transactions on large-scale data- and knowledge-centered systems IV
SENTINEL: securing database from logic flaws in web applications

Proceedings of the second ACM conference on Data and Application Security and Privacy
From MDM to DB2: a case study of security enforcement migration

DBSec'12 Proceedings of the 26th Annual IFIP WG 11.3 conference on Data and Applications Security and Privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

Before the Web era, databases were well-protected by using the standard access control techniques such as Views and SQL authorization commands. But with the development of web systems, the number of attacks on databases increased and it has become clear that their access control mechanism is inadequate for web-based systems. In particular, the SQL Injection and other vulnerabilities have received considerable attention in recent years, and satisfactory solutions to these kinds of attacks are still lacking. We present a new method for protecting web databases that is based on fine-grained access control mechanism. This method uses the databases' built-in access control mechanisms enhanced with Parameterized Views and adapts them to work with web applications. The proposed access control mechanism is applicable for any existing databases and is capable to prevent many kinds of attacks, thus significantly decreases the web databases' attack surface.