scholarly journals Advanced Analysis of the Integrity of Access Control Policies: the Specific Case of Databases

2020 ◽  
Vol 17 (5) ◽  
pp. 808-815
Author(s):  
Faouzi Jaidi ◽  
Faten Ayachi ◽  
Adel Bouhoula
Keyword(s):  
Access Control ◽  
Relational Databases ◽  
Large Scale ◽  
Complete Solution ◽  
Role Based Access Control ◽  
Critical Systems ◽  
Control Policies ◽  
Access Control Policies ◽  
Formal Framework ◽  
Advanced Analysis

Databases are considered as one of the most compromised assets according to 2014-2016 Verizon Data Breach Reports. The reason is that databases are at the heart of Information Systems (IS) and store confidential business or private records. Ensuring the integrity of sensitive records is highly required and even vital in critical systems (e-health, clouds, e-government, big data, e-commerce, etc.,). The access control is a key mechanism for ensuring the integrity and preserving the privacy in large scale and critical infrastructures. Nonetheless, excessive, unused and abused access privileges are identified as most critical threats in the top ten database security threats according to 2013-2015 Imperva Application Defense Center reports. To address this issue, we focus in this paper on the analysis of the integrity of access control policies within relational databases. We propose a rigorous and complete solution to help security architects verifying the correspondence between the security planning and its concrete implementation. We define a formal framework for detecting non-compliance anomalies in concrete Role Based Access Control (RBAC) policies. We rely on an example to illustrate the relevance of our contribution

VeRA: Verifying RBAC and Authorization Constraints Models of Web Applications

2021 ◽  
Vol 31 (05) ◽  
pp. 655-675
Author(s):  
Thanh-Nhan Luong ◽  
Hanh-Phuc Nguyen ◽  
Ninh-Thuan Truong
Keyword(s):  
Access Control ◽  
Programming Languages ◽  
Web Application ◽  
Web Applications ◽  
Implementation Process ◽  
Record Management ◽  
Role Based Access Control ◽  
Security Issue ◽  
Control Policies ◽  
Access Control Policies

The software security issue is being paid great attention from the software development community as security violations have emerged variously. Developers often use access control techniques to restrict some security breaches to software systems’ resources. The addition of authorization constraints to the role-based access control model increases the ability to express access rules in real-world problems. However, the complexity of combining components, libraries and programming languages during the implementation stage of web systems’ access control policies may arise potential flaws that make applications’ access control policies inconsistent with their specifications. In this paper, we introduce an approach to review the implementation of these models in web applications written by Java EE according to the MVC architecture under the support of the Spring Security framework. The approach can help developers in detecting flaws in the assignment implementation process of the models. First, the approach focuses on extracting the information about users and roles from the database of the web application. We then analyze policy configuration files to establish the access analysis tree of the application. Next, algorithms are introduced to validate the correctness of the implemented user-role and role-permission assignments in the application system. Lastly, we developed a tool called VeRA, to automatically support the verification process. The tool is also experimented with a number of access violation scenarios in the medical record management system.

Secure Publishing using Schema-level Role-based Access Control Policies for Fragments of XML Documents

2009 ◽  
Author(s):  
Tomasz Müldner ◽  
Robin McNeill ◽  
Jan Krzysztof Miziołek
Keyword(s):  
Access Control ◽  
Fixed Number ◽  
Original Structure ◽  
Role Based Access Control ◽  
Control Policies ◽  
Xml Documents ◽  
Access Control Policies ◽  
Minimum Number ◽  
Role Based ◽  
Implementation Tool

Popularity of social networks is growing rapidly and secure publishing is an important implementation tool for these networks. At the same time, recent implementations of access control policies (ACPs) for sharing fragments of XML documents have moved from distributing to users numerous sanitized sub-documents to disseminating a single document multi-encrypted with multiple cryptographic keys, in such a way that the stated ACPs are enforced. Any application that uses this implementation of ACPs will incur a high cost of generating keys separately for each document. However, most such applications, such as secure publishing, use similar documents, i.e. documents based on a selected schema. This paper describes RBAC defined at the schema level, (SRBAC), and generation of the minimum number of keys at the schema level. The main advantage of our approach is that for any application that uses a fixed number of schemas, keys can be generated (or even pre-generated) only once, and then reused in all documents valid for the given schema. While in general, key generation at the schema level has to be pessimistic, our approach tries to minimize the number of generated keys. Incoming XML documents are efficiently encrypted using single-pass SAX parsing in such a way that the original structure of these documents is completely hidden. We also describe distributing to each user only keys needed for decrypting accessible nodes, and for applying the minimal number of encryption operations to an XML document required to satisfy the protection requirements of the policy.

Sign in / Sign up

Export Citation Format

Share Document