Distributed and Typed Role-based Access Control Mechanisms Driven by CRUD Expressions

Diogo Domingues Regateiro, Rui Luís Aguiar, Óscar Mortágua Pereira


Business logics of relational databases applications are an important source of security violations, namely in respect to access control. The situation is particularly critical when access control policies are many and complex. In these cases, programmers of business logics can hardly master the established access control policies. Now we consider situations where business logics are built with tools such as JDBC and ODBC. These tools convey two sources of security threats: 1) the use of unauthorized Create, Read, Update and Delete (CRUD) expressions and also 2) the modification of data previously retrieved by Select statements. To overcome this security gap when Role-based access control policies are used, we propose an extension to the basic model in order to control the two sources of security threats. Finally, we present a software architectural model from which distributed and typed RBAC mechanisms are automatically built, this way relieving programmers from mastering any security schema. We demonstrate empirical evidence of the effectiveness of our proposal from a use case based on Java and JDBC.

Full Text:



P. Samarati and S. D. C. di Vimercati, “Access Control: Policies, Models, and Mechanisms,” in Foundations of Security Analysis and Design (LNCS), vol. 2171, Springer, 2001, pp. 137–196.

S. D. C. di Vimercati, S. Foresti, and P. Samarati, “Recent Advances in Access Control - Handbook of Database Security,” in Handbook of Database Security, M. Gertz and S. Jajodia, Eds. Springer, 2008, pp. 1–26.

R. S. Sandhu and P. Samarati, “Access Control: Principle and Practice,” Commun. Mag. IEEE, vol. 32, no. 9, pp. 40–48, 1994.

Microsoft, “Microsoft Open Database Connectivity,” 1992. [Online]. Available: https://msdn.microsoft.com/en-us/library/ms710252(VS.85).aspx.

M. Parsian, JDBC Recipes: A Problem-Solution Approach. NY, USA: Apress, 2005.

C. Pablo, M. Sergey, and A. Atul, “ADO.NET entity framework: raising the level of abstraction in data programming,” in ACM SIGMOD International Conference on Management of Data, 2007, pp. 1070–1072.

M. Erik, B. Brian, and B. Gavin, “LINQ: Reconciling Object, Relations and XML in the .NET framework,” in ACM SIGMOD Intl Conf on Management of Data, 2006, p. 706.

D. Yang, Java Persistence with JPA. Outskirts Press, 2010.

J. O. Elizabeth, “Object/relational mapping 2008: hibernate and the entity data model (edm),” in Proceedings of the 2008 ACM SIGMOD international conference on Management of data, 2008.

R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, “Role-Based Access Control Models,” Computer (Long. Beach. Calif)., vol. 29, no. 2, pp. 38–47, 1996.

L. Fuchs, G. Pernul, and R. Sandhu, “Roles in information security – A survey and classification of the research area,” Comput. Secur., vol. 30, no. 8, pp. 748–769, 2011.

Ó. M. Pereira, D. D. Regateiro, and R. L. Aguiar, “Role-Based Access Control Mechanisms Distributed, Statically Implemented and Driven by CRUD Expressions,” in ISCC’14 - 9th. IEEE Symposium on Computers and Communications, 2014.

Ó. M. Pereira, R. L. Aguiar, and M. Y. Santos, “Reusable Business Tier Components Based on CLI and Driven by a Single Wide Typed Service,” IJSI - Int. J. Softw. Innov., vol. 2, no. 1, pp. 37–60, 2014.

Ó. M. Pereira, R. L. Aguiar, and M. Y. Santos, “ACADA - Access Control-driven Architecture with Dynamic Adaptation,” in SEKE’12 - 24th Intl. Conf. on Software Engineering and Knowledge Engineering, 2012, pp. 387–393.

Ó. M. Pereira, R. L. Aguiar, and M. Y. Santos, “Runtime Values Driven by Access Control Policies Statically Enforced at the Level of the Relational Business Tiers,” in SEKE’13 - Intl. Conf. on Software Engineering and Knowledge Engineering, 2013, pp. 1–7.

A. Chlipala, “Static checking of dynamically-varying security policies in database-backed applications,” in 9th USENIX Conf. on Operating Systems Design and Implementation, 2010, pp. 1–14.

J. Abramov, O. Anson, M. Dahan, P. Shoval, and A. Sturm, “A methodology for integrating access control policies within database development,” Comput. Secur., vol. 31, no. 3, pp. 299–314, May 2012.

J. Zarnett, M. Tripunitara, and P. Lam, “Role-based Access Control (RBAC) in Java via Proxy Objects Using Annotations,” in Proceedings of the 15th ACM Symposium on Access Control Models and Technologies, 2010, pp. 79–88.

“RMI-Remote Method Invocation.” [Online]. Available: https://java.sun.com/javase/technologies/core/basic/rmi/index.jsp.

J. Fischer, D. Marino, R. Majumdar, and T. Millstein, “Fine-Grained Access Control with Object-Sensitive Roles,” 23rd ECOOP - European Conference on Object-Oriented Programming. Springer-Verlag, Italy, pp. 173–194, 2009.

G.-J. Ahn and H. Hu, “Towards Realizing a Formal RBAC Model in Real Systems,” in Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, 2007, pp. 215–224.

Oracle, “Using Oracle Virtual Private Database to Control Data Access,” 2011. [Online]. Available: https://docs.oracle.com/cd/B28359_01/network.111/b28531/vpd.htm#CIHBAJGI.

K. LeFevre, R. Agrawal, V. Ercegovac, R. Ramakrishnan, Y. Xu, and D. DeWitt, “Limiting disclosure in hippocratic databases,” 30th Int. Conf. on Very Large Databases. VLDB Endowment, Toronto, Canada, pp. 108–119, 2004.

W3C, “The Platform for Privacy Preferences 1.0 (P3P1.0) Specification,” 2002. [Online]. Available: https://www.w3.org/TR/P3P/.

W3C, “Enterprise Privacy Authorization Language (EPAL 1.2),” 2003. [Online]. Available: https://www.w3.org/Submission/2003/SUBM-EPAL-20031110/.

B. J. Corcoran, N. Swamy, and M. Hicks, “Cross-tier, Label-based Security Enforcement for Web Applications,” 35th SIGMOD Int. Conf. on Management of Data. ACM, Providence, Rhode Island, USA, pp. 269–282, 2009.

E. Cooper, S. Lindley, P. Wadler, and J. Yallop, “Links: Web Programming Without Tiers,” 5th Intl Conf on Formal Methods for Components and Objects. Springer-Verlag, Amsterdam, The Netherlands, pp. 266–296, 2007.

N. Swamy, B. J. Corcoran, and M. Hicks, “Fable: A Language for Enforcing User-defined Security Policies,” in IEEE Symposium on Security and Privacy, 2008, pp. 369–383.

S. Rizvi, A. Mendelzon, S. Sudarshan, and P. Roy, “Extending Query Rewriting Techniques for Fine-grained Access Control,” ACM SIGMOD Int. Conf. on Management of Data. ACM, Paris, France, pp. 551–562, 2004.

B. Morin, T. Mouelhi, F. Fleurey, Y. Le Traon, O. Barais, and J.-M. Jézéquel, “Security-Driven Model-based Dynamic Adaptation,” in IEEE/ACM Int. Conf. on Automated Software Engineering, 2010, pp. 205–214.

M. Komlenovic, M. Tripunitara, and T. Zitouni, “An empirical assessment of approaches to distributed enforcement in role-based access control (RBAC),” Proc. first ACM Conf. Data Appl. Secur. Priv. - CODASPY ’11, p. 121, 2011.

K. Jayaraman, M. Tripunitara, V. Ganesh, M. Rinard, and S. Chapin, “MOHAWK : Abstraction-Refinement and Bound-Estimation,” vol. 15, no. 4, pp. 1–28, 2013.

D. S. Wallach, A. W. Appel, and E. W. Felten, “S AFKASI 1 : A Security Mechanism for Language-based Systems,” vol. 1, no. 212, 1998.

A. Roichman and E. Gudes, “Fine-grained access control to web databases,” 12th ACM symposium on Access Control Models and Technologies. ACM, Sophia Antipolis, France, pp. 31–40, 2007.

Q. Wang, T. Yu, N. Li, J. Lobo, E. Bertino, K. Irwin, and J.-W. Byun, “On the correctness criteria of fine-grained access control in relational databases,” 33rd Int. Conf. on Very Large Data Bases. VLDB Endowment, Vienna, Austria, pp. 555–566, 2007.

S. Barker, “Dynamic Meta-level Access Control in SQL,” 22nd Annual IFIP WG 11.3 Working Conf on Data and Applications Security. Springer-Verlag, London, UK, pp. 1–16, 2008.

S. Chaudhuri, T. Dutta, and S. Sudarshan, “Fine Grained Authorization Through Predicated Grants,” IEEE 23rd ICDE - Int. Conf. on Data Engineering. Istanbul, Turkey, pp. 1174–1183, 2007.

L. Caires, J. A. Pérez, J. C. Seco, H. T. Vieira, and L. Ferrão, “Type-based access control in data-centric systems,” 20th European conference on Programming Languages and Systems: part of the joint European conferences on theory and practice of software. Springer-Verlag, Saarbrucken, Germany, pp. 136–155, 2011.

D. Zhang, O. Arden, K. Vikram, S. Chong, and A. Myers, “Jif: Java + information flow (3.3),” 2012. [Online]. Available: https://www.cs.cornell.edu/jif/.

C. Ribeiro, A. Zúquete, P. Ferreira, and P. Guedes, “SPL: An Access Control Language for Security Policies with Complex Constraints,” Network and Distributed System Security Symposium. San Diego,CA,USA, pp. 89–107, 2001.

OASIS, “XACML - eXtensible Access Control Markup Language,” 2012. [Online]. Available: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml.

Ó. Pereira, R. Aguiar, and M. Santos, “CRUD-DOM: a model for bridging the gap between the object-oriented and the relational paradigms: an enhanced performance assessment based on a case study,” vol. 4, no. 1, pp. 158–180, 2011.

O. M. Pereira, R. L. Aguiar, and M. Y. Santos, “CRUD-DOM: A Model for Bridging the Gap Between the Object-Oriented and the Relational Paradigms - an Enhanced Performance Assessment Based on a case Study,” Int. J. Adv. Softw., vol. 4, no. 1&2, pp. 158–180, 2011.


  • There are currently no refbacks.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 License.