Reflective Database Access Control

Reflective Database Access Control (RDBAC) is a model in which a database privilege is expressed as a database query itself, rather than as a static privilege contained in an access control list. RDBAC aids the management of database access controls by improving the expressiveness of policies. However, such policies introduce new interactions between data managed by different users, and can lead to unexpected results if not carefully written and analyzed. We propose the use of Transaction Datalog syntax and semantics as a formal framework for expressing reflective access control policies. Using a formal logic-based language provides a basis for analyzing policies and enables secure implementations that can guarantee that certain configurations built on these policies cannot be subverted. We demonstrate this by defining two classes of policy configurations, and proving that under any set of such policies, a decidable algorithm can determine whether or not access to a sensitive data item can ever be leaked to an unprivileged user. Although the Transaction Datalog language provides a powerful syntax and semantics for expressing RDBAC policies, there is no efficient implementation of this language for practical database systems. We demonstrate a strategy for compiling policies into standard SQL views that enforce the policies, including overcoming significant differences in semantics between the languages in handling side-effects and evaluation order. We also report the results of evaluating the performance of these views compared to policies enforced by traditional access control lists, using a common off-the-shelf relational database management system. We also present two case studies for systems that can be protected using RDBAC security policies. These case studies demonstrate the flexibility of the system by implementing a wide range of functionality, as well as the practicality and scalability of using such a system in real-world applications that require non-trivial policy definitions on large data sets. This work establishes the theoretical soundness of using RDBAC as a basis for access control. It describes an efficient translation process for executing a useful subset of RDBAC rules in standard SQL, thereby demonstrating its practical feasibility using existing software. We show how RDBAC can be applied to realistic applications. These results suggest a rich field of further research.NSF CNS 07-16626NSF CNS 07-16421NSF CNS 05-24695ONR N00014-08-1-0248NSF CNS 05-24516NSF CNS 05-24695DHS 2006-CS-001-000001MacAruthur FoundationBoeing Corporationunpublishednot peer reviewe