research-article

Assessing query privileges via safe and efficient permission composition

Authors:

Sabrina De Capitani di Vimercati,

Sushil Jajodia,

Stefano Paraboschi,

Pierangela SamaratiAuthors Info & Claims

CCS '08: Proceedings of the 15th ACM conference on Computer and communications security

Pages 311 - 322

https://doi.org/10.1145/1455770.1455810

Published: 27 October 2008 Publication History

Abstract

We propose an approach for the selective enforcement of access control restrictions in, possibly distributed, large data collections based on two basic concepts: i) flexible authorizations identify, in a declarative way, the data that can be released, and ii) queries are checked for execution not with respect to individual authorizations but rather evaluating whether the information release they (directly or indirectly) entail is allowed by the authorizations. Our solution is based on the definition of query profiles capturing the information content of a query and builds on a graph-based modeling of database schema, authorizations, and queries. Access control is then effectively modeled and efficiently executed in terms of graph coloring and composition and on traversal of graph paths. We then provide a polynomial composition algorithm for determining if a query is authorized.

References

[1]

S. Abiteboul, R. Hull, and V. Vianu. Foundations of Databases. Addison-Wesley, 1995.

Digital Library

[2]

A. V. Aho, C. Beeri, and J. D. Ullman. The theory of joins in relational databases. ACM TODS, 4(3):297--314, 1979.

Digital Library

[3]

P. Atzeni, S. Ceri, S. Paraboschi, and R. Torlone. Database Systems -- Concepts, Languages and Architectures. McGraw-Hill Book Company, 1999.

[4]

C. Beeri and M. Y. Vardi. A proof procedure for data dependencies. J. ACM, 31(4):718--741, 1984.

Digital Library

[5]

A. Cali' and D. Martinenghi. Querying data under access limitations. In Proc. of ICDE 2008, Cancun, Mexico, April 2008.

Digital Library

[6]

S. Dawson, S. De Capitani di Vimercati, P. Lincoln, and P. Samarati. Maximizing sharing of protected information. Journal of Computer and System Sciences, 64(3):496--541, May 2002.

Digital Library

[7]

S. De Capitani di Vimercati, S. Foresti, S. Jajodia, S. Paraboschi, and P. Samarati. Controlled information sharing in collaborative distributed query processing. In Proc. of ICDCS 2008, Beijing, China, June 2008.

Digital Library

[8]

A. Deutsch, B. Ludascher, and A. Nash. Rewriting queries using views with access patterns under integrity constraints. In Proc. of ICDT 2005, Edinburgh, UK, January 2005.

Digital Library

[9]

D. Florescu, A. Y. Levy, I. Manolescu, and D. Suciu. Query optimization in the presence of limited access patterns. In Proc. of SIGMOD 1999, Philadelphia, PA, June 1999.

Digital Library

[10]

G. Gottlob. Computing cores for data exchange: new algorithms and practical solutions. In Proc. of the PODS 2005, Baltimore, MD, June 2005.

Digital Library

[11]

G. Gottlob and A. Nash. Data exchange: Computing cores in polynomial time. In Proc. of PODS 2006, Chicago, IL, June 2006.

Digital Library

[12]

C. Li. Computing complete answers to queries in the presence of limited access patterns. VLDB Journal, 12(3):211--227, 2003.

Digital Library

[13]

D. Maier, A. Mendelzon, and Y. Sagiv. Testing implications of data dependencies. In Proc. of the SIGMOD 1979, Boston, MA, June 1979.

Digital Library

[14]

A. Motro. An access authorization model for relational databases based on algebraic manipulation of view definitions. In Proc. of the ICDE89, Los Angeles, CA, February 1989.

Digital Library

[15]

A. Nash and A. Deutsch. Privacy in GLAV information integration. In Proc. of ICDT 2007, Barcelona, Spain, January 2007.

Digital Library

[16]

S. Rizvi, A. Mendelzon, S. Sudarshan, and P. Roy. Extending query rewriting techniques for fine-grained access control. In Proc. of the SIGMOD 2004, Paris, France, 2004.

Digital Library

[17]

A. Rosenthal and E. Sciore. View security as the basis for data warehouse security. In Proc. of DMDW'2000, Stockholm, Sweden, June 2000.

[18]

A. Rosenthal and E. Sciore. Administering permissions for distributed data: factoring and automated inference. In Proc. of the IFIP 11.3 Working Conference in Database Security, Niagara, Ontario, Canada, July 2001.

Digital Library

Cited By

Sellami MHacid MGammoudi M(2018)A FCA framework for inference control in data integration systemsDistributed and Parallel Databases10.1007/s10619-018-7241-537:4(543-586)Online publication date: 1-Aug-2018
https://doi.org/10.1007/s10619-018-7241-5
Sellami MHacid MGammoudi M(2017)An Incremental Approach to Data Integration in Presence of Access Control Policies2017 IEEE 2nd International Workshops on Foundations and Applications of Self* Systems (FAS*W)10.1109/FAS-W.2017.146(187-190)Online publication date: Sep-2017
https://doi.org/10.1109/FAS-W.2017.146
Sellami MHacid MGammoudi M(2015)Inference Control in Data Integration SystemsProceedings of the Confederated International Conferences on On the Move to Meaningful Internet Systems: OTM 2015 Conferences - Volume 941510.1007/978-3-319-26148-5_17(285-302)Online publication date: 26-Oct-2015
https://dl.acm.org/doi/10.1007/978-3-319-26148-5_17
Show More Cited By

Index Terms

Assessing query privileges via safe and efficient permission composition

Recommendations

Compact access control labeling for efficient secure XML query evaluation

Fine-grained access controls for XML define access privileges at the granularity of individual XML nodes. In this paper, we present a fine-grained access control mechanism for XML data. This mechanism exploits the structural locality of access rights as ...
Permission based granular access control pattern
PLoP '14: Proceedings of the 21st Conference on Pattern Languages of Programs

Enterprise applications are designed to address specific business needs and are generally run within the internal corporate networks. Access to enterprise applications is controlled by various corporate policies, based on numerous widely accepted ...
PBDM: a flexible delegation model in RBAC
SACMAT '03: Proceedings of the eighth ACM symposium on Access control models and technologies

Role-based access control (RBAC) is recognized as an efficient access control model for large organizations. Most organizations have some business rules related to access control policy. Delegation of authority is among these rules. RBDM0 and RDM2000 ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '08: Proceedings of the 15th ACM conference on Computer and communications security

October 2008

590 pages

ISBN:9781595938107

DOI:10.1145/1455770

General Chair:
Peng Ning
North Carolina State University, USA
,
Program Chairs:
Paul Syverson
Naval Research Laboratory, USA
,
Somesh Jha
University of Wisconsin, USA

Copyright © 2008 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 October 2008

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS08

Sponsor:

CCS08: 15th ACM Conference on Computer and Communications Security 2008

October 27 - 31, 2008

Virginia, Alexandria, USA

Acceptance Rates

CCS '08 Paper Acceptance Rate 51 of 280 submissions, 18%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

9
Total Citations
View Citations
429
Total Downloads

Downloads (Last 12 months)5
Downloads (Last 6 weeks)2

Reflects downloads up to 13 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Sellami MHacid MGammoudi M(2018)A FCA framework for inference control in data integration systemsDistributed and Parallel Databases10.1007/s10619-018-7241-537:4(543-586)Online publication date: 1-Aug-2018
https://doi.org/10.1007/s10619-018-7241-5
Sellami MHacid MGammoudi M(2017)An Incremental Approach to Data Integration in Presence of Access Control Policies2017 IEEE 2nd International Workshops on Foundations and Applications of Self* Systems (FAS*W)10.1109/FAS-W.2017.146(187-190)Online publication date: Sep-2017
https://doi.org/10.1109/FAS-W.2017.146
Sellami MHacid MGammoudi M(2015)Inference Control in Data Integration SystemsProceedings of the Confederated International Conferences on On the Move to Meaningful Internet Systems: OTM 2015 Conferences - Volume 941510.1007/978-3-319-26148-5_17(285-302)Online publication date: 26-Oct-2015
https://dl.acm.org/doi/10.1007/978-3-319-26148-5_17
Haddad MStevovic JChiasera AVelegrakis YHacid M(2014)Access Control for Data Integration in Presence of Data DependenciesDatabase Systems for Advanced Applications10.1007/978-3-319-05813-9_14(203-217)Online publication date: 2014
https://doi.org/10.1007/978-3-319-05813-9_14
Le MKant KJajodia S(2013)Rule Configuration Checking in Secure Cooperative Data AccessAutomated Security Management10.1007/978-3-319-01433-3_8(135-149)Online publication date: 17-Sep-2013
https://doi.org/10.1007/978-3-319-01433-3_8
Le MKant KJajodia S(2013)Enabling Collaborative Data Authorization Between Enterprise CloudsSecure Cloud Computing10.1007/978-1-4614-9278-8_7(149-169)Online publication date: 7-Dec-2013
https://doi.org/10.1007/978-1-4614-9278-8_7
Neri MGuarnieri MMagri EMutti SParaboschi S(2012)Conflict detection in security policies using Semantic Web technology2012 IEEE First AESS European Conference on Satellite Telecommunications (ESTEL)10.1109/ESTEL.2012.6400092(1-6)Online publication date: Oct-2012
https://doi.org/10.1109/ESTEL.2012.6400092
Le MKant KJajodia S(2011)Cooperative data access in multi-cloud environmentsProceedings of the 25th annual IFIP WG 11.3 conference on Data and applications security and privacy10.5555/2029896.2029902(14-28)Online publication date: 11-Jul-2011
https://dl.acm.org/doi/10.5555/2029896.2029902
Le MKant KJajodia S(2011)Cooperative Data Access in Multi-cloud EnvironmentsData and Applications Security and Privacy XXV10.1007/978-3-642-22348-8_4(14-28)Online publication date: 2011
https://doi.org/10.1007/978-3-642-22348-8_4

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents