Publication
Runtime values driven by access control policies: statically enforced at the level of relational business tiers

| Field | Value |
|---|---|
| Abstract: | Access control is a key challenge in software engineering, especially in relational database applications. Current access control techniques are based on additional security layers designed by security experts. These additional security layers do not take into account the necessary business logic, leading to a separation between business tiers and access control mechanisms. Moreover, business tiers are built from commercial tools (e.g. Hibernate, JDBC, ODBC, LINQ), which are not tailored to deal with security aspects. To overcome this situation several proposals have been presented. In spite of their relevance, they do not support the enforcement of access control policies at the level of the runtime values that are used to interact with protected data. Runtime values are critical entities because they play a key role in the process of defining which data is accessed. In this paper, we present a general technique for statically checking, at the business tier level, the runtime values that are used to interact with databases, in accordance with the established access control policies. The technique is applicable to CRUD (create, read, update and delete) expressions and also to actions (update and insert) that are executed on data retrieved by Select expressions. A proof of concept is also presented. It uses an access control platform previously developed, which lacks the key issue of this paper. The collected results show that the presented approach is an effective solution to enforce access control policies at the level of runtime values that are used to interact with data residing in relational databases. |
| Main authors: | Pereira, Óscar M. |
| Other authors: | Aguiar, Rui L.; Santos, Maribel Yasmina |
| Subject: | Security; Access control; Databases; Business tiers; Software architecture; Database |
| Year: | 2013 |
| Country: | Portugal |
| Document type: | conference paper |
| Access type: | open access |
| Associated institution: | Universidade do Minho |
| Language: | English |
| Source: | RepositóriUM - Universidade do Minho |
| Publisher: | Knowledge Systems Institute |
| Published in: | ISBN 978-1-891706-33-2; ISSN 2325-9000 |
| Dates: | accepted 2013-06-01; available in the repository 2013-09-09 |
| Handle: | https://hdl.handle.net/1822/25069 |
| Full text (PDF, 335543 bytes): | https://repositorium.uminho.pt/bitstreams/94fc3a83-2379-4e8e-98db-5f5c4c71f460/download |
| OAI identifier: | oai:repositorium.uminho.pt:1822/25069 |
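As an added example (not the paper's code, and not the access control platform its proof of concept builds on), the TypeScript sketch below shows what enforcing a policy at the level of runtime values inside the business tier can look like: the values a role may bind to a Select's WHERE clause, and the columns it may write in an Update on a row that Select returned, are derived from a policy table into the types of the tier's API, so a call that binds a value outside the policy fails to compile; the same policy is re-checked at runtime for values that arrive from users and are therefore invisible to the compiler. The roles (clerk, manager), the orders table, its columns and the allowed values are all hypothetical, and TypeScript stands in for whatever language the business tier is actually written in.

```typescript
// Added example, not the paper's platform: a business tier whose Select and
// Update calls accept only the runtime values an access control policy allows.
// Roles, table, columns and values below are hypothetical.

// Policy: per role, the WHERE-clause values a Select on "orders" may bind and
// the columns an Update on a retrieved row may write. `as const` keeps the
// literal types, so the compiler knows the exact set of allowed values.
const policy = {
  clerk:   { selectValues: ["open", "shipped"],              updateColumns: ["status"] },
  manager: { selectValues: ["open", "shipped", "cancelled"], updateColumns: ["status", "discount"] },
} as const;

type Policy = typeof policy;
type Role = keyof Policy;
// Allowed runtime values, derived from the policy rather than written by hand.
type SelectValue<R extends Role> = Policy[R]["selectValues"][number];
type UpdateColumn<R extends Role> = Policy[R]["updateColumns"][number];

interface Order { id: number; status: string; discount: number; }

// Constructed in-memory rows standing in for the relational table.
const orders: Order[] = [
  { id: 1, status: "open", discount: 0 },
  { id: 2, status: "shipped", discount: 5 },
  { id: 3, status: "cancelled", discount: 0 },
];

// Runtime mirror of the static rule, for values the compiler cannot see
// (request parameters, values read back from another query).
function assertAllowed(allowed: readonly string[], value: string, what: string): void {
  if (allowed.indexOf(value) === -1) {
    throw new Error(`policy violation: ${what}`);
  }
}

class OrdersTier<R extends Role> {
  constructor(readonly role: R) {}

  // Select: the bound value is typed as the role's literal union, so a value
  // outside the policy is a compile error at the call site.
  select(status: SelectValue<R>): Order[] {
    assertAllowed(policy[this.role].selectValues, status, `${this.role} select status=${status}`);
    return orders.filter((o) => o.status === status);
  }

  // Update executed on a row retrieved by select(): the column name is typed
  // as the role's allowed columns, and the new value must match that column.
  update<C extends UpdateColumn<R> & keyof Order>(row: Order, column: C, value: Order[C]): Order {
    assertAllowed(policy[this.role].updateColumns, column, `${this.role} update column ${column}`);
    row[column] = value;
    return row;
  }
}

// Narrow an untrusted string (e.g. a request parameter) to the role's allowed
// values before it can reach select(); a rejected value never gets a typed name.
function toSelectValue<R extends Role>(role: R, raw: string): SelectValue<R> {
  assertAllowed(policy[role].selectValues, raw, `${role} may not bind status=${raw}`);
  return raw as SelectValue<R>; // safe: membership was checked on the line above
}

// Allowed path: compiles and runs.
const manager = new OrdersTier("manager");
const cancelledOrders = manager.select("cancelled");   // "cancelled" is in the manager's policy
manager.update(cancelledOrders[0], "discount", 0);     // managers may write the discount column

// Disallowed path: each call is a compile error (marked with @ts-expect-error so
// the file still type-checks); if the call is forced through anyway, the runtime
// mirror throws. Returns the number of attempts rejected at runtime.
function rejectedAttempts(): number {
  const clerk = new OrdersTier("clerk");
  let rejected = 0;
  try {
    // @ts-expect-error "cancelled" is not among the clerk's selectValues
    clerk.select("cancelled");
  } catch {
    rejected++;
  }
  try {
    // @ts-expect-error clerks may not write the discount column
    clerk.update(orders[0], "discount", 10);
  } catch {
    rejected++;
  }
  return rejected;
}
```

The compile-time check only reaches values that are literals in the source; anything that arrives as a string has to pass through toSelectValue() or the assertAllowed() mirror first, which is why both layers are kept rather than trusting the type system alone. The static part is what lets a call like clerk.select("cancelled") fail in the build instead of surfacing as a denied query in production logs, and it is also what ties the policy to the business tier's own API instead of to a security layer that sits outside it.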