Distributed and typed role-based access control mechanisms driven by CRUD expressions

Detalhes bibliográficos
Autor(a) principal: Pereira, Óscar Mortágua
Data de Publicação: 2014
Outros Autores: Regateiro, Diogo, Aguiar, Rui L.
Tipo de documento: Artigo
Idioma: eng
Título da fonte: Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
Texto Completo: http://hdl.handle.net/10773/12831
Resumo: Business logics of relational databases applications are an important source of security violations, namely in respect to access control. The situation is particularly critical when access control policies are many and complex. In these cases, programmers of business logics can hardly master the established access control policies. Now we consider situations where business logics are built with tools such as JDBC and ODBC. These tools convey two sources of security threats: 1) the use of unauthorized Create, Read, Update and Delete (CRUD) expressions and also 2) the modification of data previously retrieved by Select statements. To overcome this security gap when Role-based access control policies are used, we propose an extension to the basic model in order to control the two sources of security threats. Finally, we present a software architectural model from which distributed and typed RBAC mechanisms are automatically built, this way relieving programmers from mastering any security schema. We demonstrate empirical evidence of the effectiveness of our proposal from a use case based on Java and JDBC.
id RCAP_45e2dd7f9410969b61687b58fb82406b
oai_identifier_str oai:ria.ua.pt:10773/12831
network_acronym_str RCAP
network_name_str Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
repository_id_str 7160
spelling Distributed and typed role-based access control mechanisms driven by CRUD expressionsRBACAccess controlInformation securitySoftware architectureMiddlewareDistributed systemsRelational databasesBusiness logics of relational databases applications are an important source of security violations, namely in respect to access control. The situation is particularly critical when access control policies are many and complex. In these cases, programmers of business logics can hardly master the established access control policies. Now we consider situations where business logics are built with tools such as JDBC and ODBC. These tools convey two sources of security threats: 1) the use of unauthorized Create, Read, Update and Delete (CRUD) expressions and also 2) the modification of data previously retrieved by Select statements. To overcome this security gap when Role-based access control policies are used, we propose an extension to the basic model in order to control the two sources of security threats. Finally, we present a software architectural model from which distributed and typed RBAC mechanisms are automatically built, this way relieving programmers from mastering any security schema. We demonstrate empirical evidence of the effectiveness of our proposal from a use case based on Java and JDBC.ORB - Academic Publisher2014-11-17T09:45:45Z2014-10-30T00:00:00Z2014-10-30info:eu-repo/semantics/publishedVersioninfo:eu-repo/semantics/articleapplication/pdfhttp://hdl.handle.net/10773/12831eng2336-0984Pereira, Óscar MortáguaRegateiro, DiogoAguiar, Rui L.info:eu-repo/semantics/openAccessreponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informaçãoinstacron:RCAAP2024-05-06T03:51:33Zoai:ria.ua.pt:10773/12831Portal AgregadorONGhttps://www.rcaap.pt/oai/openairemluisa.alvim@gmail.comopendoar:71602024-05-06T03:51:33Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informaçãofalse
dc.title.none.fl_str_mv Distributed and typed role-based access control mechanisms driven by CRUD expressions
title Distributed and typed role-based access control mechanisms driven by CRUD expressions
spellingShingle Distributed and typed role-based access control mechanisms driven by CRUD expressions
Pereira, Óscar Mortágua
RBAC
Access control
Information security
Software architecture
Middleware
Distributed systems
Relational databases
title_short Distributed and typed role-based access control mechanisms driven by CRUD expressions
title_full Distributed and typed role-based access control mechanisms driven by CRUD expressions
title_fullStr Distributed and typed role-based access control mechanisms driven by CRUD expressions
title_full_unstemmed Distributed and typed role-based access control mechanisms driven by CRUD expressions
title_sort Distributed and typed role-based access control mechanisms driven by CRUD expressions
author Pereira, Óscar Mortágua
author_facet Pereira, Óscar Mortágua
Regateiro, Diogo
Aguiar, Rui L.
author_role author
author2 Regateiro, Diogo
Aguiar, Rui L.
author2_role author
author
dc.contributor.author.fl_str_mv Pereira, Óscar Mortágua
Regateiro, Diogo
Aguiar, Rui L.
dc.subject.por.fl_str_mv RBAC
Access control
Information security
Software architecture
Middleware
Distributed systems
Relational databases
topic RBAC
Access control
Information security
Software architecture
Middleware
Distributed systems
Relational databases
description Business logics of relational databases applications are an important source of security violations, namely in respect to access control. The situation is particularly critical when access control policies are many and complex. In these cases, programmers of business logics can hardly master the established access control policies. Now we consider situations where business logics are built with tools such as JDBC and ODBC. These tools convey two sources of security threats: 1) the use of unauthorized Create, Read, Update and Delete (CRUD) expressions and also 2) the modification of data previously retrieved by Select statements. To overcome this security gap when Role-based access control policies are used, we propose an extension to the basic model in order to control the two sources of security threats. Finally, we present a software architectural model from which distributed and typed RBAC mechanisms are automatically built, this way relieving programmers from mastering any security schema. We demonstrate empirical evidence of the effectiveness of our proposal from a use case based on Java and JDBC.
publishDate 2014
dc.date.none.fl_str_mv 2014-11-17T09:45:45Z
2014-10-30T00:00:00Z
2014-10-30
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/article
format article
status_str publishedVersion
dc.identifier.uri.fl_str_mv http://hdl.handle.net/10773/12831
url http://hdl.handle.net/10773/12831
dc.language.iso.fl_str_mv eng
language eng
dc.relation.none.fl_str_mv 2336-0984
dc.rights.driver.fl_str_mv info:eu-repo/semantics/openAccess
eu_rights_str_mv openAccess
dc.format.none.fl_str_mv application/pdf
dc.publisher.none.fl_str_mv ORB - Academic Publisher
publisher.none.fl_str_mv ORB - Academic Publisher
dc.source.none.fl_str_mv reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
instacron:RCAAP
instname_str Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
instacron_str RCAAP
institution RCAAP
reponame_str Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
collection Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
repository.name.fl_str_mv Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
repository.mail.fl_str_mv mluisa.alvim@gmail.com
_version_ 1817543521798717440