Runtime values driven by access control policies: statically enforced at the level of relational business tiers
| Autor(a) principal: | |
|---|---|
| Data de Publicação: | 2013 |
| Outros Autores: | , |
| Idioma: | eng |
| Título da fonte: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
| Texto Completo: | http://hdl.handle.net/1822/25069 |
Resumo: | Access control is a key challenge in software engineering, especially in relational database applications. Current access control techniques are based on additional security layers designed by security experts. These additional security layers do not take into account the necessary business logic leading to a separation between business tiers and access control mechanisms. Moreover, business tiers are built from commercial tools (ex: Hibernate, JDBC, ODBC, LINQ), which are not tailored to deal with security aspects. To overcome this situation several proposals have been presented. In spite of their relevance, they do not support the enforcement of access control policies at the level of the runtime values that are used to interact with protected data. Runtime values are critical entities because they play a key role in the process of defining which data is accessed. In this paper, we present a general technique for static checking, at the business tier level, the runtime values that are used to interact with databases and in accordance with the established access control policies. The technique is applicable to CRUD (create, read, update and delete) expressions and also to actions (update and insert) that are executed on data retrieved by Select expressions. A proof of concept is also presented. It uses an access control platform previously developed, which lacks the key issue of this paper. The collected results show that the presented approach is an effective solution to enforce access control policies at the level of runtime values that are used to interact with data residing in relational databases. |
| id |
RCAP_bc51932d56b3b9214f1ff5e067b3552d |
|---|---|
| oai_identifier_str |
oai:repositorium.sdum.uminho.pt:1822/25069 |
| network_acronym_str |
RCAP |
| network_name_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
| repository_id_str |
7160 |
| spelling |
Runtime values driven by access control policies: statically enforced at the level of relational business tiersSecurityAccess controlDatabasesBusiness tiersSoftware architectureDatabaseAccess control is a key challenge in software engineering, especially in relational database applications. Current access control techniques are based on additional security layers designed by security experts. These additional security layers do not take into account the necessary business logic leading to a separation between business tiers and access control mechanisms. Moreover, business tiers are built from commercial tools (ex: Hibernate, JDBC, ODBC, LINQ), which are not tailored to deal with security aspects. To overcome this situation several proposals have been presented. In spite of their relevance, they do not support the enforcement of access control policies at the level of the runtime values that are used to interact with protected data. Runtime values are critical entities because they play a key role in the process of defining which data is accessed. In this paper, we present a general technique for static checking, at the business tier level, the runtime values that are used to interact with databases and in accordance with the established access control policies. The technique is applicable to CRUD (create, read, update and delete) expressions and also to actions (update and insert) that are executed on data retrieved by Select expressions. A proof of concept is also presented. It uses an access control platform previously developed, which lacks the key issue of this paper. The collected results show that the presented approach is an effective solution to enforce access control policies at the level of runtime values that are used to interact with data residing in relational databases.(undefined)Knowledge Systems InstituteUniversidade do MinhoPereira, Óscar M.Aguiar, Rui L.Santos, Maribel Yasmina2013-062013-06-01T00:00:00Zconference paperinfo:eu-repo/semantics/publishedVersionapplication/pdfhttp://hdl.handle.net/1822/25069eng978-1-891706-33-22325-9000info:eu-repo/semantics/openAccessreponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informaçãoinstacron:RCAAP2024-05-11T07:10:45Zoai:repositorium.sdum.uminho.pt:1822/25069Portal AgregadorONGhttps://www.rcaap.pt/oai/openairemluisa.alvim@gmail.comopendoar:71602024-05-11T07:10:45Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informaçãofalse |
| dc.title.none.fl_str_mv |
Runtime values driven by access control policies: statically enforced at the level of relational business tiers |
| title |
Runtime values driven by access control policies: statically enforced at the level of relational business tiers |
| spellingShingle |
Runtime values driven by access control policies: statically enforced at the level of relational business tiers Pereira, Óscar M. Security Access control Databases Business tiers Software architecture Database |
| title_short |
Runtime values driven by access control policies: statically enforced at the level of relational business tiers |
| title_full |
Runtime values driven by access control policies: statically enforced at the level of relational business tiers |
| title_fullStr |
Runtime values driven by access control policies: statically enforced at the level of relational business tiers |
| title_full_unstemmed |
Runtime values driven by access control policies: statically enforced at the level of relational business tiers |
| title_sort |
Runtime values driven by access control policies: statically enforced at the level of relational business tiers |
| author |
Pereira, Óscar M. |
| author_facet |
Pereira, Óscar M. Aguiar, Rui L. Santos, Maribel Yasmina |
| author_role |
author |
| author2 |
Aguiar, Rui L. Santos, Maribel Yasmina |
| author2_role |
author author |
| dc.contributor.none.fl_str_mv |
Universidade do Minho |
| dc.contributor.author.fl_str_mv |
Pereira, Óscar M. Aguiar, Rui L. Santos, Maribel Yasmina |
| dc.subject.por.fl_str_mv |
Security Access control Databases Business tiers Software architecture Database |
| topic |
Security Access control Databases Business tiers Software architecture Database |
| description |
Access control is a key challenge in software engineering, especially in relational database applications. Current access control techniques are based on additional security layers designed by security experts. These additional security layers do not take into account the necessary business logic leading to a separation between business tiers and access control mechanisms. Moreover, business tiers are built from commercial tools (ex: Hibernate, JDBC, ODBC, LINQ), which are not tailored to deal with security aspects. To overcome this situation several proposals have been presented. In spite of their relevance, they do not support the enforcement of access control policies at the level of the runtime values that are used to interact with protected data. Runtime values are critical entities because they play a key role in the process of defining which data is accessed. In this paper, we present a general technique for static checking, at the business tier level, the runtime values that are used to interact with databases and in accordance with the established access control policies. The technique is applicable to CRUD (create, read, update and delete) expressions and also to actions (update and insert) that are executed on data retrieved by Select expressions. A proof of concept is also presented. It uses an access control platform previously developed, which lacks the key issue of this paper. The collected results show that the presented approach is an effective solution to enforce access control policies at the level of runtime values that are used to interact with data residing in relational databases. |
| publishDate |
2013 |
| dc.date.none.fl_str_mv |
2013-06 2013-06-01T00:00:00Z |
| dc.type.driver.fl_str_mv |
conference paper |
| dc.type.status.fl_str_mv |
info:eu-repo/semantics/publishedVersion |
| status_str |
publishedVersion |
| dc.identifier.uri.fl_str_mv |
http://hdl.handle.net/1822/25069 |
| url |
http://hdl.handle.net/1822/25069 |
| dc.language.iso.fl_str_mv |
eng |
| language |
eng |
| dc.relation.none.fl_str_mv |
978-1-891706-33-2 2325-9000 |
| dc.rights.driver.fl_str_mv |
info:eu-repo/semantics/openAccess |
| eu_rights_str_mv |
openAccess |
| dc.format.none.fl_str_mv |
application/pdf |
| dc.publisher.none.fl_str_mv |
Knowledge Systems Institute |
| publisher.none.fl_str_mv |
Knowledge Systems Institute |
| dc.source.none.fl_str_mv |
reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação instacron:RCAAP |
| instname_str |
Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
| instacron_str |
RCAAP |
| institution |
RCAAP |
| reponame_str |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
| collection |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) |
| repository.name.fl_str_mv |
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |
| repository.mail.fl_str_mv |
mluisa.alvim@gmail.com |
| _version_ |
1817545230233108480 |