Fine-grained access control to web databases

Alex Roichman, Ehud Gudes

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-reviewed

38 Scopus citations

Abstract

Before the Web era, databases were well protected by standard access control techniques such as views and SQL authorization commands. With the development of web systems, the number of attacks on databases has increased, and it has become clear that the databases' own access control mechanisms are inadequate for web-based systems. In particular, SQL injection and other vulnerabilities have received considerable attention in recent years, and satisfactory solutions to these kinds of attacks are still lacking. We present a new method for protecting web databases that is based on a fine-grained access control mechanism. This method uses the databases' built-in access control mechanisms, enhanced with parameterized views, and adapts them to work with web applications. The proposed access control mechanism is applicable to any existing database and is capable of preventing many kinds of attacks, thus significantly decreasing the attack surface of web databases.

Original language: English
Title of host publication: SACMAT'07
Subtitle of host publication: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies
Pages: 31-40
Number of pages: 10
DOIs
State: Published - 24 Aug 2007
Event: SACMAT'07: 12th ACM Symposium on Access Control Models and Technologies - Sophia Antipolis, France
Duration: 20 Jun 2007 - 22 Jun 2007

Publication series

Name: Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

Conference

Conference: SACMAT'07: 12th ACM Symposium on Access Control Models and Technologies
Country/Territory: France
City: Sophia Antipolis
Period: 20/06/07 - 22/06/07

Keywords

  • Access control
  • Database vulnerability
  • Parameterized view
  • Rolling key
  • Session key
  • Web database security

ASJC Scopus subject areas

  • General Computer Science
