Reflective Database Access Control: Lars Olson, Ph.D. Thesis Defense
TRANSCRIPT
![Page 1: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/1.jpg)
Reflective Database Access Control
Lars Olson
Ph.D. Thesis Defense
![Page 2: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/2.jpg)
Introduction
[Diagram: users Alice, Bob, Carol and David querying a single database]
![Page 3: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/3.jpg)
ACM-Based Access Control
Employees

| Name  | SSN       | Salary | Dept  | Position  |
|-------|-----------|--------|-------|-----------|
| Alice | 123456789 | 80000  | HR    | CPA       |
| Bob   | 234567890 | 70000  | Sales | Sales Rep |
| Carol | 345678901 | 90000  | Sales | Manager   |
| David | 456789012 | 90000  | HR    | Manager   |

ACM Entries: Alice, David
![Page 4: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/4.jpg)
ACM-Based Access Control
Employees (same table as on the previous slide)
![Page 5: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/5.jpg)
ACM-Based Access Control
Sales_Employees

| Name  | Dept  | Position  |
|-------|-------|-----------|
| Bob   | Sales | Sales Rep |
| Carol | Sales | Manager   |

ACM Entries: Bob, Carol
![Page 6: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/6.jpg)
ACM Weaknesses
• Complicated policies can be awkward to define
• “Every employee can access their own records”
• “Every employee can view the name and position of every other employee in their department”
![Page 7: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/7.jpg)
Motivation
• ACMs describe extent, rather than intent
• Decision-support data is often already in the database
  – Redundancy
  – Possibility of update anomalies
![Page 8: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/8.jpg)
Reflective Database Access Control
• Solution: access policies should contain queries
  – Not limited to read-only operations
  – Policies not assumed to be “omniscient”
• Is this a secure solution? (CCS ’08)
• Is this a practical solution? (DBSec ’09)
• What is it useful for? (SPIMACS ’09)
![Page 9: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/9.jpg)
Thesis Statement
Datalog-based reflective database access control can provide a flexible, scalable, and efficient mechanism for defining, enforcing, and formally reasoning about fine-grained access control policies.
![Page 10: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/10.jpg)
Outline
• Challenges for RDBAC
• Theory
  – Formalism using Transaction Datalog
  – Security analysis
• Implementation
  – Prototype description
  – Evaluation
• Case Studies
  – Medical database
  – Building automation system
• Future Work and Conclusion
![Page 11: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/11.jpg)
Outline
(Outline repeated as a section divider; next section: Challenges for RDBAC.)
![Page 12: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/12.jpg)
Application-Layer Security
[Diagram: users a, b and c connect to Application A, which holds the access control rules and connects to the database as A]
![Page 13: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/13.jpg)
Oracle Virtual Private Database
• User-defined function as query filter
  – Access to current user
  – Access to other table data (excluding current table)
  – Non-omniscient: subject to policies protecting other data
• Flexible, a little too flexible…
![Page 14: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/14.jpg)
Pitfalls in Reflective AC

```sql
-- VPD policy function from the slide. It filters nothing (empty predicate) but, as a
-- side effect, copies every row of alice.employees into logtable. It runs in the session
-- of whoever queries the table the policy is attached to, so if alice.employees is guarded
-- by a SESSION_USER-based policy the inner select sees that user's rows (next slide).
-- The autonomous-transaction pragma is added here (not on the slide) so the insert and
-- commit are permitted while the function executes inside a query.
create or replace function leakInfoFilter (p_schema varchar2, p_obj varchar2)
return varchar2 as
  pragma autonomous_transaction;
begin
  for allowedVal in (select * from alice.employees) loop
    insert into logtable values (sysdate,
      'name:' || allowedVal.name
      || ', ssn:' || allowedVal.ssn
      || ', salary:' || allowedVal.salary);
  end loop;
  commit;
  return '';
end;
/
```
![Page 15: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/15.jpg)
Not Necessarily a Problem
• Note:
  – Only privileged users can define VPD policies.
  – Using POLICY_INVOKER instead of SESSION_USER in the employees table would solve this problem.
• Still, centralized policy definers not ideal
  – Scalability
  – Difficulty in understanding subtle policy interactions
  …and you have to deal with surly DB admins
![Page 16: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/16.jpg)
Pitfalls in Reflective AC
• Queries within policies must be executed under someone’s permissions.
• Cyclic policies cause infinite loops.
• Long chains of policies may use the database inefficiently.
• Determining safety is undecidable, in general.
![Page 17: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/17.jpg)
Desirable Properties
• Policy can depend on user attributes or object attributes in database
• Updates immediately affect policy evaluation
• Policies are fine-grained
• Policies may modify database
• Lower-privileged users may define privileges for their own tables (non-omniscient policies)
• Model has formal mathematical basis
• System performance is comparable to current technology
![Page 18: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/18.jpg)
Outline
(Outline repeated as a section divider; next section: Theory.)
![Page 19: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/19.jpg)
Transaction Datalog
• Datalog extended with assertion and retraction semantics
• Inference process extended to track modifications
• Concurrency and atomicity
• Implicit rollback on failure
![Page 20: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/20.jpg)
Transaction Datalog Example
• State:
  emp(alice, 1234, 80000, hr, manager).
  emp(bob, 2345, 60000, hr, accountant).
• Transaction Base:
  changeSalary(Name, OldSalary, NewSalary) :-
      emp(Name, SSN, OldSalary, Dept, Pos),
      del.emp(Name, SSN, OldSalary, Dept, Pos),
      ins.emp(Name, SSN, NewSalary, Dept, Pos).
• Runtime queries:
  changeSalary(alice, 50000, 100000)? No. (The first body literal fails, since Alice’s salary is 80000, so nothing is deleted or inserted.)
  changeSalary(alice, 80000, 100000)? Yes.
![Page 21: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/21.jpg)
TD as a Policy Language

• Allow users to access their own records:
  view.emp(User, Name, SSN, Salary, Dept, Pos) :- emp(Name, SSN, Salary, Dept, Pos), User = Name.
• Allow users to view names of employees in their own department:
  view.emp(User, Name, null, null, Dept, Pos) :- emp(User, _, _, Dept, _), emp(Name, _, _, Dept, Pos).
![Page 22: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/22.jpg)
TD as a Policy Language
• Restrict and audit sensitive accesses:
  view.emp(User, Name, SSN, Salary, Dept, Pos) :-
      emp(User, _, _, hr, _),
      emp(Name, SSN, Salary, Dept, Pos),
      ins.auditLog(User, Name, cur_time).
• Chinese Wall policy:
  view.bank1(User, Data1, Data2) :-
      cwUsers(User, 1, OldValue),
      bank1(Data1, Data2),
      del.cwUsers(User, 1, OldValue),
      ins.cwUsers(User, 1, 0).
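The rules on slides 20 to 22 can be executed directly. The evaluator below is an added example written for this page, not the thesis prototype (which compiles TD to SQL views, described later): it implements just enough Transaction Datalog to run the changeSalary transaction and the HR audit policy, and shows the implicit rollback when a body literal fails after an update. The sample state is constructed from slide 20 plus one Sales employee; `cur_time` is treated as a plain constant rather than a clock built-in, and the depth guard against cyclic policies (slide 16) is this example’s own addition.

```python
"""Minimal Transaction Datalog evaluator (added example, not the thesis code).

Atoms are (predicate, args); variables are capitalised strings, "_" is a
wildcard, and "ins.p" / "del.p" are the TD update operators. The state is an
immutable mapping pred -> frozenset of tuples and every update builds a new
mapping, so when a later literal fails the states built by earlier updates are
simply dropped: TD's implicit rollback on failure comes for free.
"""
from itertools import count
from typing import Any, Iterator, Optional

Atom = tuple[str, tuple]
State = dict[str, frozenset]
MAX_DEPTH = 50            # assumption: bound on policy chaining; catches cyclic policies (slide 16)
_fresh = count()


def is_var(t: Any) -> bool:
    return isinstance(t, str) and (t == "_" or t[0].isupper())


def walk(t: Any, b: dict) -> Any:
    while is_var(t) and t in b:
        t = b[t]
    return t


def unify(xs: tuple, ys: tuple, b: dict) -> Optional[dict]:
    """Unify two argument tuples under bindings b; return the extended bindings or None."""
    if len(xs) != len(ys):
        return None
    b = dict(b)
    for x, y in zip(xs, ys):
        x, y = walk(x, b), walk(y, b)
        if x == "_" or y == "_" or x == y:
            continue
        if is_var(x):
            b[x] = y
        elif is_var(y):
            b[y] = x
        else:
            return None
    return b


def rename(rule: tuple) -> tuple:
    """Fresh variable names per use of a rule, so bindings of different calls never clash."""
    n = next(_fresh)
    rn = lambda t: f"{t}#{n}" if is_var(t) and t != "_" else t
    (hp, ha), body = rule
    return (hp, tuple(map(rn, ha))), [(p, tuple(map(rn, a))) for p, a in body]


def solve(goals: list, rules: list, db: State, b: dict, depth: int = 0) -> Iterator[tuple[dict, State]]:
    """Resolve a goal list left to right; yield (bindings, resulting state) per derivation."""
    if depth > MAX_DEPTH:
        raise RecursionError("policy chain too deep: cyclic policy?")
    if not goals:
        yield b, db
        return
    (pred, args), rest = goals[0], goals[1:]
    if pred[:4] in ("ins.", "del."):
        p, t = pred[4:], tuple(walk(a, b) for a in args)
        if any(is_var(a) for a in t):
            raise ValueError(f"{pred}{t}: updates must be fully bound")
        cur = db.get(p, frozenset())
        if pred[:3] == "del" and t not in cur:
            return                                   # nothing to retract: this branch fails
        new = cur - {t} if pred[:3] == "del" else cur | {t}
        yield from solve(rest, rules, {**db, p: new}, b, depth)
        return
    for fact in sorted(db.get(pred, ()), key=repr):  # base facts
        b2 = unify(args, fact, b)
        if b2 is not None:
            yield from solve(rest, rules, db, b2, depth)
    for rule in rules:                               # derived predicates, i.e. policies
        (hp, ha), body = rename(rule)
        if hp == pred and (b2 := unify(args, ha, b)) is not None:
            yield from solve(body + rest, rules, db, b2, depth + 1)


def run(goal: Atom, rules: list, db: State) -> Optional[State]:
    """Commit the first successful derivation: the new state, or None when the query fails."""
    for _, new_db in solve([goal], rules, db, {}):
        return new_db
    return None


def salary(db: State, name: str) -> Optional[int]:
    return next((s for n, _, s, _, _ in db["emp"] if n == name), None)


# Constructed sample state: slide 20's two HR employees plus one Sales employee.
DB: State = {
    "emp": frozenset({("alice", 1234, 80000, "hr", "manager"),
                      ("bob", 2345, 60000, "hr", "accountant"),
                      ("carol", 3456, 90000, "sales", "manager")}),
    "auditLog": frozenset(),
}

RULES: list = [
    # slide 20: changeSalary(Name, OldSalary, NewSalary) :- emp(...), del.emp(...), ins.emp(...).
    (("changeSalary", ("Name", "OldSalary", "NewSalary")),
     [("emp", ("Name", "SSN", "OldSalary", "Dept", "Pos")),
      ("del.emp", ("Name", "SSN", "OldSalary", "Dept", "Pos")),
      ("ins.emp", ("Name", "SSN", "NewSalary", "Dept", "Pos"))]),
    # slide 22: HR staff may read any record, and every read appends an audit fact
    # (cur_time is a plain constant here, not a clock built-in).
    (("view.emp", ("User", "Name", "SSN", "Salary", "Dept", "Pos")),
     [("emp", ("User", "_", "_", "hr", "_")),
      ("emp", ("Name", "SSN", "Salary", "Dept", "Pos")),
      ("ins.auditLog", ("User", "Name", "cur_time"))]),
]
```

`run(("changeSalary", ("alice", 50000, 100000)), RULES, DB)` returns None and leaves `DB` untouched, while the 80000 variant returns a state in which only Alice’s salary has changed; `run(("view.emp", ("bob", "alice", "S", "Sal", "D", "P")), RULES, DB)` returns a state whose auditLog records Bob’s read, and the same query for Carol (Sales) fails without writing anything.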
![Page 23: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/23.jpg)
Fixing the Leak
• Policies must always run under the definer’s privileges:
  view.a(User, ...) :- view.b(alice, ...), view.c(alice, ...).
  (Alice defines the policy on a; the queries of b and c in its body are evaluated as alice, through whatever views the owners of b and c grant her, never as the requesting User.)
• Basic table owner privileges can be generated automatically:
  view.a(alice, ...) :- a(...).
![Page 24: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/24.jpg)
Formal Safety Analysis
• Efficiency of answering the question “Can user u ever gain access right r to object o?”
  – Excludes actions taken by trusted users
• TD can implement the HRU model
• Consequence: safety is undecidable in general
![Page 25: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/25.jpg)
Decidable Class #1
• Read-only policies
• Check whether subject s can access object o initially
• Ignore irrelevant tables
• Infrequent updates
  – Polynomial-time safety check
  – Unsafe configurations can be rolled back
![Page 26: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/26.jpg)
Decidable Class #2

• Retraction-free
• “Safe rewritability”
  – Rewrite policies to calculate their effect on the database, e.g.:
    • Original policy rule:
      p(X) :- q(X, Y), ins.r(X, Y), s(Y, Z).
    • Rewritten rules:
      r(X, Y) :- q(X, Y).
      p(X) :- q(X, Y), r(X, Y), s(Y, Z).
  – Rewritten rules must be range-restricted to ensure efficient computation
![Page 27: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/27.jpg)
Proving Safety Decidability
• Database never shrinks
• Rewritten rules provide an upper bound on the database
• Every sequence of operations reaches a fixed point
• Finitely many operations
• Too ugly?
  – Use upper bound as conservative estimate
  – No negation semantics in TD
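The rewrite of slide 26 and the upper-bound argument of slide 27 can be carried out mechanically. The code below is an added example for this page, not the analysis code of the thesis: it performs the safe rewrite (rejecting retractions and rules whose rewrite is not range-restricted), computes the least fixpoint of the rewritten program by naive bottom-up evaluation, and answers the slide-24 safety question against that bound for the slide-21/22 policies. The sample facts are constructed (slide 20 plus one Sales employee) and `cur_time` is a plain constant.

```python
"""Safe rewriting and upper-bound safety check for retraction-free TD policies.

Added example, not the thesis's analysis code. Atoms are (predicate, args);
variables are capitalised strings, "_" is a wildcard. Following slide 26, every
`ins.r(...)` atom is split off as a rule deriving r from the literals before it
and is replaced in the original rule by a plain `r(...)` literal. The result is
ordinary Datalog, so its least fixpoint is an upper bound on every state the
policies can reach (slide 27): an access absent from the bound can never be
granted, whatever order users issue their queries in.
"""
from typing import Any, Optional

Atom = tuple[str, tuple]


def is_var(t: Any) -> bool:
    return isinstance(t, str) and t != "_" and t[0].isupper()


def vars_of(atoms) -> set:
    return {a for _, args in atoms for a in args if is_var(a)}


def safe_rewrite(rules: list) -> list:
    """Slide 26 rewrite; rejects retractions and rules whose rewrite is not range-restricted."""
    out = []
    for (hp, hargs), body in rules:
        seen = []                                  # literals already processed, inserts made plain
        for p, args in body:
            if p.startswith("del."):
                raise ValueError(f"{hp}: retraction {p} is outside this decidable class")
            if p.startswith("ins."):
                p = p[4:]
                derived = ((p, args), list(seen))  # r(X, Y) :- <literals before the insert>
                if not vars_of([derived[0]]) <= vars_of(seen):
                    raise ValueError(f"{hp}: ins.{p}{args} is not range-restricted")
                out.append(derived)
            seen.append((p, args))
        if not vars_of([(hp, hargs)]) <= vars_of(seen):
            raise ValueError(f"{hp}: head is not range-restricted")
        out.append(((hp, hargs), seen))
    return out


def match(args: tuple, fact: tuple, b: dict) -> Optional[dict]:
    """Match a body literal's arguments against one ground fact under bindings b."""
    b = dict(b)
    for a, f in zip(args, fact):
        if a == "_":
            continue
        if is_var(a):
            if a in b and b[a] != f:
                return None
            b[a] = f
        elif a != f:
            return None
    return b


def bindings(body: list, facts: dict, b: dict):
    """All variable bindings that satisfy every body literal against the current facts."""
    if not body:
        yield b
        return
    (p, args), rest = body[0], body[1:]
    for fact in facts.get(p, ()):
        b2 = match(args, fact, b)
        if b2 is not None:
            yield from bindings(rest, facts, b2)


def fixpoint(rules: list, facts: dict) -> dict:
    """Naive bottom-up evaluation of a positive, range-restricted Datalog program."""
    facts = {p: set(fs) for p, fs in facts.items()}
    changed = True
    while changed:
        changed = False
        for (hp, hargs), body in rules:
            new = {tuple(b[a] if is_var(a) else a for a in hargs)
                   for b in bindings(body, facts, {})}
            before = len(facts.setdefault(hp, set()))
            facts[hp] |= new
            changed |= len(facts[hp]) > before
    return facts


def can_ever_see_salary(bound: dict, user: str, name: str) -> bool:
    """Slide 24's question for the right 'read name's salary', answered against the bound."""
    return any(t[0] == user and t[1] == name and t[3] is not None
               for t in bound.get("view.emp", ()))


# Constructed sample: slide 20's state plus a Sales employee, and the slide 21/22 policies.
FACTS = {
    "emp": {("alice", 1234, 80000, "hr", "manager"),
            ("bob", 2345, 60000, "hr", "accountant"),
            ("carol", 3456, 90000, "sales", "manager")},
}
POLICIES: list = [
    # view.emp(User, Name, null, null, Dept, Pos) :- emp(User,_,_,Dept,_), emp(Name,_,_,Dept,Pos).
    (("view.emp", ("User", "Name", None, None, "Dept", "Pos")),
     [("emp", ("User", "_", "_", "Dept", "_")), ("emp", ("Name", "_", "_", "Dept", "Pos"))]),
    # view.emp(User, Name, SSN, Salary, Dept, Pos) :- emp(User,_,_,hr,_), emp(Name, ...), ins.auditLog(User, Name, cur_time).
    (("view.emp", ("User", "Name", "SSN", "Salary", "Dept", "Pos")),
     [("emp", ("User", "_", "_", "hr", "_")),
      ("emp", ("Name", "SSN", "Salary", "Dept", "Pos")),
      ("ins.auditLog", ("User", "Name", "cur_time"))]),
]
```

`fixpoint(safe_rewrite(POLICIES), FACTS)` yields a bound in which Bob (HR) can reach Alice’s salary while Carol (Sales) never can, and the auditLog predicate contains one tuple per HR user and employee. A rule such as `p(X) :- q(X, Y), ins.r(X, W)` is rejected because the split-off rule `r(X, W) :- q(X, Y)` leaves W unbound, which is exactly the range-restriction condition of slide 26.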
![Page 28: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/28.jpg)
Outline
(Outline repeated as a section divider; next section: Implementation.)
![Page 29: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/29.jpg)
System Architecture

[Diagram: individual user-defined TD policies are fed to the Policy Compiler, which reads the schema metadata and emits SQL:1999 recursive view definitions into the database; users then query normally]
![Page 30: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/30.jpg)
Compilation to SQL Views
• Off-the-shelf SQL databases benefit from years of query optimization research
• Datalog and SQL are roughly equivalent
  – User ID provided by the CURRENT_USER system variable
  – Recursion requires SQL:1999
• Assertions and retractions
  – SQL syntax does not permit insert or delete within a select statement
  – Execution ordering is significant
![Page 31: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/31.jpg)
Side-Effects Within Queries
• Ideally, part of the language
  – Transaction control
  – Variable bindings
• In practice, executed as UDF
  – Execution ordering depends on query plan
    • Executing UDF(s) last
    • Forbids policies with mid-execution side-effects
  – Requires separate connection setup in DBs that do not support side-effects
![Page 32: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/32.jpg)
Compilation Process (1st Pass)
Rule as compiled (body atoms query the views as the definer, alice):

view.emp(User, Name, SSN, Salary, Dept, Pos) :-
    view.emp('alice', User, _, _, 'hr', _),
    view.emp('alice', Name, SSN, Salary, Dept, Pos),
    view.ins.auditLog('alice', User, Name, cur_time).

Generated view (schema: User, Name, SSN, Salary, Dept, Pos, Assert_flag, Assert_param1, Assert_param2):

```sql
with view_emp as (
    ...
    union all
    select e1.Name as User, e2.Name as Name, ..., e2.Pos as Pos,
           1 as Assert_flag, e1.Name as Assert_param1, e2.Name as Assert_param2
    from view_emp e1, view_emp e2
    where e1.User = 'alice' and e1.Dept = 'hr' and e2.User = 'alice'
    union all
    ...
)
select distinct User, Name, ..., Pos
from view_emp
where Assert_flag = 0
   or (Assert_flag = 1 and assert_auditLog(Assert_param1, Assert_param2) != 0)

function assert_auditLog(@User varchar, @Name varchar)
...
```
![Page 33: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/33.jpg)
Compilation Process (2nd Pass)
(Same rule and generated SQL as on the 1st-pass slide, shown again together with the assert_auditLog function the view calls.)
![Page 34: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/34.jpg)
Compilation Process (cont.)
• Filter on user:
```sql
create view view_emp_public as
  select Name, ..., Pos
  from view_emp
  where User = CURRENT_USER;

grant select on view_emp_public to public;
```
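The compiler output on slides 30 to 34 targets the HR audit rule, which needs recursion and a side-effect UDF. As an added example (hand-written for this page, not the prototype’s output), the two side-effect-free rules of slide 21 are compiled the same way below, assuming PostgreSQL; the base table `emp` and the column name `usr` (USER is reserved in SQL) are this example’s own.

```sql
-- Added example: the slide-21 rules hand-compiled to SQL views (PostgreSQL assumed).
-- Rule 1: view.emp(User, Name, SSN, Salary, Dept, Pos) :- emp(Name, SSN, Salary, Dept, Pos), User = Name.
-- Rule 2: view.emp(User, Name, null, null, Dept, Pos) :- emp(User, _, _, Dept, _), emp(Name, _, _, Dept, Pos).

create table emp (                 -- constructed base table; no grant to public
    name   text primary key,
    ssn    char(9) not null,
    salary integer not null,
    dept   text not null,
    pos    text not null
);

-- Neither rule is recursive and neither has ins./del. atoms, so the compiled view is a
-- plain UNION ALL with one branch per rule and no Assert_flag columns.
create view view_emp as
    select e.name as usr, e.name, e.ssn, e.salary, e.dept, e.pos   -- rule 1: User = Name
    from emp e
  union all
    select u.name as usr, e.name, null::char(9), null::integer, e.dept, e.pos
    from emp u
    join emp e on e.dept = u.dept;                                  -- rule 2: shared Dept variable

-- Filter on the connected user (slide 34) and expose only the filtered view.
create view view_emp_public as
    select distinct name, ssn, salary, dept, pos
    from view_emp
    where usr = current_user;

grant select on view_emp_public to public;

-- Check as a non-owner: a user sees their own full row plus name/position of their department.
-- set role bob;
-- select * from view_emp_public;
```

Two points a deployer should verify. First, a PostgreSQL view resolves the tables it references with the privileges of the view owner, which is the definer-privileges requirement of slide 23; setting the PostgreSQL 15 view option `security_invoker = true` on `view_emp` would instead evaluate it as the caller, and the owner’s policy would then be bypassed. Second, a user’s own row appears twice in the Datalog semantics (once with and once without SSN and salary) and so does here, which `select distinct` does not collapse because the null columns differ.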
![Page 35: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/35.jpg)
Optimizations
• Recursive views are expensive!
• Use predicate unfolding. Given the owner rule
  view.emp('alice', Name, SSN, Salary, Dept, Pos) :- emp(Name, SSN, Salary, Dept, Pos).
  …the body atom
  view.emp('alice', User, _, _, 'hr', _)
  …can be rewritten to
  emp(User, _, _, 'hr', _)
![Page 36: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/36.jpg)
Optimizations (cont.)
• union all is expensive (although not as bad as recursion)
  – Build query dynamically
  – Pre-compute portions of rule
  – If rule doesn’t apply, we can eliminate a union
  – Simulated with stored procedure
![Page 37: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/37.jpg)
Evaluation
• Baseline
  – Custom-defined views
  – ACM-based enforcement
  – Two baselines for side-effect queries
    • No side-effect
    • Side-effect UDF called within view
• Compiled views
  – Unoptimized, with recursion
  – Optimized with predicate unfolding
  – Simulated optimization with predicate unfolding and union all elimination
![Page 38: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/38.jpg)
Timing Results (fixed DB size)
[Chart: average execution time in seconds (log scale, 0.01 to 100000) for the HR, Manager, Insurance and Chinese Wall queries; series: Baseline 1, Baseline 2, Recursive, Optimized, Target]
![Page 39: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/39.jpg)
Timing Results (fixed query)
[Chart: average execution time in seconds (log scale, 0.0001 to 100000) against database size (1000, 10000, 100000); series: Recursive, Optimized, Target, Baseline 1]
![Page 40: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/40.jpg)
Outline
(Outline repeated as a section divider; next section: Case Studies.)
![Page 41: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/41.jpg)
Case Study: Medical Database
• HIPAA legislation
  – Protects privacy of patients
  – Access to electronic health records must be restricted “based on the specific roles of the members of their workforce.”
• Idealism meets reality: emergencies are common
• Commonly implemented by honor system, e.g. sign a form yearly
![Page 42: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/42.jpg)
Example Policies
• Patients may view their own medical data
• Primary care physicians may view their own patients’ data
• Caregivers assigned to consult with a patient may view that patient’s data
• Current employees may access any patient’s record, but an audit record is generated
![Page 43: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/43.jpg)
Formal Security Analysis
• “No untrusted user can ever gain access to a patient’s lab results.”
• Uses upper-bound estimate on append-only policies
  – Rules with retractions, and rules that are not safely rewritable, omitted
  – Sample database populated, verified with Prolog
  – Omitted rules analyzed manually
• Analysis scalability
  – Running time A: increased patients and doctors
  – Running time B: increased patients only
![Page 44: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/44.jpg)
Formal Security Analysis
[Chart: analysis execution time in seconds (log scale, 1 to 100000) against number of patients (10,000 to 10,000,000); series: Running Time A, Running Time B]
![Page 45: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/45.jpg)
Case Study: Building Automation System

[Diagram: a legacy BAS controller and database on the building control network drive the building resources; the Class Registration and Teaching Assignments databases sit on the local network; a firewall separates the local network from the Internet]
![Page 46: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/46.jpg)
Example Policies
• Users who are given delegation privileges over a room may add or delete users that may access the room
• Students enrolled in a class may unlock the room where the class occurs during normal class hours
  – Attendance recorded
  – Internet access disabled
• Anyone may purchase items from a vending machine, with the cost of items deducted from their account
![Page 47: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/47.jpg)
Outline
(Outline repeated as a section divider; next section: Future Work and Conclusion.)
![Page 48: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/48.jpg)
Future Research Possibilities
• Improvements to TD
  – Aggregation
  – Negation
  – Atomic policies for updates
• Improvements to analysis
  – Retraction analysis
  – State-independent analysis
  – Information flow using delegated privileges
![Page 49: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/49.jpg)
Future Research Possibilities
• Further DB integration
  – Automatic checks for safety
  – Pre-computing optimization
  – Side-effects and ordering
• Development of Case Studies
  – Discretionary access to patient records
    • “Trusted users” no longer constant
    • Specifying exceptions
  – Firewall rules
![Page 50: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/50.jpg)
Conclusion
• Reflective Database Access Control is a more flexible model than View-Based Access Control.
  – Easier to model policy intent
  – Subtle data interactions create new dangers
• Transaction Datalog provides a reasonable theoretical basis for RDBAC.
  – Expressive semantics for describing policy intent
  – Safety analysis
![Page 51: Reflective Database Access Control Lars Olson Ph.D. Thesis Defense](https://reader035.vdocuments.site/reader035/viewer/2022062801/56649e2c5503460f94b1aa6f/html5/thumbnails/51.jpg)
Conclusion
• Compilation of TD rules to SQL views implements RDBAC with current database technology.
• The performance cost of compiled views is low and can be reduced further.
• RDBAC provides benefits for real-world scenarios.