title: Distributed and Typed Role-based Access Control Mechanisms Driven by CRUD Expressions
creator: Regateiro, Diogo Domingues; Instituto de Telecomunicações, University of Aveiro
creator: Aguiar, Rui Luís; Instituto de Telecomunicações, DETI, University of Aveiro
creator: Pereira, Óscar Mortágua
description: Business logics of relational databases applications are an important source of security violations, namely in respect to access control. The situation is particularly critical when access control policies are many and complex. In these cases, programmers of business logics can hardly master the established access control policies. Now we consider situations where business logics are built with tools such as JDBC and ODBC. These tools convey two sources of security threats: 1) the use of unauthorized Create, Read, Update and Delete (CRUD) expressions and also 2) the modification of data previously retrieved by Select statements. To overcome this security gap when Role-based access control policies are used, we propose an extension to the basic model in order to control the two sources of security threats. Finally, we present a software architectural model from which distributed and typed RBAC mechanisms are automatically built, this way relieving programmers from mastering any security schema. We demonstrate empirical evidence of the effectiveness of our proposal from a use case based on Java and JDBC.
publisher: International Journal of Computer Science: Theory and Application
type: Peer-reviewed Article
source: International Journal of Computer Science: Theory and Application; Vol 2, No 1 (2014)