Preventing The Leakage Of Sensitive Information With CREATE_SECURE_OBJECT Privilege
Publication Date: 2011-Sep-06
The IP.com Prior Art Database
Disclosed is a "CREATE_SECURE_OBJECT" privilege to address the threat of information leakage from malicious User-Defined Functions (UDFs) or triggers. A user who is granted this privilege can create UDFs and triggers that are trusted by the database system by specifying the SECURED option in the CREATE or ALTER statement.
The issue of row and column access control has grown in importance to commercial and government users of relational databases, especially with recent government initiatives to strengthen overall security. Row and column access control can be used by a database installation as part of its plan for complying with data protection laws.
Column-level Fine-Grained Access Control has been proposed for Hippocratic databases by Agrawal et al. in the paper "Extending Relational Database Systems to Automatically Enforce Privacy Policies".
This article describes an implementation of Fine-Grained Access Control in DB2 using row permissions and column masks.
A row permission is a database object that expresses a row access control rule for a specific table. It contains the rule in the form of a Structured Query Language (SQL) search condition that describes who can access the rows of the table and under what conditions.
A new CREATE PERMISSION statement with the FOR ROWS clause allows a user to create a row permission object. Multiple row permissions can be created for a table. The definition of a row permission can reference the user, role, or group in the search condition. When multiple permissions for row access control are defined for a table, a row access control search condition is derived by applying the logical OR operator to the search condition of each enabled row permission, so a row is returned if any enabled permission admits it. This row access control search condition is applied whenever the table is accessed.
A column mask is a database object that expresses a column access control rule for a specific column. It contains the rule in the form of an SQL CASE expression that describes who receives the masked value returned for the column and under what conditions. The new CREATE MASK statement allows a user to create a column mask object. Multiple column masks can be created for a table, but a column can have at most one column mask. The definition of a column mask can reference the user, role, or group in the CASE expression. The CASE expression can mask the stored column value before it is returned to the application, and can conditionally determine how the value is returned depending on runtime conditions.
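The two object types described above, written out as an added example in DB2 for Linux, UNIX and Windows syntax (this is not code from the disclosure). The HR.EMPLOYEE and HR.DEPT_MANAGER tables, the MANAGER role, the PAYROLL group and all object names are assumptions. The example shows two row permissions, whose search conditions are ORed together once row access control is activated, and one column mask on the SSN column. In DB2 the CREATE PERMISSION, CREATE MASK and ACTIVATE statements require SECADM authority.

```sql
-- Added example (not from the disclosure): DB2 row permissions and a column
-- mask on a hypothetical HR.EMPLOYEE table. All names are assumptions.
CREATE TABLE hr.employee (
  emp_id   INTEGER       NOT NULL PRIMARY KEY,
  user_id  VARCHAR(128)  NOT NULL,   -- authorization ID of the employee
  dept_id  INTEGER       NOT NULL,
  ssn      CHAR(11)      NOT NULL,   -- 'NNN-NN-NNNN'
  salary   DECIMAL(9,2)  NOT NULL
);

CREATE TABLE hr.dept_manager (
  dept_id  INTEGER       NOT NULL,
  user_id  VARCHAR(128)  NOT NULL
);

-- Row permission 1: an employee may see their own row.
CREATE PERMISSION hr.emp_own_row ON hr.employee
  FOR ROWS WHERE user_id = SESSION_USER
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Row permission 2: a user holding the MANAGER role may see the rows of the
-- departments they manage. Enabled permissions are ORed, so a manager who is
-- also an employee sees their own row plus their departments' rows.
CREATE PERMISSION hr.emp_dept_rows ON hr.employee
  FOR ROWS WHERE VERIFY_ROLE_FOR_USER(SESSION_USER, 'MANAGER') = 1
           AND dept_id IN (SELECT dept_id FROM hr.dept_manager
                           WHERE user_id = SESSION_USER)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: members of the PAYROLL group receive the stored SSN; everyone
-- else receives only the last four digits. A column can carry one mask only.
CREATE MASK hr.ssn_mask ON hr.employee
  FOR COLUMN ssn RETURN
    CASE WHEN VERIFY_GROUP_FOR_USER(SESSION_USER, 'PAYROLL') = 1
         THEN ssn
         ELSE CAST('XXX-XX-' || SUBSTR(ssn, 8, 4) AS CHAR(11))
    END
  ENABLE;

-- Nothing is enforced until access control is activated on the table.
-- Once row access control is active, a table with no enabled row permission
-- returns no rows at all (DB2 supplies an implicit deny-all permission).
ALTER TABLE hr.employee ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE hr.employee ACTIVATE COLUMN ACCESS CONTROL;

-- Check what is in force (DB2 LUW catalog view; column names as of 10.1):
SELECT controlname, controltype, enable
  FROM syscat.controls
 WHERE tabschema = 'HR' AND tabname = 'EMPLOYEE';
```

A practitioner should verify both the row and the column rules from a session with each expected identity (an ordinary employee, a manager, a PAYROLL member) rather than trusting the catalog alone, because the mask is only applied to values returned in the final result set: a predicate such as WHERE ssn LIKE '123%' is still evaluated against the stored value, which is one of the leakage channels the next section is about.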
Modern database systems have other features, such as triggers, that can interact with sensitive data protected by Fine-Grained Access Control (FGAC). Like UDFs, triggers can compromise sensitive data if used without additional safeguards. Even if each trigger execution is restricted to the privileges of the individual user whose statement fired it, over time a trigger could amass information accessible to the union of those users. The same holds true of UDFs, regardless of the order in which the query's operators are evaluated.
In this disclosure, a new privilege called "CREATE_SECURE_OBJECT" is described to address the threat of information leakage from malicious UDFs or triggers.
A user who is granted this privilege can create UDFs and triggers that are trusted by...
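The leakage path just described, and the SECURED / CREATE_SECURE_OBJECT controls the disclosure introduces, written out as an added example in DB2 for Linux, UNIX and Windows syntax (not code from the disclosure). It reuses the hypothetical HR.EMPLOYEE table from the earlier example; the DEV schema, the TRUSTED_DEV user and all object names are assumptions. The enforcement behaviour stated in the comments (a NOT SECURED trigger on a table with active row or column access control is rejected, as is a query on such a table that passes a protected column to a NOT SECURED UDF) is that of DB2 for LUW 10.1 and is not spelled out on this page.

```sql
-- Added example (not from the disclosure). Names and schemas are assumptions.

-- 1. The threat. A trigger runs in the context of whoever executes the
--    triggering statement. Each manager can only update the rows their row
--    permission exposes, but every firing copies that row into a table the
--    trigger's creator can read. Over time DEV.SALARY_SHADOW holds the union
--    of what every updating user was allowed to see.
CREATE TABLE dev.salary_shadow (
  emp_id  INTEGER,
  salary  DECIMAL(9,2),
  seen_by VARCHAR(128)
);

CREATE TRIGGER dev.copy_salary
  AFTER UPDATE OF salary ON hr.employee
  REFERENCING NEW AS n
  FOR EACH ROW MODE DB2SQL
  INSERT INTO dev.salary_shadow VALUES (n.emp_id, n.salary, SESSION_USER);

-- A UDF invoked in a predicate receives the stored column value, not the
-- masked value the application would be shown, so an untrusted UDF is the
-- same concern even when it is harmless-looking, as this one is.
CREATE FUNCTION dev.ssn_area (s CHAR(11))
  RETURNS CHAR(3)
  LANGUAGE SQL
  DETERMINISTIC
  NO EXTERNAL ACTION
  CONTAINS SQL
  RETURN SUBSTR(s, 1, 3);

-- With column access control active on HR.EMPLOYEE, this query is rejected
-- because DEV.SSN_AREA is NOT SECURED (the default):
--   SELECT emp_id FROM hr.employee WHERE dev.ssn_area(ssn) = '123';
-- Likewise, DEV.COPY_SALARY cannot remain NOT SECURED on a table with
-- row or column access control active.

-- 2. The control. SECURED is a trust declaration made by someone who has
--    reviewed the routine body; DB2 does not inspect the body itself.
--    Only a holder of CREATE_SECURE_OBJECT can make or remove that
--    declaration. The privilege is granted by the security administrator:
GRANT CREATE_SECURE_OBJECT ON DATABASE TO USER trusted_dev;

-- TRUSTED_DEV, after review, marks the objects as secure:
ALTER TRIGGER dev.copy_salary SECURED;
ALTER FUNCTION dev.ssn_area(CHAR(11)) SECURED;

-- The option can also be given when the object is created:
CREATE TRIGGER dev.copy_salary_audit
  AFTER UPDATE OF salary ON hr.employee
  REFERENCING NEW AS n
  FOR EACH ROW MODE DB2SQL SECURED
  INSERT INTO dev.salary_shadow VALUES (n.emp_id, n.salary, SESSION_USER);

-- Trust can be withdrawn again without dropping the object:
ALTER TRIGGER dev.copy_salary NOT SECURED;

-- Review which objects touching the protected table are currently trusted
-- (DB2 LUW catalog views; the SECURE column is 'Y' or 'N'):
SELECT trigschema, trigname, secure
  FROM syscat.triggers
 WHERE tabschema = 'HR' AND tabname = 'EMPLOYEE';

SELECT routineschema, routinename, secure
  FROM syscat.routines
 WHERE routineschema = 'DEV';
```

The practical point is that the privilege moves the trust decision out of the hands of whoever happens to own the table or the routine: a developer who can create triggers and UDFs but lacks CREATE_SECURE_OBJECT cannot get their code executed against protected data, and the two catalog queries above give the reviewer a complete list of what has been declared trusted.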