Abstract:
In enterprise and cloud environments where employee and customer data change rapidly and
constantly, there is a need for fine-grained and flexible access control policies that are
easy to administer. Traditional models such as access control lists (ACLs) and database views fall
short, and enterprises typically resort to embedding access controls in the applications themselves,
a process that is error prone for developers and increases application complexity. As a
consequence of these problems, reflective security policies are becoming popular: database
privileges are expressed as database queries themselves rather than as static privileges
contained in an access control matrix (ACM). The actual data in the database is used for its own
protection, and any change to the data on which the queries depend automatically updates the
policies. The focus of this work is a mechanism that further reduces the task of database security
policy administration. Transactional Datalog (TD), an extension of classical Datalog, has been
proposed as a medium for authoring access control policies, so that high-level policies can be
automatically converted to reflective SQL procedures stored in the database. This
mechanism provides a reflective way of implementing security policies instead of the static
privileges contained in ACLs. In this thesis we provide a translation layer that compiles
TD rules into appropriate SQL statements and stores them as user-defined functions in the database.
Our translation layer allows a security administrator to express powerful access control policies
in the high-level language of TD while needing minimal knowledge of the underlying database
schema or database implementation. We have evaluated our translation layer by authoring four
popular and reasonably complex policy models, namely (i) Chinese Wall, (ii) Bell-LaPadula, (iii)
Role-Based Access Control and (iv) Temporal Policies. Detailed rule-sets and their
corresponding database schemas are discussed along with examples. Security
administrators new to the use of reflective access control policies can tailor the four policy models
to almost any variation they desire, because the policy models we have picked from the literature
serve as the foundation for many policy models in use today. Finally, to verify that our translation
layer neither compromises security nor degrades performance, we have tested our translation
algorithm using two different approaches. Formal verification of access control policies using the
SPIN model checking tool shows that the security of the automated translation is as good as that
of the manual approach, and timing analysis of realistic applications demonstrates that it adds
negligible overhead.
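A reflective policy of the kind the abstract describes, as an added example that is not code from the thesis: the Chinese Wall rule is a SQL query over the access history, so every logged read changes what the same subject may read next, with no privilege table to maintain. It assumes SQLite through Python's sqlite3 and a constructed three-company schema; the policy is kept as a query string because SQLite has no stored procedures.

```python
import sqlite3

# Constructed schema and sample data (not from the thesis).
DDL = """
CREATE TABLE company(name TEXT PRIMARY KEY, coi_class TEXT NOT NULL);
CREATE TABLE object(id INTEGER PRIMARY KEY, company TEXT REFERENCES company(name));
CREATE TABLE access_log(subject TEXT NOT NULL, company TEXT REFERENCES company(name));
"""
SEED = [
    ("INSERT INTO company VALUES (?, ?)",
     [("BankA", "banks"), ("BankB", "banks"), ("OilCo", "oil")]),
    ("INSERT INTO object(company) VALUES (?)", [("BankA",), ("BankB",), ("OilCo",)]),
]

# The privilege itself, expressed as a query: a subject may access company
# `target` unless the access log already shows it touching a *different*
# company in the same conflict-of-interest class. Updating access_log
# therefore updates the policy; nothing in an access-control matrix changes.
CHINESE_WALL = """NOT EXISTS (
    SELECT 1 FROM access_log l
    JOIN company seen ON seen.name = l.company
    WHERE l.subject = :subject
      AND seen.coi_class = target.coi_class
      AND seen.name <> target.name)"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(DDL)
    for sql, rows in SEED:
        db.executemany(sql, rows)
    return db


def allowed_companies(db, subject):
    """Companies the subject may currently access, derived from the data."""
    sql = f"SELECT target.name FROM company target WHERE {CHINESE_WALL} ORDER BY 1"
    return [row[0] for row in db.execute(sql, {"subject": subject})]


def read_object(db, subject, object_id):
    """Return the object's company if the policy permits the read (and log it), else None."""
    sql = f"""SELECT target.name FROM object o
              JOIN company target ON target.name = o.company
              WHERE o.id = :id AND {CHINESE_WALL}"""
    row = db.execute(sql, {"id": object_id, "subject": subject}).fetchone()
    if row is None:
        return None
    db.execute("INSERT INTO access_log VALUES (?, ?)", (subject, row[0]))
    return row[0]
```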