April 6, 2009.
2. Fine Grained Access Control. SQL authorization is at the level of table/column, e.g. grant select on employee(name) to public. Fine-grained access control examples: managers can see records of their employees; faculty has access to grades of courses they taught. Application-layer support.
2. Application-level support for FGA has several limitations: 1. It provides a large attack surface. 2. Any breach in security at the application level exposes the entire database to damage.
3. There are two significant problems that must be addressed using VRM: 1. The original query usually already includes predicates and joins that restrict access to authorized data, so the checks performed by the rewriting may be redundant; this includes expensive semi-join operations. 2. The other is the effectiveness of the access control implementation under a general model in which users submit arbitrary SQL queries.
5. Non-Truman models guarantee correctness: if a query is accepted, it gives the same result as if the user had full authorization over all relations. In contrast, in the class of Truman models, the query result can be changed by the authorization mechanism.
However, Non-Truman models require a powerful query inference mechanism.
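As an added example (not from the slides or the underlying paper), the following Python toy contrasts the two models on the "managers can see records of their employees" policy. The employee table, the manager names and the query representation are constructed; the Non-Truman validity check is a deliberately crude stand-in (it only accepts a query that literally carries the authorization condition), which is exactly the inference gap the note above refers to.

```python
from typing import Dict, List, Optional, Tuple

Row = Dict[str, object]
Cond = Tuple[str, str, object]   # (column, operator, value), e.g. ("salary", ">", 100)

# Constructed sample table; not data from the slides.
EMPLOYEE: List[Row] = [
    {"id": 1, "name": "ada", "salary": 120, "manager": "grace"},
    {"id": 2, "name": "bob", "salary": 90,  "manager": "grace"},
    {"id": 3, "name": "cy",  "salary": 150, "manager": "linus"},
    {"id": 4, "name": "dee", "salary": 80,  "manager": "linus"},
]

OPS = {"==": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def holds(cond: Cond, row: Row) -> bool:
    col, op, val = cond
    return OPS[op](row[col], val)


def evaluate(conds: List[Cond], rows: List[Row]) -> List[str]:
    """Run a conjunctive selection and return the matching employee names."""
    return [r["name"] for r in rows if all(holds(c, r) for c in conds)]


def auth_cond(user: str) -> Cond:
    """Authorization view for a manager: the rows of their own reports."""
    return ("manager", "==", user)


def truman_rewrite(user: str, query: List[Cond]) -> Tuple[List[Cond], bool]:
    """Truman model: conjoin the authorization predicate onto the user's query.

    Returns the rewritten conditions and whether the added check was redundant
    (the query already restricted itself; detected here only by literal presence).
    """
    a = auth_cond(user)
    if a in query:
        return list(query), True
    return list(query) + [a], False


def truman_answer(user: str, query: List[Cond]) -> List[str]:
    """The Truman model always answers, but the answer may be silently filtered."""
    conds, _ = truman_rewrite(user, query)
    return evaluate(conds, EMPLOYEE)


def non_truman_answer(user: str, query: List[Cond]) -> Optional[List[str]]:
    """Non-Truman model: accept only if the query is shown to be answerable from
    the authorized view, else reject (None). The accepted answer is then identical
    to the full-authorization answer. Assumed toy inference: the authorization
    condition must appear literally in the query; a real system needs more."""
    if auth_cond(user) not in query:
        return None
    return evaluate(query, EMPLOYEE)


if __name__ == "__main__":
    q = [("salary", ">", 100)]
    print("full authorization:", evaluate(q, EMPLOYEE))            # ['ada', 'cy']
    print("Truman (silently filtered):", truman_answer("grace", q))  # ['ada']
    print("Non-Truman:", non_truman_answer("grace", q))            # None (rejected)
    q2 = [auth_cond("grace")] + q
    print("Non-Truman, self-restricted query:", non_truman_answer("grace", q2))  # ['ada']
    print("Truman rewrite redundant:", truman_rewrite("grace", q2)[1])            # True
```

The second query shows the redundancy problem from slide 3: the user already wrote the manager predicate, so the Truman rewrite adds a check that only costs optimizer and execution time.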
8. In general, the rewritten query may have many semi-joins that are redundant. This can add to both the optimization and the execution times of these queries.
16. While UDFonTop obviously prevents information leakage via UDFs, we are not satisfied.
We are now asking: is that the cheapest plan for this query?
Probably not. If the UDF happens to be very selective, keeping the UDF on top is not the best choice.
Therefore, we now want to find the optimal safe plan. For this, we first need to characterize when a query plan is safe.
In other words, how do we know that the UDF placement in a certain alternative plan cannot leak any information?
Once we define the space of plans that are guaranteed to be safe with respect to UDFs, we would like to modify the existing optimizer to search for an optimal plan within this search space.
17. Do the naïve attempt. Show it fails.
Then the second bullet says “correct definition” or something like that. Safe plan was the heading, so don’t use it again.
Now conclude in this bullet that a plan in which all UDFs are placed on top of authorized expressions is considered to be safe.
Authorized expression [this is not introduced for the first time here. In fact, we also use a weak form of this definition in our naïve attempt. Conclude that we need the whole expression to be authorized, and then define safe plan. Identify that how you infer that an expression is authorized is the real contribution.]
However, during the optimization phase there are many alternative plans. How do we determine that an expression, or a subtree in the query plan, is authorized? The authorized expression is more formally defined as “give the definition of authorized expression”. While concise, this definition does not tell us how to infer whether or not an expression or subtree in the query plan is authorized.
At this point, talk of intuition.
18. A plan is safe if the root node is safe.
In a safe plan UDFs are invoked only on authorized views, so unauthorized information is never passed to a UDF.
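As an added example (not the paper's algorithm or the slides' code), the following Python toy makes the safe-plan definition from slides 16 to 18 concrete: it builds three plans for the same query, checks which are safe, runs them with a UDF that records every row it is handed, and picks the cheapest safe plan. The tables, the cost model (one unit per output tuple plus an assumed per-call UDF cost), the "expensive UDF" and the inference rule for authorized expressions (an authorized view is authorized; filters and joins over authorized inputs stay authorized; a raw scan is not) are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Row = Dict[str, object]

# Constructed sample tables; not data from the slides.
EMPLOYEE: List[Row] = [
    {"id": 1, "name": "ada", "salary": 120, "manager": "grace"},
    {"id": 2, "name": "bob", "salary": 90,  "manager": "grace"},
    {"id": 3, "name": "cy",  "salary": 150, "manager": "linus"},
    {"id": 4, "name": "dee", "salary": 80,  "manager": "linus"},
]
PROJECTS: List[Row] = [
    {"emp_id": 1, "project": "p1"}, {"emp_id": 1, "project": "p2"},
    {"emp_id": 2, "project": "p3"}, {"emp_id": 3, "project": "p4"},
    {"emp_id": 3, "project": "p5"}, {"emp_id": 4, "project": "p6"},
]
TABLES = {"employee": EMPLOYEE, "projects": PROJECTS}
UDF_COST = 10   # assumed cost of one UDF call, in units of one output tuple


def auth_pred(row: Row) -> bool:
    """Grace's authorized view of employee: only her own reports."""
    return row["manager"] == "grace"


def expensive_udf(row: Row) -> bool:
    """Stand-in for a selective user-defined function (constructed)."""
    return row["salary"] > 100


@dataclass
class Node:
    op: str                                      # scan | authview | filter | udf | join
    children: List["Node"] = field(default_factory=list)
    pred: Optional[Callable[[Row], bool]] = None
    table: Optional[str] = None


def authorized(n: Node) -> bool:
    """Assumed inference rule for 'authorized expression' (see lead-in)."""
    if n.op == "authview":
        return True
    if n.op == "scan":
        return False
    return all(authorized(c) for c in n.children)


def safe(n: Node) -> bool:
    """A node is safe if any UDF it invokes sits on an authorized input and all
    its children are safe; a plan is safe iff its root is safe."""
    if n.op == "udf" and not authorized(n.children[0]):
        return False
    return all(safe(c) for c in n.children)


def execute(n: Node, trace: dict) -> List[Row]:
    """Evaluate the plan, accumulating cost and every row the UDF observed."""
    if n.op in ("scan", "authview"):
        rows = TABLES[n.table]
        out = [r for r in rows if n.pred is None or n.pred(r)]
    elif n.op in ("filter", "udf"):
        rows = execute(n.children[0], trace)
        if n.op == "udf":
            trace["udf_seen"].extend(rows)        # the UDF sees each input row
            trace["cost"] += UDF_COST * len(rows)
        out = [r for r in rows if n.pred(r)]
    else:  # join employee.id = projects.emp_id
        left, right = (execute(c, trace) for c in n.children)
        out = [{**l, **r} for l in left for r in right if l["id"] == r["emp_id"]]
    trace["cost"] += len(out)
    return out


def evaluate(n: Node) -> Tuple[bool, int, List[str]]:
    """Return (is_safe, cost, names of unauthorized rows the UDF observed)."""
    trace = {"cost": 0, "udf_seen": []}
    execute(n, trace)
    leaked = sorted({r["name"] for r in trace["udf_seen"] if not auth_pred(r)})
    return safe(n), trace["cost"], leaked


def cheapest_safe(plans: List[Node]) -> Optional[Node]:
    """The optimizer's job restricted to the safe search space."""
    ok = [p for p in plans if safe(p)]
    return min(ok, key=lambda p: evaluate(p)[1]) if ok else None


# Query: grace's reports, joined with their projects, filtered by the UDF.
auth_emp = Node("authview", table="employee", pred=auth_pred)
auth_proj = Node("authview", table="projects")          # projects are public
raw_emp = Node("scan", table="employee")
udf_on_top = Node("udf", [Node("join", [auth_emp, auth_proj])], pred=expensive_udf)
udf_pushed_safe = Node("join", [Node("udf", [auth_emp], pred=expensive_udf), auth_proj])
udf_pushed_unsafe = Node("join", [Node("filter", [Node("udf", [raw_emp], pred=expensive_udf)],
                                       pred=auth_pred), auth_proj])

if __name__ == "__main__":
    for name, plan in [("UDFonTop", udf_on_top), ("UDF above authview", udf_pushed_safe),
                       ("UDF below authorization", udf_pushed_unsafe)]:
        print(name, evaluate(plan))   # (safe?, cost, leaked rows)
```

UDFonTop is safe but pays for three UDF calls; pushing the UDF directly above the authorized view is equally safe and cheaper; pushing it below the authorization predicate is cheapest on UDF selectivity alone but hands the UDF cy's and dee's rows, which is exactly the leak the safe-plan definition rules out.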
21. G7 is not authorized, G5 is authorized. Connect back to the example.
24. Spend more time if it’s ok.