
Authorization in Oracle Part 2 Ji-Won Mahesh

Stored Procedures. If A gives B insert on t with no grant option, can only B insert into t? No – must consider whether B has the “create procedure” (or “create any procedure”) system privilege. Examples.


Presentation Transcript


  1. Authorization in Oracle Part 2 Ji-Won Mahesh

  2. Stored Procedures
     • If A gives B insert on t with no grant option
     • Can only B insert into t?
     • No – must consider whether B has the “create procedure” (or “create any procedure”) system privilege.

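  3. Examples

     ```sql
     -- Bob.def: definer's rights procedure owned by Bob.
     -- The authid definer clause is optional; it is the default.
     create or replace procedure def(x number, y number)
     authid definer
     as
     begin
       insert into alice.t1 values (x,y);
       commit;
     end;
     /

     -- Bob.inv: invoker's rights procedure owned by Bob.
     create or replace procedure inv(x number, y number)
     authid current_user
     as
     begin
       insert into alice.t1 values (x,y);
       commit;
     end;
     /
     ```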

  4. Definer’s rights procedure
     • “A user…requires only the privilege to execute the procedure and no privileges on the underlying objects…”
     • “…operates under the security domain of the user who owns the procedure…”
     • “At runtime, the privileges of the owner…are always checked…”

  5. Invoker’s rights procedure
     • “…executes with all of the invoker’s privileges…”
     • “…invoker needs privileges at runtime to access…DML or dynamic SQL statements, because they are effectively recompiled at runtime.”
     • “For…direct PL/SQL function calls, the owner’s privileges are checked at compile time, and no runtime check is made. Therefore, the user…needs no privileges…outside DML or dynamic SQL statements.”

  6. Examples

     ```sql
     -- Carl.def_inv: procedure owned by Carl that calls Bob's invoker's rights procedure.
     create or replace procedure def_inv(x number, y number)
     as
     begin
       bob.inv(x,y);
     end;
     /
     ```

     • Similarly: Carl.inv_inv, Carl.inv_def, …

  7. def_inv (diagram; labels: A, B, inv, def_inv, C, D)

  8. inv_inv (diagram; labels: A, B, inv, inv_inv, C, D)

  9. inv_def (diagram; labels: A, B, def, inv_def, C, D)

  10. Understanding Java Stack Inspection (diagram; labels: OS, Trusted Java, “The system”, Untrusted Java)

  11. Java Access Control
      • Consequences of type safety
      • Old approach: sandbox
      • New approach: stack inspection
      • Assume access matrix, with subjects = signers/classes (?), and objects = resources

  12. Stack Inspection
      • Frame has:
        • Arguments
        • Local vars.
        • Ret. Addr.
      • Annotated with: enable_privs(t) (assumptions about who may do this)
      • Newest frame, or current frame

  13. Primitives
      • enable_privilege(t)
      • disable_privilege(t)
        • Explicit denial
      • revert_privilege(t)
        • Removal of annotation
      • check_privilege(t)

  14. check_privilegeF(t)

      ```
      check_privilege(t) {
        foreach stackFrame {
          if (local policy forbids access to t by the class executing in stackFrame)
            deny access;
          if (stackFrame has enabled priv. for t)
            return; // allow access
          if (stackFrame has disabled priv. for t)
            deny access;
        }
      }
      ```

      Default:
      • Netscape: deny
      • Sun/Microsoft: allow

  15. ABLP Logic
      • If s is an instance of a theorem in propositional logic, then s is true in ABLP
      • (Atomic) principals, statements
      • Connectives:
        • says, , , ∧, |
      • Statement: e.g. Ok(t)
      • E.g. axiom: (A says (B  A))  (B  A)

  16. Decision Problem
      • check_privilegeF(t) ≈ EF Ok(t) ?
      • EF = (, AVM(F), BF)
      •  = set of frame credentials
        • frame  signer
      • AVM(F) = access matrix entries
        • P  t
      • BF = belief set for the frame F

  17. Constructing belief set
      • Example from the paper…

  18. Decision Procedure
      • Collects all statements from (, AVM(F), BF)
      • Considers “type 1” statements: Ok(u)
      • Then considers “type 2” statements (P  Q) and builds a di-graph.
      • Then considers “type 3” statements (F1 | F2 | … | Fk says Ok(u) ). True if both:
        • For all 1, …, k, Fi  t in the di-graph
        • u = t

  19. Decision Procedure (contd.)
      • Terminates
      • Is sound
      • Conjectured to be complete
      • Is “equivalent” to Java stack inspection

  20. Other stuff
      • E.g., when does call to enable_privilege(t) succeed?
      • Canonical form for belief set
        • P1 | P2  P2 | P1
        • P | P  P
      • Pushdown automata
      • Security-passing style: carrying around belief set in a “hidden” parameter

  21. Other stuff (contd.)
      • RPC:
        • Caller sends to callee:
          • Belief set
          • Frame credentials
        • Callee prepends:
          • Kcaller | to every entry in belief set
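
The check_privilege walk from slide 14, together with the primitives from slide 13, as a runnable model. This is an added example, not code from the presentation; the newest-to-oldest search order, the class names, the target name and the policy table are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Frame:
    cls: str  # class whose code executes in this frame
    enabled: set = field(default_factory=set)   # targets annotated by enable_privilege
    disabled: set = field(default_factory=set)  # targets annotated by disable_privilege

    def enable_privilege(self, t):
        self.disabled.discard(t)
        self.enabled.add(t)

    def disable_privilege(self, t):  # explicit denial
        self.enabled.discard(t)
        self.disabled.add(t)

    def revert_privilege(self, t):  # removal of annotation
        self.enabled.discard(t)
        self.disabled.discard(t)

def check_privilege(stack, t, policy, default_allow):
    """stack: Frames, oldest first. policy: class -> targets it may access.
    default_allow: verdict when no frame decides (False = Netscape, True = Sun/Microsoft)."""
    for frame in reversed(stack):  # assumption: newest frame is examined first
        if t not in policy.get(frame.cls, set()):
            return False  # local policy forbids this class
        if t in frame.enabled:
            return True
        if t in frame.disabled:
            return False
    return default_allow

# Constructed policy and call chains (hypothetical class and target names).
POLICY = {"System": {"FileRead"}, "TrustedLib": {"FileRead"}, "Applet": set()}

def make_stack(classes, enable_at=None):
    stack = [Frame(c) for c in classes]
    if enable_at is not None:
        stack[enable_at].enable_privilege("FileRead")
    return stack

if __name__ == "__main__":
    cases = {
        "applet -> lib(enables) -> system": make_stack(["Applet", "TrustedLib", "System"], 1),
        "lib(enables) -> applet -> system": make_stack(["TrustedLib", "Applet", "System"], 0),
        "lib -> system, nothing enabled": make_stack(["TrustedLib", "System"]),
    }
    for name, stack in cases.items():
        for label, default in (("Netscape", False), ("Sun/Microsoft", True)):
            print(name, label, check_privilege(stack, "FileRead", POLICY, default))
```

The second case shows why every frame is tested against local policy: a privilege enabled by a trusted caller does not carry through an untrusted frame sitting between it and the check. Only the third case depends on the vendor default.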
