Friday, February 27, 2009

Talk: Fine-Grained Access Control to Data

This week, I presented this talk to a database security class I am taking. It provides some background details about FGAC and then moves on to focus on a SIGMOD 2006 paper "Redundancy and Information Leakage in FGAC" by Kabra et. al. Up until this work, researchers were mainly focusing on the problem "How to prevent information leakage from the query result when FGAC is in action". In other words, research focused on how to make sure that users get only those data they are authorized to access, no more and no less (no less -> completeness is a difficult thing to achieve in FGAC - Can we make sure that user gets all the data that she is entitled to receive?) The paper investigates information leakage through channels other than the query result. Specifically through UDFs (User Defined Functions), exceptions and error messages. A trivial solution to prevent potential information leakage through UDFs is to pull UDFs all the way up in the query plan so that these functions get executed only on authorized relations. However, it could be very inefficient if these UDFs are selective. The novelty of the approach comes from the fact that UDFs are placed to achieve both efficiency and security at the same time. The authors mainly compare improvement in the execution time only. It could mislead readers as they do not include the optimization time in it (Obviously they require more time to optimize as they need to take into account potentially malicious UDFs). Ideally, execution time should be equal to query optimization time + query execution time.

What other approaches can we take to prevent such leakages? A trivial solution is to restrict who can define UDFs. If we allow any user to define UDFs, can we correctly infer if they are safe or not? It looks to be a difficult problem - depending on the context, one UDF may be safe in one situation but not in another. Even more difficult issue is, some UDFs might not actually leak visible data, they may exploit subtle timing variations based on the values passed these functions (For example, a UDF takes a longer time to process for certain types of values - which effectively allow the user to infer some information about the data she does not have access to).

Information leakage is not restricted to FGAC. It's been a widely researched topic in many areas including web applications. In fact, information leakage is one of the top 10 security concerns of ad-hoc web application development.

No comments: