Diesel: Applying privilege separation to database access

Proceedings of the 6th International Symposium on Information, Computer and Communications Security, ASIACCS 2011

Volumn , Issue , 2011, Pages 416-422

  Felt, Adrienne Porter ^a   Finifter, Matthew ^a   Weinberger, Joel ^a   Wagner, David ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

Data separation; Privilege separation

Indexed keywords

CODES (SYMBOLS); QUERY LANGUAGES; QUERY PROCESSING;

CODE REVIEW; DATA BASE; DATA SEPARATION; DATABASE ACCESS; DATABASE QUERIES; PRIVILEGE SEPARATION; SQL INJECTION; WORDPRESS;

SEPARATION;

EID: 79955984052     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1966913.1966971     Document Type: Conference Paper

References (29)

1. J. P. Boyer, R. Hasan, L. E. Olson, N. Borisov, C. A. Gunter, and D. Raila. Improving multi-tier security using redundant authentication. In CSAW '07: Proceedings of the 2007 ACM workshop on Computer security architecture, pages 54-62, New York, NY, USA, 2007. ACM.
2. G. Buehrer, B. W. Weide, and P. A. G. Sivilotti. Using parse tree validation to prevent SQL injection attacks. In SEM '05: Proceedings of the 5th international workshop on Software engineering and middleware, pages 106-113, New York, NY, USA, 2005. ACM.
3. M. Dalton, C. Kozyrakis, and N. Zeldovich. Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications. In Proceedings of the 18th USENIX Security Symposium, Montreal, Canada, August 2009.
4. V. Felmetsger, L. Cavedon, C. Kruegel, and G. Vigna. Toward Automated Detection of Logic Vulnerabilities in Web Applications. In USENIX Security, 2010.
5. A. P. Felt, M. Finifter, J. Weinberger, and D. Wagner. Diesel: Applying privilege separation to database access. Technical Report UCB/EECS-2010-149, EEC-S Department, University of California, Berkeley, Dec 2010.
6. Google. Android Developers: Security and Permissions. http://developer.android.com/guide/topics/security/security.html.
7. P. P. Griffiths and B. W. Wade. An authorization mechanism for a relational database system. ACM Trans. Database Syst., 1(3):242-255, 1976.
8. W. Halfond and A. Orso. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Injection Attacks. In Proceedings of the IEEE and ACM International Conference on Automated Software Engineering (ASE 2005), pages 174-183, Long Beach, CA, USA, November 2005.
9. W. G. Halfond, J. Viegas, and A. Orso. A Classification of SQL-Injection Attacks and Countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering, Arlington, VA, USA, March 2006.
10. JForum-Powering communities.http://www.jforum.net.
11. G. Kabra, R. Ramamurthy, and S. Sudarshan. Redundancy and information leakage in fine-grained access control. In SIGMOD '06: Proceedings of the 2006 ACM SIGMOD international conference on Management of data, pages 133-144, New York, NY, USA, 2006. ACM. (Pubitemid 46946508)
12. J. C. K. Keane. [Full-disclosure] Drupal Brilliant Gallery module SQL injection vulnerability. http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/ 2008-09/msg00506.html.
13. A. Krishnamurthy, A. Mettler, and D. Wagner. FineGrained Privilege Separation for Web Applications. In WWW '10: Proceedings of the 19th international conference on World Wide Web. ACM, 2010.
14. C. R. Landau. Security in a secure capability-based system. SIGOPS Oper. Syst. Rev., 23(4):2-4, 1989.
15. J. G. Lara. Internet Security Auditors Alert: WP-Forum < 2.3 SQL Injection vulnerabilities. http://www.securityfocus.com/archive/1/archive/1/ 508504/100/0/threaded 2009.
16. H. M. Levy. Capability-Based Computer Systems. Butterworth-Heinemann, Newton, MA, USA, 1984.
17. N. Loeve. Funnel - A Multiplexer Plugin for MySQLProxy. https://lists.launchpad.net/mysql-proxy-discuss/msg00030.html.
18. A. Mettler, D. Wagner, and T. Close. Joe-E: A Security-Oriented Subset of Java. In Proceedings of the 17th Annual Network and Distributed Systems Security Symposium (NDSS 2010), 2010.
19. M. S. Miller. Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control. PhD thesis, Johns Hopkins University, Baltimore, Maryland, USA, May 2006.
20. MySQL Proxy. http://forge.mysql.com/wiki/MySQL-Proxy.
21. L. E. Olson, C. A. Gunter, and P. Madhusudan. A Formal Framework for Reflective Database Access Control Policies. In CCS '08: Proceedings of the 15th ACM conference on Computer and Communications Security, pages 289-298, New York, NY, USA, 2008. ACM.
22. Oracle. Examples of Second Order SQL Injection Attack. http://st-curriculum.oracle.com/tutorial/SQLInjection/html/lesson1/ les01-tm-attacks2.htm.
23. B. Parno, J. M. McCune, D. Wendlandt, D. G. Andersen, and A. Perrig. CLAMP: Practical prevention of large-scale data leaks. In Proc. IEEE Symposium on Security and Privacy, Oakland, CA, May 2009.
24. N. Provos, M. Friedl, and P. Honeyman. Preventing privilege escalation. In SSYM'03: Proceedings of the 12th conference on USENIX Security Symposium, pages 16-16, Berkeley, CA, USA, 2003. USENIX Association.
25. S. Rizvi, A. Mendelzon, S. Sudarshan, and P. Roy. Extending query rewriting techniques for fine-grained access control. In SIGMOD '04: Proceedings of the 2004 ACM SIGMOD international conference on Management of data, pages 551-562, New York, NY, USA, 2004. ACM.
26. J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278-1308, 1975.
27. J. S. Shapiro, J. M. Smith, and D. J. Farber. EROS: a fast capability system. In SOSP '99: Proceedings of the seventeenth ACM Symposium on Operating Systems Principles, pages 170-185, New York, NY, USA, 1999. ACM. (Pubitemid 129548355)
28. Sun Microsystems, Inc. Connection pooling, 2008.http://java.sun.com/ developer/onlineTraining/Programming/JDCBook/conpool.html#pool.
29. S. Thomas and L. Williams. Using Automated Fix Generation to Secure SQL Statements. In SESS '07: Proceedings of the Third International Workshop on Software Engineering for Secure Systems, page 9, Washington, DC, USA, 2007. IEEE Computer Society.