
Research On Fine-Grained Access Control In Relational Databases

Posted on: 2011-02-20
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Shi
GTID: 1118360305492006
Subject: Computer software and theory

Abstract/Summary:
As a component of a relational database, the access control mechanism is very important for a database management system (DBMS). Due to the integration of database and Web technology and the complex requirements of privacy preservation, traditional database access control cannot satisfy complex security requirements. Therefore, to provide a new, flexible access control mechanism that satisfies these security requirements, research on fine-grained access control (FGAC) in relational database systems is of great significance.

Focusing on the design and implementation of fine-grained access control in relational database systems, we conducted in-depth research on the following five aspects: the fine-grained access control model, the analysis of fine-grained access control policies, inference control in database systems with fine-grained access control, a query modification algorithm for implementing fine-grained access control, and the design and implementation of fine-grained access control systems.

To improve the expressiveness of fine-grained access control policies, a new fine-grained access control model, named the DFFAC model, is proposed. The DFFAC model includes two sub-models, the D-DFFAC model and the R-DFFAC model, which are compatible with discretionary access control (DAC) and role-based access control (RBAC) in relational database systems, respectively. The DFFAC model supports not only the closed access control policy but also the open access control policy; that is, it supports fine-grained negative authorization. Based on the DFFAC model, the definition of multiple fine-grained access control policies is presented, and, according to the features of subjects, combination principles and a combination algorithm for multiple fine-grained access control policies are introduced.

To make sure that fine-grained access control policies take effect, research on the analysis of fine-grained access control policies is conducted. First, the definitions of valid and consistent fine-grained access control policies are proposed. Validity requires that there is no ambiguity in fine-grained access control policies, namely that there is only one access decision result under the policies; consistency requires that there are no redundant or violated fine-grained access control policies. Then, based on the DFFAC model, the validity and consistency of DFFAC policies are introduced. The analysis methods are presented and the corresponding checking mechanism is implemented. Finally, experiments on the implementation of the checking mechanism are reported, which demonstrate that the checking mechanism is applicable.

To ensure that the relational database is secure, research on inference problems in database systems with fine-grained access control is conducted. First, the inferences caused by the UPDATE operation are introduced. Second, the inference problems are analyzed at the data level, and a security condition that ensures the inferences are controlled is presented. Third, based on the DFFAC model, a new security condition at the policy level is proposed. Fourth, to control the inferences caused by the UPDATE operation, an approach named the dynamical policy modification approach is proposed to make all DFFAC policies satisfy the security condition at the policy level. Finally, for the DELETE operation, a similar security condition and dynamical policy modification approach are presented.

Based on the query modification idea, a new query modification algorithm named the KAB algorithm is proposed. The KAB algorithm is secure. Then, the definition of soundness is refined and extended. Moreover, the theory of soundness is enhanced based on relational algebra. The kinds of SQL queries for which the KAB algorithm can guarantee soundness are presented. Finally, experiments are conducted to demonstrate that the KAB algorithm is efficient.

Based on the research above, the design and implementation of a fine-grained access control system for the DFFAC model is reported. First, the SQL language is extended to support the specification of DFFAC policies. Then, the design of the DFFAC system is introduced. Finally, the DFFAC system is implemented in the Dameng DBMS, and experiments are conducted to demonstrate that the DFFAC system is applicable.
Keywords/Search Tags: relational database system, fine-grained access control, policy analysis, inference controlling, query modification