Protecting Databases from Schema Disclosure - A CRUD-Based Protection Model

Óscar Mortágua Pereira, Diogo Domingues Regateiro, Rui L. Aguiar

Abstract

Database schemas, in many organizations, are considered one of the critical assets to be protected. From database schemas, it is not only possible to infer the information being collected but also the way organizations manage their businesses and/or activities. One of the ways to disclose database schemas is through the Create, Read, Update and Delete (CRUD) expressions. In fact, their use can follow strict security rules or be unregulated by malicious users. In the first case, users are required to master database schemas. This can be critical when applications that access the database directly, which we call database interface applications (DIA), are developed by third party organizations via outsourcing. In the second case, users can disclose partially or totally database schemas following malicious algorithms based on CRUD expressions. To overcome this vulnerability, we propose a new technique where CRUD expressions cannot be directly manipulated by DIAs any more. Whenever a DIA starts-up, the associated database server generates a random codified token for each CRUD expression and sends it to the DIA that the database servers can use to execute the correspondent CRUD expression. In order to validate our proposal, we present a conceptual architectural model and a proof of concept.

References

  1. Anley, C. (2002). Advanced SQL injection in SQL server applications. White paper, Next Generation Security Software . . . .
  2. Bagui, S. (2003). Achievements and weaknesses of objectoriented databases. Journal of Object Technology, 2(4):29-41.
  3. Bauer, C. and King, G. (2005). Hibernate in action. Manning Publications.
  4. Chaudhuri, S., Dutta, T., and Sudarshan, S. (2007). Fine grained authorization through predicated grants. In Proceedings - International Conference on Data Engineering, pages 1174-1183, Istanbul.
  5. Eclipselink, U. (2013). Eclipse.
  6. Understanding EclipseLink 2.4.
  7. Erhieyovwe, E., Oghenekaro, P., and Oluwole, N. (2013). An Object Relational Mapping Technique for Java Framework. International Journal of Engineering Science Invention, 2(6):1-9.
  8. Garcia-Molina, H. (2008). Stored Procedures. In Database systems: the complete book, chapter 9.4, pages 391- 404. Pearson, 2nd e. edition.
  9. Halfond, W., Viegas, J., and Orso, A. (2006). A classification of SQL-injection attacks and countermeasures. Proceedings of the IEEE . . . .
  10. IETF (2008). RFC 5246: The Transport Layer Security (TLS) Protocol - Version 1.2.
  11. Pereira, O. M., Aguiar, R. L., and Santos, M. Y. (2011). CRUD-DOM: a model for bridging the gap between the object-oriented and the relational paradigms: an enhanced performance assessment based on a case study. International Journal On Advances in Software, 4(1):158-180.
  12. Pereira, O. M., Regateiro, D. D., and Aguiar, R. L. (2014). Role-Based Access Control Mechanisms. . . . (ISCC), 2014 IEEE . . . .
  13. Pereira, O. O. M., Aguiar, R. R. L., and Santos, M. Y. M. (2012). ACADA: access control-driven architecture with dynamic adaptation. SEKE'12 - 24th Intl. Conf. on Software Engineering and Knowledge Engineering, pages 387-393.
  14. Rohilla, S. and Mittal, P. K. (2013). Database Security by Preventing SQL Injection Attacks in Stored Procedures. Software Engineering Conference, 2006. Australian, 3(11):915-919.
  15. Roichman, A. and Gudes, E. (2007). Fine-grained access control to web databases. Proceedings of the 12th ACM symposium on Access control models and technologies - SACMAT 7807, page 31.
  16. Russell, C. (2008). Bridging the Object-Relational Divide. Queue, 6(June):18.
  17. Sumathi, S. and Esakkirajan, S. (2007). Fundamentals of relational database management systems. Springer.
  18. Wilson, J. (1988). Views as the security objects in a multilevel secure relational database management system. Proceedings. 1988 IEEE Symposium on Security and Privacy.
Download


Paper Citation


in Harvard Style

Mortágua Pereira Ó., Domingues Regateiro D. and Aguiar R. (2016). Protecting Databases from Schema Disclosure - A CRUD-Based Protection Model . In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016) ISBN 978-989-758-196-0, pages 292-301. DOI: 10.5220/0005967402920301


in Bibtex Style

@conference{secrypt16,
author={Óscar Mortágua Pereira and Diogo Domingues Regateiro and Rui L. Aguiar},
title={Protecting Databases from Schema Disclosure - A CRUD-Based Protection Model},
booktitle={Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)},
year={2016},
pages={292-301},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005967402920301},
isbn={978-989-758-196-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)
TI - Protecting Databases from Schema Disclosure - A CRUD-Based Protection Model
SN - 978-989-758-196-0
AU - Mortágua Pereira Ó.
AU - Domingues Regateiro D.
AU - Aguiar R.
PY - 2016
SP - 292
EP - 301
DO - 10.5220/0005967402920301