A framework to enforce access control over data streams

Q Engineering

ACM Transactions on Information and System Security Pub Date : 2010-07-01 DOI:10.1145/1805974.1805984

B. Carminati, E. Ferrari, Jianneng Cao, K. Tan

{"title":"A framework to enforce access control over data streams","authors":"B. Carminati, E. Ferrari, Jianneng Cao, K. Tan","doi":"10.1145/1805974.1805984","DOIUrl":null,"url":null,"abstract":"Although access control is currently a key component of any computational system, it is only recently that mechanisms to guard against unauthorized access to streaming data have started to be investigated. To cope with this lack, in this article, we propose a general framework to protect streaming data, which is, as much as possible, independent from the target stream engine. Differently from RDBMSs, up to now a standard query language for data streams has not yet emerged and this makes the development of a general solution to access control enforcement more difficult. The framework we propose in this article is based on an expressive role-based access control model proposed by us. It exploits a query rewriting mechanism, which rewrites user queries in such a way that they do not return tuples/attributes that should not be accessed according to the specified access control policies. Furthermore, the framework contains a deployment module able to translate the rewritten query in such a way that it can be executed by different stream engines, therefore, overcoming the lack of standardization. In the article, besides presenting all the components of our framework, we prove the correctness and completeness of the query rewriting algorithm, and we present some experiments that show the feasibility of the developed techniques.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2010-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"65","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Information and System Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/1805974.1805984","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q","JCRName":"Engineering","Score":null,"Total":0}

引用次数: 65

Abstract

Although access control is currently a key component of any computational system, it is only recently that mechanisms to guard against unauthorized access to streaming data have started to be investigated. To cope with this lack, in this article, we propose a general framework to protect streaming data, which is, as much as possible, independent from the target stream engine. Differently from RDBMSs, up to now a standard query language for data streams has not yet emerged and this makes the development of a general solution to access control enforcement more difficult. The framework we propose in this article is based on an expressive role-based access control model proposed by us. It exploits a query rewriting mechanism, which rewrites user queries in such a way that they do not return tuples/attributes that should not be accessed according to the specified access control policies. Furthermore, the framework contains a deployment module able to translate the rewritten query in such a way that it can be executed by different stream engines, therefore, overcoming the lack of standardization. In the article, besides presenting all the components of our framework, we prove the correctness and completeness of the query rewriting algorithm, and we present some experiments that show the feasibility of the developed techniques.

查看原文本刊更多论文

对数据流实施访问控制的框架

尽管访问控制目前是任何计算系统的关键组成部分，但直到最近才开始研究防止未经授权访问流数据的机制。为了解决这一不足，在本文中，我们提出了一个通用框架来保护流数据，该框架尽可能独立于目标流引擎。与rdbms不同的是，到目前为止，还没有出现用于数据流的标准查询语言，这使得开发用于访问控制实施的通用解决方案更加困难。本文提出的框架是基于我们提出的一个表达性的基于角色的访问控制模型。它利用了查询重写机制，该机制以不返回根据指定的访问控制策略不应访问的元组/属性的方式重写用户查询。此外，该框架还包含一个部署模块，该模块能够转换重写的查询，使其可以由不同的流引擎执行，从而克服了缺乏标准化的问题。在本文中，除了展示了我们的框架的所有组件外，我们还证明了查询重写算法的正确性和完整性，并给出了一些实验来证明所开发技术的可行性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Transactions on Information and System Security 工程技术-计算机：信息系统

CiteScore

4.50

自引率

0.00%

发文量

审稿时长

3.3 months

期刊介绍： ISSEC is a scholarly, scientific journal that publishes original research papers in all areas of information and system security, including technologies, systems, applications, and policies.