Paper ID: IEEE TrustCom 2020 (or WiP or Conference/Symposium/Workshop transferred) #291
Title: Automated Enforcement of the Principle of Least Privilege over Data Source Access
Authors: Haoqi Wu, Zhengxuan Yu, Dapeng Huang, Haodong Zhang, Weili Han
Conference: The 19th IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom 2020), Guangzhou, China, December 29, 2020 – January 1, 2021
Conference Website: http://www.ieee-trustcom.org/TrustCom2020/
Abstract:
The state-of-the-art database-backed web applications usually assign full privileges to connections between applications and data sources. This phenomenon, which would enable a malicious attacker to easily compromise the applications through arbitrarily manipulating the data sources without the restriction of privileges, seriously breaks the principle of least privilege (PLP), a fundamental law of system security. Motivated to counter this problem, we propose a framework PDA (PLP over Data source Access) to automatically enforce this principle over data source access based on application-driven privilege separation. Our proposed PDA contributes from the following aspects:
i) PDA achieves the privilege separation by intercepting database queries and enforcing privileged connections to database for each database query;
ii) PDA can effectively defend against SQL-based vulnerabilities including buggy queries and SQL injection attacks.
Lastly, we evaluate PDA on a widely used application platform, JForum, to demonstrate the effectiveness of PDA with a promising performance overhead of 8.13%.
Keywords: Principle of Least Privilege, Fine-grained Access Control, Data Source, Automated Enforcement
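
The per-query privilege separation described in the abstract can be sketched as follows. This is an added illustration, not PDA's implementation or code from the paper: it substitutes Python's `sqlite3` authorizer callback for database-level privileged connections, and the profile names, schema and `LeastPrivilegeRouter` class are hypothetical.

```python
import sqlite3
import tempfile

# Constructed privilege profiles (hypothetical names): one per application
# query site, listing the only (action, table) pairs that site needs.
PROFILES = {
    "list_posts": {(sqlite3.SQLITE_SELECT, None), (sqlite3.SQLITE_READ, "posts")},
    "add_post": {(sqlite3.SQLITE_INSERT, "posts")},
}


class LeastPrivilegeRouter:
    """Sends each query through a connection limited to its site's profile."""
    def __init__(self, db_path):
        self.conns = {}
        for site, allowed in PROFILES.items():
            conn = sqlite3.connect(db_path, isolation_level=None)  # autocommit
            conn.set_authorizer(self._make_authorizer(allowed))
            self.conns[site] = conn

    @staticmethod
    def _make_authorizer(allowed):
        def authorize(action, arg1, arg2, dbname, source):
            # For table-level actions SQLite passes the table name as arg1.
            ok = (action, arg1) in allowed
            return sqlite3.SQLITE_OK if ok else sqlite3.SQLITE_DENY
        return authorize

    def run(self, site, sql, params=()):
        # Raises sqlite3.DatabaseError when the statement exceeds the profile.
        return self.conns[site].execute(sql, params).fetchall()


def build_demo():
    # Constructed schema, created over a full-privilege setup connection.
    path = tempfile.mkdtemp() + "/demo.db"
    admin = sqlite3.connect(path)
    admin.executescript(
        "CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT);"
        "CREATE TABLE users(password TEXT);"
        "INSERT INTO posts(title) VALUES ('hello'); INSERT INTO users VALUES ('constructed');"
    )
    admin.close()
    return LeastPrivilegeRouter(path)


def list_post(router, post_id):
    # Deliberately buggy: concatenates input, the kind of query to be contained.
    return router.run("list_posts", "SELECT title FROM posts WHERE id = " + post_id)
```

The query in `list_post` stays injectable, but the connection it runs on can only read `posts`, so a statement that reaches for `users` is rejected when it is prepared.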