Authorization in Oracle, Part 2 (Ji-Won, Mahesh)
DESCRIPTION
Authorization in Oracle, Part 2, by Ji-Won and Mahesh. Stored procedures: if A gives B insert on t with no grant option, can only B insert into t? No: one must also consider whether B has the "create procedure" (or "create any procedure") system privilege. Examples.
Authorization in Oracle, Part 2
Ji-Won, Mahesh
Stored Procedures
If A gives B insert on t with no grant option, can only B insert into t?
No: we must also consider whether B has the "create procedure" (or "create any procedure") system privilege.
Examples

  create or replace procedure def(x number, y number)
  authid definer as      -- authid definer is the default and may be omitted
  begin
    insert into alice.t1 values (x, y);
    commit;
  end;
  /

Bob.def

  create or replace procedure inv(x number, y number)
  authid current_user as
  begin
    insert into alice.t1 values (x, y);
    commit;
  end;
  /

Bob.inv
Definer's rights procedure
"A user…requires only the privilege to execute the procedure and no privileges on the underlying objects…"
"…operates under the security domain of the user who owns the procedure…"
"At runtime, the privileges of the owner…are always checked…"
Invoker's rights procedure
"…executes with all of the invoker's privileges…"
"…invoker needs privileges at runtime to access…DML or dynamic SQL statements, because they are effectively recompiled at runtime."
"For…direct PL/SQL function calls, the owner's privileges are checked at compile time, and no runtime check is made. Therefore, the user…needs no privileges…outside DML or dynamic SQL statements."
Examples

  create or replace procedure def_inv(x number, y number) as
  begin
    bob.inv(x, y);
  end;
  /

Carl.def_inv
• Similarly: Carl.inv_inv, Carl.inv_def, …
[Diagrams: call chains through Carl.def_inv, Carl.inv_inv and Carl.inv_def, each drawn over nodes A, B, C, D and ending in Bob.inv or Bob.def]
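To make the def / inv / def_inv / inv_def chains concrete, here is an added example (my own model, not code from the slides or from Oracle) that computes whose INSERT privilege on alice.t1 is checked at each step. It assumes an invoker's-rights unit reached from a definer's-rights unit runs as that unit's owner, and it does not model EXECUTE privileges on the procedures themselves; the grants and the user "dave" are constructed.

```python
# Added example, not from the slides: a small model of Oracle's definer's-
# rights vs invoker's-rights semantics. Assumptions: a procedure is
# (owner, authid, steps); a step is ("call", proc) or ("dml", table); an
# invoker's-rights unit reached from a definer's-rights unit runs as that
# unit's owner, who is then the current user. EXECUTE privileges on the
# procedures themselves are not modelled.
from dataclasses import dataclass

@dataclass
class Proc:
    owner: str
    authid: str      # "definer" or "current_user"
    steps: list      # [("call", "bob.inv")] or [("dml", "alice.t1")]

# Constructed grants: alice owns t1 and gave INSERT to bob only, no grant option.
GRANTS = {"alice.t1": {"alice", "bob"}}

PROCS = {
    "bob.def":      Proc("bob",  "definer",      [("dml", "alice.t1")]),
    "bob.inv":      Proc("bob",  "current_user", [("dml", "alice.t1")]),
    "carl.def_inv": Proc("carl", "definer",      [("call", "bob.inv")]),
    "carl.inv_inv": Proc("carl", "current_user", [("call", "bob.inv")]),
    "carl.inv_def": Proc("carl", "current_user", [("call", "bob.def")]),
}

def run(name, current_user, trace=None):
    """Execute proc `name` as `current_user`; return (succeeded, trace) where
    trace lists (proc, user whose privileges were checked, table, allowed)."""
    trace = [] if trace is None else trace
    proc = PROCS[name]
    # Definer's rights: the owner's security domain; invoker's rights: the caller's.
    effective = proc.owner if proc.authid == "definer" else current_user
    for kind, target in proc.steps:
        if kind == "call":
            ok, _ = run(target, effective, trace)
        else:
            ok = effective in GRANTS.get(target, set())
            trace.append((name, effective, target, ok))
        if not ok:
            return False, trace
    return True, trace

if __name__ == "__main__":
    for p in PROCS:
        ok, trace = run(p, "dave")   # dave holds no privilege on alice.t1
        print(f"dave calls {p}: {'inserts' if ok else 'fails'} {trace}")
```

Running it shows that dave, who holds no privilege on alice.t1, inserts through Bob.def and Carl.inv_def but not through Bob.inv, Carl.def_inv or Carl.inv_inv.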
Understanding Java Stack Inspection
[Diagram: layered view: OS; trusted Java ("the system"); untrusted Java]
Java Access Control
Consequences of type safety
Old approach: sandbox
New approach: stack inspection
Assume an access matrix, with subjects = signers/classes (?) and objects = resources
Stack Inspection
[Diagram: a call stack; each frame has arguments, local variables and a return address; a frame may be annotated with enable_privs(t) (assumptions about who may do this); the newest frame is the current frame]
Primitives
enable_privilege(t)
disable_privilege(t): explicit denial
revert_privilege(t): removal of annotation
check_privilege(t)
check_privilege_F(t)

  check_privilege(t) {
    foreach stackFrame {                     // newest frame first
      if (local policy forbids access to t by the class executing in stackFrame)
        deny access;
      if (stackFrame has enabled priv. for t)
        return;                              // allow access
      if (stackFrame has disabled priv. for t)
        deny access;
    }
    Default: Netscape: deny; Sun/Microsoft: allow
  }
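The walk above, as an added example (my own code, not the slides' or any JVM's), run over constructed call stacks so the two vendor defaults can be compared. It assumes a frame records the class running in it plus the targets it has enabled or disabled, the local policy is a dict from class to forbidden targets, and stack[0] is the newest frame.

```python
# Added example, not from the slides: the check_privilege(t) walk run over
# constructed stacks, with the Netscape (deny) and Sun/Microsoft (allow)
# defaults side by side. Assumptions: a frame records its class plus the
# targets it enabled/disabled; POLICY maps class -> forbidden targets;
# stack[0] is the newest (current) frame.
from dataclasses import dataclass, field

@dataclass
class Frame:
    cls: str
    enabled: set = field(default_factory=set)
    disabled: set = field(default_factory=set)

def check_privilege(stack, t, policy, default="deny"):
    """Walk from the newest frame outward; True = allow, False = deny."""
    for frame in stack:
        if t in policy.get(frame.cls, set()):
            return False              # local policy forbids t for this class
        if t in frame.enabled:
            return True               # this frame took responsibility for t
        if t in frame.disabled:
            return False              # explicit denial
    return default == "allow"         # ran off the stack: vendor default

# Constructed policy: applet code may never read files on its own authority.
POLICY = {"untrusted.Applet": {"FileRead"}}
T = "FileRead"

# Constructed stacks, newest frame first.
STACKS = {
    # applet -> FileMgr (enables FileRead) -> Helper asks for FileRead
    "enabled_below": [Frame("sys.Helper"), Frame("sys.FileMgr", enabled={T}),
                      Frame("untrusted.Applet")],
    # FileMgr enabled FileRead, then called back into the applet, which asks
    "applet_on_top": [Frame("untrusted.Applet"), Frame("sys.FileMgr", enabled={T})],
    # system-only stack, nobody enabled anything: the default decides
    "no_annotation": [Frame("sys.Helper"), Frame("sys.FileMgr")],
    # FileMgr disabled FileRead even though Main had enabled it
    "disabled_above": [Frame("sys.Helper"), Frame("sys.FileMgr", disabled={T}),
                       Frame("sys.Main", enabled={T})],
}

def results(default):
    """Decision for every constructed stack under the given default."""
    return {name: check_privilege(s, T, POLICY, default) for name, s in STACKS.items()}

if __name__ == "__main__":
    print("netscape:", results("deny"))
    print("sun/ms:  ", results("allow"))
```

Only the "no_annotation" stack differs between the two defaults; the policy check, the enable and the disable decide the rest before the walk runs off the stack.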
ABLP Logic
If s is an instance of a theorem in propositional logic, then s is true in ABLP.
(Atomic) principals, statements
Connectives: says, ⇒ (speaks for), ⊃, ∧, | (quoting)
Statement, e.g. Ok(t)
E.g. axiom: (A says (B ⇒ A)) ⊃ (B ⇒ A)
Decision Problem
check_privilege_F(t) ≈ E_F ⊢ Ok(t) ?
E_F = (frame signer, A_VM(F), B_F) = set of frame credentials, where
  frame signer
  A_VM(F) = access matrix entries (P ⇒ t)
  B_F = belief set for the frame F
Constructing belief set
Example from the paper…
Decision Procedure
Collects all statements from (frame signer, A_VM(F), B_F).
Considers "type 1" statements: Ok(u).
Then considers "type 2" statements (P ⇒ Q) and builds a di-graph.
Then considers "type 3" statements (F1 | F2 | … | Fk says Ok(u)). True if both:
  for all i = 1, …, k, Fi ⇒ t in the di-graph
  u = t
Decision Procedure (contd.)
Terminates
Is sound
Conjectured to be complete
Is "equivalent" to Java stack inspection
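The three-type procedure, as an added example (my own transcription, not code from the slides or the paper). It assumes credentials are tuples ("ok", u), ("speaks_for", P, Q) or ("says", [F1, …, Fk], ("ok", u)), the last standing for F1 | F2 | … | Fk says Ok(u); "Fi ⇒ t in the di-graph" is read as a directed path from Fi to t; the principals and target names are constructed.

```python
# Added example, not from the slides or the paper: the decision procedure
# transcribed into code. Assumptions: a credential is ("ok", u),
# ("speaks_for", P, Q) or ("says", [F1, ..., Fk], ("ok", u)); "Fi => t in the
# di-graph" means a directed path from Fi to t (speaks-for is transitive);
# targets are principals, as in the ABLP encoding.
from collections import defaultdict

def build_digraph(creds):
    """Type 2 statements P => Q become edges P -> Q."""
    g = defaultdict(set)
    for c in creds:
        if c[0] == "speaks_for":
            g[c[1]].add(c[2])
    return g

def reaches(g, src, dst):
    """Is there a path src -> ... -> dst (src == dst counts)?"""
    seen, todo = set(), [src]
    while todo:
        n = todo.pop()
        if n == dst:
            return True
        if n not in seen:
            seen.add(n)
            todo.extend(g[n])
    return False

def decide(creds, t):
    """Does the credential set E_F entail Ok(t)?"""
    g = build_digraph(creds)
    for c in creds:
        if c[0] == "ok" and c[1] == t:                        # type 1
            return True
        if c[0] == "says":                                     # type 3
            frames, (_, u) = c[1], c[2]
            if u == t and all(reaches(g, f, t) for f in frames):
                return True
    return False

# Constructed credentials: A_VM entries say the system key speaks for FileRead,
# Helper and FileMgr are signed by the system key, and the applet is not.
CREDS = [
    ("speaks_for", "sys.Helper", "SystemKey"),
    ("speaks_for", "sys.FileMgr", "SystemKey"),
    ("speaks_for", "SystemKey", "FileRead"),
    ("says", ["sys.Helper", "sys.FileMgr"], ("ok", "FileRead")),
]
# Same matrix, but the quoting chain now passes through the unsigned applet.
BAD = CREDS[:3] + [("says", ["sys.Helper", "untrusted.Applet"], ("ok", "FileRead"))]
```

decide(CREDS, "FileRead") is true because every frame in the quoting chain reaches FileRead through SystemKey; decide(BAD, "FileRead") is false because untrusted.Applet has no path to the target.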
Other stuff
E.g., when does a call to enable_privilege(t) succeed?
Canonical form for belief set: P1 | P2 is identified with P2 | P1, and P | P with P
Pushdown automata
Security-passing style: carrying around the belief set in a "hidden" parameter
Other stuff (contd.)
RPC: caller sends to callee:
  belief set
  frame credentials
Callee prepends "K_caller |" to every entry in the belief set