
Don't Even Ask: Database Access Control through Query Control

Published: 27 February 2019

Abstract

This paper presents a vision and description for query control, which is a paradigm for database access control. In this model, individual queries are examined before being executed and are either allowed or denied by a pre-defined policy. Traditional view-based database access control requires the enforcer to view the query, the records, or both. That may present difficulty when the enforcer is not allowed to view database contents or the query itself. This discussion of query control arises from our experience with privacy-preserving encrypted databases, in which no single entity learns both the query and the database contents. Query control is also a good fit for enforcing rules and regulations that are not well-addressed by view-based access control. With the rise of federated database management systems, we believe that new approaches to access control will be increasingly important.
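The following Python program is an added worked example, not code from the paper or its authors: it implements the abstract's idea of a query-control gate that reads only the text of a query and returns allow or deny from a fixed policy, never touching a record. The schema (patients, visits, payroll), the column names and the policy rules are hypothetical, and the SQL subset it accepts is deliberately tiny so that the policy logic, not SQL parsing, is the point.

```python
"""Query control as a syntactic gate: decide allow/deny from the query text alone.

Added illustration, not the paper's system. It covers a deliberately small SQL
subset (SELECT ... FROM ... [JOIN ...] [WHERE ...]) so the policy logic, not
SQL parsing, is the point. Anything outside that subset is denied (fail closed).
"""
import re

# Hypothetical schema and policy for the example (nothing here comes from the paper).
FORBIDDEN_COLUMNS = {"ssn", "dob"}                     # never projected or filtered on
FORBIDDEN_JOINS = {frozenset({"patients", "visits"})}  # identity may not be linked to diagnoses
REQUIRED_PREDICATES = {"payroll": {"employee_id"}}     # payroll only by employee, never in bulk
MAX_TABLES = 2

# Words that look like identifiers but are not column references.
KEYWORDS = {"and", "or", "not", "null", "is", "in", "like", "between", "as",
            "on", "count", "sum", "avg", "min", "max", "distinct"}

STMT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<from>.+?)"
    r"(?:\s+WHERE\s+(?P<where>.+?))?\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)
JOIN_SPLIT_RE = re.compile(
    r"\s+(?:(?:INNER|LEFT|RIGHT|FULL)\s+)?(?:OUTER\s+)?JOIN\s+|\s*,\s*", re.IGNORECASE)
IDENT_RE = re.compile(r"\b([A-Za-z_]\w*)(?:\.([A-Za-z_]\w*))?\b")
WILDCARD_RE = re.compile(r"(?:^|[\s,.])\*")   # bare * or t.*, but not COUNT(*)


def _parse_from(from_clause):
    """Return (tables, alias->table map, list of ON conditions) for the FROM clause."""
    tables, aliases, on_conds = set(), {}, []
    for spec in JOIN_SPLIT_RE.split(from_clause):
        table_part, *on_part = re.split(r"\s+ON\s+", spec.strip(), maxsplit=1, flags=re.I)
        words = table_part.split()
        if not words:
            raise ValueError("empty table reference")
        table = words[0].lower()
        alias = words[-1].lower()              # handles "patients p" and "patients AS p"
        tables.add(table)
        aliases[table] = table
        aliases[alias] = table
        on_conds.extend(on_part)
    return tables, aliases, on_conds


def _columns(expr, aliases):
    """Map every column reference in expr to (table, column).

    Qualified names resolve through the alias map. Unqualified names are attributed
    to every table in scope: the gate never consults the catalog, so it assumes the
    worst rather than guessing which table the column belongs to."""
    refs = set()
    expr = re.sub(r"'[^']*'", "''", expr)      # string literals are not identifiers
    for qual, name in IDENT_RE.findall(expr):
        if name:
            table = aliases.get(qual.lower())
            if table is None:
                raise ValueError(f"unknown table or alias {qual!r}")
            refs.add((table, name.lower()))
        elif qual.lower() not in KEYWORDS:
            refs.update((table, qual.lower()) for table in set(aliases.values()))
    return refs


def decide(sql):
    """Return (allowed, reasons). Only the query text is inspected; no row is read."""
    m = STMT_RE.match(sql)
    if not m:
        return False, ["not a recognised SELECT ... FROM ... [WHERE ...]; denied by default"]
    try:
        tables, aliases, on_conds = _parse_from(m["from"])
        refs = _columns(m["cols"], aliases)
        for cond in on_conds:
            refs |= _columns(cond, aliases)
        where_refs = _columns(m["where"] or "", aliases)
    except ValueError as exc:
        return False, [f"unparseable query: {exc}"]

    reasons = []
    if len(tables) > MAX_TABLES:
        reasons.append(f"query touches {len(tables)} tables, limit is {MAX_TABLES}")
    for pair in FORBIDDEN_JOINS:
        if pair <= tables:
            reasons.append(f"tables {sorted(pair)} may not be combined in one query")
    if WILDCARD_RE.search(m["cols"]):
        reasons.append("wildcard projection: the policy cannot tell which columns it reveals")
    for table, col in sorted(refs | where_refs):
        if col in FORBIDDEN_COLUMNS:
            reasons.append(f"column {table}.{col} is forbidden")
    for table, needed in REQUIRED_PREDICATES.items():
        if table in tables and not {c for t, c in where_refs if t == table} & needed:
            reasons.append(f"{table} may only be read with a predicate on {sorted(needed)}")
    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample queries against the hypothetical schema above.
    for q in [
        "SELECT patient_id, diagnosis FROM visits WHERE visit_date > '2019-01-01'",
        "SELECT name, ssn FROM patients WHERE zip = '02139'",
        "SELECT p.name, v.diagnosis FROM patients p JOIN visits v ON p.id = v.patient_id",
        "SELECT * FROM visits",
        "SELECT salary FROM payroll",
        "SELECT salary FROM payroll WHERE employee_id = 17",
        "DELETE FROM visits",
    ]:
        ok, why = decide(q)
        print("ALLOW" if ok else "DENY ", q, "" if ok else f"  <- {'; '.join(why)}")
```

Two properties matter for a practitioner. The gate fails closed: a statement it cannot parse, a wildcard projection, or an unknown alias is denied rather than guessed at, because an enforcer that never sees the data has no other way to know what a query would reveal. And a gate this simple is only as strong as its parser: comments, subqueries, views, CTEs and vendor syntax all need a full parser and a canonical form before the policy runs, or the check can be bypassed by rephrasing the query.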

Published In

ACM SIGMOD Record  Volume 47, Issue 3
September 2018
35 pages
ISSN:0163-5808
DOI:10.1145/3316416

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 February 2019
Published in ACM SIGMOD Record, Volume 47, Issue 3

Qualifiers

  • Research-article

Article Metrics

  • Downloads (Last 12 months)56
  • Downloads (Last 6 weeks)11
Reflects downloads up to 08 Mar 2025

Cited By

  • (2024) Disclosure-Compliant Query Answering. Proceedings of the ACM on Management of Data 2(6), 1-28. DOI 10.1145/3698808. Online publication date: 20-Dec-2024
  • (2023) RangeQC: A Query Control Framework for Range Query Leakage Quantification and Mitigation. 2023 IEEE 43rd International Conference on Distributed Computing Systems (ICDCS), 749-759. DOI 10.1109/ICDCS57875.2023.00017. Online publication date: Jul-2023
  • (2023) Empowering Data Federation Security in Polystore Systems. 2023 20th ACS/IEEE International Conference on Computer Systems and Applications (AICCSA), 1-8. DOI 10.1109/AICCSA59173.2023.10479321. Online publication date: 4-Dec-2023
  • (2023) Rewriting Graph-DB Queries to Enforce Attribute-Based Access Control. Database and Expert Systems Applications, 431-436. DOI 10.1007/978-3-031-39847-6_34. Online publication date: 28-Aug-2023
  • (2022) Secure and Policy-Compliant Query Processing on Heterogeneous Computational Storage Architectures. Proceedings of the 2022 International Conference on Management of Data, 1462-1477. DOI 10.1145/3514221.3517913. Online publication date: 10-Jun-2022
  • (2021) Compliant Geo-distributed Query Processing. Proceedings of the 2021 International Conference on Management of Data, 181-193. DOI 10.1145/3448016.3453687. Online publication date: 9-Jun-2021
  • (2020) Multimedia Teaching in Teaching of College English Reading. Journal of Testing and Evaluation 49(4), 20200179. DOI 10.1520/JTE20200179. Online publication date: 18-Dec-2020
  • (2020) A Survey of Advanced Encryption for Database Security: Primitives, Schemes, and Attacks. Foundations and Practice of Security, 100-120. DOI 10.1007/978-3-030-70881-8_7. Online publication date: 1-Dec-2020
  • (2020) Data Publishing: Availability of Data Under Security Policies. Foundations of Intelligent Systems, 277-286. DOI 10.1007/978-3-030-59491-6_26. Online publication date: 23-Sep-2020
