Authorization in Oracle, Part 2
Ji-Won Mahesh
Stored Procedures
• If A gives B insert on t with no grant option, can only B insert into t?
• No – must consider whether B has the “create procedure” (or “create any procedure”) system privilege.
Examples

```sql
create or replace procedure def(x number, y number)
authid definer as   -- authid definer is the default and may be omitted
begin
  insert into alice.t1 values (x, y);
  commit;
end;
/
```
Bob.def

```sql
create or replace procedure inv(x number, y number)
authid current_user as
begin
  insert into alice.t1 values (x, y);
  commit;
end;
/
```
Bob.inv
Definer’s rights procedure
• “A user…requires only the privilege to execute the procedure and no privileges on the underlying objects…”
• “…operates under the security domain of the user who owns the procedure…”
• “At runtime, the privileges of the owner…are always checked…”
Invoker’s rights procedure
• “…executes with all of the invoker’s privileges…”
• “…invoker needs privileges at runtime to access…DML or dynamic SQL statements, because they are effectively recompiled at runtime.”
• “For…direct PL/SQL function calls, the owner’s privileges are checked at compile time, and no runtime check is made. Therefore, the user…needs no privileges…outside DML or dynamic SQL statements.”
Examples

```sql
create or replace procedure def_inv(x number, y number) as
begin
  bob.inv(x, y);
end;
/
```
Carl.def_inv
• Similarly: Carl.inv_inv, Carl.inv_def, …
[Diagram def_inv: users A, B, C, D; procedures inv and def_inv]

[Diagram inv_inv: users A, B, C, D; procedures inv and inv_inv]

[Diagram inv_def: users A, B, C, D; procedures def and inv_def]
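A small Python model of the rules on slides 2 to 9, added here as an illustration (it is neither the slides' code nor Oracle's implementation). The users, the direct grants and the def/inv/def_inv/inv_inv/inv_def procedures are constructed sample data; the model assumes direct grants only (no roles) and evaluates any chain of these procedures, not just the three the slides draw.

```python
from dataclasses import dataclass

# Constructed sample of direct object privileges: (grantee, privilege, object).
# Alice granted Bob insert on alice.t1 with no grant option; Carl and Dave hold
# only execute privileges on procedures.
PRIVS = {
    ("bob", "insert", "alice.t1"),
    ("carl", "execute", "bob.def"),
    ("carl", "execute", "bob.inv"),
    ("dave", "execute", "carl.def_inv"),
    ("dave", "execute", "carl.inv_inv"),
    ("dave", "execute", "carl.inv_def"),
}

@dataclass
class Proc:
    owner: str
    definer_rights: bool   # True = authid definer (default), False = authid current_user
    body: list             # ("dml", privilege, object) or ("call", "owner.proc")

PROCS = {
    "bob.def":      Proc("bob",  True,  [("dml", "insert", "alice.t1")]),
    "bob.inv":      Proc("bob",  False, [("dml", "insert", "alice.t1")]),
    "carl.def_inv": Proc("carl", True,  [("call", "bob.inv")]),
    "carl.inv_inv": Proc("carl", False, [("call", "bob.inv")]),
    "carl.inv_def": Proc("carl", False, [("call", "bob.def")]),
}

def has_priv(user, priv, obj):
    return (user, priv, obj) in PRIVS

def can_run(session_user, proc_name, current_user=None):
    """True if every privilege check along the call chain passes.
    DML in a definer's-rights unit is checked against the owner; in an
    invoker's-rights unit against the current user, which is the session
    user unless the call came through a definer's-rights unit (then its owner)."""
    proc = PROCS[proc_name]
    if session_user != proc.owner and not has_priv(session_user, "execute", proc_name):
        return False                     # no execute privilege on the procedure
    ctx = proc.owner if proc.definer_rights else (current_user or session_user)
    for stmt in proc.body:
        if stmt[0] == "dml":
            if not has_priv(ctx, stmt[1], stmt[2]):
                return False             # insufficient privileges at runtime
        # Direct PL/SQL calls are checked with the owner's privileges at
        # compile time (slide 5), so the execute check is against the owner.
        elif not can_run(proc.owner, stmt[1], ctx):
            return False
    return True
```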
Understanding Java Stack Inspection

[Diagram: layers OS; trusted Java (“the system”); untrusted Java]
Java Access Control
• Consequences of type safety
• Old approach: sandbox
• New approach: stack inspection
• Assume an access matrix, with subjects = signers/classes (?) and objects = resources
Stack Inspection

[Diagram: a call stack with the newest (current) frame on top; each frame holds arguments, local vars and a return address, and may be annotated with enable_privs(t) (assumptions about who may do this)]
Primitives
• enable_privilege(t)
• disable_privilege(t): explicit denial
• revert_privilege(t): removal of annotation
• check_privilege(t)
check_privilege_F(t)

```
check_privilege_F(t) {
  foreach stackFrame {
    if (local policy forbids access to t by the class executing in stackFrame)
      deny access;
    if (stackFrame has enabled priv. for t)
      return; // allow access
    if (stackFrame has disabled priv. for t)
      deny access;
  }
  Default:
    Netscape: deny
    Sun/Microsoft: allow
}
```
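The pseudocode above as runnable Python, added here as an illustration (not the slides' or any JVM's code). The policy table, class names and targets are constructed; the default applied when the walk reaches the bottom of the stack is a parameter, so both the Netscape and the Sun/Microsoft behaviour can be exercised.

```python
from dataclasses import dataclass, field

@dataclass
class Frame:
    cls: str                                    # class executing in this frame
    enabled: set = field(default_factory=set)   # targets annotated via enable_privilege
    disabled: set = field(default_factory=set)  # targets annotated via disable_privilege

# Local policy (the access matrix of slide 11): class -> targets it may use.
# Constructed sample: the browser, one trusted library class and an applet.
POLICY = {
    "Browser": {"file.read", "file.write", "net.connect"},
    "TrustedFileIO": {"file.read", "file.write"},
    "Applet": set(),
}

def enable_privilege(frame, t):
    frame.disabled.discard(t)
    frame.enabled.add(t)

def disable_privilege(frame, t):      # explicit denial
    frame.enabled.discard(t)
    frame.disabled.add(t)

def revert_privilege(frame, t):       # removal of annotation
    frame.enabled.discard(t)
    frame.disabled.discard(t)

def check_privilege(stack, t, default_allow):
    """Walk the stack from the newest frame (stack[0]) toward the oldest.
    default_allow applies if no frame decides: False for Netscape's
    deny-by-default, True for Sun/Microsoft's allow-by-default."""
    for frame in stack:
        if t not in POLICY.get(frame.cls, set()):
            return False      # local policy forbids t for this class: deny
        if t in frame.enabled:
            return True       # a frame that enabled t ends the walk: allow
        if t in frame.disabled:
            return False      # explicit denial
    return default_allow
```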
ABLP Logic
• If s is an instance of a theorem in propositional logic, then s is true in ABLP
• (Atomic) principals, statements
• Connectives: says, ⇒, ∧, |
• Statement: e.g. Ok(t)
• E.g. axiom: (A says (B ⇒ A)) ⇒ (B ⇒ A)
Decision Problem
check_privilege_F(t) ≈ E_F ⊢ Ok(t) ?
E_F = (…, A_VM(F), B_F) = set of frame credentials:
• frame ⇒ signer
• A_VM(F) = access matrix entries, P ⇒ t
• B_F = belief set for the frame F
Constructing belief set
• Example from the paper…
Decision Procedure
• Collects all statements from (…, A_VM(F), B_F)
• Considers “type 1” statements: Ok(u)
• Then considers “type 2” statements (P ⇒ Q) and builds a di-graph
• Then considers “type 3” statements (F1 | F2 | … | Fk says Ok(u)). True if both:
  – for all 1, …, k, Fi ⇒ t in the di-graph
  – u = t
Decision Procedure (contd.)
• Terminates
• Is sound
• Conjectured to be complete
• Is “equivalent” to Java stack inspection
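The three-step decision procedure of the preceding slides in Python, added here as an illustration (not the paper's implementation). Frame credentials are passed as frame ⇒ signer pairs, A_VM(F) pairs and the belief set B_F; the frame, signer and target names are constructed, and the hand-off axiom from the ABLP slide is included as an optional input.

```python
from collections import deque

def build_digraph(type2, handoffs=()):
    """type2: (P, Q) pairs meaning P => Q. handoffs: (A, B) pairs meaning
    A says (B => A); the hand-off axiom turns each one into B => A."""
    g = {}
    for p, q in type2:
        g.setdefault(p, set()).add(q)
    for a, b in handoffs:
        g.setdefault(b, set()).add(a)
    return g

def speaks_for(g, p, t):
    """True if P => t holds, i.e. t is reachable from P (and every P => P)."""
    seen, todo = {p}, deque([p])
    while todo:
        x = todo.popleft()
        if x == t:
            return True
        for y in g.get(x, ()):
            if y not in seen:
                seen.add(y)
                todo.append(y)
    return False

def decide_ok(t, type1, frame_signer, access, beliefs, handoffs=()):
    """Decide E_F |- Ok(t).
    type1:        set of u for which Ok(u) is stated outright
    frame_signer: (frame, signer) pairs, read as frame => signer
    access:       (principal, target) pairs from A_VM(F), read as P => t
    beliefs:      B_F, a list of (frames, u) read as F1 | ... | Fk says Ok(u)
    A type-3 statement proves Ok(t) iff u = t and every Fi => t in the digraph."""
    if t in type1:
        return True
    g = build_digraph(list(frame_signer) + list(access), handoffs)
    return any(u == t and all(speaks_for(g, f, t) for f in frames)
               for frames, u in beliefs)

# Constructed sample credentials: a frame of a signed system library and a
# frame of an unsigned applet; only the library's signer may read files.
FRAME_SIGNER = [("F_io", "SysLib"), ("F_applet", "Applet")]
ACCESS = [("SysLib", "file.read")]
```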
Other stuff
• E.g., when does a call to enable_privilege(t) succeed?
• Canonical form for belief set: P1 | P2; P2 | P1; P | P; P
• Pushdown automata
• Security-passing style: carrying the belief set around in a “hidden” parameter
Other stuff (contd.)
• RPC: caller sends to callee the belief set and the frame credentials
• Callee prepends K_caller | to every entry in the belief set