Authorization in Oracle, Part 2

Ji-Won, Mahesh


Post on 21-Jan-2016


DESCRIPTION

Authorization in Oracle, Part 2 (Ji-Won, Mahesh). Stored procedures: if A gives B insert on t with no grant option, can only B insert into t? No: one must also consider whether B has the “create procedure” (or “create any procedure”) system privilege. Examples. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: Authorization in Oracle Part 2, Ji-Won and Mahesh

Authorization in Oracle, Part 2

Ji-Won, Mahesh

Page 2: Stored Procedures

If A gives B insert on t with no grant option, can only B insert into t? No: one must also consider whether B has the “create procedure” (or “create any procedure”) system privilege.

Page 3: Examples

create or replace procedure def(x number, y number)
authid definer as        -- authid definer is the default and may be omitted
begin
  insert into alice.t1 values (x, y);
  commit;
end;
/

Bob.def

create or replace procedure inv(x number, y number)
authid current_user as
begin
  insert into alice.t1 values (x, y);
  commit;
end;
/

Bob.inv

Page 4: Definer’s rights procedure

“A user…requires only the privilege to execute the procedure and no privileges on the underlying objects…”

“…operates under the security domain of the user who owns the procedure…”

“At runtime, the privileges of the owner…are always checked…”

Page 5: Invoker’s rights procedure

“…executes with all of the invoker’s privileges…”

“…invoker needs privileges at runtime to access…DML or dynamic SQL statements, because they are effectively recompiled at runtime.”

“For…direct PL/SQL function calls, the owner’s privileges are checked at compile time, and no runtime check is made. Therefore, the user…needs no privileges…outside DML or dynamic SQL statements.”

Page 6: Examples

create or replace procedure def_inv(x number, y number) as
begin
  bob.inv(x, y);
end;
/

Carl.def_inv

• Similarly: Carl.inv_inv, Carl.inv_def, …

Page 7: def_inv

[Diagram: principals A, B, C, D; procedures inv and def_inv in the call chain]

Page 8: inv_inv

[Diagram: principals A, B, C, D; procedures inv and inv_inv in the call chain]

Page 9: inv_def

[Diagram: principals A, B, C, D; procedures def and inv_def in the call chain]
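The slides show the procedures but not the grants around them. The following is an added example (not from the slides) that puts Bob's def and inv and Carl's def_inv into one grant and call chain, with a fourth user Dave (assumed, not on the slides) who holds no privilege on alice.t1 at all. It shows the security-relevant point of slide 2: with a definer's rights procedure Bob can pass his INSERT on to Dave even though Alice granted it with no grant option, while the invoker's rights chain moves the privilege check to whoever is the current user inside bob.inv.

```sql
-- Added example, not from the slides. Each "(as user)" block is run in
-- that user's own session; Bob and Carl are assumed to already hold the
-- CREATE PROCEDURE system privilege (the point made on slide 2).

-- (as alice) owns the table; INSERT goes to Bob with no grant option.
create table t1 (x number, y number);
grant insert on t1 to bob;

-- (as bob) definer's rights: the INSERT is checked against Bob's
-- privileges, whoever calls it.
create or replace procedure def(x number, y number)
authid definer as
begin
  insert into alice.t1 values (x, y);
  commit;
end;
/
-- invoker's rights: the INSERT is checked against the current user.
create or replace procedure inv(x number, y number)
authid current_user as
begin
  insert into alice.t1 values (x, y);
  commit;
end;
/
grant execute on def to carl, dave;
grant execute on inv to carl, dave;

-- (as carl) definer's rights wrapper around Bob's invoker's rights
-- procedure. Inside def_inv the current user seen by bob.inv is Carl,
-- the owner of the definer's rights unit, so Carl (not Dave) is the one
-- who needs INSERT on alice.t1 for the insert to run.
create or replace procedure def_inv(x number, y number) as
begin
  bob.inv(x, y);
end;
/
grant execute on def_inv to dave;

-- (as dave, who has no privilege on alice.t1)
exec bob.def(1, 1);       -- succeeds: Bob's INSERT is used (no grant
                          -- option on Bob's grant does not stop this)
exec bob.inv(2, 2);       -- fails: Dave has no INSERT on alice.t1
exec carl.def_inv(3, 3);  -- fails until Alice grants INSERT to Carl;
                          -- Dave still only needs EXECUTE on carl.def_inv
```

The defender's check here is to treat EXECUTE on a definer's rights procedure as a grant of every object privilege its owner holds, and to review who owns such procedures and what they touch.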

Page 10: Understanding Java Stack Inspection

[Diagram of layers: OS; trusted Java (“the system”); untrusted Java]

Page 11: Java Access Control

• Consequences of type safety
• Old approach: sandbox
• New approach: stack inspection

Assume an access matrix, with subjects = signers/classes (?), and objects = resources.

Page 12: Stack Inspection

[Diagram of a call stack: each frame has arguments, local vars., ret. addr.; a frame may be annotated with enable_privs(t) (assumptions about who may do this); the newest frame is the current frame]

Page 13: Primitives

• enable_privilege(t)
• disable_privilege(t): explicit denial
• revert_privilege(t): removal of annotation
• check_privilege(t)

Page 14: check_privilege_F(t)

check_privilege(t) {
  foreach stackFrame {
    if (local policy forbids access to t by the class executing in stackFrame)
      deny access;
    if (stackFrame has enabled priv. for t)
      return; // allow access
    if (stackFrame has disabled priv. for t)
      deny access;
  }
  Default (no frame decided):
    Netscape: deny
    Sun/Microsoft: allow
}

Page 15: ABLP Logic

If s is an instance of a theorem in propositional logic, then s is true in ABLP.

(Atomic) principals, statements. Connectives: says, , , ∧, |. Statement: e.g. Ok(t). E.g. axiom: (A says (B A)) (B A)

Page 16: Decision Problem

check_privilege_F(t) ≈ E_F Ok(t) ?

E_F = ( , A_VM(F), B_F) = set of frame credentials

• frame signer
• A_VM(F) = access matrix entries (P t)
• B_F = belief set for the frame F

Page 17: Constructing belief set

Example from the paper…

Page 18: Decision Procedure

• Collects all statements from ( , A_VM(F), B_F)
• Considers “type 1” statements: Ok(u)
• Then considers “type 2” statements (P Q) and builds a di-graph.
• Then considers “type 3” statements (F1 | F2 | … | Fk says Ok(u)). True if both: for all 1, …, k, Fi t in the di-graph; and u = t.

Page 19: Decision Procedure (contd.)

• Terminates
• Is sound
• Conjectured to be complete
• Is “equivalent” to Java stack inspection

Page 20: Other stuff

• E.g., when does a call to enable_privilege(t) succeed?
• Canonical form for belief set: P1 | P2 P2 | P1; P | P P
• Pushdown automata
• Security-passing style: carrying around the belief set in a “hidden” parameter

Page 21: Other stuff (contd.)

RPC: Caller sends to callee:

• Belief set
• Frame credentials

Callee prepends K_caller | to every entry in the belief set.