Non-invasive method of mandatory access control implementation on DBMS layer in web applications
Prikladnaya Diskretnaya Matematika. Supplement, no. 8 (2015), pp. 89-92.

See the article record from the source Math-Net.Ru

We propose a non-invasive method for implementing mandatory access control at the MySQL DBMS layer in web applications. The method is based on formal DP-models for the MySQL DBMS and a proxy-based reference monitor for SQL queries. Its main idea is to identify users in account-based web applications and to rewrite SQL queries. User identities are added by an application module (Django middleware) and transmitted to MySQL-proxy in the comments of SQL queries. Once users have been identified, we simulate identification of DBMS entities and row-level security by SQL rewriting.
Keywords: access control, DBMS security, web applications.
@article{PDMA_2015_8_a32,
     author = {D. N. Kolegov and N. O. Tkachenko},
     title = {Non-invasive method of mandatory access control implementation on {DBMS} layer in web applications},
     journal = {Prikladnaya Diskretnaya Matematika. Supplement},
     pages = {89--92},
     publisher = {mathdoc},
     number = {8},
     year = {2015},
     language = {ru},
     url = {http://geodesic.mathdoc.fr/item/PDMA_2015_8_a32/}
}
D. N. Kolegov; N. O. Tkachenko. Non-invasive method of mandatory access control implementation on DBMS layer in web applications. Prikladnaya Diskretnaya Matematika. Supplement, no. 8 (2015), pp. 89-92. http://geodesic.mathdoc.fr/item/PDMA_2015_8_a32/