Authorization analysis of queries in object-oriented databases

Abstract

A simple model for method-based authorization is defined and an algorithm is presented for testing in compile-time whether a given database schema violates authorizations. As an underlying model of method execution, we adopt the model proposed by Hull et al.; a database schema consists of a class hierarchy, attribute declarations and method definitions. A method body is simply a sequence of statements. There are three types of statements: an access to an attribute of the self object, a method invocation, and a built-in operation on basic values. Authorizations are represented as a pair of finite sets: AUTH =〈AUTH _m,AUTH _s〉, AUTH _m={(c₁, m₁, c′₁, m′₁), (c₂, m₂, c′₂, m′₂),..., (c_l, m_l, c′_l, m′_l)}, AUTH_s= {(s₁, c₁, m₁), (s₂, c₂, m₂),..., (s_n, c_n, m_n)} where s _i is a subject (user, process), c _i, c′_i are classes and m _i, m′_i are method names. Given a database schema S, a subject s and a set of authorizations AUTH, we say that (S, s) is valid with respect to AUTH, if, whenever a method m invoked by s on an object of a class c is directly invoking a method m′ on an object of a class c′, (s, c′, m′) belongs to AUTH _s or (c, m, c′,m′) belongs to AUTH _m. In this paper we show that if one of the following conditions holds, then it can be decided in polynomial time whether (S, s) is valid with respect to AUTH.

1. 1.

   S is a retrieval schema, that is, does not contain any statement which updates an attribute.

2. 2.

   S is a non-branching update schema, which permits updates in a restricted way, and a database instance is acyclic.