International Journal of Information Security

, Volume 16, Issue 1, pp 75–89 | Cite as

An extended access control mechanism exploiting data dependencies

  • Davide Alberto Albertini
  • Barbara Carminati
  • Elena Ferrari
Regular Contribution


In general, access control mechanisms in DBMSs ensure that users access only those portions of data for which they have authorizations, according to a predefined set of access control policies. However, it has been shown that access control mechanisms might be not enough. A clear example is the inference problem due to functional dependencies, which might allow a user to discover unauthorized data by exploiting authorized data. In this paper, we wish to investigate data dependencies (e.g., functional dependencies, foreign key constraints, and knowledge-based implications) from a different perspective. In particular, the aim was to investigate data dependencies as a mean for increasing the DBMS utility, that is, the number of queries that can be safely answered, rather than as channels for releasing sensitive data. We believe that, under given circumstances, this unauthorized release may give more benefits than issues. As such, we present a query rewriting technique capable of extending defined access control policies by exploiting data dependencies, in order to authorize unauthorized but inferable data.


Query rewriting Data dependencies Functional dependencies Discretionary access control 



The research presented in this paper was partially funded by the European Office of Aerospace Research and Development (EOARD) and the Air Force for Scientific Research (ASFOR). We would like to thank authors of [1] for their remarkable help in providing the dataset that have been exploited in test phase and in setting the query generator. Authors would like to thank the anonymous reviewers for their valuable comments and suggestions to improve the quality of the paper.


  1. 1.
    Bender, G., Kot, L., Gehrke, J.: Explainable security for relational databases. In: Proceedings of the 2014 ACM SIGMOD International Conference on Management of Data (2014)Google Scholar
  2. 2.
    Bertino, E.: Data Protection from Insider Threats. Synthesis Lecture on Data Management. Morgan & Claypool, San Rafael (2012)Google Scholar
  3. 3.
    Bishop, M., Engle, S., Peisert, S., Whalen, S., Gates, C.: We have met the enemy and he is us. In: Proceedings of the 2008 Workshop on New Security Paradigms (2008)Google Scholar
  4. 4.
    Biskup, J., Embley, D.W., Lochner, J.-H.: Reducing inference control to access control for normalized database schemas. Inf. Process. Lett. 106(1):8–12 (2008)Google Scholar
  5. 5.
    Biskup, J., Hartmann, S., Link, S., Lochner, J.-H.: Efficient inference control for open relational queries. In: Proceedings of the 24th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (2010)Google Scholar
  6. 6.
    Brodsky, A., Farkas, C., Jajodia, S.: Secure databases: constraints, inference channels, and monitoring disclosures. IEEE Trans. Knowl. Data Eng. 12(6):900–919 (2000)Google Scholar
  7. 7.
    Delugach, H.S., Hinke, T.H.: Wizard: a database inference analysis and detection system. IEEE Trans. Knowl. Data Eng. 8(1):56–66 (1996)Google Scholar
  8. 8.
    Denning, D.E.: Commutative filters for reducing inference threats in multilevel database systems. In: Security and Privacy, 1985 IEEE Symposium on (1985)Google Scholar
  9. 9.
    Denning, D.E.: Annual Review of Computer Science: Vol. 3, chapter Database Security (1988)Google Scholar
  10. 10.
    Farkas, C., Jajodia, S.: The inference problem: a survey. ACM SIGKDD Explor. Newsl. 4(2):6–11 (2002)Google Scholar
  11. 11.
    Hale, J., Shenoi, S.: Catalytic inference analysis: detecting inference threats due to knowledge discovery. In: Security and Privacy, 1997. Proceedings, 1997 IEEE Symposium on (1997)Google Scholar
  12. 12.
    Morgenstern, M.: Controlling logical inference in multilevel database systems. In: Proceedings of the 1988 IEEE Conference on Security and Privacy (1988)Google Scholar
  13. 13.
    Qian, X., Stickel, M. E., Karp, P. D., Lunt, T. F., Carvey, T. D.: Detection and elimination of inference channels in multilevel relational database systems. In: Proceedings of the 1993 IEEE Symposium on Security and Privacy (1993)Google Scholar
  14. 14.
    Rizvi, S., Mendelzon, A., Sudarshan, S., Roy, P.: Extending query rewriting techniques for fine-grained access control. In: Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data (2004)Google Scholar
  15. 15.
    Thuraisingham, B.M.: Security checking in relational database management systems augmented with inference engines. Comput. Secur. 6(6):479–492 (1987)Google Scholar
  16. 16.
    Thuraisingham, B.M.: Security issues for data warehousing and data mining. In: Proceedings of the Tenth Annual IFIP TC11/WG11.3 International Conference on Database Security: Volume X: Status and Prospects: Status and Prospects (1997)Google Scholar
  17. 17.
    Toland, T.S., Farkas, C., Eastman, C. M.: The inference problem: maintaining maximal availability in the presence of database updates. Comput. Secur. 29(1):88–103 (2010)Google Scholar
  18. 18.
    Wang, Q., Yu, T., Li, N., Lobo, J., Bertino, E., Irwin, K., Byun, J.-W.: On the correctness criteria of fine-grained access control in relational databases. In: Proceedings of the 33rd International Conference on Very Large Data Bases (2007)Google Scholar
  19. 19.
    Woodruff, D., Staddon, J.: Private inference control. In: Proceedings of the 11th ACM Conference on Computer and Communications Security (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  • Davide Alberto Albertini
    • 1
  • Barbara Carminati
    • 1
  • Elena Ferrari
    • 1
  1. 1.Università degli Studi dell’InsubriaVareseItaly

Personalised recommendations