Securing Web Applications with Predicate Access Control

  • Zhaomo Yang
  • Kirill Levchenko
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10359)


Web application security is an increasingly important concern as we entrust these applications to handle sensitive user data. Security vulnerabilities in these applications are quite common, however, allowing malicious users to steal other application users’ data. A more reliable mechanism for enforcing application security policies is needed. Most applications rely on a database to store user data, making it a natural point to introduce additional access controls. Unfortunately, existing database access control mechanisms are too coarse-grained to express an application security policy. In this paper we propose and implement a fine-grained access control mechanism for controlling access to user data. Application access control policy is expressed using row-level access predicates, which allow an application’s access control policy to be extended to the database. These predicates are expressed using the SQL syntax familiar to developers, minimizing the developer effort necessary to take advantage of this mechanism. We implement our predicate access control system in the PostgreSQL 9.2 DBMS and evaluate our system by developing an access control policy for Drupal 7 and Spree Commerce. Our mechanism protected Drupal and Spree against five known security vulnerabilities.
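To make the idea of a row-level access predicate concrete, the following added example (not code from the paper) uses PostgreSQL's built-in row-level security, available since PostgreSQL 9.5, as a stand-in for the paper's own mechanism, whose predicate syntax is not shown on this page. The table, role, policy and setting names (`orders`, `webapp`, `orders_owner`, `app.user_id`) are hypothetical.

```sql
-- Constructed schema and data for illustration only.
CREATE TABLE orders (
    id       serial PRIMARY KEY,
    user_id  integer NOT NULL,          -- owner of the row
    total    numeric(10,2) NOT NULL
);
INSERT INTO orders (user_id, total) VALUES (1, 19.99), (2, 250.00), (2, 5.00);

-- The web application runs its queries as an unprivileged role,
-- never as the table owner or a superuser (both bypass policies).
CREATE ROLE webapp NOLOGIN;
GRANT SELECT, UPDATE ON orders TO webapp;

-- Enable row-level enforcement. With no policy defined, the default
-- for non-owner roles is deny.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;

-- The access predicate, written in ordinary SQL: a row may be read or
-- modified only if it belongs to the user recorded for this session.
-- USING filters existing rows; WITH CHECK constrains new row values,
-- so a row cannot be reassigned to another user_id.
CREATE POLICY orders_owner ON orders
    FOR ALL TO webapp
    USING      (user_id = current_setting('app.user_id')::integer)
    WITH CHECK (user_id = current_setting('app.user_id')::integer);

-- Per-request pattern: trusted connection code binds the authenticated
-- user before any application query runs. If app.user_id is unset,
-- current_setting() raises an error, so the request fails closed.
BEGIN;
SET LOCAL ROLE webapp;
SET LOCAL app.user_id = '1';

-- Application queries that forgot their ownership check. The database
-- applies the predicate anyway, so rows owned by user 2 are neither
-- visible to the SELECT nor matched by the UPDATE.
SELECT id, user_id, total FROM orders;
UPDATE orders SET total = 0 WHERE id = 2;
COMMIT;
```

The predicate is only as trustworthy as the value it compares against: `app.user_id` must be set by connection-handling code from the authenticated session, never derived from request parameters.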



Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

  1. University of California, San Diego, USA
  2. University of California, San Diego, USA
