Diesel: Applying Privilege Separation to Database Access

Adrienne Porter Felt, Matthew Finifter, Joel Weinberger and David Wagner

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2010-149
December 8, 2010

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-149.pdf

Database-backed applications typically grant complete database access to every part of the application. In this scenario, a flaw in one module can expose data that the module never uses for legitimate purposes. Drawing parallels to traditional privilege separation, we argue that database data should be subject to limitations such that each section of code receives access to only the data it needs. We call this data separation. Data separation defends against SQL-based errors including buggy queries and SQL injection attacks and facilitates code review, since a module's policy makes the extent of its database access explicit to programmers and code reviewers. We design and construct a system called Diesel, which implements data separation by intercepting database queries and applying modules' restrictions to the queries. We evaluate Diesel on three widely-used applications: Drupal, JForum, and WordPress.


BibTeX citation:

@techreport{Felt:EECS-2010-149,
    Author = {Felt, Adrienne Porter and Finifter, Matthew and Weinberger, Joel and Wagner, David},
    Title = {Diesel: Applying Privilege Separation to Database Access},
    Institution = {EECS Department, University of California, Berkeley},
    Year = {2010},
    Month = {Dec},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-149.html},
    Number = {UCB/EECS-2010-149},
    Abstract = {Database-backed applications typically grant complete database access to every part of the application. In this scenario, a flaw in one module can expose data that the module never uses for legitimate purposes. Drawing parallels to traditional privilege separation, we argue that database data should be subject to limitations such that each section of code receives access to only the data it needs. We call this data separation.  Data separation defends against SQL-based errors including buggy queries and SQL injection attacks and facilitates code review, since a module's policy makes the extent of its database access explicit to programmers and code reviewers. We design and construct a system called Diesel, which implements data separation by intercepting database queries and applying modules' restrictions to the queries. We evaluate Diesel on three widely-used applications: Drupal, JForum, and WordPress.}
}

EndNote citation:

%0 Report
%A Felt, Adrienne Porter
%A Finifter, Matthew
%A Weinberger, Joel
%A Wagner, David
%T Diesel: Applying Privilege Separation to Database Access
%I EECS Department, University of California, Berkeley
%D 2010
%8 December 8
%@ UCB/EECS-2010-149
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2010/EECS-2010-149.html
%F Felt:EECS-2010-149