New software improves database security

Penn State researchers have developed software that more quickly and efficiently ensures that databases don’t release unauthorized information.

The software, QFilter, “sits” between users and databases and filters or culls out unauthorized requests for data before a database responds to a query. “We have shifted the thinking from data filtering to query filtering,” said Dongwon Lee, assistant professor in the School of Information Sciences and Technology (IST). “This is a practical solution to the ongoing problem of database access controls.”

Businesses and organizations know a critical security guarantee for their databases is that only authorized users can access approved data. That security is managed currently through access control-modules built separately into individual databases. QFilter can implement database security without those modules. This means it can be used with off-the-shelf databases and without requiring substantial changes to existing databases, the researchers said. “That difference not only makes the security check of QFilter very practical, but it also significantly improves query-response time by rejecting unauthorized requests early on,” Lee said.

The technology is discussed in a paper titled “QFilter: Fine-Grained Run-Time XML Access Control via NFA-based Query Rewriting” presented today (Nov. 11) at the ACM Conference on Information and Knowledge Management in Washington, D.C. Lee’s co-authors are Bo Luo, an IST doctoral student; Peng Liu, an assistant professor of information sciences and technology in IST; and Wang-Chien Lee, an associate professor in the department of Computer Science and Engineering.

Other technologies for restricting access to databases exist. One popular technique is view-based technology which creates different data views for each user. Once the views are created, the database no longer has to check users’ credentials, so there is a speed advantage. But as the number of users requesting access grows or views need to be updated frequently, this technology will have maintenance and storage issues, the researchers said. “The issues are what technology is the fastest, what requires the least storage and what requires the least amount of changes to existing databases,” Lee said. “Compared to competing techniques, QFilter is better on all three.”

To capture and determine who can access what information, QFilter uses a specialized model of computation known as non-deterministic finite automata (NFA). NFA stores a large number of access control policies in an efficient and non-redundant fashion. NFA monitors when users’ queries pass through and filters out parts of queries asking for unauthorized access.

Work on QFilter continues as the software is not in its final version, said Lee who anticipates developing other applications for QFilter.