Diesel: Applying Privilege Separation to Database Access

Authors:
Felt, Adrienne Porter
Finifter, Matthew
Weinberger, Joel
Wagner, David
Technical Report Identifier: EECS-2010-149
December 8, 2010
EECS-2010-149.pdf

Abstract: Database-backed applications typically grant complete database access to every part of the application. In this scenario, a flaw in one module can expose data that the module never uses for legitimate purposes. Drawing parallels to traditional privilege separation, we argue that database data should be subject to limitations such that each section of code receives access to only the data it needs. We call this data separation. Data separation defends against SQL-based errors including buggy queries and SQL injection attacks and facilitates code review, since a module's policy makes the extent of its database access explicit to programmers and code reviewers. We design and construct a system called Diesel, which implements data separation by intercepting database queries and applying modules' restrictions to the queries. We evaluate Diesel on three widely-used applications: Drupal, JForum, and WordPress.