Systems and methods that optimize row level database security

US 20050177570A1
Filed: 07/07/2004
Published: 08/11/2005
Est. Priority Date: 02/11/2004
Status: Active Grant

First Claim

Patent Images

1. A system that facilitates database security, comprising:

an input component that receives a query; and

a query management component that utilizes rules of predicate to augment the query with at least row-level security expressions, the augmented query is utilized to search data and return rows of data that at least satisfy an aggregate of the row-level security expressions.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The systems and methods of the present invention facilitate database row-level security by utilizing SQL extensions to create and associate named security expressions with a query initiator(s). Such expressions include Boolean expressions, which must be satisfied by a row of data in order for that data to be made accessible to the query initiator. In general, a query is augmented with security expressions, which are aggregated and utilized during querying rows of data. The systems and methods variously place security expressions within a query in order to optimize query performance while mitigating information leaks. This is achieved by tagging security expressions as special and utilizing rules of predicate to pull or push non-security expressions above or below security expressions, depending on the likelihood of a non-security being safe, as determined via a static and/or dynamic analysis.

Citations

28 Claims

1. A system that facilitates database security, comprising:
- an input component that receives a query; and
  
  a query management component that utilizes rules of predicate to augment the query with at least row-level security expressions, the augmented query is utilized to search data and return rows of data that at least satisfy an aggregate of the row-level security expressions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, the query is augmented by inserting an expression composed of a conjunction of:
    - a disjunction of Boolean expressions that grant row access when satisfied, and a conjunction of a complement of respective Boolean expressions that deny row access when satisfied.
  - 3. The system of claim 1, the row-level security expressions are tagged special in order to discriminate between security expressions and non-security expressions.
  - 4. The system of claim 1, the rules of predicate mitigate information leaks by defining an order in which security expressions and non-security expressions are inserted into the query, which determines the order in which respective expressions are utilized during data row evaluation.
  - 5. The system of claim 1, further comprising an optimizer that pulls non-security expressions above security expressions or pushes non-security expressions below security expressions in order to improve performance and mitigate information leaks.
  - 6. The system of claim 1, further comprising a component that performs a static analysis at compile-time to determine whether a non-security expression within the query is safe.
  - 7. The system of claim 6, a safe expression is an expression that executes without risk of information disclosure from a security breach.
  - 8. The system of claim 1, further comprising a component that performs a dynamic analysis at run-time to determine whether a non-security expression is safe.
  - 9. The system of claim 8, the dynamic analysis returns data if all security expressions successfully execute.
  - 10. The system of claim 1, further comprising a component that detects safety violations and aborts the query or re-starts the query in a safe mode.
  - 11. The system of claim 10, the safe mode ensures security expressions are employed to evaluate rows of data prior to employing non-security expressions.
  - 12. The system of claim 1, the security expressions are Boolean expressions.
  - 13. The system of claim 1, one or more security expressions are created via SQL statements for a row of data by an administrator of the data.
  - 14. The system of claim 1, one or more security expressions for a set of rows of data are associated with one or more query initiators by an administrator of the data.

15. A method for employing row-level database security, comprising:
- obtaining one or more row-level security expressions for a query, based on the source of the query; and
  
  inserting the one or more row-level security expression into the query so that the security expressions are utilized to evaluate a row of data prior to executing the unsafe non-security expression.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The method of claim 15, further comprising grafting an expression composed of a conjunction of a disjunction of Boolean expressions that grant row access when satisfied and a conjunction of a complement of respective Boolean expressions that deny row access when satisfied and inserting the grafted expression into the query.
  - 17. The method of claim 15, further comprising employing SQL statements to create, associate and/or revoke security expressions.
  - 18. The method of claim 15, further comprising employing SQL statements to grant or deny a permission to a row(s) of data to a user.
  - 19. The method of claim 15, further comprising inserting the one or more row-level security expression into the query to optimize performance when the query does not include an unsafe non-security expression
  - 20. The method of claim 15, further comprising utilizing predicate rules of movement to facilitate ordering the security expressions within the query.
  - 21. The method of claim 20, the predicate rules define whether to pull or push a non-security expression above or below a security expression to improve performance and mitigate data leaks.
  - 22. The method of claim 15, further comprising performing a static analysis to determine whether a non-security expression is unsafe.
  - 23. The method of claim 15, further comprising performing a dynamic analysis to determine whether a non-security expression is unsafe.
  - 24. The method of claim 15, further comprising defining logical non-security expressions as safe expressions.
  - 25. The method of claim 15, further comprising re-starting a query in safe mode when a safety violations is detected, safe mode ensures security expressions are utilized to evaluate row data prior to non-security expressions.

26. A data packet transmitted between two or more computer components that facilitates row-level database security, comprising:
- a query with one or more SQL created security expressions located therein based on a rules of predicate that is utilized to evaluate a row of data in order to provide access to the row of data when the security expressions are satisfied.

27. A computer readable medium storing computer executable components to facilitate row-level database security, comprising:
- a component that grafts security expressions for a user into a statement;
  
  a component that adds the statement to a query initiated by the user;
  
  a component that optimizes the placement of the statement within the query; and
  
  a component that queries rows of data based on the statement and returns rows of data that satisfy the statement.

28. A database security system, comprising:
- means for augmenting queries with row level security expressions;
  
  means for positioning the row level security expressions within the query to improve performance or mitigate data leaks;
  
  means for evaluating rows of data with the row level security expressions; and
  
  means for providing access to rows of data that satisfy the row level security expressions to users.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hamilton, James R., Dutta, Tanmoy, Cristofor, Laurentiu Bogdan, Kline, Rodger N., Chander, Girish

Granted Patent

US 7,661,141 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/6227 where protection concerns t...

Systems and methods that optimize row level database security

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods that optimize row level database security

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links