Abstract:
We propose non-invasive method of mandatory access control implementation on DBMS MySQL layer in web applications. This method is based on formal DP-models for DBMS MySQL and proxy-based reference monitor for SQL queries. The main idea of the method is identification of users in account-based web applications and SQL query rewriting. Users' identities are added by applicaion's module (Django middleware) and transmitted in comments of SQL queries to MySQL-proxy. After identification of users has been completed, we simulate DBMS's entities identification and row level security by SQL rewriting.
Keywords:access control, web applications, DBMS security.