Abstract
This dissertation considers the use of a virtual machine as an access control mechanism
in a relational database management system. Such a mechanism may prove
to be more flexible than the normal access control mechanism that forms part of a
relational database management system.
The background information provided in this text (required to clearly comprehend
the issues that are related to the virtual machine and its language) introduces
databases, security and security mechanisms in relational database management
systems.
Finally, an existing implementation of a virtual machine that is used as a
pseudo access control mechanism is provided. This mechanism is used to examine
data that travels across a electronic communications network.
Subsequently, the language of the virtual machine is chiefly considered, since
it is this language which will determine the power and flexibility that the virtual
machine offers. The capabilities of the language is illustrated by showing how
it can be used to implement selected access control policies. Furthermore it is
shown that the language can be used to access data stored in relations in a safe
manner, and that the addition of the programs to the DAC model does not cause a
significant increase in the management of a decentralised access control model.
Following the proposed language it is obvious that the architecture of the
ìnewî access control subsystem is also important since this architecture determines
where the virtual machine fits in to the access control mechanism as a
whole. Other extensions to the access control subsystem which are important
for the functioning of the new access control subsystem are also reected upon.
Finally, before concluding, the dissertation aims to provide general considerations
that have to be taken into account for any potential implementation of
the virtual machine. Aspects such as the runtime support system, data types and
capabilities for extensions are taken into consideration.
By examining all of the previous aspects, the access control language and programs,
the virtual machine and the extensions to the access control subsystem, it
is shown that the virtual machine and the language offered in this text provides
the capability of implementing all the basic access control policies that can normally
be provided. Additionally it can equip the database administrator with a
tool to implement even more complex policies which can not be handled in a simple
manner by the normal access control system. Additionally it is shown that
using the virtual machine does not mean that certain complex policies have to be
implemented on an application level.
It is also shown that the new and extended access control subsystem does
not significantly alter the way in which access control is managed in a relational
database management system.
Prof. M.S. Olivier