Diesel: Applying Privilege Separation to Database Access
Database-backed applications typically grant complete database access to every part of the application. In this scenario, a flaw in one module can expose data that the module never uses for legitimate purposes. Drawing parallels to traditional privilege separation, the authors argue that database data should be subject to limitations such that each section of code receives access to only the data it needs. They call this data separation. Data separation defends against SQL-based errors including buggy queries and SQL injection attacks and facilitates code review, since a module's policy makes the extent of its database access explicit to programmers and code reviewers. They design and construct a system called Diesel, which implements data separation by intercepting database queries and applying modules' restrictions to the queries. They evaluate Diesel on three widely-used applications: Drupal, JForum, and WordPress.