Database Security. Sarajane Marques Peres, Ph.D. University of São Paulo

Transcription

1 Database Security Sarajane Marques Peres, Ph.D. University of São Paulo Based on Elsmari x Navathe / Silberschatz, Korth, Sudarshan s books

2

3 Types of security Legal and ethical issues regarding the right to access certain informalon. Some informalon may be private and cannot be accessed legally by unauthorized organizalons or persons. Policy issues at the governmental, insltulonal, or corporate level. Credit ralngs or personal medical records. System- related issues such as the system levels at which various security funclons should be enforce. A security funclon should be handled at the physical hardware level, or OS level or DBMS level. The need in some organiza8ons to idenlfy mullple security level and to categorize the data and users based on these classificalons: Top secret, secret, confidenlal, and unclassified

4 Threats to databases Integrity: the requirement that informalon be protected from improper modificalon. Loss of integrity: unauthorized changes, by either intenlonal or accidental acts. Availability: making objects available to a human user or a program to which they have a legilmate right. Confiden8ality: the proteclon of data from unauthorized disclosure.

5 Control measures Three important factors need to be considered before deciding whether it is safe to reveal the data: Data availability: If a user is updalng a field, then this field becomes inaccessible and other users should not be able to view this data (concurrency control). Access acceptability: Data should only be revealed to authorized users. Be careful: data can reveal informalon Authen8city assurance: Before granlng access, certain external characterislcs about the user may also be considered (working hours). The system may track previous queries to ensure that a combinalon of queries does not reveal sensilve data.

6 Control measures System log Recovery purposes Id transac8ons Start / commit transac8ons Read / write opera8ons Old / new values of data Audit purposes Id user Log in / log out 8me Id computer / device

7 Control measures Sensi8vity of data is a measure of the importance assigned to the data by its owner for the purpose of denolng its needs for proteclon. SensiLve data: Inherently sensilve: person s salary or that a palent has HIV/AIDS From a sensilve source: an informer whose idenlty must be kept secret. Declared sensilve A sensilve azribute or sensilve record: the salary azribute of an employee SensiLve in relalon to previously disclosed data: the exact laltude and longitude informalon for a localon where some previously recorded event happened that was later deemed sensilve.

8 Control measures Access control: Prevent unauthorized persons from accessing the system itself, either to obtain informalon or to make malicious changes. User accounts and passwords to control the login process. The DBA has a DBA account (a superuser accout), which provides powerful capabililes that are not made available to regular database accounts and users, including commands for granlng and revoking privileges to individual accounts, users, or user groups. AcLons: account crea8on, privilege gran8ng, privilege revoca8on, security level assignment.

9 Control measures DiscreLonary Access Control: based on the granlng and revoking of privileges Level: Account level: the DBA specifies the parlcular privileges that each account holds. Create schema; create table/view; alter table/view; drop table/view; modify (tuples); select (query). Rela8on level: the DBA can control the privilege to access each individual relalon or view in the database. access matrix model, where the rows of a matrix M represent subjects (users, programs) and the columns represent objects (relalons, records, columns, views, operalons); each posilon M(i, j) in the matrix represents the types of privileges (read, write, update) that subject i holds on object j. It is possible to use VIEWS in order to specify some kind of privilege!

10 The example Considering four accounts: A1, A2, A3 e A4 GRANT CREATETAB TO A1; % A1 is able to create base rela8ons CREATE SCHEMA EXAMPLE AUTHORIZATION A1; % the same effect A1 creates the relalons EMPLOYEE and DEPARTMENT. He is the owner.

11 The example A1 GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2; % A2 was given the privilege to insert and delete tuples in both of these rela8ons. % A1 does not want A2 to be able to propagate these privileges to addi8onal accounts GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRAND OPTION; % A1 wants to allow account A3 to retrieve informa8on from either of the two tables and also to be able to propagate the SELECT privilege to other accounts.

12 The example A3 GRANT SELECT ON EMPLOYEE TO A4; A1 REVOKE SELECT ON EMPLOYEE FROM A3;

13 The example A3 GRANT SELECT ON EMPLOYEE TO A4; A1 REVOKE SELECT ON EMPLOYEE FROM A3; The DBMS must now revoke the SELECT privilege on EMPLOYEE from A3, and it must also automalcally revoke the SELECT privilege on EMPLOYEE from A4.

14 The example A1 CREATE VIEW A3EMPLOYEE AS SELECT Name, Bdate, Address FROM EMPLOYEE WHERE Dno = 5; GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT OPTION; GRANT UPDATE ON EMPLOYEE (Salary) TO A4;

15 Control measures Role- Based Access Control Privileges and other permissions are associated with organizalonal roles, rather than individual users. Individual users are then assigned to appropriate roles. GRANT ROLE full- Lme TO employee_type1 GRANT ROLE intern TO employee_type2

16 Control measures StaLsLcal Database Security StaLsLcal databases are used mainly to produce stalslcs about various populalons. The database may contain confidenlal data about individuals, which should be protected from user access. However, users are permized to retrieve stalslcal informalon about the populalons, such as averages, sums, counts, maximums, minimums, and standard devialons.

17 Control measures StaLsLcal Database Security we may want to retrieve the number of individuals in a populalon or the average income in the populalon. stalslcal users are not allowed to retrieve individual data, such as the income of a specific person. Sta8s8cal queries: queries that involve stalslcal aggregate funclons such as COUNT, SUM, MIN, MAX, AVERAGE, and STANDARD DEVIATION.

18 An inference StaLsLcal Database Security It is possible to infer the values of individual tuples from a sequence of stalslcal queries. Consider the following stalslcal queries

19 An inference Suppose the following condilon for Q1: Last_degree= Ph.D. AND Sex= F AND City= Bellaire AND State= Texas If we get a result of 1 for this query, we can issue Q2 with the same condilon and find the Salary of Jane Smith. Even if the result of Q1 on the preceding condilon is not 1 but is a small number say 2 or 3 we can issue stalslcal queries using the funclons MAX, MIN, and AVERAGE to idenlfy the possible range of values for the Salary of Jane Smith.

20 Control measures StaLsLcal Database Security This is why no stalslcal queries are permized whenever the number of tuples in the populalon specified by the seleclon condilon falls below some threshold. it is prohibited sequences of queries that refer repeatedly to the same populalon of tuples. it is recommended to introduce slight inaccuracies or noise into the results of stalslcal queries deliberately, to make it difficult to deduce individual informalon from the results.

21 SQL InjecLon In an SQL InjecLon azack, the azacker injects a string input through the applicalon, which changes or manipulates the SQL statement to the azacker s advantage. Types SQL ManipulaLon Code InjecLon FuncLon Call InjecLon

22 SQL InjecLon SQL ManipulaLon AlternaLva (usar parametrização)

23 SQL InjecLon

24 SQL InjecLon The SQL engine checks each parameter to ensure that it is correct for its column and are treated literally, and not as part of the SQL to be executed.

25 SQL InjecLon Code Injec8on: the azacker can inject or introduce code into a computer program to change the course of execulon. Func8on Call Injec8on: In this kind of azack, a database funclon or operalng system funclon call is inserted into a vulnerable SQL statement.

26 The end!!!!