COSC344 Database Theory and Applications. Lecture 23 Security and Auditing. COSC344 Lecture 23 1

Size: px

Start display at page:

Download "COSC344 Database Theory and Applications. Lecture 23 Security and Auditing. COSC344 Lecture 23 1"

Amber Harrison
8 years ago
Views:

1 COSC344 Database Theory and Applications Lecture 23 Security and Auditing COSC344 Lecture 23 1

2 Overview Last Lecture Indexing This Lecture Database Security and Auditing Security Mandatory access control Discretionary access control Auditing Source: Chapter 25 Source: Oracle documentation Next Lecture Query Optimization COSC344 Lecture 23 2

access control Auditing Source: Chapter 25 Source: Oracle

3 Security Security refers to the protection of the database against unauthorized access, either intentional or accidental. COSC344 Lecture 23 3

4 Security Security refers to the protection of the database against unauthorized access, either intentional or accidental. COSC344 Lecture 23 4

5 Security Security refers to the protection of the database against unauthorized access, either intentional or accidental. Confidentiality (unauthorized disclosure) Integrity (protection from improper modification) Availability (make data available to user) COSC344 Lecture 23 5

Confidentiality (unauthorized disclosure) Integrity (protection from

6 Control Measures Access Control User account and password Inference Control Statistical database security Flow Control Prevent information from reaching unauthorized users Data encryption Protect sensitive data (e.g., credit card number) COSC344 Lecture 23 6

Prevent information from reaching unauthorized users Data

7 Access Control: DBA s responsibility COSC344 Lecture 23 7

8 Access Control: DBA s responsibility DBA has DBA account known as superuser Overall responsibility for managing a DBMS and its data DBA-privileged commands provide Account creation Creates a new account/password for a user or group of users Used to control access to DBMS as a whole Privilege Granting grants certain privileges to certain accounts/users Used by discretionary database authorization Privilege Revocation revokes (cancels) certain privileges from the accounts used by discretionary database authorization Security level assignment assigns user accounts to the appropriate security classification level Used by mandatory database authorization COSC344 Lecture 23 8

certain accounts/users Used by discretionary database authorization Privilege Revocation revokes (cancels) certain privileges from the accounts used by discretionary

9 Access Protection, User Accounts User needs to have proper access to DBMS To enforce access control user needs to have password and account number to log to the systems DBMS must keep track of db users uses an encrypted table of <Account#, Psswrd> uses Log-in sessions to keep track of all operations on the db [from the time of login to logoff] System log: record of all updates applied to the database by particular users COSC344 Lecture 23 9

table of <Account#, Psswrd> uses Log-in sessions to keep track of all operations on the db [from the time of

10 Audit Trails What is auditing? [sensitive database/when suspected] performed on system log to investigate any kind of unauthorized access to db at specific time Why audit a database? Monitoring errant or unauthorised activity Monitoring database statistics Audit trail: a system log used mainly for security purpose, and may contain the following Request User who invoked the operation Date and time of the operation Base relation(s), tuple(s), and attributes affected Old values New values COSC344 Lecture 23 10

11 Two Approaches to DB Security Discretionary (provided by most commercial DBMSs) A given user may have different access rights to different objects (relation level) Different users may have different rights on the same object (account level) Very flexible Give or not give Mandatory (incorporated by some DBMS for government, military, and etc.) Each data object is tagged with a certain classification level Each user is given a certain clearance level Data object can only be accessed by users with the appropriate clearance Rigid Multi-level security COSC344 Lecture 23 11

(incorporated by some DBMS for government, military, and etc.

12 Two Approaches to DB Security Discretionary (provided by most commercial DBMSs) A given user may have different access rights to different objects Different users may have different rights on the same object Very flexible Give or not give Mandatory (incorporated by some DBMS for government, military, and etc.) Each data object is tagged with a certain classification level Each user is given a certain clearance level Data object can only be accessed by users with the appropriate clearance Rigid Multi-level security COSC344 Lecture 23 12

by some DBMS for government, military, and etc.

13 Two Approaches to DB Security Discretionary (provided by most commercial DBMSs) A given user may have different access rights to different objects Different users may have different rights on the same object Very flexible Give or not give Mandatory (incorporated by some DBMS for government, military, and etc.) Each data object is tagged with a certain classification level Each user is given a certain clearance level Data object can only be accessed by users with the appropriate clearance Rigid Multi-level security COSC344 Lecture 23 13

14 Two Approaches to DB Security Discretionary (provided by most commercial DBMSs) A given user may CONFIDENTIAL have different TOP SECRET access rights to different objects Different users may have different rights on the same object Very flexible Give or not give Mandatory (incorporated by some DBMS for government, military, and etc.) Each data object is tagged with a certain classification level Each user is given a certain clearance level Data object can only be accessed by users with the appropriate clearance Rigid Multi-level security COSC344 Lecture 23 14

15 Mandatory Access Control Applicable to databases with static and rigid classification structures Each data object has a classification level Each user has a clearance level Levels Top secret Secret Confidential None Levels ordered top secret > secret > confidential > none Multi-level security COSC344 Lecture 23 15

user has a clearance level Levels Top secret Secret Confidential None Levels

16 Mandatory Access Control Rules Bell-Lapadula Model 1. Simple security property A subject S is not allowed to read access to an object O unless clearance(s) >= classification(o) 2. Star property A subject S is not allowed to write an object O unless clearance(s) <= classification(o) Note: Rule 2 keeps a user from lowering the security of database objects top secret secret confidential none read O O O write O O S COSC344 Lecture 23 16

17 Discretionary Access Control Based on granting & revoking privileges Provide selective access to each relation based on specific users Two levels for assigning privileges Account level Relation level Access matrix model Tablex Tabley.col3 Tablez User 1 RW RW R User 2 R R R User 3 RWD RW - Give or not give COSC344 Lecture 23 17

assigning privileges Account level Relation level Access matrix model Tablex

18 Discretionary Access Control (cont.) Each table has an owner Owner is granted all privileges on his/her tables. Owner can pass on privileges on owned tables to other users Types of privileges SELECT MODIFY (includes UPDATE, DELETE, INSERT) REFERENCES (the ability to reference relation R when specifying integrity constraints) Views COSC344 Lecture 23 18

Owner can pass on privileges on owned tables to other users Types of privileges SELECT

19 Discretionary Access Control in Oracle Based on Privileges and Roles Example system privilege CREATE TABLE CREATE VIEW SELECT ANY TABLE ALTER ANY TABLE CREATE ROLE Many more Command COSC344 Lecture 23 19

CREATE TABLE CREATE VIEW SELECT ANY TABLE ALTER

20 Discretionary Access Control in Oracle GRANT gives privileges to users. GRANT system_privilege role [, {system_privilege role}]... TO {user role PUBLIC} [, {user role PUBLIC}]... [WITH ADMIN OPTION]; REVOKE takes away privileges REVOKE system_privilege role [, {system_privilege role}] FROM {user role PUBLIC}; COSC344 Lecture 23 20

.. TO {user role PUBLIC} [, {user role PUBLIC}].

21 Discretionary Access Control in Oracle (cont.) Examples GRANT CREATE TABLE TO SCOTT; GRANT CREATE TABLE TO PUBLIC; REVOKE CREATE TABLE FROM PUBLIC; COSC344 Lecture 23 21

22 Discretionary Access Control in Oracle (cont.) Object Privileges SELECT INSERT UPDATE DELETE ALTER EXECUTE INDEX REFERENCE Items All or specified columns Command GRANT object_privilege [, object_privilege]... [(column [, column]...)] ON [user.] object TO {user role PUBLIC} [, {user role PUBLIC}]... [WITH ADMIN OPTION] COSC344 Lecture 23 22

23 Discretionary Access Control in Oracle (cont.) Example GRANT SELECT ON employee TO SMITH; GRANT UPDATE, DELETE ON employee TO SMITH; GRANT UPDATE(salary) ON employee TO SMITH; COSC344 Lecture 23 23

24 Discretionary Access Control in Oracle (cont.) COSC344 Lecture 23 24

25 Discretionary Access Control in Oracle (cont.) Roles Groups of related privileges Simplify Dynamic Command CREATE ROLE <role>; Use GRANT command to give the role privileges Grant the role to users COSC344 Lecture 23 25

26 Example CREATE ROLE researcher; GRANT ALL ON results1 TO researcher; GRANT SELECT, INSERT ON results2 to researcher; GRANT researcher TO SMITH, WONG; COSC344 Lecture 23 26

27 Views Can restrict access by creating a view A view creates a horizontal and vertical subset of a table CREATE VIEW LsEmployee AS SELECT fname, lname, sex, dno FROM employee; GRANT SELECT ON LsEmployee TO Smith; COSC344 Lecture 23 27

28 Problems With the WITH ADMIN OPTION An owner (A) of a table can grant another user (B) a privilege with a WITH ADMIN OPTION B can grant privileges on the table to other users with or without the GRANT option Propagation of privileges without the knowledge of the owner How to track cascading GRANTs? How to revoke cascading GRANTs? GRANT SELECT, UPDATE, DELETE ON mytable TO USERB WITH ADMIN OPTION COSC344 Lecture 23 28

29 Statistical Database Security Produce statistics on various populations Users only allowed to retrieve statistical information Averages Counts Sums Standard deviations Must prevent the retrieval of individual data It is possible to deduce the values of individual tuples from a sequence of statistical queries COSC344 Lecture 23 29

30 Statistical Database Security Example SELECT COUNT(*) FROM PERSON WHERE <condition>; SELECT AVERAGE(INCOME) FROM PERSON WHERE <condition>; (last_degree='phd' AND SEX='F' AND city='dunedin') Prohibit statistical queries when the number of tuples specified by the selection condition falls below some threshold Prohibit statistical queries that refer repeatedly to the same tuples COSC344 Lecture 23 30

Chapter 23. Database Security. Security Issues. Database Security

Chapter 23. Database Security. Security Issues. Database Security Chapter 23 Database Security Security Issues Legal and ethical issues Policy issues System-related issues The need to identify multiple security levels 2 Database Security A DBMS typically includes a database