INFO/CS 330: Applied Database Systems



Similar documents
Security and Authorization. Introduction to DB Security. Access Controls. Chapter 21

Database Security. Chapter 21

Chapter 23. Database Security. Security Issues. Database Security

Database Security. Soon M. Chung Department of Computer Science and Engineering Wright State University

ITM661 Database Systems. Database Security and Administration

Ch.5 Database Security. Ch.5 Database Security Review

Chapter 23. Database Security. Security Issues. Database Security

SQL: Queries, Programming, Triggers

Example Instances. SQL: Queries, Programming, Triggers. Conceptual Evaluation Strategy. Basic SQL Query. A Note on Range Variables

Database Security and Authorization

SQL: Queries, Programming, Triggers

CS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University

SECURITY CHAPTER 24 (6/E) CHAPTER 23 (5/E)

Lecture 6. SQL, Logical DB Design

Chapter 24. Database Security. Copyright 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley

The Relational Model. Why Study the Relational Model?


The Relational Model. Ramakrishnan&Gehrke, Chapter 3 CS4320 1

Access Control Models Part I. Murat Kantarcioglu UT Dallas

Chapter 5. SQL: Queries, Constraints, Triggers

SECURITY MODELS FOR OBJECT-ORIENTED DATA BASES

The Relational Model. Why Study the Relational Model? Relational Database: Definitions

The Relational Model. Why Study the Relational Model? Relational Database: Definitions. Chapter 3

Relational Algebra and SQL

Boats bid bname color 101 Interlake blue 102 Interlake red 103 Clipper green 104 Marine red. Figure 1: Instances of Sailors, Boats and Reserves

Computer Security: Principles and Practice

Query-by-Example (QBE)

Database Security Part 7

Part III. Access Control Fundamentals

COMP 5138 Relational Database Management Systems. Week 5 : Basic SQL. Today s Agenda. Overview. Basic SQL Queries. Joins Queries

In This Lecture. Security and Integrity. Database Security. DBMS Security Support. Privileges in SQL. Permissions and Privilege.

Database Security. Database Security Requirements

Computer security Lecture 3. Access control

DISCRETIONARY ACCESS CONTROL. Tran Thi Que Nguyet Faculty of Computer Science & Engineering HCMC University of Technology ttqnguyet@cse.hcmut.edu.

Chapter 5 More SQL: Complex Queries, Triggers, Views, and Schema Modification

Role Based Access Control: Adoption and Implementation in the Developing World

Trusted RUBIX TM. Version 6. Multilevel Security in Trusted RUBIX White Paper. Revision 2 RELATIONAL DATABASE MANAGEMENT SYSTEM TEL


Access Control. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Access Control.

Access Control Matrix

Patel Group of Institutions Advance Database Management System MCA SEM V UNIT -1

There are five fields or columns, with names and types as shown above.

Relational Algebra. Module 3, Lecture 1. Database Management Systems, R. Ramakrishnan 1

SQL DATA DEFINITION: KEY CONSTRAINTS. CS121: Introduction to Relational Database Systems Fall 2015 Lecture 7

Database security. André Zúquete Security 1. Advantages of using databases. Shared access Many users use one common, centralized data set

Outline. Data Modeling. Conceptual Design. ER Model Basics: Entities. ER Model Basics: Relationships. Ternary Relationships. Yanlei Diao UMass Amherst

The Structured Query Language. De facto standard used to interact with relational DB management systems Two major branches

Relational Database: Additional Operations on Relations; SQL

IT2304: Database Systems 1 (DBS 1)

Database Security. Sarajane Marques Peres, Ph.D. University of São Paulo

Proposed solutions Project Assignment #1 (SQL)

CS143 Notes: Views & Authorization

Identity Management and Access Control

TRANSMAT Trusted Operations for Untrusted Database Applications

IT2305 Database Systems I (Compulsory)

Review: Participation Constraints

CS2Bh: Current Technologies. Introduction to XML and Relational Databases. The Relational Model. The relational model

Elena Baralis, Silvia Chiusano Politecnico di Torino. Pag. 1. Active database systems. Triggers. Triggers. Active database systems.

Database and Data Mining Security

CSI 2132 Lab 3. Outline 09/02/2012. More on SQL. Destroying and Altering Relations. Exercise: DROP TABLE ALTER TABLE SELECT

BM482E Introduction to Computer Security

Intermediate SQL C H A P T E R4. Practice Exercises. 4.1 Write the following queries in SQL:

Physical Database Design Process. Physical Database Design Process. Major Inputs to Physical Database. Components of Physical Database Design

Access Control: Policies, Models, and Mechanisms

Database Security. The Need for Database Security

Oracle Database 10g Express

Schema Evolution in SQL-99 and Commercial (Object-)Relational DBMS

A basic create statement for a simple student table would look like the following.

Extended RBAC Based Design and Implementation for a Secure Data Warehouse

Polyinstantiation in Relational Databases with Multilevel Security

CSE543 - Introduction to Computer and Network Security. Module: Access Control

Access Control: Policies, Models, and Mechanisms

Introduction to Databases

Auditing Data Access Without Bringing Your Database To Its Knees

Mandatory Access Control

Information Security Information & Network Security Lecture 2

Security and privacy for multimedia database management systems

Course: CSC 222 Database Design and Management I (3 credits Compulsory)

Chapter 6 The database Language SQL as a tutorial

Relational model. Relational model - practice. Relational Database Definitions 9/27/11. Relational model. Relational Database: Terminology

Lecture 7: Concurrency control. Rasmus Pagh

In This Lecture. Physical Design. RAID Arrays. RAID Level 0. RAID Level 1. Physical DB Issues, Indexes, Query Optimisation. Physical DB Issues

Access Control Basics. Murat Kantarcioglu

6 QUERY-BY-EXAMPLE (QBE)

SQL NULL s, Constraints, Triggers

Databases and BigData

Cloud and Big Data Summer School, Stockholm, Aug Jeffrey D. Ullman

DATABASE SECURITY MECHANISMS AND IMPLEMENTATIONS

CS2Bh: Current Technologies. Introduction to XML and Relational Databases. Introduction to Databases. Why databases? Why not use XML?

New Security Options in DB2 for z/os Release 9 and 10

Database Design--from E-R Diagram to SQL Statement

Introducción a las bases de datos SQL Libro de referencia

Transcription:

INFO/CS 330: Applied Database Systems Introduction to Database Security Johannes Gehrke johannes@cs.cornell.edu http://www.cs.cornell.edu/johannes Introduction to DB Security Secrecy:Users should not be able to see things they are not supposed to. E.g., A student can t see other students grades. Integrity:Users should not be able to modify things they are not supposed to. E.g., Only instructors can assign grades. Availability: Users should be able to see and modify things they are allowed to. Access Controls A security policy specifies who is authorized to do what. A security mechanism allows us to enforce a chosen security policy. Two main mechanisms at the DBMS level: Discretionary access control Mandatory access control 1

Discretionary Access Control Based on the concept of access rights or privileges for objects (tables and views), and mechanisms for giving users privileges (and revoking privileges). Creator of a table or a view automatically gets all privileges on it. DMBS keeps track of who subsequently gains and loses privileges, and ensures that only requests from users who have the necessary privileges (at the time the request is issued) are allowed. GRANT Command GRANT privileges ON object TO users [WITH ] The following privileges can be specified: SELECT: Can read all columns (including those added later via ALTER TABLE command). INSERT(col-name): Can insert tuples with non-null or nondefault values in this column. INSERT means same right with respect to all columns. DELETE: Can delete tuples. REFERENCES (col-name): Can define foreign keys (in other tables) that refer to this column. If a user has a privilege with the, can pass privilege on to other users (with or without passing on the ). Only owner can execute CREATE, ALTER, and DROP. GRANT and REVOKE of Privileges GRANT INSERT, SELECT ON Sailors TO Horatio Horatio can query Sailors or insert tuples into it. GRANT DELETE ON Sailors TO Yuppy WITH GRANT Yuppy can delete tuples, and also authorize others to do so. GRANT UPDATE (rating) ON Sailors TO Dustin Dustin can update (only) the rating field of Sailors tuples. GRANT SELECT ON ActiveSailors TO Guppy, Yuppy This does NOT allow the uppies to query Sailors directly! REVOKE: When a privilege is revoked from X, it is also revoked from all users who got it solely from X. 2

GRANT/REVOKE on Views If the creator of a view loses the SELECT privilege on an underlying table, the view is dropped! (Example: Why is having access to a SELECT privilege on a view important?) If the creator of a view loses a privilege held with the grant option on an underlying table, (s)he loses the privilege on the view as well; so do users who were granted that privilege on the view! Example Joe: GRANT SELECT ON Sailors TO Art WITH Art: GRANT SELECT ON Sailors TO Bob WITH Joe: REVOKE SELECT ON Sailors FROM Art CASCADE CASCADE versus RESTRICT: CASCADE: All abandoned privileges are also revoked RESTRICT: Command is rejected if abandoned privileges would result Another Example Joe: GRANT SELECT ON Sailors TO Art WITH Joe: GRANT SELECT ON Sailors TO Bob WITH Art: GRANT SELECT ON Sailors TO Bob WITH Joe: REVOKE SELECT ON Sailors FROM Art CASCADE Bob retains his privilege. 3

Another Example Joe: GRANT SELECT ON Sailors TO Art WITH Joe: GRANT SELECT ON Sailors TO Art WITH Joe: REVOKE SELECT ON Sailors FROM Art CASCADE Art s privilege is revoked. Note: We can just revoke the : REVOKE ON Sailors FROM Art CASCADE Authorization Graphs Example: Joe: GRANT SELECT ON Sailors TO Art WITH GRANT Art: GRANT SELECT ON Sailors TO Bob WITH GRANT Bob: GRANT SELECT ON Sailors TO Art WITH GRANT Joe: GRANT SELECT ON Sailors TO Cal WITH GRANT Cal: GRANT SELECT ON Sailors TO Bob WITH GRANT Joe: REVOKE SELECT ON Sailors FROM Art CASCADE Views and Security Views can be used to present necessary information (or a summary), while hiding details in underlying relation(s). Given ActiveSailors, but not Sailors or Reserves, we can find sailors who have a reservation, but not the bid s of boats that have been reserved. Creator of view has a privilege on the view if (s)he has the privilege on all underlying tables. Together with GRANT/REVOKE commands, views are a very powerful access control tool. 4

Role-Based Authorization In SQL-92, privileges are actually assigned to authorization ids, which can denote a single user or a group of users. In SQL:1999 (and in many current systems), privileges are assigned to roles. Roles can then be granted to users and to other roles. Reflects how real organizations work. Illustrates how standards often catch up with de facto standards embodied in popular systems. Security to the Level of a Field! Can create a view that only returns one field of one tuple. (How?) Then grant access to that view accordingly. Allows for arbitrary granularity of control A bit clumsy to specify. Can be hidden under a good UI. Mandatory Access Control Based on system-wide policies that cannot be changed by individual users. Each DB object is assigned a security class. Each subject (user or user program) is assigned a clearance for a security class. Rules based on security classes and clearances govern who can read/write which objects. Most commercial systems do not support mandatory access control. Versions of some DBMSs do support it; used for specialized (e.g., military) applications. 5

Why Mandatory Control? Discretionary control has some flaws, e.g., the Trojan horse problem: Dick creates Horsie and gives INSERT privileges to Justin (who doesn t know about this). Dick modifes the code of an application program used by Justin to additionally write some secret data to table Horsie. Now, Justin can see the secret info. The modification of the code is beyond the DBMSs control, but it can try and prevent the use of the database as a channel for secret information. Bell-LaPadula Model Objects (e.g., tables, views, tuples) Subjects (e.g., users, user programs) Security classes: Top secret (TS), secret (S), confidential (C), unclassified (U): TS > S> C > U Each object and subject is assigned a class. Subject S can read object O only if class(s) >= class(o) (Simple Security Property) Subject S can write object O only if class(s) <= class(o) (*-Property) Intuition Idea is to ensure that information can never flow from a higher to a lower security level. E.g., If Dick has security class C, Justin has class S, and the secret table has class S: Dick s table, Horsie, has Dick s clearance, C. Justin s application has his clearance, S. So, the program cannot write into table Horsie. The mandatory access control rules are applied in addition to any discretionary controls that are in effect. 6

Multilevel Relations bid 101 102 bname Salsa Pinto color Red Brown class S C Users with S and TS clearance will see both rows; a user with C will only see the 2 nd row; a user with U will see no rows. If user with C tries to insert <101,Pasta,Blue,C>: Allowing insertion violates key constraint Disallowing insertion tells user that there is another object with key 101 that has a class > C! Problem resolved by treating class field as part of key. Statistical DB Security Statistical DB: Contains information about individuals, but allows only aggregate queries (e.g., average age, rather than Joe s age). New problem: It may be possible to infer some secret information! E.g., If I know Joe is the oldest sailor, I can ask How many sailors are older than X? for different values of X until I get the answer 1; this allows me to infer Joe s age. Idea: Insist that each query must involve at least N rows, for some N. Will this work? (No!) Why Minimum N is Not Enough By asking How many sailors older than X? until the system rejects the query, can identify a set of N sailors, including Joe, that are older than X; let X=55 at this point. Next, ask What is the sum of ages of sailors older than X? Let result be S1. Next, ask What is sum of ages of sailors other than Joe who are older than X, plus my age? Let result be S2. S1-S2 is Joe s age! 7

Summary Three main security objectives: secrecy, integrity, availability. DB admin is responsible for overall security. Designs security policy, maintains an audit trail, or history of users accesses to DB. Two main approaches to DBMS security: discretionary and mandatory access control. Discretionary control based on notion of privileges. Mandatory control based on notion of security classes. Statistical DBs try to protect individual data by supporting only aggregate queries, but often, individual information can be inferred. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information