Database Security. Chapter 21

Similar documents
Security and Authorization. Introduction to DB Security. Access Controls. Chapter 21

INFO/CS 330: Applied Database Systems

Chapter 23. Database Security. Security Issues. Database Security

Database Security and Authorization

ITM661 Database Systems. Database Security and Administration

Chapter 23. Database Security. Security Issues. Database Security

Database Security. Soon M. Chung Department of Computer Science and Engineering Wright State University

COSC344 Database Theory and Applications. Lecture 23 Security and Auditing. COSC344 Lecture 23 1

Chapter 24. Database Security. Copyright 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley

Lecture 6. SQL, Logical DB Design

The Relational Model. Why Study the Relational Model?

The Relational Model. Ramakrishnan&Gehrke, Chapter 3 CS4320 1

SQL: Queries, Programming, Triggers

Example Instances. SQL: Queries, Programming, Triggers. Conceptual Evaluation Strategy. Basic SQL Query. A Note on Range Variables

SQL: Queries, Programming, Triggers

Ch.5 Database Security. Ch.5 Database Security Review

CS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University

The Relational Model. Why Study the Relational Model? Relational Database: Definitions. Chapter 3

Chapter 5. SQL: Queries, Constraints, Triggers

Boats bid bname color 101 Interlake blue 102 Interlake red 103 Clipper green 104 Marine red. Figure 1: Instances of Sailors, Boats and Reserves

SECURITY CHAPTER 24 (6/E) CHAPTER 23 (5/E)

In This Lecture. Security and Integrity. Database Security. DBMS Security Support. Privileges in SQL. Permissions and Privilege.

DATABASDESIGN FÖR INGENJÖRER - 1DL124

The Relational Model. Why Study the Relational Model? Relational Database: Definitions

E-Commerce: Designing And Creating An Online Store

Database Security & Cryptography

Client Server Registration Protocol

Part III. Access Control Fundamentals

Computer Security: Principles and Practice

Review: Participation Constraints

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Database Security. Database Security Requirements

Relational Algebra and SQL

BM482E Introduction to Computer Security

COMP 5138 Relational Database Management Systems. Week 5 : Basic SQL. Today s Agenda. Overview. Basic SQL Queries. Joins Queries

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

Oracle Database Security

Database Security. The Need for Database Security

There are five fields or columns, with names and types as shown above.

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

New Security Options in DB2 for z/os Release 9 and 10

Weighted Total Mark. Weighted Exam Mark

Privacy and Encryption in egovernment. Dewey Landrum Technical Architect CSO SLED West Sector CISSP August 11, 2008

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Chapter 6: Integrity and Security. Domain Constraints

Patel Group of Institutions Advance Database Management System MCA SEM V UNIT -1

4. Identify the security measures provided by Microsoft Office Access. 5. Identify the methods for securing a DBMS on the Web.

APWG. (n.d.). Unifying the global response to cybecrime. Retrieved from

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis


Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Databases and BigData

Network Security. HIT Shimrit Tzur-David

Name: 1. CSE331: Introduction to Networks and Security Fall 2003 Dec. 12, /14 2 /16 3 /16 4 /10 5 /14 6 /5 7 /5 8 /20 9 /35.

MySQL Security: Best Practices

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

Content Teaching Academy at James Madison University

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

Chapter 7: Network security

Access Control Models Part I. Murat Kantarcioglu UT Dallas

DISCRETIONARY ACCESS CONTROL. Tran Thi Que Nguyet Faculty of Computer Science & Engineering HCMC University of Technology ttqnguyet@cse.hcmut.edu.

Query-by-Example (QBE)

Proposed solutions Project Assignment #1 (SQL)

SECURITY IN NETWORKS

Oracle Database 10g Express

Application Design and Development

Concepts of Database Management Seventh Edition. Chapter 7 DBMS Functions

Database Security Encryption

Digital Cash. is not a check, credit card or a debit card. They leave audit trails. can be sent through computer networks.

CS143 Notes: Views & Authorization

Computer security Lecture 3. Access control

Relational Algebra. Module 3, Lecture 1. Database Management Systems, R. Ramakrishnan 1

Rights Management Services

Security & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173

SECURITY IN ELECTRONIC COMMERCE - SOLUTION MULTIPLE-CHOICE QUESTIONS

CS 758: Cryptography / Network Security

Chapter 8 A secure virtual web database environment

Thick Client Application Security

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Module 7 Security CS655! 7-1!

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

What is network security?

Chapter 12 Databases, Controls, and Security

Trusted RUBIX TM. Version 6. Multilevel Security in Trusted RUBIX White Paper. Revision 2 RELATIONAL DATABASE MANAGEMENT SYSTEM TEL

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

First Semester Examinations 2011/12 INTERNET PRINCIPLES

IT2304: Database Systems 1 (DBS 1)

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Outline. Data Modeling. Conceptual Design. ER Model Basics: Entities. ER Model Basics: Relationships. Ternary Relationships. Yanlei Diao UMass Amherst

Database and Data Mining Security

Identity Management and Access Control

ISM/ISC Middleware Module

Properties of Secure Network Communication

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

IT2305 Database Systems I (Compulsory)

Database Security Part 7

DATABASE SECURITY MECHANISMS AND IMPLEMENTATIONS

CS2Bh: Current Technologies. Introduction to XML and Relational Databases. Introduction to Databases. Why databases? Why not use XML?

Overview. SSL Cryptography Overview CHAPTER 1

SECURITY MODELS FOR OBJECT-ORIENTED DATA BASES

Transcription:

Database Security Chapter 21

Introduction to DB Security Secrecy: Users should not be able to see things they are not supposed to. E.g., A student can t see other students grades. Integrity: Users should not be able to modify things they are not supposed to. E.g., Only instructors can assign grades. Availability: Users should be able to see and modify things they are allowed to.

Access Controls A security policy specifies who is authorized to do what. A security mechanism allows us to enforce a chosen security policy. Two main mechanisms at the DBMS level: Discretionary access control Mandatory access control

Discretionary Access Control Based on the concept of access rights or privileges for objects (tables and views), and mechanisms for giving users privileges (and revoking privileges). Creator of a table or a view automatically gets all privileges on it. DMBS keeps track of who subsequently gains and loses privileges, and ensures that only requests from users who have the necessary privileges (at the time the request is issued) are allowed.

GRANT Command GRANT privileges ON object TO users [WITH GRANT OPTION] The following privileges can be specified: SELECT: Can read all columns (including those added later via ALTER TABLE command). INSERT(col-name): Can insert tuples with non-null or non-default values in this column. INSERT means same right with respect to all columns. DELETE: Can delete tuples. REFERENCES (col-name): Can define foreign keys (in other tables) that refer to this column. If a user has a privilege with the GRANT OPTION, can pass privilege on to other users (with or without passing on the GRANT OPTION). Only owner can execute CREATE, ALTER, and DROP.

Schema for Examples Sailors (sid: integer, sname: string, rating: integer, age: real) Reserves (sid: integer, bid: integer, day: dates, rname: string) Boat (bid: integer, bname: string, color: string) 6

GRANT Examples GRANT DELETE ON Sailors TO Yuppy WITH GRANT OPTION Yuppy can delete tuples, and also authorize others to do so. GRANT SELECT ON Sailors TO Michael Michael can query Sailors or insert tuples into it. GRANT UPDATE (rating) ON Sailors TO Dustin Dustin can update (only) the rating field of Sailors tuples. Is Dustin allowed to perform the following command? UPDATE Sailors S SET S.rating = 8 UPDATE Sailors S SET S.rating = S.rating - 1

GRANT Examples GRANT REFERENCES (bid) ON Boats TO Andrew Andrew can refer to the bid column of Boats as a foreign key in another table CRAEATE TABLE Reserves ( sid INTEGER bid INTEGER PRIMARY KEY (sid, bid) FOREIGN KEY (sid) REFERENCES Sailors, FOREIGN KEY (bid) REFERENCES Boats) 8

GRANT Examples GRANT INSERT ON Sailors TO Michael vs GRANT INSERT (sid, sname, rating, age) ON Sailors TO Michael 9

REVOKE Command REVOKE [ GRANT OPTION FOR ] privileges ON object FROM users {RESTRICT CASCADE} When a privilege is revoked from X, it is also revoked from all users who got it solely from X. GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (executed by Joe) GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (executed by Art) 10 REVOKE SELECT ON Sailors FROM Art CASCADE (executed by Joe) REVOKE SELECT ON Sailors FROM Art RESTRICT (executed by Joe)

REVOKE Example GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (executed by Joe) GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (executed by Joe) GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (executed by Art) REVOKE SELECT ON Sailors FROM Art CASCADE (executed by Joe) What is Bob s privilege? 11

GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (executed by Joe) GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (executed by Art) GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (executed by Bob) GRANT SELECT ON Sailors TO Cal WITH GRANT OPTION (executed by Joe) GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (executed by Cal) REVOKE SELECT ON Sailors FROM Art CASCADE (executed by Joe) Does Art have the SELECT privilege on Sailors? 12

REVOKE Example GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (executed by Joe) GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (executed by Art) GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (executed by Bob) GRANT SELECT ON Sailors TO Cal WITH GRANT OPTION (executed by Joe) GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (executed by Cal) REVOKE SELECT ON Sailors FROM Art CASCADE (executed by Joe) sys Joe Cal (Sys, Joe, Select, Yes) (Joe, Art, Select, Yes) (Art, Bob,Select, Yes) (Joe, Cal,Select, Yes) (Cal, Bob, Select, Yes) Art Bob (Bob, Art,Select, Yes) Does Art have the SELECT privilege on Sailors? REVOKE SELECT ON Sailors FROM Cal CASCADE (executed by Joe) 13

Views and Security Views can be used to present necessary information (or a summary), while hiding details in underlying relation(s). Given ActiveSailors, but not Sailors or Reserves, we can find sailors who have a reservation, but not the bid s of boats that have been reserved. Creator of view has a privilege on the view if (s)he has the privilege on all underlying tables. Together with GRANT/REVOKE commands, views are a very powerful access control tool. CREATE VIEW ActiveSailors (name, age, day) AS SELECT S.name, S.age, R.day FROM Sailors S, Reserves R WHERE S.sid = R.sid AND S.rating > 6

GRANT/REVOKE on Views If the creator of a view loses the SELECT privilege on an underlying table, the view is dropped! If the creator of a view loses a privilege held with the grant option on an underlying table, (s)he loses the privilege on the view as well; so do users who were granted that privilege on the view!

Role-Based Authorization In SQL-92, privileges are actually assigned to authorization ids, which can denote a single user or a group of users. In SQL:1999 (and in many current systems), privileges are assigned to roles. Roles can then be granted to users and to other roles. Reflects how real organizations work. Illustrates how standards often catch up with de facto standards embodied in popular systems.

Mandatory Access Control Discretionary control has some flaws, e.g., the Trojan horse problem: Dick creates Horsie and gives INSERT privileges to Justin (who doesn t know about this). Dick modifes the code of an application program used by Justin to additionally write some secret data to table Horsie. Now, Justin can see the secret info. The modification of the code is beyond the DBMSs control, but it can try and prevent the use of the database as a channel for secret information.

Mandatory Access Control Based on system-wide policies that cannot be changed by individual users. Each DB object is assigned a security class. Each subject (user or user program) is assigned a clearance for a security class. Rules based on security classes and clearances govern who can read/write which objects. Most commercial systems do not support mandatory access control. Versions of some DBMSs do support it; used for specialized (e.g., military) applications.

Bell-LaPadula Model Objects (e.g., tables, views, tuples) Subjects (e.g., users, user programs) Security classes: Top secret (TS), secret (S), confidential (C), unclassified (U): TS > S> C > U Each object and subject is assigned a class. Subject S can read object O only if class(s) >= class(o) (Simple Security Property) Subject S can write object O only if class(s) <= class(o) (*-Property)

Intuition Idea is to ensure that information can never flow from a higher to a lower security level. E.g., If Dick has security class C, Justin has class S, and the secret table has class S: Dick s table, Horsie, has Dick s clearance, C. Justin s application has his clearance, S. So, the program cannot write into table Horsie. The mandatory access control rules are applied in addition to any discretionary controls that are in effect.

Multilevel Relations bid bname color class 101 Salsa Red S 102 Pinto Brown C Users with S and TS clearance will see both rows; a user with C will only see the 2 nd row; a user with U will see no rows. If user with C tries to insert <101,Pasta,Blue,C>: Allowing insertion violates key constraint Disallowing insertion tells user that there is another object with key 101 that has a class > C! Problem resolved by treating class field as part of key.

Internet-Oriented Security Key Issues: User authentication and trust. When DB must be accessed from a secure location, passwordbased schemes are usually adequate. For access over an external network, trust is hard to achieve. If someone with Sam s credit card wants to buy from you, how can you be sure it is not someone who stole his card? How can Sam be sure that the screen for entering his credit card information is indeed yours, and not some rogue site spoofing you (to steal such information)? How can he be sure that sensitive information is not sniffed while it is being sent over the network to you? Encryption is a technique used to address these issues.

Encryption Masks data for secure transmission or storage Encrypt(data, encryption key) = encrypted data Decrypt(encrypted data, decryption key) = original data Without decryption key, the encrypted data is meaningless gibberish Symmetric Encryption: Encryption key = decryption key; all authorized users know decryption key (a weakness). DES, used since 1977, has 56-bit key; AES has 128-bit (optionally, 192-bit or 256-bit) key Public-Key Encryption: Each user has two keys: User s public encryption key: Known to all Decryption key: Known only to this user Used in RSA scheme (Turing Award!)

RSA Public-Key Encryption Let the data be an integer I Choose a large (>> I) integer L = p * q p, q are large, say 1024-bit, distinct prime numbers Encryption: Choose a random number 1 < e < L that is relatively prime to (p-1) * (q-1) Encrypted data S = I e mod L Decryption key d: Chosen so that d * e = 1 mod ((p-1) * (q-1)) We can then show that I = S d mod L It turns out that the roles of e and d can be reversed; so they are simply called the public and private keys

Certifying Servers: SSL, SET If Amazon distributes their public key, Sam s browser will encrypt his order using it. So, only Amazon can decipher the order, since no one else has Amazon s private key. But how can Sam (or his browser) know that the public key for Amazon is genuine? The SSL protocol covers this. Amazon contracts with, say, Verisign, to issue a certificate <Verisign, Amazon, amazon.com, public-key> This certificate is stored in encrypted form, encrypted with Verisign s private key, known only to Verisign. Verisign s public key is known to all browsers, which can therefore decrypt the certificate and obtain Amazon s public key, and be confident that it is genuine. The browser then generates a temporary session key, encodes it using Amazon s public key, and sends it to Amazon. All subsequent msgs between the browser and Amazon are encoded using symmetric encryption (e.g., DES), which is more efficient than public-key encryption. What if Sam doesn t trust Amazon with his credit card information? Secure Electronic Transaction protocol: 3-way communication between Amazon, Sam, and a trusted server, e.g., Visa.

Authenticating Users Amazon can simply use password authentication, i.e., ask Sam to log into his Amazon account. Done after SSL is used to establish a session key, so that the transmission of the password is secure! Amazon is still at risk if Sam s card is stolen and his password is hacked. Business risk Digital Signatures: Sam encrypts the order using his private key, then encrypts the result using Amazon s public key. Amazon decrypts the msg with their private key, and then decrypts the result using Sam s public key, which yields the original order! Exploits interchangeability of public/private keys for encryption/ decryption Now, no one can forge Sam s order, and Sam cannot claim that someone else forged the order.

Roles of DBA Creating accounts Mandatory control issues Assigning security classes to objects Assigning security clearance to each authorization ID Maintaining audit trail Extending log entries with authorization ID 28

Statistical DB Security Statistical DB: Contains information about individuals, but allows only aggregate queries (e.g., average age, rather than Joe s age). New problem: It may be possible to infer some secret information! E.g., If I know Joe is the oldest sailor, I can ask How many sailors are older than X? for different values of X until I get the answer 1; this allows me to infer Joe s age. Idea: Insist that each query must involve at least N rows, for some N. Will this work? (No!)

Why Minimum N is Not Enough By asking How many sailors older than X? until the system rejects the query, can identify a set of N sailors, including Joe, that are older than X; let X=55 at this point. Next, ask What is the sum of ages of sailors older than X? Let result be S1. Next, ask What is sum of ages of sailors other than Joe who are older than X, plus my age? Let result be S2. S1-S2 is Joe s age!

Summary Three main security objectives: secrecy, integrity, availability. DB admin is responsible for overall security. Designs security policy, maintains an audit trail, or history of users accesses to DB. Two main approaches to DBMS security: discretionary and mandatory access control. Discretionary control based on notion of privileges. Mandatory control based on notion of security classes. Statistical DBs try to protect individual data by supporting only aggregate queries, but often, individual information can be inferred.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information