CHAPTER 5: SECURITY
ADVANCED DATABASE SYSTEMS
Assist. Prof. Dr. Volkan TUNALI
Topics
- Introduction
- Discretionary Access Control
- Mandatory Access Control
- Statistical Databases
- Data Encryption
- SQL Facilities
Introduction
- Security: protecting data against unauthorized users
- Integrity: protecting data against authorized users
- Constraints for assuring security and integrity:
  - must be explicitly defined
  - are maintained and stored in the catalog
  - are monitored continuously by the DBMS so that they are not violated
Security Aspects
Aspects of the security problem:
- Legal, social, and ethical aspects
- Physical controls
- Policy questions
- Operational problems
- Hardware controls
- Operating system support
- Issues related to the database itself
Database Security
Approaches to database security:
- Discretionary control (flexible): users have different privileges on different objects
- Mandatory control (rigid): each data object has a certain classification level, and each user has a certain clearance level
Security Policy
- Security is a policy issue, not a technical one
- Authorization: every access request is checked by the security subsystem against
  - the requested operation
  - the requested object
  - the requesting user
- Authentication: checking that users are who they say they are
- Roles: user groups that share the same privileges; a powerful tool commonly used to administer large databases
Discretionary Access Control
- Security languages usually state what is allowed rather than what is forbidden.
- Unauthorized attempts may be logged.

  AUTHORITY SA3
    GRANT RETRIEVE ( S#, SNAME, CITY ), DELETE
    ON S
    TO Jim, Fred, Mary ;

General form:

  AUTHORITY <authority name>
    GRANT <privilege commalist>
    ON <relvar name>
    TO <user ID commalist> ;

  DROP AUTHORITY <authority name> ;
Discretionary Access Control

  AUTHORITY EX1
    GRANT RETRIEVE ( P#, PNAME, WEIGHT )
    ON P
    TO Jacques, Anne, Charley ;

  AUTHORITY EX2
    GRANT RETRIEVE, UPDATE ( SNAME, STATUS ), DELETE
    ON LS
    TO Dan, Misha ;

  VAR SSPPR VIEW
    ( S JOIN SP JOIN ( P WHERE CITY = 'Rome' ) { P# } ) { ALL BUT P#, QTY } ;

  AUTHORITY EX3
    GRANT RETRIEVE
    ON SSPPR
    TO Giovanni ;
Discretionary Access Control

  VAR SSQ VIEW
    SUMMARIZE SP PER S { S# } ADD SUM ( QTY ) AS SQ ;

  AUTHORITY EX4
    GRANT RETRIEVE
    ON SSQ
    TO Fidel ;

  AUTHORITY EX5
    GRANT RETRIEVE, UPDATE ( STATUS )
    ON S
    WHEN DAY ( ) IN ( 'Mon', 'Tue', 'Wed', 'Thu', 'Fri' )
     AND NOW ( ) >= TIME '09:00:00'
     AND NOW ( ) <= TIME '17:00:00'
    TO Purchasing ;
Discretionary Access Control
Request modification (University Ingres and QUEL)
- QUEL requests are modified so that no constraint violation is possible.

  DEFINE PERMIT RETRIEVE ON P TO U
    WHERE P.CITY = "London"

A request issued by U:

  RETRIEVE ( P.P#, P.WEIGHT )
    WHERE P.COLOR = "Red"

The system modifies it to the following:

  RETRIEVE ( P.P#, P.WEIGHT )
    WHERE P.COLOR = "Red"
    AND P.CITY = "London"
Discretionary Access Control
Request modification (cont'd)

  DEFINE PERMIT APPEND, RETRIEVE, REPLACE
    ON S ( S#, CITY )
    TO Joe
    AT TTA4
    FROM 9:00 TO 17:00
    ON Sat TO Sun
    WHERE S.STATUS < 50
    AND S.S# = SP.S#
    AND SP.P# = P.P#
    AND P.COLOR = "Red"

- Audit trail: a special file or database in which the system keeps track of all operations performed by users
  - request, terminal, user, time, relvars, tuples, attributes, old values, new values
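The request-modification idea of the last two slides, as an added example (not Ingres code and not part of the lecture): a permit is stored as a predicate, every RETRIEVE is rewritten to AND in the permit predicate, and each request is written to an audit trail. The relation P, the user name U and the predicates are constructed for illustration.

```python
from typing import Callable, Dict, List, Tuple

Predicate = Callable[[dict], bool]

# Constructed sample relation P (parts); values are illustrative only.
P = [
    {"P#": "P1", "PNAME": "Nut",   "COLOR": "Red",   "WEIGHT": 12, "CITY": "London"},
    {"P#": "P2", "PNAME": "Bolt",  "COLOR": "Green", "WEIGHT": 17, "CITY": "Paris"},
    {"P#": "P3", "PNAME": "Screw", "COLOR": "Blue",  "WEIGHT": 17, "CITY": "Oslo"},
    {"P#": "P4", "PNAME": "Screw", "COLOR": "Red",   "WEIGHT": 14, "CITY": "Paris"},
    {"P#": "P5", "PNAME": "Cam",   "COLOR": "Blue",  "WEIGHT": 12, "CITY": "Paris"},
    {"P#": "P6", "PNAME": "Cog",   "COLOR": "Red",   "WEIGHT": 19, "CITY": "London"},
]

# PERMITs stored per (user, operation, relvar); several permits are OR-ed together.
PERMITS: Dict[Tuple[str, str, str], List[Predicate]] = {}
# Audit trail: one record per request, whether it was answered or rejected.
AUDIT: List[dict] = []

def define_permit(op: str, relvar: str, user: str, where: Predicate) -> None:
    """DEFINE PERMIT <op> ON <relvar> TO <user> WHERE <where>"""
    PERMITS.setdefault((user, op, relvar), []).append(where)

def has_permit(user: str, op: str, relvar: str) -> bool:
    return bool(PERMITS.get((user, op, relvar)))

def retrieve(user: str, relvar: str, rows: List[dict],
             columns: List[str], where: Predicate) -> List[dict]:
    """RETRIEVE <columns> WHERE <where>, issued by <user>.
    The request is rewritten to WHERE <where> AND (<permit predicate>),
    so tuples outside the permit never reach the user."""
    permits = PERMITS.get((user, "RETRIEVE", relvar), [])
    if not permits:  # no permit at all: reject and log the attempt
        AUDIT.append({"user": user, "op": "RETRIEVE", "relvar": relvar, "answered": False})
        raise PermissionError(f"{user} has no RETRIEVE permit on {relvar}")
    modified = lambda t: where(t) and any(p(t) for p in permits)
    result = [{c: t[c] for c in columns} for t in rows if modified(t)]
    AUDIT.append({"user": user, "op": "RETRIEVE", "relvar": relvar,
                  "answered": True, "tuples": len(result)})
    return result

# DEFINE PERMIT RETRIEVE ON P TO U WHERE P.CITY = "London"
define_permit("RETRIEVE", "P", "U", lambda t: t["CITY"] == "London")

def red_parts_seen_by_u() -> List[dict]:
    """U issues RETRIEVE (P.P#, P.WEIGHT) WHERE P.COLOR = "Red"; the system
    actually evaluates ... WHERE P.COLOR = "Red" AND P.CITY = "London"."""
    return retrieve("U", "P", P, ["P#", "WEIGHT"], lambda t: t["COLOR"] == "Red")

if __name__ == "__main__":
    print(red_parts_seen_by_u())  # P1 and P6 only; P4 (Red, Paris) is filtered out
```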
Mandatory Access Control
- Mandatory access controls are usually applicable to static and rigid databases.
- An example of clearance levels of users and classification levels of database objects: Top secret > Secret > Confidential
- Simple security property: user i can retrieve object j only if his/her clearance level is greater than or equal to the classification level of j
- Star property: user i can update object j only if his/her clearance level is equal to the classification level of j
- In the 1990s most DBMSs supported MAC because of DoD requirements
Mandatory Access Control
Multi-level security
- The user's request:

  S WHERE CITY = 'London'

- is modified by the system to:

  S WHERE CITY = 'London' AND CLASS <= user clearance
Mandatory Access Control
Multi-level security (cont'd)

  INSERT INTO S RELATION { TUPLE { S# S# ( 'S4' ), SNAME NAME ( 'Baker' ), STATUS 25, CITY 'Rome' } } ;

This insert is not rejected but modified as follows:

  INSERT INTO S RELATION { TUPLE { S# S# ( 'S4' ), SNAME NAME ( 'Baker' ), STATUS 25, CITY 'Rome', CLASS CLASS ( 3 ) } } ;
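The simple security property, the star property and the two request modifications of the multi-level slides, as an added example (not from the lecture): every tuple of a constructed S relation carries a CLASS, retrieval is filtered by CLASS <= clearance, updates touch only tuples whose CLASS equals the clearance, and an INSERT is stamped with the user's clearance. The numeric labels 3/2/1 for Top secret/Secret/Confidential are an assumption of this example.

```python
from typing import Callable, Dict, List

# Classification / clearance levels: Top secret > Secret > Confidential.
# The numeric labels are a constructed convention for this example.
TOP_SECRET, SECRET, CONFIDENTIAL = 3, 2, 1

# Constructed multi-level suppliers relation S: every tuple carries a CLASS.
S: List[Dict] = [
    {"S#": "S1", "SNAME": "Smith", "STATUS": 20, "CITY": "London", "CLASS": CONFIDENTIAL},
    {"S#": "S2", "SNAME": "Jones", "STATUS": 10, "CITY": "Paris",  "CLASS": SECRET},
    {"S#": "S3", "SNAME": "Blake", "STATUS": 30, "CITY": "Paris",  "CLASS": TOP_SECRET},
    {"S#": "S5", "SNAME": "Adams", "STATUS": 30, "CITY": "Athens", "CLASS": SECRET},
]

Predicate = Callable[[dict], bool]

def retrieve(rows: List[dict], clearance: int, where: Predicate = lambda t: True) -> List[dict]:
    """Simple security property: the user sees tuple j only if CLASS(j) <= clearance.
    The system rewrites 'S WHERE <cond>' into 'S WHERE <cond> AND CLASS <= clearance'."""
    return [t for t in rows if where(t) and t["CLASS"] <= clearance]

def update(rows: List[dict], clearance: int, where: Predicate, changes: dict) -> int:
    """Star property: the user may update tuple j only if CLASS(j) == clearance.
    Returns the number of tuples changed; tuples at other levels are left untouched."""
    changed = 0
    for t in rows:
        if where(t) and t["CLASS"] == clearance:
            t.update(changes)
            changed += 1
    return changed

def insert(rows: List[dict], clearance: int, new_tuple: dict) -> dict:
    """An INSERT without CLASS is not rejected: the system adds CLASS = clearance."""
    stamped = dict(new_tuple, CLASS=clearance)
    rows.append(stamped)
    return stamped

if __name__ == "__main__":
    # A Secret user asks for suppliers in Paris and gets only the Secret tuple S2.
    print(retrieve(S, SECRET, lambda t: t["CITY"] == "Paris"))
    print(insert(S, SECRET, {"S#": "S4", "SNAME": "Baker", "STATUS": 25, "CITY": "Rome"}))
```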
Statistical Databases
- Statistical databases permit queries that derive aggregated information but not queries that derive individual information.
  - What is the average employee salary? Allowed
  - What is the salary of employee Mary? Rejected
- Problem: deduction of confidential information by inference.
- Data warehouses
Statistical Databases

  WITH ( STATS WHERE SEX = 'M' AND OCCUPATION = 'Programmer' ) AS X : COUNT ( X )

  WITH ( STATS WHERE SEX = 'M' AND OCCUPATION = 'Programmer' ) AS X : SUM ( X, SALARY )
Statistical Databases
- The system should refuse queries for which the cardinality c of the set to be summarized is less than some lower bound b or greater than the upper bound N-b, where N is the cardinality of the given relation; i.e. a query is answered only if b <= c <= N-b.
- The upper bound is needed because the complement of a small set is a large set, and the whole-relation statistics combined with the complement give the same information:

  COUNT ( STATS )

  WITH ( STATS WHERE NOT ( SEX = 'M' AND OCCUPATION = 'Programmer' ) ) AS X : COUNT ( X )

  SUM ( STATS, SALARY )

  WITH ( STATS WHERE NOT ( SEX = 'M' AND OCCUPATION = 'Programmer' ) ) AS X : SUM ( X, SALARY )
Statistical Databases
- Using the STATS table, assume that b = 2 (N = 10).
- Queries will be answered if 2 <= c <= 8.
- Therefore the query on SEX = 'M' AND OCCUPATION = 'Programmer' will not be answered.
- BUT:

  WITH ( STATS WHERE SEX = 'M' ) AS X : COUNT ( X )

  WITH ( STATS WHERE SEX = 'M' AND NOT ( OCCUPATION = 'Programmer' ) ) AS X : COUNT ( X )

  WITH ( STATS WHERE SEX = 'M' ) AS X : SUM ( X, SALARY )

  WITH ( STATS WHERE SEX = 'M' AND NOT ( OCCUPATION = 'Programmer' ) ) AS X : SUM ( X, SALARY )

- Individual tracker: enables the user to track down information about a particular record.
Statistical Databases
- If BE identifies some specific individual I, and if BE can be expressed in the form BE1 AND BE2, then BE1 AND NOT BE2 is a tracker for I:

  set ( BE ) = set ( BE1 AND BE2 ) = set ( BE1 ) minus set ( BE1 AND NOT BE2 )
Statistical Databases
- General tracker: a boolean expression that can be used to find the answer to any inadmissible query.
- T is a general tracker if and only if NOT T is also a general tracker; a general tracker satisfies 2b <= c <= N-2b.
- Example: assume b = 2, so 4 <= c <= 6, and take T as AUDITS = 0.

  WITH ( STATS WHERE AUDITS = 0 ) AS X : COUNT ( X )

  WITH ( STATS WHERE NOT ( AUDITS = 0 ) ) AS X : COUNT ( X )

  WITH ( STATS WHERE ( SEX = 'M' AND OCCUPATION = 'Programmer' ) OR AUDITS = 0 ) AS X : COUNT ( X )

  WITH ( STATS WHERE ( SEX = 'M' AND OCCUPATION = 'Programmer' ) OR NOT ( AUDITS = 0 ) ) AS X : COUNT ( X )
Statistical Databases
Example (cont'd)

  WITH ( STATS WHERE AUDITS = 0 ) AS X : SUM ( X, SALARY )

  WITH ( STATS WHERE NOT ( AUDITS = 0 ) ) AS X : SUM ( X, SALARY )

  WITH ( STATS WHERE ( SEX = 'M' AND OCCUPATION = 'Programmer' ) OR AUDITS = 0 ) AS X : SUM ( X, SALARY )

  WITH ( STATS WHERE ( SEX = 'M' AND OCCUPATION = 'Programmer' ) OR NOT ( AUDITS = 0 ) ) AS X : SUM ( X, SALARY )

Result: 778 000 - 728 000 = 50 000
Statistical Databases
General tracker:

  set ( BE ) = ( set ( BE OR T ) plus set ( BE OR NOT T ) ) minus set ( T OR NOT T )

- A general tracker almost always exists.
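The cardinality restriction b <= c <= N-b and both trackers from the preceding slides, as an added example (not from the lecture): a query interface over a constructed STATS relation refuses the direct query on the male programmer, yet the individual tracker (BE1 AND NOT BE2) and the general tracker (AUDITS = 0) recover his salary through admissible queries only. The ten rows, the salaries and the choice N = 10, b = 2 are constructed to match the slides' parameters.

```python
from typing import Callable

# Constructed sample STATS relation: (NAME, SEX, OCCUPATION, SALARY, AUDITS), N = 10.
STATS = [
    ("Adams", "M", "Programmer", 50_000, 1),   # the only male programmer
    ("Baker", "M", "Analyst",    40_000, 0),
    ("Clark", "M", "Manager",    60_000, 0),
    ("Davis", "M", "Clerk",      30_000, 1),
    ("Evans", "M", "Analyst",    45_000, 0),
    ("Frank", "F", "Programmer", 55_000, 1),
    ("Green", "F", "Manager",    65_000, 0),
    ("Hill",  "F", "Clerk",      28_000, 1),
    ("Irwin", "F", "Analyst",    42_000, 0),
    ("Jones", "F", "Programmer", 52_000, 1),
]
B = 2  # lower bound b: a query is answered only if b <= c <= N - b

Pred = Callable[[tuple], bool]

def stat(where: Pred, agg: str):
    """WITH ( STATS WHERE <where> ) AS X : COUNT ( X ) or SUM ( X, SALARY ).
    Returns None (query refused) when the query set violates b <= c <= N - b."""
    n = len(STATS)
    x = [r for r in STATS if where(r)]
    if not (B <= len(x) <= n - B):
        return None
    return len(x) if agg == "COUNT" else sum(r[3] for r in x)

def is_general_tracker(t: Pred) -> bool:
    """T is a general tracker when 2b <= count(T) <= N - 2b (then so is NOT T)."""
    n = len(STATS)
    return 2 * B <= sum(1 for r in STATS if t(r)) <= n - 2 * B

# Predicates from the slides.
be1 = lambda r: r[1] == "M"               # SEX = 'M'
be2 = lambda r: r[2] == "Programmer"      # OCCUPATION = 'Programmer'
be = lambda r: be1(r) and be2(r)          # BE: identifies exactly one individual
t = lambda r: r[4] == 0                   # T: AUDITS = 0

def individual_tracker() -> int:
    """BE = BE1 AND BE2, so BE1 AND NOT BE2 is a tracker:
    SUM(BE) = SUM(BE1) - SUM(BE1 AND NOT BE2); both queries are admissible."""
    return stat(be1, "SUM") - stat(lambda r: be1(r) and not be2(r), "SUM")

def general_tracker(q: Pred, agg: str) -> int:
    """stat(BE) = ( stat(BE OR T) + stat(BE OR NOT T) ) - ( stat(T) + stat(NOT T) )."""
    whole = stat(t, agg) + stat(lambda r: not t(r), agg)      # set ( T OR NOT T )
    return stat(lambda r: q(r) or t(r), agg) + stat(lambda r: q(r) or not t(r), agg) - whole
```

Every query the two trackers issue passes the cardinality check, which is why the restriction alone is not a sufficient defence.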
Data Encryption
- Usually for data in transmission, but also for the data in the database
- Terminology:
  - Plaintext: the original data
  - Encryption algorithm: transforms the plaintext using an encryption key
  - Ciphertext: the encrypted data
- Two approaches:
  - Substitution: plaintext characters are replaced by other characters
  - Permutation: plaintext characters are rearranged into some different sequence
- Data Encryption Standard (DES), by IBM, 1977: plaintext is divided into 64-bit blocks, then permuted
Data Encryption
- Public key encryption: both the encryption algorithm and the encryption key are freely available, but the decryption key is not
- RSA scheme:
  - There is a known fast algorithm for determining whether a given number is prime
  - There is no known fast algorithm for finding the prime factors of a given nonprime number
SQL Facilities
- SQL supports only discretionary access control, plus
  - the view mechanism
  - the authorization subsystem

  CREATE VIEW LS AS
    SELECT S.S#, S.SNAME, S.STATUS, S.CITY
    FROM S
    WHERE S.CITY = 'London' ;

  GRANT SELECT, UPDATE ( SNAME, STATUS ), DELETE
    ON LS
    TO Dan, Misha ;

  CREATE VIEW SSQ AS
    SELECT S.S#, ( SELECT SUM ( SP.QTY ) FROM SP WHERE SP.S# = S.S# ) AS SQ
    FROM S ;

  GRANT SELECT
    ON SSQ
    TO Fidel ;
SQL Facilities
- The creator of any object (its owner) has all privileges on that object.

  GRANT <privilege commalist>
    ON <object>
    TO <user ID commalist>
    [ WITH GRANT OPTION ] ;

- Privileges: USAGE, SELECT, INSERT, UPDATE, DELETE, REFERENCES
- Objects: DOMAIN, TABLE
- <user ID commalist> or PUBLIC
- WITH GRANT OPTION: the users can in turn grant the privileges to other users

  REVOKE [ GRANT OPTION FOR ] <privilege commalist>
    ON <object>
    FROM <user ID commalist> <option> ;