Database Security. Authentification: verifying the id of a user. Authorization: checking the access privileges

Similar documents
Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Mandatory Access Control

Discretionary Vs. Mandatory

Multilevel relations: Schema and multiple instances based on each access class. A multilevel relation consists of two parts:

Database Security Overview. Murat Kantarcioglu

Access Control Models

Access Control. Discretionary Access Control

CHAPTER 5 SECURITY ADVANCED DATABASE SYSTEMS. Assist. Prof. Dr. Volkan TUNALI

CSE 565 Computer Security Fall 2018

Security and Authorization

Mobile and Heterogeneous databases Security. A.R. Hurson Computer Science Missouri Science & Technology

Data Warehouse. T rusted Application. P roject. Trusted System. T echnology. System. Trusted Network. Physical Security

The Relational Model. Outline. Why Study the Relational Model? Faloutsos SCS object-relational model

The Relational Model. Roadmap. Relational Database: Definitions. Why Study the Relational Model? Relational database: a set of relations

DATABASE SECURITY AND PRIVACY. Some slides were taken from Database Access Control Tutorial, Lars Olson, UIUC CS463, Computer Security

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

Real Application Security Administration

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

The Relational Model 2. Week 3

INSE 6160 Database Security and Privacy

The Relational Model. Week 2

Oracle Database. Installation and Configuration of Real Application Security Administration (RASADM) Prerequisites

Database Applications (15-415)

MTAT Introduction to Databases

The Relational Model. Chapter 3

The Relational Model. Chapter 3. Database Management Systems, R. Ramakrishnan and J. Gehrke 1

MIDTERM EXAMINATION Spring 2010 CS403- Database Management Systems (Session - 4) Ref No: Time: 60 min Marks: 38

Relational Databases BORROWED WITH MINOR ADAPTATION FROM PROF. CHRISTOS FALOUTSOS, CMU /615

C1: Define Security Requirements

Discretionary Access Control (DAC)

Discretionary Access Control (DAC)

IT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao

CS 252: Fundamentals of Relational Databases: SQL5

CSC 261/461 Database Systems Lecture 6. Fall 2017

Access Control. Access control: ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions

The Relational Model. Chapter 3. Comp 521 Files and Databases Fall

Instructor: Jinze Liu. Fall 2008

Module 4: Access Control

Essay Question: Explain 4 different means by which constrains are represented in the Conceptual Data Model (CDM).

Database Systems ( 資料庫系統 )

Post-Class Quiz: Access Control Domain

ITCS 3160 DATA BASE DESIGN AND IMPLEMENTATION

Databases. Jörg Endrullis. VU University Amsterdam

The Relational Model (ii)

Ders # 7. Veri Bütünlüğü Programlama ve Güvenlik. From Elmasri/Navathe textbook Ch9,26 Sciore textbook, Ch 9-10

Access Control. Protects against accidental and malicious threats by

Data Security and Privacy. Topic 11: Virtual Private Databases Based on Prof. Bertino s Slides

Data Modelling and Databases. Exercise Session 7: Integrity Constraints

CIS 330: Applied Database Systems. ER to Relational Relational Algebra

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

Relational model continued. Understanding how to use the relational model. Summary of board example: with Copies as weak entity

Relational Model. Topics. Relational Model. Why Study the Relational Model? Linda Wu (CMPT )

Database Applications (15-415)

Data Modeling. Yanlei Diao UMass Amherst. Slides Courtesy of R. Ramakrishnan and J. Gehrke

Authorization, Database Security

The Relational Model

High-Level Database Models (ii)

Introduction C H A P T E R1. Exercises

SDR Guide to Complete the SDR

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

CSC 742 Database Management Systems

The DBMS accepts requests for data from the application program and instructs the operating system to transfer the appropriate data.

Introduction to Data Management. Lecture #5 (E-R Relational, Cont.)

Core Role Based Access Control (RBAC) mechanism for MySQL

Database Management Systems. Chapter 3 Part 2

CIS433/533 - Introduction to Computer and Network Security. Access Control

Overview of Information Security

Conceptual Data Modeling

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Introduction to Data Management. Lecture #5 Relational Model (Cont.) & E-Rà Relational Mapping

The Relational Model. Why Study the Relational Model? Relational Database: Definitions

Introduction to Data Management. Lecture #4 (E-R à Relational Design)


Comp 5311 Database Management Systems. 4b. Structured Query Language 3

Secure Enterprise Access to Support Collaboration on Clinical Research

Why Study the Relational Model? The Relational Model. Relational Database: Definitions. The SQL Query Language. Relational Query Languages

CS419 Spring Computer Security. Vinod Ganapathy Lecture 15. Chapter 5: Database security

Systems:;-'./'--'.; r. Ramez Elmasri Department of Computer Science and Engineering The University of Texas at Arlington

Integrity Constraints (Reminder)

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

The Relational Model. Chapter 3. Comp 521 Files and Databases Fall

Debapriyo Majumdar DBMS Fall 2016 Indian Statistical Institute Kolkata

Drug-drug interactions database created by thousands of doctors in hundreds of hospitals.

Dion Model. Objects and their classification

ACS-3921/ Computer Security And Privacy. Chapter 5 Database and Data Centre Security

Copyright 2016 Ramez Elmasri and Shamkant B. Navathe

Advent IM Ltd ISO/IEC 27001:2013 vs

Relational Database Languages

Access Control (slides based Ch. 4 Gollmann)

History of SQL. Relational Database Languages. Tuple relational calculus ALPHA (Codd, 1970s) QUEL (based on ALPHA) Datalog (rule-based, like PROLOG)

The Relational Model

SQL (structured query language)

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Implementing Isolation

CS450 - Database Concepts Fall 2015

The Entity-Relationship Model. Overview of Database Design

Introduction to Data Management. Lecture #6 E-Rà Relational Mapping (Cont.)

MULTILEVEL POLICY BASED SECURITY IN DISTRIBUTED DATABASE

Introduction to Data Management. Lecture #4 (E-R Relational Translation)

Chapter 11 Database Concepts

Transcription:

Database Security Security Tasks Authentification: verifying the id of a user Authorization: checking the access privileges Auditing: looking for violations (in the past) 1

Data Security Dorothy Denning, 1982: Data Security is the science and study of methods of protecting data (...) from unauthorized disclosure and modification Data Security = Confidentiality + Integrity 2

How to attack an IT System? Misuse of Authority Inference and Aggregation Masking Bypass Access Control Browsing Trojans Hidden Channels 3

Security in Databases Privacy (Confidentiality) Do not allow access to private information But support statistic analyses over private information Avoid inference attacks (e.g., there is only one 42y man) Q does not leak info for secret S if: P(S Q) = P(S) SELECT name FROM Patient SELECT count(*) WHERE age=42 FROM Patient OK? and sex= M WHERE age=42 and diagnostic= schizophrenia and sex= M and diagnostic= schizophrenia 4

SQL Injection Problem: Naïve implementation of GUIs: Login: User: Password: fred ******** Search Box in Application (SQL Interface in Anwendung): Search: Dr. Lee SELECT FROM WHERE doctor= Dr. Lee and patientid= fred 5

SQL Injection Another example of poor application implementation: Search: Dr. Lee ; DROP TABLE Patients; -- 6

SQL Injection: Summary The DBMS does the right thing. Why does SQL injection work so often? Quick & Dirty Reply: Bad Programmers (easy fix if you are careful in your Java code) Sad Truth: Security is implemented in the app and not in the DBMS. (similar discussion as for integrity constraints) Question: How many users does your project DB manage? (Probably, no project has more than one user!) 7

Layers of Security Human Machine Legislation Organisation Authentification Authorization (access control) Cryptography Database Problem: When human meets machine. Authentification and sometimes authorization 8

Discretionary Access Control Access rules (o, s, t, p, f): o O, set of objects (e.g., table, tuple, attribute) s S, set of subjects (e.g., user, processes, apps) t T, set of access rights (e.g., read, write, delete) p a predicate (e.g., Level = FP ) f a Boolean value specifying whether s may gran the privilege (o, t, p) to another subject s. 9

Discretionary Access Control Unix SQL S User, groups User O Files, directories DB, tables, tuples, attributes, views T Read, write, execute CRUD P Not supported Supported via views F Fixed (owner, root) Grant option 10

Discretionary Access Control Implementation: Access matrix Views Query Modification Disadvantages: Creator of data needs to manage authorizations Managing authorizations is cumbersome and error-prone Exercise: Find all functional dependencies in the access matrix of Unix! Normalize the access matrix of unix! 11

Access Control in SQL Example: grant select on Professor to eickler; o=professor, s=eickler, t=select implicit: p=true, f=false grant update (Legi, Lecture, PersNr) on tests to eickler; o=p(tests), s=eickler, t=update implicit: p=true, f=false 12

Other privileges: Access Control in SQL Delete insert create references (inference attack) grant option (f = true) Revoke privileges revoke update (Legi, Lecture, PersNr) on tests from eickler cascade; 13

Views Implementation of predicates (p in the (o,s,t,p,f) model) create view FirstSemesterStudents as select * from Student where Semester = 1; grant select on FirstSemesterStudents to tutor; Protecting personal records by aggregation create view StrictProf (Nr, AvgGrade) as select Nr, avg(grade) from tests group by Nr; 14

Group Access Rights CREATE VIEW StudentGrades AS SELECT * FROM tests t WHERE EXISTS (SELECT * FROM Student WHERE Legi = t.legi AND Name = USER) GRANT SELECT ON StudentGrades TO <StudentGroup> Give students right to access their own test results. specific to Oracle magic Name = USER predicate not standardized 15

Auditing Components of Audits Logging: keep a record of all (interesting) activities Analyze the logs (Ideally query logs with DBMS in practice not poss.) audit session by system whenever not successful; audit insert, delete, update on Professor; 16

Summary: Security in SQL Cons: coarse granularity: objects are tables or views not tuples Example: auction system; read your own bids, but not bids of others responsibility to manage privileges with creator of table Not necessarily the creator of the data difficult to deal with DBMS access violations in app layer (Analogous to Integrity Constraints ) Implications Access control is implemented at the app tier App access DB as super-user Security features of DB are not used Goal: Increase managability of privileges. 17

explicit / implicit privileges positive / negative privileges strong / weak privileges Authorization Algo: Kinds of Privileges Input: (o, s, t) (May Subject s access Object o using Operation t?) Output: Boolean (grant access / refuse access) if (exists explicit or implicit strong privilege (o, s, t ) then return true else if (exists explicit or implicit strong negative privilege (o, s, t ) then return false else if (exists explicit or implicit weak privilege (o, s, t ) then return true else if (exists explicit or implicit weak negative privilege (o, s, t ) then return false return false // default: reject 18

Implicit Authorization: Subject Hierarchy President Dean Professor PhD Student Group Leader. Assistant Employees explicit positive privilege at one level implicit positive privileges on all higher levels explicit negative privilege at one level implicit negative privilege on all lower levels 19

Strong and Weak Privileges President Dean Professor PhD Student Pres. Assistant Privilege: Read Name of all Employees Employee overwrites Group Leader Assistant strong pos. privilege Privilege: Read Name of all Employees strong neg. privilege weak pos. Privilege weak neg. privilege 20

Implicit Privileges: Operation Hierarchy write read explicit positive privilege at one level implicit positive privileges on all lower levels explicit negative privilege at one level implicit negative privilege on all higher levels 21

Implicit Privileges: Object Hierarchy Database Schema Relation Tuple Attribute Implications depend on operations! 22

Implicit Authorizations & Normalization Subject Object Prof. X Tuple A.1 Prof. X Tuple A.2 Prof. X Tuple A.3 Prof. X Table A 23

Implicit Authorizations & Normalization Subject Object Prof. X Tuple A.1 Prof. X Tuple A.2 Prof. X Tuple A.3 Prof. X Table A Tuple Relation Subject Object Tuple A.1 Table A Prof. X Table A Tuple A.2 Table A Tuple A.3 Table A 24

Implicit Privileges: Type Hierarchy PersNr Name Employee age PersNr PersNr is-a Name Name PhD Student Professor age age Level area Room 25

Implicit Privileges: Type Hierarchy User Groups: Group leaders may read the name of all employees PhD students may read the name of all professors Queries: Read the name of all PhD students Read the name of all professors 26

Implicit Privileges: Type Hierarchy Rules: Privilege on A.x implies Privilege on B.x if B is subtype of A Privilege on Class A implies Privilege on A.x if x is inherited from supertype Privilege on Class A does NOT imply Right on B.x if B is subtype of A and x is defined in B. 27

Mandatory Access Control Classification of importance of subjects and objects clear(s), for Subject s class(o), for Object o Main idea: control data flow from low to high levels s may read o iff class(o) clear(s) Class of o depends on importance of creator s clear(s) class(o) Used in military: data flows bottom-up (control flows from top-down) 28

Multi-level Databases Goal: User should not know what he/she cannot see! s < ts ; Id is key of the SecretAgent relation SecretAgent TC Id IC Name NC Skills SC ts 007 s Bond, James s meucheln ts ts 008 ts Clouseau ts spitzeln ts View of a user who is classified as s SecretAgent TC Id IC Name NC Skills SC s 007 s Bond, James s - s Problems: s user inserts tuple with Id 008 s user modifies the Skills of 007 29

Multi-level Relations Multilevel-Relation R with schema R = {A 1, C 1, A 2, C 2,..., A n, C n, TC} Instances R C with tuples of the form [a 1, c 1, a 2, c 2,..., a n, c n, tc] Visibility of tuples in R C : c i c k for all attr. i; key k Visibility of attributes in R C : a i is visible if clear(s) c i tc c i (classification of tuple; not used here) 30

Integrity Constraints k is the (logical) key of Multi-level Relation R Entity-Integrity. R is entity consistent iff, for all instances R c of R and all r R c : 1. A i k r.a i Null 2. A i, A j k r.c i = r.c j 3. A i k r.c i r.c k (c k is class of the key) All visible tuples of R can be identified by their key at all levels. It is possible to hide some (non-key) attributes of a tuple. 31

Integrity Constraints k is the (logical) key of Multi-level Relation R Null-Integrity. R is Null consistent iff, for all instancesr c of R : 1. r R c : r.a i = Null r.c i = r.c k 2. R c has no subsumptions. That is, there are no two tuples r, s so that for all attributes A i : r.a i = s.a i and r.c i = s.c i OR r.a i Null and s.a i = Null (See next slides for subsumption violations.) 32

Subsumption-free Relations a) R ts SecretAgent TC Id IC Name NC Skill SC s 007 s Bond, James s - s b) Correct update of R ts by user classified as ts SecretAgent TC Id IC Name NC Skill SC ts 007 s Bond, James s meucheln ts c) Incorrect update of R ts by user classified as ts SecretAgent TC Id IC Name NC Skill SC s 007 s Bond, James s - s ts 007 s Bond, James s meucheln ts 33

Integrity Constraints Inter-instance Integrity: for c < c, R c can be computed from R c R c = f(r c, c ) Filter function f can be defined as follows: 1. foreach r R c, r.c k c create s R c such that s. a s. c i i r. ai if r. ci c' Null otherwise r. ci r. c k if r. c i c' otherwise 2. R c does not contain any other tuples. 3. Eliminate subsumed tuples. 34

Integrity Constraints Poly-instantiation Integrity. For all instances R c and all attributes A i the following functional dependency holds: {k, C k, C i } A i k is the visible key of each instance If all integrity constraints are met, then a multi-value relation can be implemented as a set of (regular) relations on top of a (regular) relational database system. 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback