INSE 6160 Database Security and Privacy
Discretionary Access Control in DBMS
Prof. Lingyu Wang

Outline
- Grant-Revoke Model
- Meta-Policy and FAF
- Security By Views
Grant-Revoke
- Grant-Revoke Model (Griffiths & Wade 76, Fagin 78)
- Widely supported, e.g., Oracle, MySQL, etc.
- Basic syntax:
    GRANT rights ON objects TO subjects [WITH GRANT OPTION]
    REVOKE rights ON objects FROM subjects [CASCADE]
- What can be rights? Objects? And subjects in a DBMS?
Grant-Revoke
- rights: select, insert, update, drop, ALL, etc.
- objects: user, post, user.id (may also be databases, stored procedures, etc.)
- subjects: Bob, Alice, students, etc.

Table user:
  ID     password  Reg_Date
  Bob    f70b082f  Oct-1-2005
  Alice  2bcc1da0  Sep-27-2005
  Eve    4f54aa2e  Aug-18-2005

Table post:
  No  ID     Topic                                  Date
  1   Bob    About the random numbers               Nov-7-2005
  2   Bob    A question in implementation of RSA    Oct-17-2005
  3   Bob    About BIBA with Categories             Sep-17-2005
  4   Alice  Breaking Caesar Cipher Problem         Oct-12-2005
  5   Eve    Welcome to ISA 662 class discussion!   Aug-3-2005
Grant-Revoke
- Example:
    GRANT select ON user TO Bob WITH GRANT OPTION
    REVOKE select ON user FROM Bob CASCADE
- Almost exactly matches the ACM (access control matrix) model
- WITH GRANT OPTION is the copy flag (the right of granting rights)
- Figure: access control matrix with subjects sys, Bob, Alice and objects user, post, user.id; Bob's entry shows {select, insert}
Grant Option and Cascading Revoke
- The Grant-Revoke model requires: if a right is revoked, the system should reverse to a state in which the right was never granted
- Easier said than done
- With timestamps (auditing): what if B revokes D at 5:00?
- Figure (two grant graphs, each edge labelled with the time of the grant):
    Case 1: A->B 1:00, A->C 1:30, B->D 2:30, D->E 2:45, C->D 3:00, D->F 4:00
    Case 2: A->B 1:00, A->C 1:30, B->D 2:30, C->D 2:40, D->E 2:45, D->F 4:00
Cont'd
- What if no timestamp?
- What would have happened if B had never granted D the right?
- Non-cascading revoke: need to add a new right (to compose a story)
- Figure: nodes A, B, D with A->B at 2:00 and B->D at 2:30; after the revoke a new edge A->D at 2:30 keeps D's right
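The timestamp rule behind the two slides above, as an added example (not code from the slides): a grant survives a revoke only if its grantor still held the right at a time strictly before the grant was made, and the check is repeated until the graph is stable. Grant times are taken from the figure; it is assumed that A is the owner of the right and that every grant carries the grant option. The `cascade=False` mode implements the "compose a story" repair of the second slide, re-attributing an orphaned grant to the revoker.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    time: int  # minutes since 0:00, parsed from the "H:MM" labels on the figure


def minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def G(grantor, grantee, hhmm):
    return Grant(grantor, grantee, minutes(hhmm))


# Constructed sample: the two grant graphs of the slide. A is assumed to be the
# owner of the right (it holds it without any grant) and every grant carries the
# grant option, so any holder may pass the right on.
OWNER = "A"
CASE1 = [G("A", "B", "1:00"), G("A", "C", "1:30"), G("B", "D", "2:30"),
         G("D", "E", "2:45"), G("C", "D", "3:00"), G("D", "F", "4:00")]
CASE2 = [G("A", "B", "1:00"), G("A", "C", "1:30"), G("B", "D", "2:30"),
         G("C", "D", "2:40"), G("D", "E", "2:45"), G("D", "F", "4:00")]


def holds_at(grants, subject, t, owner=OWNER):
    """A subject could legitimately grant at time t if it is the owner or some
    surviving grant to it was made strictly before t (the timestamp rule)."""
    return subject == owner or any(g.grantee == subject and g.time < t for g in grants)


def revoke(grants, grantor, grantee, cascade=True, owner=OWNER):
    """Remove grantor->grantee, then repair the graph until every remaining grant
    was made by someone who held the right at that moment.
    cascade=True : unsupported grants are deleted, recursively (CASCADE).
    cascade=False: unsupported grants are re-attributed to the revoker, i.e. the
                   story becomes 'the revoker granted it directly'."""
    remaining = [g for g in grants if (g.grantor, g.grantee) != (grantor, grantee)]
    while True:
        unsupported = [g for g in remaining
                       if not holds_at(remaining, g.grantor, g.time, owner)]
        if not unsupported:
            return remaining
        if cascade:
            remaining = [g for g in remaining if g not in unsupported]
            continue
        repaired = []
        for g in remaining:
            if g not in unsupported:
                repaired.append(g)
            elif holds_at(remaining, grantor, g.time, owner):
                repaired.append(Grant(grantor, g.grantee, g.time))
            # else: not even the revoker could have granted it then; drop it
        remaining = repaired


def holders(grants, owner=OWNER):
    """Everyone who currently has the right: the owner plus every grantee."""
    return {owner} | {g.grantee for g in grants}


if __name__ == "__main__":
    for name, case in (("Case 1", CASE1), ("Case 2", CASE2)):
        print(name, "after B revokes D at 5:00:", sorted(holders(revoke(case, "B", "D"))))
```

In Case 1, D's grant to E (2:45) predates C's grant to D (3:00), so E loses the right while F (granted at 4:00) keeps it; in Case 2, C's grant at 2:40 supports both of D's later grants, so nobody else is affected.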
Negative Authorizations
- You may decide to prohibit a right
- It's not sufficient simply not to grant that right, because someone else may grant it
- Solution: negative right
- Complications:
  - Need a meta-policy to resolve potential conflicts between negative and positive rights, for example, denials take precedence
  - How to represent the effect of negative rights on positive ones?
  - Later, negative rights can be revoked, too
Cont'd
- Negative right interacting with positive right
- Figure: A->B 1:00+, A->C 1:30+, B->D 2:30+, C->D 3:00+, D->E and D->F 4:00+; what if B gives D a negative right at 5:00 (B->D 5:00-)?
- Delete A->D (denials take precedence) and D->F?
- What if later this negative right is revoked?
- Solution: mark A->D and D->F as blocked, but do not delete them
Cont'd
- Another example: what if A revokes B at 6:00? Should reverse to a state in which A never granted B
- Figure: the grant graph from the previous slide (A->B 1:00+, A->C 1:30+, B->D 2:30+ and 5:00-, C->D 3:00+, D->E and D->F 4:00+, with the blocked grants marked), followed by the resulting graph under cascading revoke and under non-cascading revoke
Outline
- Grant-Revoke Model
- Meta-Policy and FAF
- Security By Views
Meta-Policy
- Policy and meta-policy
  - Policy: Bob can select on user, and Alice can't
  - Meta-policy: if a user is given both a positive and a negative right, his positive right is blocked (denials take precedence)
  - A meta-policy is a policy about policies
- A system usually has an implicit meta-policy
- Meta-policies are needed because of
  - Under-specification: what if no policy is found?
  - Over-specification: what if policies conflict?
Typical Meta-Policies
- Closed policy: deny if no policy is found
    GRANT select ON user TO jim
    Jim: select * from post (denied)
- Open policy: allow if no policy is found
    DENY select ON user TO jim
    Jim: select * from post (allowed)
- Separation of duties (static vs dynamic)
  - Taking money from / depositing to an account needs two users
Typical Meta-Policies
- Permission / denial / most specific takes precedence
  - Most specific: a user's right overrides the group's
- Chinese Wall policy
- Different types of meta-policies may co-exist
  - We may need to apply different meta-policies on different objects/subjects/rights, e.g., open policy for SELECT, closed policy for DROP
- Hard-coded meta-policies are not sufficient
- Can we deal with meta-policies just like policies?
Learn Logic Programming in 2 Slides
- Predicate logic programs are composed of:
  - job(user,job): a predicate that says user has a job, where user and job are variables that can be instantiated
  - D <- A & B & C: D is true if A, B, and C are all true
  - The following says D is true if either (A & B & C = true) or (E & F = true):
      D <- A & B & C
      D <- E & F
Learn Logic Programming in 2 Slides
- Predicate logic program:
    job(user,job) <- righteducation(user,job) & goodpersonality(user) & goodcommunicationskills(user)
    goodjob(user,job2) <- job(user,job1) & workhard(user,job1) & luck(user)
    hasmoney(user) <- goodjob(user,job) & workhard(user,job)
    rich(user) <- hasmoney(user) & workhard(user,job) & knowtobecontent(user)
    rich(user1) <- marry(user1,user2) & rich(user2)
    corruptedmind(user) <- rich(user) & not knowtobecontent(user)
    corruptedmind(user) <- losepride(user)
    happylife(user) <- hasmoney(user) & not corruptedmind(user) & healthy(user)
- happylife(bob)?
Flexible Authorization Framework
- A policy-neutral logic language
  - that can be used to specify different meta-policies
  - that can help to enforce any mixture of meta-policies
- Basics
  - Predicates: cando(user,bob,+select) states a positive right: GRANT select ON user TO Bob
  - Rules: cando(user,bob,+select) <- not cando(user,bob,-select): a positive right is given if no corresponding negative right exists
  - A collection of rules forms a logic program, which can be run to derive authorization results from given facts
FAF-Predicates
- Enough to describe any meta-policy!
  - cando(o,s,<sign>a) states a granted right
  - dercando(o,s,<sign>a) states a derived right
  - do(o,s,<sign>a) states a decision
  - done(o,s,a) states a previously executed right
  - error(o,s,a) states an exception
- Let's talk English:
  - cando are facts (Bob is a nice guy; nice guys don't get rich)
  - dercando are derived facts (Bob isn't rich)
  - do are decisions based on all facts
  - done means history
  - error means something is wrong
FAF-Predicates
- Simpler facts for subject/object hierarchies:
    dirin(bob,cs_dept), dirin(cs_dept,encs), dirin(ciise,encs), in(bob,encs)
    typeof(oracle,dbms)
    owner(bob, Bob_record)
- cando(o,s,<sign>a), dercando(o,s,<sign>a), do(o,s,<sign>a)
  - Each o, s, a can be a constant or a variable
  - <sign> is either + or -: positive right or negative right
FAF-Rules
- Layers of rules to avoid loops
- Authorization rule: facts
    cando(o,s,<sign>a) <- L1 & L2 & ... & Ln
  - Each Li is in, dirin, or typeof
  - Examples:
      cando(post,cs_dept,+select).
      cando(post,s,+insert) <- in(s,cs_dept)
      cando(o,bob,+insert) <- typeof(o,post_attributes)
      cando(o,s,-insert) <- in(s,cs_dept) & typeof(o,post_attributes)
  - These are facts given by administrators
  - Can only have simpler facts as conditions
FAF-Rules Cont'd
- Derivation rule: derived facts
    dercando(o,s,<sign>a) <- L1 & L2 & ... & Ln
  - Each Li is cando, dercando, done, in, dirin, or typeof
  - Examples:
      dercando(o,s,-a) <- cando(o,s',-a) & in(s,s')
      dercando(o,s,-insert) <- dercando(o,s',-insert) & in(s,s')
  - We can derive facts from given facts, or from derived facts
  - Recursive: the 2nd example can be run many times!
FAF-Rules Cont'd
- Done rule: history
    done(o,s,a)
  - Example: done(post,bob,select)
  - History typically has no condition
  - Or, maybe the only condition: you believe it
FAF-Rules Cont'd
- Resolution rule: decision
    do(o,s,<sign>a) <- L1 & L2 & ... & Ln
  - Each Li is do, cando, dercando, done, in, dirin, or typeof
  - Examples:
      do(o,s,+a) <- cando(o,s,+a)
      do(o,s,-insert) <- dercando(o,s,-insert)
  - A final decision is made based on given facts, derived facts, history, or simpler facts
FAF-Rules Cont'd
- Integrity rule: error
  - States exceptions that should never happen
    error() <- L1 & L2 & ... & Ln
  - Each Li is do, cando, dercando, done, in, dirin, or typeof
  - Example:
      error() <- dercando(nice,bob,+is) & dercando(rich,bob,+is)
FAF Examples
- Closed policy:
    dercando(o,u,+a) <- cando(o,s,+a) & in(u,s)
    do(o,u,+a) <- dercando(o,u,+a)
    error() <- cando(o,s,-a)
    do(o,u,-a) <- not do(o,u,+a)
- Given cando(exam, TA, +grading), in(bob, TA):
    do(exam, Bob, +grading)?
    do(exam, Alice, +grading)?
FAF Examples
- Open policy:
    dercando(o,u,-a) <- cando(o,s,-a) & in(u,s)
    do(o,u,+a) <- not dercando(o,u,-a)
    error() <- cando(o,s,+a)
    do(o,u,-a) <- not do(o,u,+a)
- Given cando(exam, TA, -taking), in(bob, TA):
    do(exam, Bob, +taking)?
    do(exam, Alice, +taking)?
FAF Examples Cont'd
- Denials take precedence:
    do(o,u,+a) <- dercando(o,u,+a) & not dercando(o,u,-a)
    do(o,u,-a) <- not do(o,u,+a)
- Given dercando(exam, Alice, +taking), dercando(exam, Bob, +taking), dercando(exam, Bob, -taking), dercando(exam, Eve, -taking):
    do(exam, Alice, +taking)?
    do(exam, Bob, +taking)?
    do(exam, Eve, +taking)?
FAF Examples Cont'd
- Permissions take precedence:
    do(o,u,+a) <- dercando(o,u,+a)
    do(o,u,-a) <- not do(o,u,+a)
- No conflict:
    do(o,u,+a) <- dercando(o,u,+a)
    error() <- dercando(o,u,+a) & dercando(o,u,-a)
FAF Examples Cont'd
- Static separation of duty:
    error() <- do(course,s,taking) & do(course,s,taing)
- Dynamic separation of duty:
    error() <- done(course,s,taking) & done(course,s,taing)
- Chinese Wall policy:
    error() <- done(o,s,r) & done(o',s,r') & typeof(o,company) & typeof(o',competitor)
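A small evaluator for the FAF rule layers shown on the preceding slides, added here as an example (it is not the FAF authors' code and uses plain Python sets instead of a logic-programming engine). Rights are tuples (object, subject, sign, action); the membership facts `dirin(bob,ta)`, `dirin(ta,cs_dept)` and `dirin(cs_dept,encs)` are constructed for the example, and `in` is computed as the recursive derivation rule would derive it. `decide` implements the resolution rules of the closed, open, denials-take-precedence and permissions-take-precedence policies, and `integrity_errors` the error() rules.

```python
# Toy evaluator for the FAF rule layers (added example, not the FAF authors' code).
# A right is a tuple (object, subject, sign, action) with sign '+' or '-'.

# Constructed facts: a subject hierarchy in the style of the slides' dirin facts.
DIRIN = {("bob", "ta"), ("ta", "cs_dept"), ("cs_dept", "encs")}


def transitive_in(dirin):
    """in(s,g) as the recursive derivation in(s,g) <- dirin(s,g') & in(g',g)
    derives it: the transitive closure of dirin."""
    inn = set(dirin)
    changed = True
    while changed:
        changed = False
        for (s, g1) in list(inn):
            for (g2, g) in dirin:
                if g1 == g2 and (s, g) not in inn:
                    inn.add((s, g))
                    changed = True
    return inn


def derive(cando, inn):
    """Derivation rule dercando(o,u,sign,a) <- cando(o,s,sign,a) & in(u,s).
    A right granted to u directly also counts as derived for u."""
    der = set(cando)
    for (o, s, sign, a) in cando:
        for (u, g) in inn:
            if g == s:
                der.add((o, u, sign, a))
    return der


def decide(policy, der, o, u, a):
    """Resolution rules of the four meta-policies on the slides.
    Returns True for do(o,u,+a) and False for do(o,u,-a)."""
    pos = (o, u, "+", a) in der
    neg = (o, u, "-", a) in der
    if policy == "closed":       # do(+) <- dercando(+);            do(-) <- not do(+)
        return pos
    if policy == "open":         # do(+) <- not dercando(-);        do(-) <- not do(+)
        return not neg
    if policy == "denials":      # do(+) <- dercando(+) & not dercando(-)
        return pos and not neg
    if policy == "permissions":  # do(+) <- dercando(+)  (a denial does not block it)
        return pos
    raise ValueError(f"unknown meta-policy {policy!r}")


def integrity_errors(policy, cando, der):
    """Integrity rules: the (object, subject, action) triples that fire error().
    closed     : error() <- cando(o,s,-a)   (negative facts are not allowed)
    open       : error() <- cando(o,s,+a)   (positive facts are not allowed)
    noconflict : error() <- dercando(o,u,+a) & dercando(o,u,-a)"""
    if policy == "closed":
        return {(o, s, a) for (o, s, sign, a) in cando if sign == "-"}
    if policy == "open":
        return {(o, s, a) for (o, s, sign, a) in cando if sign == "+"}
    if policy == "noconflict":
        return {(o, u, a) for (o, u, sign, a) in der
                if sign == "+" and (o, u, "-", a) in der}
    return set()


if __name__ == "__main__":
    inn = transitive_in(DIRIN)
    der = derive({("exam", "ta", "+", "grading")}, inn)
    for user in ("bob", "alice"):
        print("closed: do(exam,", user, ",+grading) =", decide("closed", der, "exam", user, "grading"))
```

Running the slide's closed-policy example gives do(exam, bob, +grading) = True and do(exam, alice, +grading) = False; under the open policy with cando(exam, TA, -taking) the answers flip. Because `in` is the transitive closure, a cando on cs_dept reaches bob through ta, which is what the recursive derivation rule buys.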
Outline
- Grant-Revoke Model
- Meta-Policy and FAF
- Security By Views

Table user:
  ID     password  Reg_Date
  Bob    f70b082f  Oct-1-2005
  Alice  2bcc1da0  Sep-27-2005
  Eve    4f54aa2e  Aug-18-2005

Table post:
  No  ID     Topic                                  Date
  1   Bob    About the random numbers               Nov-7-2005
  2   Bob    A question in implementation of RSA    Oct-17-2005
  3   Bob    About BIBA with Categories             Sep-17-2005
  4   Alice  Breaking Caesar Cipher Problem         Oct-12-2005
  5   Eve    Welcome to ISA 662 class discussion!   Aug-3-2005
Fine-Grained Access Control
- Grant-revoke provides no fine-grained control, for example at tuple level or attribute level
- Why fine-grained access control?
  - Table- or attribute-level access control can't satisfy application requirements, e.g., myconcordia
  - Application-enforced access control is error prone, for example the SQL injection attack:
      attacker -> Application: the application builds  SELECT * FROM user WHERE ID='<input>'
      Application (as sys) -> Database:  SELECT * FROM user WHERE ID='Bob'; DELETE * FROM user;--'
      with the input  Bob'; DELETE * FROM user;--
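The slide's point is that the application, not the database, decides what the input means. As an added example (not from the slides), the following contrasts the string-building pattern shown above with a parameterized query, using SQLite and a constructed copy of the user table. The unsafe query is only built as text and never executed; the safe lookup binds the same input as a parameter, so the database sees it as a value to compare against ID, not as SQL.

```python
import sqlite3

# Constructed sample data: the user table from the slides.
USERS = [
    ("Bob", "f70b082f", "Oct-1-2005"),
    ("Alice", "2bcc1da0", "Sep-27-2005"),
    ("Eve", "4f54aa2e", "Aug-18-2005"),
]

# The input shown on the slide.
SLIDE_INPUT = "Bob'; DELETE * FROM user;--"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (ID TEXT PRIMARY KEY, password TEXT, Reg_Date TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", USERS)
    return conn


def build_query_unsafe(user_input):
    """The pattern from the slide: raw input pasted into the SQL text.
    Returned as a string only, so nothing here ever executes it."""
    return "SELECT * FROM user WHERE ID='" + user_input + "'"


def statement_count(sql):
    """Rough indicator of what the database would see: how many statements
    the text contains once the application has glued the input in."""
    return sum(1 for part in sql.split(";") if part.strip() and not part.strip().startswith("--"))


def lookup_user_safe(conn, user_input):
    """Hardened form: a bound parameter is always data, never SQL text, so the
    whole input is compared against ID as one string."""
    return conn.execute("SELECT ID, Reg_Date FROM user WHERE ID = ?", (user_input,)).fetchall()


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM user").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("unsafe text :", build_query_unsafe(SLIDE_INPUT))
    print("safe lookup :", lookup_user_safe(db, SLIDE_INPUT))  # [] : no such ID
    print("rows left   :", row_count(db))                      # 3
```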
Fine-Grained Access Control By Views
- View: a virtual relation that is the result of a query
  - Not materialized
  - A query on views can be optimized, e.g., SELECT ID FROM Bob_post
- Grant-revoke works on views:
    CREATE VIEW Bob_post AS SELECT * FROM post WHERE ID='Bob'
    GRANT ALL ON Bob_post TO Bob
- Bob_post (not materialized):
    No  ID   Topic                                Date
    1   Bob  About the random numbers             Nov-7-2005
    2   Bob  A question in implementation of RSA  Oct-17-2005
    3   Bob  About BIBA with Categories           Sep-17-2005
Query Modification
- E.g., Oracle VPD
- Transparently add a WHERE clause to the user's query before executing it
- Bob asks the query: SELECT topic FROM post
- He gets the answer for: SELECT topic FROM post WHERE ID='Bob'
- Different from security by views
Truman and Nontruman Model
- Truman model (Rizvi 04)
  - Bob asks the query: SELECT COUNT(topic) FROM post
  - He gets 3 as the answer, a misleading result
- Nontruman model
  - A query is either answered without change, if it can be rewritten using authorized views, or it is rejected
  - Example: SELECT COUNT(topic) FROM post will be rejected, because it cannot be rewritten using SELECT * FROM post WHERE ID='Bob'
  - However, determining whether a query can be rewritten using authorized views is a hard problem
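The three mechanisms just described, security by views, query modification (Truman) and the non-Truman accept-or-reject rule, side by side on the slides' post table in SQLite, as an added example that is not code from the slides or from Oracle VPD. The rewriter is a toy that handles a single-table SELECT with at most one WHERE, and the non-Truman "rewritability" test is deliberately simplistic (the query must already carry the view's own predicate); the column named No on the slides is called PostNo here to avoid a SQL keyword.

```python
import re
import sqlite3

# Constructed from the post table on the slides (No -> PostNo).
POSTS = [
    (1, "Bob", "About the random numbers", "Nov-7-2005"),
    (2, "Bob", "A question in implementation of RSA", "Oct-17-2005"),
    (3, "Bob", "About BIBA with Categories", "Sep-17-2005"),
    (4, "Alice", "Breaking Caesar Cipher Problem", "Oct-12-2005"),
    (5, "Eve", "Welcome to ISA 662 class discussion!", "Aug-3-2005"),
]


def make_db():
    """In-memory database with the post table and Bob's authorized view
    (security by views: Bob would be granted rights on Bob_post, not on post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE post (PostNo INTEGER PRIMARY KEY, ID TEXT, Topic TEXT, Date TEXT)")
    conn.executemany("INSERT INTO post VALUES (?, ?, ?, ?)", POSTS)
    conn.execute("CREATE VIEW Bob_post AS SELECT * FROM post WHERE ID = 'Bob'")
    return conn


def query_modification(sql, user):
    """Truman model / VPD style: silently AND the row-level predicate into the
    user's query on post. Toy rewriter: one table, at most one WHERE, nothing
    after it. The user name is bound as a parameter, never pasted into the text."""
    if re.search(r"\bWHERE\b", sql, re.I):
        rewritten = re.sub(r"\bWHERE\b", "WHERE ID = ? AND (", sql, count=1, flags=re.I) + ")"
    else:
        rewritten = sql + " WHERE ID = ?"
    return rewritten, (user,)


def truman_answer(conn, sql, user):
    rewritten, params = query_modification(sql, user)
    return conn.execute(rewritten, params).fetchall()


AUTHORIZED_PREDICATE = re.compile(r"\bID\s*=\s*'Bob'", re.I)


def nontruman_answer(conn, sql):
    """Non-Truman model: answer the query unchanged only if it can be rewritten
    over the authorized view, otherwise reject it (None). Toy rewritability test:
    the query must already contain the view's predicate ID='Bob'; a real checker
    has to solve the hard rewriting problem the slide mentions."""
    if not AUTHORIZED_PREDICATE.search(sql):
        return None
    over_view = re.sub(r"\bFROM\s+post\b", "FROM Bob_post", sql, flags=re.I)
    return conn.execute(over_view).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("Truman    :", truman_answer(db, "SELECT COUNT(Topic) FROM post", "Bob"))  # [(3,)]
    print("Non-Truman:", nontruman_answer(db, "SELECT COUNT(Topic) FROM post"))       # None
```

Under query modification Bob's `SELECT COUNT(Topic) FROM post` silently becomes a count over his own rows and returns 3, the misleading answer the slide describes; the non-Truman function refuses the same query and only answers once it is phrased in terms the authorized view can express.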
Unconditional Validity
- To get a sense of why rewriting a query using authorized views is a hard problem:
- Unconditional validity: whether the query can be rewritten doesn't depend on the underlying data
- For example
  - Authorized view post_count: select id, count(*) as c from post group by id
  - Query: select count(*) from post where id='Bob'
  - The query can be rewritten as: select c from post_count where id='Bob', regardless of the underlying data
- Simple, huh?
Conditional Validity
- Conditional validity: whether the query can be rewritten depends on the underlying data
- For example
  - Authorized view post_count: select id, count(*) as c from post group by id having c>2
  - Query: select count(*) from post where id='Bob'
  - Whether the query can be rewritten as: select c from post_count where id='Bob' now depends on whether Bob has more than 2 posts
  - And if we reject the query, then Bob is known to have 2 or fewer posts
- A complete set of inference rules for checking conditional validity is still an open problem
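The two validity cases above, made concrete on the slides' post table in SQLite, as an added example (not from the slides): the same base query and the same rewriting are run against the unconditional view and against the view with the having c>2 condition, before and after one of Bob's posts is deleted. The column named No on the slides is called PostNo here to avoid a SQL keyword, and the posts are the slides' five rows reduced to (PostNo, ID).

```python
import sqlite3

# Constructed from the slides' post table: (PostNo, ID).
POSTS = [(1, "Bob"), (2, "Bob"), (3, "Bob"), (4, "Alice"), (5, "Eve")]

UNCONDITIONAL_VIEW = "SELECT ID, COUNT(*) AS c FROM post GROUP BY ID"
CONDITIONAL_VIEW = "SELECT ID, COUNT(*) AS c FROM post GROUP BY ID HAVING COUNT(*) > 2"
BASE_QUERY = "SELECT COUNT(*) FROM post WHERE ID = 'Bob'"
REWRITTEN_QUERY = "SELECT c FROM post_count WHERE ID = 'Bob'"


def make_db(view_sql):
    """In-memory post table plus the authorized view post_count."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE post (PostNo INTEGER PRIMARY KEY, ID TEXT)")
    conn.executemany("INSERT INTO post VALUES (?, ?)", POSTS)
    conn.execute("CREATE VIEW post_count AS " + view_sql)
    return conn


def rewriting_is_valid_on(conn):
    """True when the rewritten query over the authorized view returns exactly the
    base query's answer on the data currently in the database. Unconditional
    validity means this holds in every database state; conditional validity
    means it depends on the state."""
    return conn.execute(BASE_QUERY).fetchall() == conn.execute(REWRITTEN_QUERY).fetchall()


def answer_or_reject(conn):
    """Non-Truman decision for the base query: answer through the view when the
    rewriting is valid, otherwise reject (None). With the conditional view the
    rejection itself tells Bob that he has at most 2 posts."""
    return conn.execute(REWRITTEN_QUERY).fetchall() if rewriting_is_valid_on(conn) else None


if __name__ == "__main__":
    for label, view in (("unconditional", UNCONDITIONAL_VIEW), ("conditional", CONDITIONAL_VIEW)):
        db = make_db(view)
        before = answer_or_reject(db)
        db.execute("DELETE FROM post WHERE PostNo = 3")   # Bob now has 2 posts
        print(label, "view: before =", before, " after delete =", answer_or_reject(db))
```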
INSE 691A Database Security and Privacy
Grant and Revoke in Oracle
Prof. Lingyu Wang
Grant and Revoke in Oracle
- A privilege is a method to permit or deny access to data or to perform database operations
  - Another word for right
- In Oracle there are two types of privileges:
  - System privileges
  - Schema object privileges
    - Table privileges
    - View privileges
    - Procedure privileges
    - Type privileges
System Privileges
- Granted only by a database administrator or a user with administration privileges
- Some system privileges: create session, alter any role, alter any table, alter any trigger, alter any type, alter any procedure, alter database, alter profile, alter any ..., create any cluster, create any index, create any view, create any table, create any procedure, ...
Object Privileges
- Granted to a user by the schema owner
- Granted by a user with GRANT privileges
- Examples: select, insert, update, delete, alter, debug, execute, flashback, index, query rewrite, read, references
- Some schema objects, such as clusters, indexes, triggers, and database links, do not have associated object privileges
  - Can only use system privileges
ADMIN and GRANT Options
- Grant a privilege using the DCL GRANT statement:
    SQL> grant select any table to Linda with admin option;   (by DBA)
    SQL> grant select any table to George;                    (by Linda)
- Revoke a privilege using the DCL REVOKE statement:
    SQL> revoke select any table from Linda                   (by DBA)
- George still has the select any table privilege!
ADMIN Option and GRANT Option
Data Dictionary
- Oracle provides some data dictionary views to view privileges; they are
  - DBA_SYS_PRIVS
  - ALL_SYS_PRIVS
  - USER_SYS_PRIVS
Data Dictionary Example
SQL> DESC DBA_SYS_PRIVS;
 Name          Null?     Type
 ------------- --------- -------------
 GRANTEE       NOT NULL  VARCHAR2(30)
 PRIVILEGE     NOT NULL  VARCHAR2(40)
 ADMIN_OPTION            VARCHAR2(3)

SQL> SELECT *
  2  FROM DBA_SYS_PRIVS
  3  WHERE GRANTEE='SCOTT';
 Grantee  Privilege             Admin
 -------- --------------------- -----
 SCOTT    UNLIMITED TABLESPACE  NO
GUI
Roles
- Role: used to organize and administer privileges
  - It is like a user, except it cannot own objects
  - Can be assigned privileges
  - Can be assigned to users
- Intermediate between privileges and users
Roles in Oracle
- In Oracle:
  - Create a role using the CREATE ROLE statement
  - Assign a role using the GRANT statement or the Oracle Enterprise Manager Roles tool
  - Revoke a role using the REVOKE statement
  - Drop a role using the DROP statement
- These can be done by
  - Any user with the GRANT ANY ROLE system privilege
  - Any user granted a role with ADMIN option
Examples
- Create roles:
    SQL> CREATE ROLE DEV_ROLE;
    SQL> CREATE ROLE QA_ROLE;
- Assign a privilege to a role:
    SQL> GRANT CREATE SESSION TO DEV_ROLE;
- Assign a role to a user:
    SQL> GRANT DEV_ROLE to Bob;