INSE 6160 Database Security and Privacy


INSE 6160 Database Security and Privacy
Discretionary Access Control in DBMS
Prof. Lingyu Wang

Outline
- Grant-Revoke Model
- Meta-Policy and FAF
- Security By Views

Grant-Revoke
- Grant-Revoke Model (Griffiths & Wade 76, Fagin 78)
- Widely supported, e.g., Oracle, MySQL, etc.
- Basic syntax:
    GRANT rights ON objects TO subjects [WITH GRANT OPTION]
    REVOKE rights ON objects FROM subjects [CASCADE]
- What can be rights? Objects? And subjects in a DBMS?

Grant-Revoke
- rights: select, insert, update, drop, ALL, etc.
- objects: user, post, user.id (may also be databases, stored procedures, etc.)
- subjects: Bob, Alice, students, etc.

user
ID     password  Reg_Date
Bob    f70b082f  Oct-1-2005
Alice  2bcc1da0  Sep-27-2005
Eve    4f54aa2e  Aug-18-2005

post
No  ID     Topic                                  Date
1   Bob    About the random numbers               Nov-7-2005
2   Bob    A question in implementation of RSA    Oct-17-2005
3   Bob    About BIBA with Categories             Sep-17-2005
4   Alice  Breaking Caesar Cipher Problem         Oct-12-2005
5   Eve    Welcome to ISA 662 class discussion!   Aug-3-2005

Grant-Revoke
- Example:
    GRANT select ON user TO Bob WITH GRANT OPTION
    REVOKE select ON user FROM Bob CASCADE
- Almost exactly matches the ACM model
- WITH GRANT is the copy flag (the right of granting rights)
[Figure: access control matrix over sys, Bob, Alice and user, post, user.id, with the entry {select, insert} for Bob]

Grant Option and Cascading Revoke
- The Grant-Revoke model requires: if a right is revoked, the system should revert to a state in which the right was never granted
- Easier said than done
- With timestamps (auditing)
- What if B revokes D at 5:00?
[Figure: two grant graphs, Case 1 and Case 2, over users A to F with grant timestamps]

Cont'd
- What if there is no timestamp?
- What would have happened if B never grants D the right?
[Figure: grant graph over users A to F]
- Non-cascading revoke
- Need to add a new right (to compose a story)
[Figure: grant graph over A, B and D with timestamps]
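The timestamp-based cascading revoke described above, as an added example that is not part of the original slides. The two grant graphs and their timestamps are constructed for this illustration, and the function names are hypothetical.

```python
# Constructed sample data: grants of one right on one object.
# Tuples are (grantor, grantee, "HH:MM"); every grant carries the grant option.
OWNER = "A"
CASE_1 = {("A", "B", "01:00"), ("A", "C", "01:30"), ("B", "D", "02:30"),
          ("C", "D", "03:00"), ("D", "E", "02:45"), ("D", "F", "04:00")}
# Same graph, except C's grant to D is made before D's grant to E.
CASE_2 = (CASE_1 - {("C", "D", "03:00")}) | {("C", "D", "02:40")}


def cascading_revoke(grants, owner, revoker, revokee):
    """Return the grants left after `revoker` revokes the right from `revokee`.

    A grant made by X at time t survives only if X is the owner or X still
    holds an incoming grant made strictly before t. Otherwise X could not
    have made it in a history where the revoked grant never existed.
    """
    remaining = {g for g in grants if (g[0], g[1]) != (revoker, revokee)}
    changed = True
    while changed:  # repeat until no unsupported grant is left
        changed = False
        for grant in sorted(remaining, key=lambda g: g[2]):
            grantor, _grantee, when = grant
            if grantor == owner:
                continue
            supported = any(h[1] == grantor and h[2] < when for h in remaining)
            if not supported:
                remaining.discard(grant)
                changed = True
                break
    return remaining


def holders(grants, owner):
    """Users who hold the right under the given set of grants."""
    return {owner} | {grantee for _, grantee, _ in grants}


if __name__ == "__main__":
    for name, case in (("Case 1", CASE_1), ("Case 2", CASE_2)):
        left = cascading_revoke(case, OWNER, "B", "D")
        print(name, sorted(holders(left, OWNER)))
```

In the first graph E loses the right because D's only remaining support arrived after D granted to E; in the second graph the earlier grant from C keeps every downstream grant valid.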

Negative Authorizations
- You may decide to prohibit a right
  - It's not sufficient simply not to grant that right
  - Because someone else may grant it
- Solution: negative right
- Complications
  - Need a meta-policy to resolve potential conflicts between negative and positive rights
    - For example, denials take precedence
  - How to represent the effect of negative rights on positive ones?
    - Later, negative rights can be revoked, too

Cont'd
- Negative right interacting with positive right
- What if B gives D a negative right at 5:00?
- Delete A→D (denials take precedence) and D→F?
- What if later this negative right is revoked?
- Solution: mark A→D and D→F as blocked
  - But do not delete them
[Figure: grant graph over users A to F with signed, timestamped grants]

Cont'd
- Another example
- What if A revokes B at 6:00?
- Should revert to a state in which A never grants B
[Figure: three grant graphs over users A to F: the original graph, the result of a cascading revoke, and the result of a noncascading revoke; some grants are marked (Blocked)]

Outline
- Grant-Revoke Model
- Meta-Policy and FAF
- Security By Views

Meta-Policy
- Policy and meta-policy
  - Policy: Bob can select on user, and Alice can't
  - Meta-policy: if a user is given both a positive and a negative right, his positive right is blocked (denials take precedence)
  - A meta-policy is a policy about policies
- A system usually has an implicit meta-policy
- Meta-policies are needed because of
  - Under-specification: what if no policy is found
  - Over-specification: what if policies conflict

Typical Meta-Policies
- Closed policy: deny if no policy is found
    GRANT select ON user TO jim
    Jim: select * from post (denied)
- Open policy: allow if no policy is found
    DENY select ON user TO jim
    Jim: select * from post (allowed)
- Separation of duties (static vs dynamic)
  - Taking money/depositing account need two users

Typical Meta-Policies
- Permission/Denial/Most specific takes precedence
  - Most specific: a user's right overrides the group's
- Chinese Wall policy
- Different types of meta-policies may co-exist
  - We may need to apply different meta-policies on different objects/subjects/rights
  - E.g., open policy for SELECT, closed policy for DROP
- Hard-coded meta-policies are not sufficient
  - Can we deal with meta-policies just like policies?

Learn Logic Programming in 2 Slides
- Predicate logic programs are composed of:
  - job(user,job): a predicate that says user has a job, where user and job are variables that can be instantiated
  - D ← A & B & C: D is true if A, B, and C are all true
- The following says D is true if either (A&B&C = true) or (E&F = true):
    D ← A & B & C
    D ← E & F

Learn Logic Programming in 2 Slides
- Predicate logic programs
    job(user,job) ← righteducation(user,job) & goodpersonality(user) & goodcommunicationskills(user)
    goodjob(user,job2) ← job(user,job1) & workhard(user,job1) & luck(user)
    hasmoney(user) ← goodjob(user,job) & workhard(user,job)
    rich(user) ← hasmoney(user) & workhard(user,job) & knowtobecontent(user)
    rich(user1) ← marry(user1,user2) & rich(user2)
    corruptedmind(user) ← rich(user) & knowtobecontent(user)
    corruptedmind(user) ← losepride(user)
    happylife(user) ← hasmoney(user) & corruptedmind(user) & healthy(user)
- happylife(bob)?

Flexible Authorization Framework
- A policy-neutral logic language
  - That can be used to specify different meta-policies
  - That can help to enforce any mixture of meta-policies
- Basics
  - Predicates: cando(user,bob,+select) states a positive right: GRANT select ON user TO Bob
  - Rules: cando(user,bob,+select) ← ¬cando(user,bob,-select): a positive right is given if no corresponding negative right exists
  - A collection of rules forms a logic program, which can be run to derive authorization results from given facts

FAF-Predicates
- Enough to describe any meta-policy!
  - cando(o,s,<sign>a) states a granted right
  - dercando(o,s,<sign>a) states a derived right
  - do(o,s,<sign>a) states a decision
  - done(o,s,a) states a previously executed right
  - error(o,s,a) states an exception
- Let's talk English:
  - cando are facts (Bob is a nice guy; nice guys don't get rich)
  - dercando are derived facts (Bob isn't rich)
  - do are decisions based on all facts
  - done means history
  - error means something is wrong

FAF-Predicates
- Simpler facts for subject/object hierarchies:
  - dirin(bob,cs_dept), dirin(cs_dept,encs), dirin(ciise,encs), in(bob,encs)
  - typeof(oracle,dbms)
  - owner(bob, Bob_record)
- cando(o,s,<sign>a), dercando(o,s,<sign>a), do(o,s,<sign>a)
  - Each o, s, a can be a constant or a variable
  - <sign> is either + or -
  - Positive right or negative right

FAF-Rules
- Layers of rules to avoid loops
- Authorization rule: facts
    cando(o,s,<sign>a) ← L1 & L2 & ... & Ln
  - Each Li is in, dirin, or typeof
- Examples:
    cando(post,cs_dept,+select).
    cando(post,s,+insert) ← in(s,cs_dept)
    cando(o,bob,+insert) ← typeof(o,post_attributes)
    cando(o,s,-insert) ← in(s,cs_dept) & typeof(o,post_attributes)
- These are facts given by administrators
- Can only have simpler facts as conditions

FAF-Rules Cont'd
- Derivation rule: derived facts
    dercando(o,s,<sign>a) ← L1 & L2 & ... & Ln
  - Each Li is cando, dercando, done, in, dirin, or typeof
- Examples:
    dercando(o,s,-a) ← cando(o,s',-a) & in(s,s')
    dercando(o,s,-insert) ← dercando(o,s',-insert) & in(s,s')
- We can derive facts from given facts, or derived facts
- Recursive: the 2nd example can be run many times!

FAF-Rules Cont'd
- Done rule: history
    done(o,s,a)
- Examples:
    done(post,bob,select)
- History typically has no condition
- Or, maybe the only condition: you believe it

FAF-Rules Cont'd
- Resolution rule: decision
    do(o,s,<sign>a) ← L1 & L2 & ... & Ln
  - Each Li is do, cando, dercando, done, in, dirin, or typeof
- Examples:
    do(o,s,+a) ← cando(o,s,+a)
    do(o,s,-insert) ← dercando(o,s,-insert)
- A final decision is made based on given facts, derived facts, history, or simpler facts

FAF-Rules Cont'd
- Integrity rule: error
  - States exceptions that should never happen
    error() ← L1 & L2 & ... & Ln
  - Each Li is do, cando, dercando, done, in, dirin, or typeof
- Example:
    error() ← dercando(nice,bob,+is) & dercando(rich,bob,+is)

FAF Examples
- Closed policy
    dercando(o,u,+a) ← cando(o,s,+a) & in(u,s)
    do(o,u,+a) ← dercando(o,u,+a)
    error() ← cando(o,s,-a)
    do(o,u,-a) ← ¬do(o,u,+a)
- cando(exam, TA, +grading), in(bob, TA)
  - do(exam, Bob, +grading)?
  - do(exam, Alice, +grading)?

FAF Examples
- Open policy
    dercando(o,u,-a) ← cando(o,s,-a) & in(u,s)
    do(o,u,+a) ← ¬dercando(o,u,-a)
    error() ← cando(o,s,+a)
    do(o,u,-a) ← ¬do(o,u,+a)
- cando(exam, TA, -taking), in(bob, TA)
  - do(exam, Bob, +taking)?
  - do(exam, Alice, +taking)?

FAF Examples Cont'd
- Denials take precedence
    do(o,u,+a) ← dercando(o,u,+a) & ¬dercando(o,u,-a)
    do(o,u,-a) ← ¬do(o,u,+a)
- dercando(exam, Alice, +taking), dercando(exam, Bob, +taking), dercando(exam, Bob, -taking), dercando(exam, Eve, -taking)
  - do(exam, Alice, +taking)?
  - do(exam, Bob, +taking)?
  - do(exam, Eve, +taking)?

FAF Examples Cont'd
- Permissions take precedence
    do(o,u,+a) ← dercando(o,u,+a)
    do(o,u,-a) ← ¬do(o,u,+a)
- No conflict
    do(o,u,+a) ← dercando(o,u,+a)
    error() ← dercando(o,u,+a) & dercando(o,u,-a)
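A small evaluator for the meta-policies on the preceding FAF example slides, added here as an illustration; it is not code from the slides or from the FAF authors. It assumes in() is the reflexive, transitive closure of dirin, and it models the dercando facts of the denials example as cando facts placed directly on each user; the function names and policy labels are hypothetical.

```python
class PolicyError(Exception):
    """Raised when an integrity rule, error() <- ..., fires."""


def groups_of(subject, dirin):
    """All s with in(subject, s): the subject itself plus every ancestor via dirin."""
    seen, todo = {subject}, [subject]
    while todo:
        current = todo.pop()
        for child, parent in dirin:
            if child == current and parent not in seen:
                seen.add(parent)
                todo.append(parent)
    return seen


def dercando(cando, dirin, obj, user):
    """dercando(o,u,<sign>a) <- cando(o,s,<sign>a) & in(u,s)."""
    member_of = groups_of(user, dirin)
    return {signed for (o, s, signed) in cando if o == obj and s in member_of}


def do(cando, dirin, obj, user, action, policy):
    """Return '+' or '-' for do(obj, user, <sign>action) under one meta-policy."""
    derived = dercando(cando, dirin, obj, user)
    pos, neg = ("+" + action) in derived, ("-" + action) in derived
    if policy == "closed":
        if any(signed.startswith("-") for _, _, signed in cando):
            raise PolicyError("closed policy: negative cando fact present")
        allow = pos
    elif policy == "open":
        if any(signed.startswith("+") for _, _, signed in cando):
            raise PolicyError("open policy: positive cando fact present")
        allow = not neg
    elif policy == "denials":          # denials take precedence
        allow = pos and not neg
    elif policy == "permissions":      # permissions take precedence
        allow = pos
    elif policy == "no_conflict":
        if pos and neg:
            raise PolicyError("conflicting rights for " + user)
        allow = pos
    else:
        raise ValueError(policy)
    return "+" if allow else "-"       # do(o,u,-a) <- not do(o,u,+a)


# Facts from the slides (object, subject, signed action).
DIRIN = {("Bob", "TA")}
GRADING = {("exam", "TA", "+grading")}
NO_TAKING = {("exam", "TA", "-taking")}
TAKING = {("exam", "Alice", "+taking"), ("exam", "Bob", "+taking"),
          ("exam", "Bob", "-taking"), ("exam", "Eve", "-taking")}

if __name__ == "__main__":
    for who in ("Alice", "Bob", "Eve"):
        print(who, do(TAKING, DIRIN, "exam", who, "taking", "denials"))
```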

FAF Examples Cont'd
- Static separation of duty
    error ← do(course,s,taking) & do(course,s,taing)
- Dynamic separation of duty
    error ← done(course,s,taking) & done(course,s,taing)
- Chinese Wall policy
    error() ← done(o,s,r) & done(o,s,r) & typeof(o,company) & typeof(o,competitor)

Outline
- Grant-Revoke Model
- Meta-Policy and FAF
- Security By Views

Fine-Grained Access Control
- Grant-revoke provides no fine-grained control
  - For example, tuple level, attribute level
- Why fine-grained access control?
  - Table or attribute-level access control can't satisfy an application's requirements, e.g., myconcordia
  - Application-enforced access control is error prone
  - For example, SQL injection attack
      Application:        SELECT * FROM user WHERE ID='&input'
      Attacker's input:   Bob'; DELETE * FROM user;--
      Database (as sys):  SELECT * FROM user WHERE ID='Bob'; DELETE * FROM user;

Fine-Grained Access Control By Views
- View: a virtual relation as the result of a query
  - Not materialized
  - A query on views can be optimized, e.g., SELECT ID FROM Bob_post
- Grant-revoke works on views
    CREATE VIEW Bob_post AS SELECT * FROM post WHERE ID='Bob'
    GRANT ALL ON Bob_post TO Bob

Bob_post (not materialized)
No  ID   Topic                                 Date
1   Bob  About the random numbers              Nov-7-2005
2   Bob  A question in implementation of RSA   Oct-17-2005
3   Bob  About BIBA with Categories            Sep-17-2005

Query Modification
- E.g., Oracle VPD
- Transparently add a WHERE clause to the user's query before executing it
  - Bob asks the query: SELECT topic FROM post
  - He gets the answer for: SELECT topic FROM post WHERE ID='Bob'
- Different from security by views

Truman and Nontruman Model
- Truman model (Rizvi 04)
  - Bob asks the query: SELECT COUNT(topic) FROM post
  - He gets 3 as the answer, a misleading result
- Nontruman model
  - A query is either answered without change, if it can be rewritten using authorized views, or it is rejected
  - Example: SELECT COUNT(topic) FROM post will be rejected, because it cannot be rewritten using SELECT * FROM post WHERE ID='Bob'
  - However, determining whether a query can be rewritten using authorized views is a hard problem

Unconditional Validity
- To get a sense of why rewriting a query using authorized views is a hard problem:
- Unconditional validity: whether the query can be rewritten doesn't depend on the underlying data
- For example
  - Authorized view post_count: select id, count(*) as c from post group by id
  - Query: select count(*) from post where id='Bob'
  - The query can be rewritten as: select c from post_count where id='Bob', regardless of the underlying data
- Simple, huh?

Conditional Validity
- Conditional validity: whether the query can be rewritten depends on the underlying data
- For example
  - Authorized view post_count: select id, count(*) as c from post group by id having count(*) > 2
  - Query: select count(*) from post where id='Bob'
  - Whether the query can be rewritten as: select c from post_count where id='Bob' now depends on whether Bob has more than 2 posts
  - And if we reject the query, then Bob is known to have 2 or fewer posts
- Having a complete set of inference rules for checking conditional validity is still open
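The Truman result and the two validity cases above can be reproduced on the slides' post table with SQLite. This is an added example, not part of the original slides: the view name post_count_gt2 and the helper functions are hypothetical, and nontruman_answer compares against the base table only to illustrate the outcome, where a real validity checker would have to reason over the view definitions.

```python
import sqlite3

# Rows of the post table as shown on the slides.
POSTS = [
    (1, "Bob", "About the random numbers", "Nov-7-2005"),
    (2, "Bob", "A question in implementation of RSA", "Oct-17-2005"),
    (3, "Bob", "About BIBA with Categories", "Sep-17-2005"),
    (4, "Alice", "Breaking Caesar Cipher Problem", "Oct-12-2005"),
    (5, "Eve", "Welcome to ISA 662 class discussion!", "Aug-3-2005"),
]
VIEWS = ("post_count", "post_count_gt2")  # post_count_gt2 is a name made up here


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE post ("No" INTEGER, ID TEXT, Topic TEXT, Date TEXT)')
    db.executemany("INSERT INTO post VALUES (?, ?, ?, ?)", POSTS)
    db.execute("CREATE VIEW post_count AS "
               "SELECT ID, COUNT(*) AS c FROM post GROUP BY ID")
    # The conditional-validity view: only users with more than 2 posts appear.
    db.execute("CREATE VIEW post_count_gt2 AS "
               "SELECT ID, COUNT(*) AS c FROM post GROUP BY ID HAVING COUNT(*) > 2")
    return db


def truman_count(db, user):
    """What the user receives for SELECT COUNT(topic) FROM post after the
    engine has appended WHERE ID = <user> (query modification)."""
    sql = "SELECT COUNT(Topic) FROM post WHERE ID = ?"
    return db.execute(sql, (user,)).fetchone()[0]


def true_count(db):
    """What SELECT COUNT(topic) FROM post means on the full table."""
    return db.execute("SELECT COUNT(Topic) FROM post").fetchone()[0]


def count_via_view(db, view, user):
    """Rewrite 'select count(*) from post where id=<user>' against a view.
    Returns None when the view has no row for the user."""
    if view not in VIEWS:
        raise ValueError(view)
    row = db.execute(f"SELECT c FROM {view} WHERE ID = ?", (user,)).fetchone()
    return None if row is None else row[0]


def nontruman_answer(db, view, user):
    """Answer only if the view-based rewriting equals the original query,
    otherwise reject. Returns (answered, value)."""
    sql = "SELECT COUNT(*) FROM post WHERE ID = ?"
    direct = db.execute(sql, (user,)).fetchone()[0]
    rewritten = count_via_view(db, view, user)
    return (True, rewritten) if rewritten == direct else (False, None)
```

With post_count every user's query is answered; with post_count_gt2 the query is answered for Bob and rejected for Alice, and the rejection itself tells the asker that Alice has 2 or fewer posts.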

INSE 691A Database Security and Privacy
Grant and Revoke in Oracle
Prof. Lingyu Wang

Grant and Revoke in Oracle
- A privilege is a method to permit or deny access to data or to perform database operations
  - Another word for right
- In Oracle there are two types of privileges:
  - System privileges
  - Schema object privileges
    - Table privileges
    - View privileges
    - Procedure privileges
    - Type privileges

System Privileges
- Granted only by
  - a database administrator
  - a user with administration privileges
- Some system privileges: create session, alter any role, alter any table, alter any trigger, alter any type, alter any procedure, alter database, alter profile, alter any, create any cluster, create any index, create any view, create any table, create any procedure

Object Privileges
- Granted to a user by the schema owner
- Granted by a user with GRANT privileges
- Examples: select, insert, update, delete, alter, debug, execute, flashback, index, query rewrite, read, references
- Some schema objects, such as clusters, indexes, triggers, and database links, do not have associated object privileges
  - Can only use system privileges

ADMIN and GRANT Options
- Grant a privilege using the DCL GRANT statement
    SQL> grant select any table to Linda with admin option;   (by DBA)
    SQL> grant select any table to George;   (by Linda)
- Revoke a privilege using the DCL REVOKE statement:
    SQL> revoke select any table from Linda;   (by DBA)
- George still has the select any table privilege!

ADMIN Option and GRANT Option


Data Dictionary
- Oracle provides some data dictionary views to view privileges; they are
  - DBA_SYS_PRIVS
  - ALL_SYS_PRIVS
  - USER_SYS_PRIVS

Data Dictionary Example
- Example:
    SQL> DESC DBA_SYS_PRIVS;
    Name          Null?     Type
    ------------  --------  ------------
    GRANTEE       NOT NULL  VARCHAR2(30)
    PRIVILEGE     NOT NULL  VARCHAR2(40)
    ADMIN_OPTION            VARCHAR2(3)

    SQL> SELECT *
      2  FROM DBA_SYS_PRIVS
      3  WHERE GRANTEE='SCOTT';

    Grantee  Privilege             Admin
    -------  --------------------  -----
    SCOTT    UNLIMITED TABLESPACE  NO

GUI

Roles
- Role: used to organize and administer privileges
  - It is like a user, except it cannot own objects
  - Can be assigned privileges
  - Can be assigned to users
- Intermediate between privileges and users

Roles in Oracle
- In Oracle:
  - Create a role using the CREATE ROLE statement
  - Assign a role using the GRANT statement
    - Oracle Enterprise Manager Roles tool
  - Revoke a role using the REVOKE statement
  - Drop a role using the DROP statement
- These can be done by
  - Any user with the GRANT ANY ROLE system privilege
  - Any user granted a role with ADMIN option

Examples
- Create roles:
    SQL> CREATE ROLE DEV_ROLE;
    SQL> CREATE ROLE QA_ROLE;
- Assign a privilege to a role
    SQL> GRANT CREATE SESSION TO DEV_ROLE;
- Assign a role to a user
    SQL> GRANT DEV_ROLE to Bob;