Database Security - Databases System Implement - Lecture Slides | CS 4420, Study notes of Computer Science

Material Type: Notes; Class: Database Sys Implement; Subject: Computer Science; University: Georgia Institute of Technology-Main Campus; Term: Spring 2004;

Uploaded on 08/05/2009

CS 4420
Database Security
Ling Liu
Associate Professor
College of Computing
Georgia Tech
2003 CSI/FBI Computer Security Survey
Source: http://www.gocsi.com/

Figure: Attack Sophistication vs. Intruder Technical Knowledge (Copyright: CERT, 2000). The vertical axis runs from Low to High intruder knowledge, the horizontal axis from 1980 to 2000; the curves are labelled Tools, Attackers, Intruder Knowledge and Attack Sophistication. Techniques plotted along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth" / advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged attack.

Goals of DB Security

  • Integrity: Only authorized users should be allowed to modify data.
  • Availability: Making data available to the authorized users and application programs.
  • Secrecy (or Confidentiality): Protection of data from unauthorized disclosure.

Access Control

  • Ensures that all direct accesses to objects are authorized
  • Protects against accidental and malicious threats by regulating the read, write and execution of data and programs
  • Need:
    • Proper user identification
    • Information specifying the access rights is protected from modification
  • Access control components:
    • Access control policy: specifies the authorized accesses of a system
    • Access control mechanism: implements and enforces the policy

Access Control

Access Control - Basics

  • Subject: active entity that requests access to an object
    • e.g., user or program
  • Object: passive entity accessed by a subject
    • e.g., record, relation, file
  • Access right (privileges): how a subject is allowed to access an object
    • e.g., subject s can read object o

Access Control Models

  • Discretionary Access Control (DAC): grants privileges to users, including the capability to access specific data files, records, or fields in a specific mode (such as read, insert, delete, or update).
  • Mandatory Access Control (MAC): classifies users and data into multiple levels of security, and then enforces appropriate rules.
  • Role-Based Access Control (RBAC)

Access Matrix Model (cont.)

  • Conditions can be associated with access authorization
    • Data-dependent
      • Specifying constraints on the value of accessed data
    • Time-dependent
      • Specifying constraints on the time when an access can take place
    • Context-dependent
      • Specifying constraints on combinations of data which can be accessed
    • History-dependent:
      • Specifying constraints dependent on previously performed accesses
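Worked example, added here and not taken from the lecture: an access matrix A[S,O] whose entries carry an access mode plus an optional condition that is evaluated when the request is made, so each of the four kinds of conditional authorization above (data-, time-, context- and history-dependent) can be checked by the same mechanism. The subjects, objects, sample tuples and timestamps are constructed for the example, and the `enter`/`delete` calls on matrix entries are a hypothetical interface.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Optional

# Added example (not from the lecture): access matrix A[S,O] with conditional entries.
# Subjects, objects, sample rows and timestamps are constructed for illustration.

@dataclass
class Request:
    subject: str
    obj: str
    mode: str                                    # read / write / append / execute
    now: datetime                                # consulted by time-dependent conditions
    row: dict = field(default_factory=dict)      # tuple or columns being accessed (data-/context-dependent)
    history: list = field(default_factory=list)  # earlier (object, mode) accesses in this session

Condition = Optional[Callable[[Request], bool]]

class AccessMatrix:
    def __init__(self):
        self.A = {}  # A[subject][object] -> list of (mode, condition); condition None = unconditional

    def enter(self, subject, obj, mode, condition: Condition = None):
        """Enter operation `mode` into A[subject, obj], optionally guarded by a condition."""
        self.A.setdefault(subject, {}).setdefault(obj, []).append((mode, condition))

    def delete(self, subject, obj, mode):
        """Delete operation `mode` from A[subject, obj]."""
        entries = self.A.get(subject, {}).get(obj)
        if entries is not None:
            self.A[subject][obj] = [e for e in entries if e[0] != mode]

    def check(self, req: Request) -> bool:
        """Grant iff some entry of A[req.subject, req.obj] has the requested mode and its condition holds."""
        for mode, condition in self.A.get(req.subject, {}).get(req.obj, []):
            if mode == req.mode and (condition is None or condition(req)):
                return True
        return False


def demo() -> dict:
    m = AccessMatrix()
    # data-dependent: the clerk may read Employee tuples only below a salary threshold
    m.enter("clerk", "Employee", "read", lambda r: r.row.get("Salary", 0) < 50000)
    # time-dependent: the clerk may write Employee only during office hours (09:00 to 17:00)
    m.enter("clerk", "Employee", "write", lambda r: 9 <= r.now.hour < 17)
    # context-dependent: the auditor may not see Name and Salary of the same tuple together
    m.enter("auditor", "Employee", "read", lambda r: not {"Name", "Salary"} <= set(r.row))
    # history-dependent: the analyst may write Public only if Secret was not read earlier in the session
    m.enter("analyst", "Secret", "read")
    m.enter("analyst", "Public", "write", lambda r: ("Secret", "read") not in r.history)

    day = datetime(2004, 3, 1, 9, 30)      # constructed timestamps
    night = datetime(2004, 3, 1, 22, 0)
    results = {
        "clerk_reads_low_salary": m.check(Request("clerk", "Employee", "read", day, {"Name": "J. Black", "Salary": 25000})),
        "clerk_reads_high_salary": m.check(Request("clerk", "Employee", "read", day, {"Name": "S. Red", "Salary": 58000})),
        "clerk_writes_by_day": m.check(Request("clerk", "Employee", "write", day)),
        "clerk_writes_at_night": m.check(Request("clerk", "Employee", "write", night)),
        "auditor_salary_only": m.check(Request("auditor", "Employee", "read", day, {"Salary": 43000})),
        "auditor_name_and_salary": m.check(Request("auditor", "Employee", "read", day, {"Name": "S. Red", "Salary": 43000})),
        "analyst_clean_session": m.check(Request("analyst", "Public", "write", day)),
        "analyst_after_secret": m.check(Request("analyst", "Public", "write", day, history=[("Secret", "read")])),
        "no_matrix_entry": m.check(Request("clerk", "Secret", "read", day)),
    }
    m.delete("clerk", "Employee", "read")   # remove the clerk's read entry again
    results["clerk_after_delete"] = m.check(Request("clerk", "Employee", "read", day, {"Salary": 25000}))
    return results
```

The conditions are ordinary predicates over the request, so the matrix stays a plain lookup table and the policy decision (mode matches, condition holds) is made in one place; the history-dependent case needs the session to carry its access log into every request.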

Access Matrix Model (cont.)

  • An Example
    • Object types:
      • Relations, views, rows (records), columns, operations
    • Subject types:
      • Users, accounts, programs

  subject \ object | O1        | …  | Oi        | …  | Om
  S1               | A[S1,O1]  | …  | A[S1,Oi]  | …  | A[S1,Om]
  S2               | A[S2,O1]  | …  | A[S2,Oi]  | …  | A[S2,Om]
  …                | …         |    | …         |    | …
  Sn               | A[Sn,O1]  | …  | A[Sn,Oi]  | …  | A[Sn,Om]

Access Modes

  • Access Modes
    • Read, Write, Append, and Execute
  • Operations
    • A[S,O] is an entry in the access matrix.
  • Mechanisms
    • <enter | delete> <subject Si>
    • <enter | delete> <object Oj>
    • <enter | delete> <operation x> <into | from> A[Si, Oj]

Discretionary Access Control

CREATE SCHEMA DB-schema-name AUTHORIZATION user;

GRANT privileges ON object TO users [WITH GRANT OPTION];

REVOKE [GRANT OPTION FOR] privileges ON object FROM users {CASCADE | RESTRICT};

Privileges: SELECT, INSERT, DELETE, UPDATE, REFERENCES

DAC by Views

Employee relation

  Name      | Dept  | Salary | Manager
  L. White  | Candy | 28,000 | G.R. Green
  S. Red    | Toy   | 43,000 | K. Brown
  J. Black  | Toy   | 25,000 | S. Red

CREATE VIEW toy_dept AS SELECT Name, Salary, Manager FROM Employee WHERE Dept = 'Toy';

toy_dept view

  Name      | Salary | Manager
  S. Red    | 43,000 | K. Brown
  J. Black  | 25,000 | S. Red
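Added example, not part of the slides: the Employee relation and the toy_dept view rebuilt in SQLite from Python. SQLite has no GRANT statement, so the example uses the sqlite3 authorizer callback to stand in for a user who holds SELECT on toy_dept but no privilege on the base relation; that authorizer-as-DAC simulation is the example's own construction, and the rows are a constructed copy of the slide's table.

```python
import sqlite3

# Constructed copy of the slide's Employee relation: (Name, Dept, Salary, Manager)
EMPLOYEE_ROWS = [
    ("L. White", "Candy", 28000, "G.R. Green"),
    ("S. Red",   "Toy",   43000, "K. Brown"),
    ("J. Black", "Toy",   25000, "S. Red"),
]

def build_db() -> sqlite3.Connection:
    """Create Employee and the toy_dept view, as the owner would."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Employee (Name TEXT, Dept TEXT, Salary INTEGER, Manager TEXT)")
    con.executemany("INSERT INTO Employee VALUES (?, ?, ?, ?)", EMPLOYEE_ROWS)
    con.execute("CREATE VIEW toy_dept AS SELECT Name, Salary, Manager FROM Employee WHERE Dept = 'Toy'")
    con.commit()
    return con

def as_toy_dept_user(con: sqlite3.Connection) -> sqlite3.Connection:
    """Simulate 'GRANT SELECT ON toy_dept TO user' with nothing granted on Employee.
    SQLite calls the authorizer while compiling each statement; its fifth argument
    names the view through which a column is read, or None for direct top-level access."""
    def authorizer(action, table, column, db_name, via):
        if action == sqlite3.SQLITE_READ and table == "Employee" and via != "toy_dept":
            return sqlite3.SQLITE_DENY      # direct access to the base relation is refused
        return sqlite3.SQLITE_OK
    con.set_authorizer(authorizer)
    return con

def run(con, sql):
    """Return the result rows, or 'denied' when the authorizer refuses the statement."""
    try:
        return con.execute(sql).fetchall()
    except sqlite3.Error:
        return "denied"

def demo() -> dict:
    con = as_toy_dept_user(build_db())
    return {
        "view_rows": run(con, "SELECT Name, Salary, Manager FROM toy_dept ORDER BY Name"),
        "view_columns": [d[0] for d in con.execute("SELECT * FROM toy_dept").description],
        "base_table": run(con, "SELECT * FROM Employee"),                            # refused
        "candy_dept": run(con, "SELECT Name FROM Employee WHERE Dept = 'Candy'"),   # refused
    }
```

The view is the only path to Employee the simulated user has: the Candy row and the Dept column never reach the user, while the Toy rows come through because the read on Employee is attributed to toy_dept. The same check that refuses `SELECT * FROM Employee` is what a real DBMS performs when the user holds SELECT on the view but not on the base table.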

DAC by Grant and Revoke

Figure: grant graph for the Employee relation, with Brown (owner) at the top, Black, Red and White below, and an edge between Black and Red.

GRANT SELECT ON Employee TO Red
GRANT SELECT ON Employee TO Black WITH GRANT OPTION
GRANT UPDATE(Salary) ON Employee TO White

  • Brown revokes the grant given to Black?
  • Brown does not want Red to access the Employee relation?

Weakness of Discretionary Access Control

Authorization Graph

Figure: authorization graph rooted at System, with user nodes (user1, user3, ...) and one edge per privilege passed from grantor to grantee, e.g. (System, user1, SELECT ON EMPLOYEE WITH GRANT OPTION); edges are marked Granted Privilege or Revoked Privilege.
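Added example, not from the slides: a small authorization graph that models GRANT, WITH GRANT OPTION and REVOKE with CASCADE or RESTRICT for one object, then replays the Brown/Black/Red/White scenario of the previous slide. The example assumes that the edge between Black and Red in the figure means Black re-granted SELECT to Red; that assumption, and the `AuthorizationGraph` API, are the example's own.

```python
# Added example (not from the slides): GRANT/REVOKE propagation on one object (the Employee relation).

class AuthorizationGraph:
    def __init__(self, owner):
        self.owner = owner
        self.edges = []  # (grantor, grantee, privilege, grant_option)

    def holders(self, priv):
        """Map user -> holds `priv` WITH GRANT OPTION, for every user reachable from the owner.
        A grant is effective only if its grantor is the owner or currently holds the
        privilege with grant option through other effective grants (fixpoint)."""
        has_go = {self.owner: True}
        changed = True
        while changed:
            changed = False
            for grantor, grantee, p, go in self.edges:
                if p != priv or not has_go.get(grantor, False):
                    continue
                new = has_go.get(grantee, False) or go
                if grantee not in has_go or new != has_go[grantee]:
                    has_go[grantee] = new
                    changed = True
        return has_go

    def has_privilege(self, user, priv):
        return user in self.holders(priv)

    def grant(self, grantor, grantee, priv, grant_option=False):
        if not self.holders(priv).get(grantor, False):
            raise PermissionError(f"{grantor} holds no grant option for {priv}")
        self.edges.append((grantor, grantee, priv, grant_option))

    def revoke(self, grantor, grantee, priv, cascade=True):
        """REVOKE priv FROM grantee (by grantor). CASCADE also drops grants that the
        revocation leaves without an authorized grantor; RESTRICT refuses in that case."""
        saved = self.edges
        self.edges = [e for e in saved if e[:3] != (grantor, grantee, priv)]
        effective = self.holders(priv)
        dangling = [e for e in self.edges if e[2] == priv and not effective.get(e[0], False)]
        if dangling and not cascade:
            self.edges = saved
            raise ValueError("REVOKE ... RESTRICT: dependent grants exist")
        self.edges = [e for e in self.edges if e not in dangling]


def scenario() -> dict:
    g = AuthorizationGraph("Brown")
    g.grant("Brown", "Red", "SELECT")
    g.grant("Brown", "Black", "SELECT", grant_option=True)
    g.grant("Black", "Red", "SELECT")             # assumed: Black passes SELECT on to Red
    g.grant("Brown", "White", "UPDATE(Salary)")
    out = {}
    try:                                          # Red has no grant option
        g.grant("Red", "White", "SELECT")
        out["red_can_regrant"] = True
    except PermissionError:
        out["red_can_regrant"] = False
    try:                                          # Black's grant to Red depends on Black's privilege
        g.revoke("Brown", "Black", "SELECT", cascade=False)
        out["restrict_refused"] = False
    except ValueError:
        out["restrict_refused"] = True
    g.revoke("Brown", "Black", "SELECT", cascade=True)
    out["black_after_cascade"] = g.has_privilege("Black", "SELECT")
    out["red_after_cascade"] = g.has_privilege("Red", "SELECT")   # Brown's direct grant survives
    g.revoke("Brown", "Red", "SELECT")            # what Brown must also do to shut Red out
    out["red_after_both"] = g.has_privilege("Red", "SELECT")
    out["white_update"] = g.has_privilege("White", "UPDATE(Salary)")
    return out
```

The scenario shows why revoking Black alone is not enough: the cascade removes the grant Red received from Black, but Red keeps the privilege Brown granted directly, so Brown has to revoke that edge as well. RESTRICT is the safer default when the owner does not want dependent grants removed silently.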

Summary

  • Types of discretionary privileges
    • The account level
    • The relation level
  • Features
    • Specifying privileges using views
    • Revoking privileges
    • Propagation of privileges using the GRANT option
    • Specifying limits on propagation of privileges
      • Horizontal propagation limits
      • Vertical propagation limits
  • Advantage
    • Flexible
  • Disadvantage
    • No real assurance
    • Information “leaks”; vulnerable to attacks (such as Trojan horses)

Multilevel Relation and Polyinstantiation

  EMP-ID | NAME  | SALARY | DEPTNO | SECURITY CLASS
  1      | smith | 100000 | 5      | S
  2      | brown | 80000  | 4      | C
  1      | smith | null   | 5      | C

MAC

  • Access rights: defined by comparing the security classification of the requested objects with the security clearance of the subject
  • If access control rules are satisfied, access is permitted
  • Otherwise access is rejected
  • Granularity of access rights!

MAC – Bell-LaPadula (BLP) Model

  • Simple security property: a subject S is allowed a read access to an object O only if label(S) dominates label(O)
  • Star-property: a subject S is allowed a write access to an object O only if label(O) dominates label(S)

No direct flow of information from high security objects to low security objects!

Axioms

  • Simple security (ss) property
    • A subject may have read or write access to an object only if the clearance of the subject dominates the security level of the object.
  • Star (*) property
    • A subject can only read objects at or below its level.
    • A subject can only write objects at or above its level.
  • Tranquility principle
    • No subject can modify the classification of an active object.
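Added example, not from the slides, serving both the BLP rules and the multilevel relation slide: the two BLP checks written as functions over labels, then applied per tuple to a constructed copy of the EMP relation so that a subject at C sees the polyinstantiated smith tuple with a null salary while the S tuple is neither visible to nor overwritten by that subject. The linear ordering U < C < S < TS and the `update_salary` interface are assumptions of the example.

```python
# Added example (not from the slides): BLP checks and a polyinstantiated multilevel relation.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # assumed linear ordering; the slides use only C and S

def dominates(a: str, b: str) -> bool:
    """label a dominates label b when a is at least as high as b."""
    return LEVELS[a] >= LEVELS[b]

def can_read(subject_label: str, object_label: str) -> bool:
    """Simple security property: read only if label(S) dominates label(O) (no read up)."""
    return dominates(subject_label, object_label)

def can_write(subject_label: str, object_label: str) -> bool:
    """Star property: write only if label(O) dominates label(S) (no write down)."""
    return dominates(object_label, subject_label)

# Constructed rows of the slide's EMP relation: (EMP-ID, NAME, SALARY, DEPTNO, SECURITY CLASS)
EMP = [
    (1, "smith", 100000, 5, "S"),
    (2, "brown",  80000, 4, "C"),
    (1, "smith",   None, 5, "C"),   # polyinstantiated instance of smith visible at C
]

def readable(rel, clearance):
    """Tuples a subject with the given clearance may observe (ss-property applied per tuple)."""
    return [t for t in rel if can_read(clearance, t[4])]

def update_salary(rel, clearance, emp_id, salary):
    """A subject writes the instance at its own level. It cannot address an instance it is
    not allowed to see, and the *-property forbids writing down, so an S-level tuple is
    never altered by a C-level subject. Returns the updated relation."""
    out = list(rel)
    for i, t in enumerate(out):
        if t[0] == emp_id and t[4] == clearance and can_write(clearance, t[4]):
            out[i] = (t[0], t[1], salary, t[3], t[4])
            return out
    raise PermissionError(f"no instance of EMP-ID {emp_id} at level {clearance}")

def demo() -> dict:
    after_c = update_salary(EMP, "C", 1, 90000)    # a C subject fills in smith's salary at C
    return {
        "c_reads_s": can_read("C", "S"),     # no read up
        "s_reads_c": can_read("S", "C"),     # read down
        "s_writes_c": can_write("S", "C"),   # no write down
        "c_writes_s": can_write("C", "S"),   # write up is permitted by the *-property
        "view_at_C": readable(after_c, "C"),
        "view_at_S": readable(after_c, "S"),
    }
```

After the C-level update, the C view shows smith with 90000 and the S view still shows the original 100000 tuple beside it: the two instances coexist because lowering the S tuple would be a write down, and refusing the C update would tell the C subject that a higher instance exists.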

Role Based Access Control

RBAC Motivation

  • Express organizational policies
    • Separation of duties
    • Delegation of authority
  • Flexible: easy to modify to meet new security requirements
  • Supports
    • Least-privilege
    • Separation of duties
    • Data abstraction

Role-Based Access Control

  • Mandatory access control is rigid because the security class should be assigned to each subject and data object.
  • In the real world, access privileges are associated with the role of the person in the organization (example: bank teller).
  • Each role is created and is granted/revoked privileges.
  • Each user is granted/revoked roles.

RBAC 0

Figure: the RBAC0 model. Sets: U (Users), R (Roles), P (Permissions), S (Sessions). Relations: User assignment (between U and R) and Permission assignment (between R and P).
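Added example, not from the slides: the RBAC0 sets and relations (U, R, P, S, user assignment, permission assignment) as a small class, with sessions that activate only the roles a task needs, and roles revoked from a user disappearing from that user's open sessions. It goes slightly beyond RBAC0 by adding a mutually-exclusive-roles check, which is the separation-of-duties constraint the motivation slide lists. The bank-style roles, permissions and user names are constructed for the example.

```python
# Added example (not from the slides): RBAC0 core plus a separation-of-duties constraint.

class RBAC:
    def __init__(self):
        self.roles = set()                 # R
        self.user_assignment = {}          # UA: user -> set of roles
        self.permission_assignment = {}    # PA: role -> set of (operation, object)
        self.sessions = {}                 # S: session id -> (user, activated roles)
        self.exclusive = set()             # role pairs no user may hold together (beyond RBAC0)

    def add_role(self, role, *permissions):
        self.roles.add(role)
        self.permission_assignment.setdefault(role, set()).update(permissions)

    def mutually_exclusive(self, r1, r2):
        self.exclusive.add(frozenset((r1, r2)))

    def assign(self, user, role):
        """Grant a role to a user, refusing combinations that violate separation of duties."""
        held = self.user_assignment.setdefault(user, set())
        for other in held:
            if frozenset((role, other)) in self.exclusive:
                raise ValueError(f"separation of duties: {user} may not hold {role} with {other}")
        held.add(role)

    def revoke(self, user, role):
        """Revoke a role; sessions the user already has open lose it immediately."""
        self.user_assignment.get(user, set()).discard(role)
        for u, active in self.sessions.values():
            if u == user:
                active.discard(role)

    def open_session(self, sid, user, *roles):
        """Activate only the roles needed for the task at hand (least privilege)."""
        if not set(roles) <= self.user_assignment.get(user, set()):
            raise ValueError(f"{user} is not assigned all of {roles}")
        self.sessions[sid] = (user, set(roles))

    def check(self, sid, operation, obj):
        """Permission is derived from the session's active roles, never from the user directly."""
        _user, active = self.sessions[sid]
        return any((operation, obj) in self.permission_assignment[r] for r in active)


def scenario() -> dict:
    rb = RBAC()
    rb.add_role("teller", ("read", "Account"), ("update", "Account"))
    rb.add_role("auditor", ("read", "Account"), ("read", "AuditLog"))
    rb.add_role("manager", ("approve", "Loan"))
    rb.mutually_exclusive("teller", "auditor")
    rb.assign("alice", "teller")
    rb.assign("bob", "auditor")
    rb.assign("carol", "teller")
    rb.assign("carol", "manager")
    out = {}
    try:
        rb.assign("bob", "teller")            # auditor + teller is forbidden
        out["sod_enforced"] = False
    except ValueError:
        out["sod_enforced"] = True
    rb.open_session("s1", "alice", "teller")
    out["alice_updates_account"] = rb.check("s1", "update", "Account")
    out["alice_approves_loan"] = rb.check("s1", "approve", "Loan")
    rb.open_session("s2", "carol", "teller")              # manager role left inactive
    out["carol_teller_only"] = rb.check("s2", "approve", "Loan")
    rb.open_session("s3", "carol", "teller", "manager")
    out["carol_both_roles"] = rb.check("s3", "approve", "Loan")
    rb.revoke("carol", "manager")
    out["carol_after_revoke"] = rb.check("s3", "approve", "Loan")
    return out
```

Because every check goes through a session's active roles, the same user can run a routine task with fewer rights than she holds, and an administrator changes what a whole job function can do by editing one role rather than many user grants.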

Solutions for Inference Control

  • No statistical queries are permitted whenever the number of tuples in the selected population is smaller than a certain number.
  • Prohibit a sequence of queries that refer to the same population of tuples repeatedly.
  • Partition the database into groups larger than a certain size, and queries can refer to any complete group or set of groups, but never to a subset of a group.

Statistical Database Security

Statistical databases are used to produce statistics on various populations. Features are:

  • Individual information is considered confidential.
  • Users may be allowed to access statistical information on the population, i.e., to apply statistical functions to a population of tuples.

Techniques for protecting the privacy of individual information are illustrated by the following examples:

Person(name, ssn, income, address, city, state, zip, sex, last_degree)

Suppose we are allowed to retrieve only statistical information over this relation, using SUM, AVG, MIN, MAX, COUNT, etc.

Statistical Database Security

The following two queries are valid:

Q1: find the total number of women who have a Ph.D. and live in Calgary, Alberta.

select COUNT(*) from Person where last_degree = 'Ph.D.' and sex = 'F' and city = 'Calgary' and state = 'Alberta';

Q2: find the average income of women who have a Ph.D. and live in Calgary, Alberta.

select AVG(income) from Person where last_degree = 'Ph.D.' and sex = 'F' and city = 'Calgary' and state = 'Alberta';

If we know Mary Black has a Ph.D. and lives in Calgary and we want to know her income, we may use the above two queries:

  • When query Q1 returns one, the result of Q2 is the income of Mary.
  • Otherwise we may issue a number of subsequent queries using MAX and MIN and easily narrow down the range of Mary’s income.
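Added example, not from the slides: the first inference-control solution above (refuse any statistic over a population smaller than a threshold k) implemented as a query gate in front of a constructed copy of the Person relation in SQLite. Running the slide's Q1/Q2 predicate through the gate shows both queries being refused, while the same statistics over a large enough population are answered. The rows, the threshold k = 3 and the `statistical_query` interface are the example's own assumptions.

```python
import sqlite3

# Added example (not from the slides). Constructed rows of the slide's Person relation:
# (name, ssn, income, address, city, state, zip, sex, last_degree)
PERSONS = [
    ("Mary Black", "111-11-1111", 95000, "1 Elm St",  "Calgary",  "Alberta", "T2P", "F", "Ph.D."),
    ("John Doe",   "222-22-2222", 60000, "2 Oak Ave", "Calgary",  "Alberta", "T2P", "M", "B.Sc."),
    ("Ann Lee",    "333-33-3333", 70000, "3 Pine Rd", "Calgary",  "Alberta", "T3A", "F", "M.Sc."),
    ("Tom Wu",     "444-44-4444", 80000, "4 Fir Dr",  "Calgary",  "Alberta", "T3A", "M", "Ph.D."),
    ("Sue Park",   "555-55-5555", 50000, "5 Ash Ln",  "Calgary",  "Alberta", "T2P", "F", "B.A."),
    ("Bob Ray",    "666-66-6666", 65000, "6 Elm St",  "Edmonton", "Alberta", "T5K", "M", "Ph.D."),
]
ALLOWED_FUNCTIONS = {"SUM", "AVG", "MIN", "MAX", "COUNT"}
ALLOWED_COLUMNS = {"income"}        # the only attribute statistics may be computed over

def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Person (name, ssn, income, address, city, state, zip, sex, last_degree)")
    con.executemany("INSERT INTO Person VALUES (?,?,?,?,?,?,?,?,?)", PERSONS)
    return con

def statistical_query(con, func, column, where_sql, params=(), k=3):
    """Query-set-size restriction: refuse any statistic whose selected population has
    fewer than k tuples. The refusal covers COUNT too, so the caller never learns that
    a predicate isolates a single person. where_sql is a parameterised predicate; in a
    real interface it would come from a restricted query language, not from free text."""
    if func not in ALLOWED_FUNCTIONS:
        raise ValueError(f"only {sorted(ALLOWED_FUNCTIONS)} are permitted")
    if column != "*" and column not in ALLOWED_COLUMNS or (column == "*" and func != "COUNT"):
        raise ValueError(f"statistics over {column!r} are not permitted")
    n = con.execute(f"SELECT COUNT(*) FROM Person WHERE {where_sql}", params).fetchone()[0]
    if n < k:
        return None                  # refused: population too small
    return con.execute(f"SELECT {func}({column}) FROM Person WHERE {where_sql}", params).fetchone()[0]

def demo() -> dict:
    con = build_db()
    narrow = "last_degree = ? AND sex = ? AND city = ? AND state = ?"   # the slide's Q1/Q2 predicate
    narrow_args = ("Ph.D.", "F", "Calgary", "Alberta")
    return {
        "q1_count": statistical_query(con, "COUNT", "*", narrow, narrow_args),       # refused
        "q2_avg": statistical_query(con, "AVG", "income", narrow, narrow_args),      # refused
        "unguarded_q1": con.execute(f"SELECT COUNT(*) FROM Person WHERE {narrow}", narrow_args).fetchone()[0],
        "calgary_avg": statistical_query(con, "AVG", "income", "city = ? AND state = ?", ("Calgary", "Alberta")),
        "phd_alberta_count": statistical_query(con, "COUNT", "*", "last_degree = ? AND state = ?", ("Ph.D.", "Alberta")),
    }
```

Without the gate, Q1 returns 1 and Q2 returns Mary's income directly; with it, both queries are refused while the average over all five Calgary residents (71000) and the count of Alberta Ph.D. holders (3, exactly the threshold) are still answered. A size threshold alone does not stop the MIN/MAX narrowing or repeated overlapping populations mentioned on the slides, which is why the second and third solutions above exist.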