Download Database Security - Integrated Computer Security - Lecture Slides and more Slides Computer Security in PDF only on Docsity!
Lecture 9
Database Security
Databases
- structured collection of data stored
for use by one or more applications
- contains the relationships between data items and groups of data items
- can sometimes contain sensitive data
- database management system (DBMS)
- suite of programs for constructing and maintaining the database
- ad hoc query facilities to multiple users and applications
- provides a uniform interface to the database
Relational Databases
- table of data consisting of rows and columns
- each column holds a particular type of data
- each row contains a specific value for each column
- ideally has one column where all values are unique, forming an identifier/key for that row - enables the creation of multiple tables linked together by a unique identifier that is present in all tables
- use a relational query language to access the
database
- allow users to request data that fit a given set of criteria
Relational Database Example
Structured Query Language (SQL)
- originally developed by IBM in the mid-1970s
- standardized language to define, manipulate, and query data in a relational database
- several similar versions of ANSI/ISO standard
8
SQL statements can be used to:
- create tables
- insert and delete data in tables
- create views
- retrieve data with query statements
Database Access Control
9
database access control system determines:
if the user has access to the entire database or just portions of it
what access rights the user has (create, insert, delete, update, read, write)
can support a range of administrative policies
centralized administration
- small number of privileged users may grant andrevoke access rights
ownership-based administration
- the creator of a table may grant and revokeaccess rights to the table
decentralized administration
- the owner of the table may grant and revokeauthorization rights to other users, allowing them to grant and revoke access rights to the table
Cascading Authorizations
11
Revoke t = 100
Role-Based Access Control (RBAC)
- RBAC eases administrative burden and improves
security
- categories of database users:
- application owner
- end user
- administrator
- needs to provide the following capabilities:
- create and delete roles
- define permissions for a role
- assign and cancel assignment of users to roles
Inference Example
Inference Countermeasures
- inference detection at database design
- alter the database structure or
- change the access control regime
- inference detection at query time
- monitor and alter or reject the query
- an inference detection algorithm is needed
for either approach
- difficult
- subject of ongoing research
18
Statistical
Database
Example
Statistical Database Security
- use a characteristic formula C
- a logical formula over the values of attributes
- e.g. (Sex=Male) AND ((Major=CS) OR (Major=EE))
- query set X(C) of characteristic formula C, is
the set of records matching C
- a statistical query is a query that produces a
value calculated over a query set
Tracker Attacks
- divide queries into parts
- C = C1.C
- count(C โ
D) = count(C1) - count (C1 โ
~C2)
- combination is called a tracker
- each part acceptable query size
- overlap is desired result
- Count(C) = Count(C1) - Count(T)
- Count(C โ
D ) = Count(T + C1D) - Count(T) (^22)
Other Query Restrictions
- query set overlap control
- limit overlap between new and previous queries
- partitioning
- cluster records into a number of mutually exclusive groups
- query the statistical properties of each group as a whole
- query denial and information leakage
- denials can leak information
- to counter, must track queries from user (^) Docsity.com^23