Database Security: Access Control and Threats, Study notes of Deductive Database Systems

An overview of database security, focusing on access control and threats to databases. Topics include loss of confidentiality, integrity, and availability; access control models (discretionary and mandatory); the access matrix model; types of privileges in SQL; granularity of access control; access control modes; data-dependent access control; view-based access control; query modification; granting and revoking access; and mandatory access control. The document also discusses limitations of discretionary access control, the covert channel problem, and countermeasures against inference from statistical databases.

Typology: Study notes

Pre 2010

Uploaded on 03/16/2009

Uploaded by koofers-user-9sl



CS 411

Database Systems

08: Database Security


Threats to Databases

  • Loss of confidentiality
    • Data must be protected from improper disclosure
  • Loss of integrity
    • Data must be protected from improper modification
  • Loss of availability
    • Data must remain available to users with a legitimate right to it

Access Control in Database systems

  • Some information may be deemed private and may not legally be accessed by unauthorized persons
    • E.g., credit ratings, personal medical records, etc.
  • Provide functions that enable users to access selected portions of a database without gaining access to the rest of the database
  • Ensure that a user is only permitted to perform the operations on the database for which that user is authorized

Access Control Models

  • Discretionary access control
    • Grant or revoke privileges to users including administrative rights
    • Supported in SQL
  • Mandatory access control
    • Identify multiple security levels
    • Classify data and users into various security classes

Discretionary Access Control

Access Matrix Model

  • Each row represents a subject (user, account, program)
  • Each column represents an object (relation, view, column, etc.)
  • Each position M(i, j) in the matrix holds the privileges subject i has on object j

  The slide's example matrix has subjects P1 and P2 as rows, objects M1, M2, F1, F2 and F3 as columns, and entries such as RWX, RW, OWN and R (read, write, execute, own).


Types of Privileges in SQL

  • Account level
    • Privileges that each account holds independently of the relations in the database
    • CREATE TABLE, CREATE VIEW, DROP, ALTER
  • Relation level
    • Specify which types of commands can be applied to each relation
    • SELECT, modify (INSERT, UPDATE, DELETE) or REFERENCES privilege on relation R

Granularity of Access Control

  • Access controls can be imposed at various degrees of granularity in a system
    • The entire database
    • Some collection of relations
    • One relation
    • Some columns of one relation
    • Some rows of one relation
    • Some columns of some rows of one relation

Modes of Access Control

  • Access controls are differentiated with respect to the operations to which they apply
    • E.g., each employee may be authorized to read his own salary but not to write it
  • Access control modes are expressed in terms of the basic SQL operations
    • INSERT and DELETE on a relation
    • SELECT on a relation or a view
    • UPDATE on certain columns of a relation

Data Dependent Access Control

  • Make an access-control decision based on the content of data
  • Examples:
    • Some users may be limited to seeing salaries below $30,000
    • A manager may be restricted to seeing salaries for employees in his department
  • Two approaches:
    • View-based access control
    • Query modification

View-based Access Control

  • Limit access to employees in the 'Toy' department only

  Employees
  Name     Dept   Salary  Manager
  Smith    Toy    10,000  Jones
  Jones    Toy    15,000  Baker
  Baker    Admin  40,000  Harding
  Adams    Candy  20,000  Harding
  Harding  Admin  50,000  NULL

  CREATE VIEW Toy-Dept AS
    SELECT Name, Salary, Manager
    FROM Employees
    WHERE Dept = 'Toy';

  Toy-Dept
  Name   Salary  Manager
  Smith  10,000  Jones
  Jones  15,000  Baker

View-based Access Control

  • Provide access to statistical information
  • Example: give the average salary for each department

  CREATE VIEW AVSAL (Dept, Avg) AS
    SELECT Dept, AVG(Salary)
    FROM Employees
    GROUP BY Dept;
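The two data-dependent approaches named above, as an added example that is not part of the slides: the Toy department rows are obtained first through the slide's view and then by query modification, where the system conjoins the access predicate Dept = 'Toy' onto whatever qualification the user wrote. Assumptions of this example: SQLite via Python's sqlite3 (so the GRANT on the view is only described in a comment), the view is named Toy_Dept because a hyphenated name would need quoting, and the rewriter only handles the single-table SELECT shapes that appear on these slides.

```python
import re
import sqlite3

# The five Employees rows shown on the slide.
EMPLOYEES = [
    ("Smith", "Toy", 10000, "Jones"),
    ("Jones", "Toy", 15000, "Baker"),
    ("Baker", "Admin", 40000, "Harding"),
    ("Adams", "Candy", 20000, "Harding"),
    ("Harding", "Admin", 50000, None),
]


def make_db():
    """In-memory database with Employees and the slide's view (named Toy_Dept, not Toy-Dept,
    so that it needs no quoting). Assumption: SQLite has no GRANT, so in a real DBMS the Toy
    manager would be granted SELECT on Toy_Dept only, never on Employees itself."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Employees (Name TEXT, Dept TEXT, Salary INTEGER, Manager TEXT)")
    conn.executemany("INSERT INTO Employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    conn.execute(
        "CREATE VIEW Toy_Dept AS SELECT Name, Salary, Manager FROM Employees WHERE Dept = 'Toy'"
    )
    conn.commit()
    return conn


# Query modification: the user's query is rewritten before execution so that the access
# predicate is ANDed with the user's own qualification. This rewriter covers a single base
# relation with optional WHERE and optional trailing GROUP BY / ORDER BY (example assumption).
_SINGLE_TABLE_SELECT = re.compile(
    r"^\s*(SELECT\s+.+?\s+FROM\s+\w+)"              # projection and the one base relation
    r"(?:\s+WHERE\s+(.+?))?"                         # the user's own qualification, if any
    r"(\s+(?:GROUP|ORDER)\s+BY\s+.+?)?\s*;?\s*$",    # trailing clauses, kept verbatim
    re.IGNORECASE | re.DOTALL,
)


def modify_query(user_sql, access_predicate):
    """Return user_sql with access_predicate conjoined to its WHERE clause."""
    m = _SINGLE_TABLE_SELECT.match(user_sql)
    if not m:
        raise ValueError("query shape not supported by this rewriter")
    head, user_where, tail = m.group(1), m.group(2), m.group(3) or ""
    qualification = (
        f"({user_where}) AND ({access_predicate})" if user_where else f"({access_predicate})"
    )
    return f"{head} WHERE {qualification}{tail}"


def toy_rows_via_view(conn):
    """Approach 1: the user queries the view and never touches Employees."""
    return conn.execute("SELECT Name, Salary, Manager FROM Toy_Dept ORDER BY Name").fetchall()


def toy_rows_via_modification(conn, user_sql):
    """Approach 2: the user queries Employees; the system narrows the query to Dept = 'Toy'."""
    return conn.execute(modify_query(user_sql, "Dept = 'Toy'")).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(toy_rows_via_view(db))
    print(modify_query("SELECT Name FROM Employees WHERE Salary > 12000 ORDER BY Name", "Dept = 'Toy'"))
    print(toy_rows_via_modification(db, "SELECT Dept, AVG(Salary) FROM Employees GROUP BY Dept"))
```

Both approaches return the same two rows for the plain projection; the difference shows on the last call, where the user's own aggregate query (the AVSAL view's shape) is silently restricted to the Toy department instead of being rejected.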


Examples

  Dick:  GRANT SELECT ON Employees TO Tom
  Dick:  REVOKE SELECT ON Employees FROM Tom
  Dick:  GRANT SELECT ON Employees TO Tom
  Harry: GRANT SELECT ON Employees TO Tom
  Dick:  REVOKE SELECT ON Employees FROM Tom

  Q: Does Tom still have the privilege? (Yes: Harry's grant is independent of Dick's, so Dick's REVOKE removes only the privilege that Dick granted.)

Cascading Revocation

  Dick: GRANT SELECT ON Employees TO Joe WITH GRANT OPTION
  Joe:  GRANT SELECT ON Employees TO Tom
  Dick: REVOKE SELECT ON Employees FROM Joe

  Grant graph: Dick --SELECT on Employees (with grant option)--> Joe --SELECT on Employees--> Tom. Joe's authority to grant came only from Dick, so revoking Joe's privilege also revokes the grant Joe made to Tom.

Cascading Revocation

  Dick:  GRANT SELECT ON Employees TO Joe WITH GRANT OPTION
  Joe:   GRANT SELECT ON Employees TO Tom
  Harry: GRANT SELECT ON Employees TO Joe WITH GRANT OPTION
  Dick:  REVOKE SELECT ON Employees FROM Joe

  Grant graph: both Dick and Harry grant to Joe with grant option, and Joe grants to Tom. Dick's REVOKE removes only Dick's grant; Joe still holds the privilege with grant option through Harry, so Joe's grant to Tom is still supported and is not revoked.
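The three grant/revoke sequences above (the independent grants to Tom, the cascade through Joe, and the cascade cut short by Harry's second grant), replayed against a small grant-graph model. This is an added example, not code from the slides or from any DBMS. It follows the SQL standard's rule that a grant survives only while its grantor can still trace authority, through grants made WITH GRANT OPTION, back to a user who holds the privilege in his own right; System R's original timestamp-based rule can differ on the last scenario when Harry's grant postdates Joe's grant to Tom. Assumption: the slides never say how Harry obtained SELECT on Employees, so Harry (like the owner Dick) is treated as a root who holds it with grant option independently.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    with_grant_option: bool


class PrivilegeGraph:
    """Tracks who holds one privilege (SELECT on Employees in the slides) and from whom.
    `roots` hold the privilege with grant option independently of any grant: the owner, and
    here also Harry, whose source of authority the slides do not show (assumption)."""

    def __init__(self, roots):
        self.roots = set(roots)
        self.grants = set()

    def _live_grantors(self):
        """Users who may grant right now: roots, plus everyone reachable from a root through
        a chain of grants made WITH GRANT OPTION. A grant whose grantor is not in this set
        is 'abandoned' in SQL-standard terms and is dropped on revocation."""
        reach, frontier = set(self.roots), list(self.roots)
        while frontier:
            u = frontier.pop()
            for g in self.grants:
                if g.grantor == u and g.with_grant_option and g.grantee not in reach:
                    reach.add(g.grantee)
                    frontier.append(g.grantee)
        return reach

    def grant(self, grantor, grantee, with_grant_option=False):
        if grantor not in self._live_grantors():
            raise PermissionError(f"{grantor} may not grant this privilege")
        self.grants.add(Grant(grantor, grantee, with_grant_option))

    def revoke(self, grantor, grantee):
        """REVOKE ... FROM grantee issued by grantor, cascading: remove that grant, then every
        grant whose grantor can no longer trace authority back to a root."""
        self.grants = {g for g in self.grants if not (g.grantor == grantor and g.grantee == grantee)}
        live = self._live_grantors()
        self.grants = {g for g in self.grants if g.grantor in live}

    def holds(self, user):
        return user in self.roots or any(g.grantee == user for g in self.grants)


def independent_grants():
    """Dick and Harry both grant to Tom; Dick revokes. Tom keeps Harry's grant."""
    p = PrivilegeGraph(roots={"Dick", "Harry"})
    p.grant("Dick", "Tom")
    p.revoke("Dick", "Tom")
    p.grant("Dick", "Tom")
    p.grant("Harry", "Tom")
    p.revoke("Dick", "Tom")
    return p.holds("Tom")


def cascading_revocation():
    """Dick -> Joe (grant option) -> Tom; Dick revokes Joe, and Tom loses the privilege too."""
    p = PrivilegeGraph(roots={"Dick"})
    p.grant("Dick", "Joe", with_grant_option=True)
    p.grant("Joe", "Tom")
    p.revoke("Dick", "Joe")
    return p.holds("Joe"), p.holds("Tom")


def cascade_stopped_by_second_grantor():
    """As above, but Harry also granted Joe with grant option: Joe, and therefore Tom, survive."""
    p = PrivilegeGraph(roots={"Dick", "Harry"})
    p.grant("Dick", "Joe", with_grant_option=True)
    p.grant("Joe", "Tom")
    p.grant("Harry", "Joe", with_grant_option=True)
    p.revoke("Dick", "Joe")
    return p.holds("Joe"), p.holds("Tom")


if __name__ == "__main__":
    print("Tom after Dick's second revoke:", independent_grants())
    print("(Joe, Tom) after cascading revoke:", cascading_revocation())
    print("(Joe, Tom) with Harry's grant in place:", cascade_stopped_by_second_grantor())
```

The reachability check rather than a simple "does the grantor still hold it" test is what prevents two users who granted each other WITH GRANT OPTION from keeping a privilege alive after the owner has revoked both of them.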

Mandatory Access Control

Multilevel Security

  • Limitations of discretionary access control
    • Vulnerability to Trojan Horse attacks
  • Mandatory access controls
  • Covert channel problem

Limitations of discretionary access controls

  Dick grants Joe SELECT on Employees. A program run by Joe copies Employees into a new relation, Employees-copy, which Joe owns, and grants Tom SELECT on Employees-copy. Tom, whom Dick never authorized, can now read the data: discretionary controls govern who may access the original relation, but nothing stops a program acting with Joe's privileges from copying it elsewhere.


Trojan Horse

  • A program that performs a malicious action in addition to providing the functions its user expects
    • E.g., a text editor that provides all the usual editing services could also create a copy of the Employees relation
  • Trojan horses are difficult to detect
  • We cannot assume that all software on the system is free of Trojan horses

Mandatory Access Controls

  • Based on security labels associated with each data item and each user
    • Security classification on a data item
    • Security clearance on a user
  • Every program run by a user inherits the user's security clearance
    • A text editor executed by a Secret user runs as a Secret process

Security Labels

  • A label consists of two components:
    • Hierarchical component: e.g., Top Secret, Secret, Confidential, Unclassified
    • Categories: e.g., NUCLEAR, CONVENTIONAL, NAVY, ARMY, etc.
  • Dominance among labels: X dominates Y when X's hierarchical level is at least Y's and X's category set includes Y's
    • X = (TOP-SECRET, {NUCLEAR, ARMY}) dominates Y = (SECRET, {ARMY})
    • X = (SECRET, {NUCLEAR, ARMY}) dominates Y = (SECRET, {NUCLEAR})

Bell-LaPadula Model

  • Simple security property: a subject with label X can read an object with label Y only if X dominates Y
    • A Secret subject can read Secret and Unclassified data, but not Top Secret data
  • Star-property (*-property): a subject with label X can write an object with label Y only if Y dominates X
    • A Secret subject can write Top Secret data, but cannot write Unclassified data
    • I.e., a Trojan horse running as a Secret process cannot write a copy of the Employees relation as Unclassified data

Multilevel Relations

  • Consider attribute values and tuples as data objects
  • Each attribute value A_i in a tuple is associated with a classification attribute C_i
  • Represented as R(A1, C1, A2, C2, ..., An, Cn, TC), where the tuple classification TC = max(C1, ..., Cn)

Filtering on Multilevel Relation

  Each value is shown with its classification (S: Secret, C: Confidential, U: Unclassified). A user sees only tuples whose key is classified at or below his clearance; any other value above his clearance is replaced by NULL at his level, and TC is recomputed.

  Original relation
  Name     Salary   JobPerformance  TC
  Smith U  40000 C  Fair S          S
  Brown C  80000 S  Good C          S

  Filtering for C
  Name     Salary   JobPerformance  TC
  Smith U  40000 C  NULL C          C
  Brown C  NULL C   Good C          C

  Filtering for U
  Name     Salary   JobPerformance  TC
  Smith U  NULL U   NULL U          U
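The label dominance rule, the two Bell-LaPadula properties and the filtering of the multilevel relation above, in one added example (not code from the slides). The dominance examples, the Trojan-horse write check and the Smith/Brown relation are the slides' own; the level ordering U < C < S < TS, the encoding of a row as (value, class) pairs with the first attribute as key, and the convention that a hidden value becomes NULL classified at the reader's level (as the filtered tables above show) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Hierarchical component, lowest to highest (assumed ordering of the slides' four levels).
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """X dominates Y iff X's level is at least Y's and X's categories include all of Y's."""
        return LEVELS[self.level] >= LEVELS[other.level] and other.categories <= self.categories


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only what the subject's label dominates (read down)."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: write only objects whose label dominates the subject's (write up). A Trojan
    horse running as a Secret process therefore cannot write an Unclassified copy of Secret data."""
    return obj.dominates(subject)


# A multilevel row is a list of (value, classification) pairs; the first attribute is the key.
LabeledValue = Tuple[Optional[object], str]
Row = List[LabeledValue]


def tuple_class(row: Row) -> str:
    """TC = max(C1, ..., Cn) over the hierarchical levels."""
    return max((c for _, c in row), key=LEVELS.__getitem__)


def filter_relation(rows: List[Row], clearance: Label) -> List[Tuple[Row, str]]:
    """The instance a user with `clearance` sees: rows whose key is not readable are dropped;
    every other unreadable value becomes NULL classified at the user's level; TC is recomputed.
    Returns (filtered_row, TC) pairs."""
    visible = []
    for row in rows:
        if not can_read(clearance, Label(row[0][1])):
            continue
        filtered = [
            (v, c) if can_read(clearance, Label(c)) else (None, clearance.level) for v, c in row
        ]
        visible.append((filtered, tuple_class(filtered)))
    return visible


# The slide's relation: Name, Salary, JobPerformance, each value with its own classification.
ORIGINAL: List[Row] = [
    [("Smith", "U"), (40000, "C"), ("Fair", "S")],
    [("Brown", "C"), (80000, "S"), ("Good", "C")],
]


if __name__ == "__main__":
    x = Label("TS", frozenset({"NUCLEAR", "ARMY"}))
    y = Label("S", frozenset({"ARMY"}))
    print("X dominates Y:", x.dominates(y))
    print("Secret process may write an Unclassified copy:", can_write(Label("S"), Label("U")))
    for lvl in ("S", "C", "U"):
        print(f"filtering for {lvl}:", filter_relation(ORIGINAL, Label(lvl)))
```

Note that dominance is a partial order, not a total one: (TOP-SECRET, {NAVY}) and (SECRET, {ARMY}) are incomparable, so neither subject can read the other's data, which is exactly what the category component is for.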


Statistical Database Security

  • Statistical databases provide statistical information about values based on various criteria
    • E.g., population statistics based on age, income level, household size, etc.
    • May contain confidential data about individuals
  • Must ensure that information about individuals cannot be derived from summary statistics
    • Allow only queries that involve aggregate functions

Violation of Confidentiality

  Person (Name, Ssn, Income, City, State, Sex, Last_degree)

  Q1: SELECT COUNT(*)    FROM Person WHERE Last_degree = 'Ph.D' AND Sex = 'F' AND City = 'Champaign' AND State = 'Illinois'
  Q2: SELECT AVG(Income) FROM Person WHERE Last_degree = 'Ph.D' AND Sex = 'F' AND City = 'Champaign' AND State = 'Illinois'

  Q: What do we learn if we get a result of 1 for Q1? (Exactly one person satisfies the condition, so Q2's "average" is that individual's income: an aggregate-only interface has disclosed a single confidential value.)

Counter Measures

  • Do not accept queries whenever the number of tuples that satisfy the selection condition falls below some threshold
  • Prohibit sequence of queries that refer repeatedly to the same group (population) of tuples
  • Introduce slight noise into the results of statistical queries
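The Q1/Q2 disclosure above and the three countermeasures, run against a constructed Person table; this is an added example, not code from the slides. The population (seven fictional rows in which exactly one person matches the slide's condition), the threshold k, the overlap limit and the noise bound are all assumptions of the example. Beyond the slide's own case it also shows why the size threshold alone is insufficient: two permitted SUMs over large groups that differ only in the target person (a "tracker") recover the income exactly, which is the attack the second and third countermeasures exist for.

```python
import random
import sqlite3

# Constructed, fictional population for Person(Name, Ssn, Income, City, State, Sex, Last_degree).
PEOPLE = [
    ("Alice", "000-00-0001", 90000, "Champaign", "Illinois", "F", "Ph.D"),
    ("Beth",  "000-00-0002", 52000, "Champaign", "Illinois", "F", "M.S."),
    ("Carol", "000-00-0003", 61000, "Champaign", "Illinois", "F", "B.S."),
    ("Dana",  "000-00-0004", 47000, "Champaign", "Illinois", "F", "B.S."),
    ("Erin",  "000-00-0005", 58000, "Champaign", "Illinois", "F", "M.S."),
    ("Frank", "000-00-0006", 75000, "Champaign", "Illinois", "M", "Ph.D"),
    ("Gary",  "000-00-0007", 43000, "Urbana",    "Illinois", "M", "B.S."),
]
AGGREGATES = {"COUNT(*)", "SUM(Income)", "AVG(Income)"}  # the only query shapes accepted


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Person (Name TEXT, Ssn TEXT, Income INTEGER, City TEXT, "
                 "State TEXT, Sex TEXT, Last_degree TEXT)")
    conn.executemany("INSERT INTO Person VALUES (?, ?, ?, ?, ?, ?, ?)", PEOPLE)
    return conn


class StatisticalInterface:
    """Answers only aggregate queries and applies the slide's three countermeasures:
    k            refuse when the query set has fewer than k tuples or more than N - k
                 (the complement of a tiny set leaks just as much);
    max_overlap  refuse when the query set shares more than max_overlap tuples with the
                 query set of an earlier answered query (repeated reference to one group);
    noise        perturb each answer by a uniform random amount in [-noise, noise]."""

    def __init__(self, conn, k=2, max_overlap=None, noise=0.0, seed=1):
        self.conn, self.k, self.max_overlap, self.noise = conn, k, max_overlap, noise
        self.rng = random.Random(seed)
        self.answered = []  # query sets (as rowid sets) of queries already answered

    def query(self, agg, where):
        if agg not in AGGREGATES:
            raise ValueError("only aggregate queries are allowed")
        qset = {r[0] for r in self.conn.execute(f"SELECT rowid FROM Person WHERE {where}")}
        n_total = self.conn.execute("SELECT COUNT(*) FROM Person").fetchone()[0]
        if len(qset) < self.k or len(qset) > n_total - self.k:
            raise PermissionError("query set too small, or too close to the whole relation")
        if self.max_overlap is not None and any(len(qset & p) > self.max_overlap for p in self.answered):
            raise PermissionError("query set overlaps an earlier query set too much")
        self.answered.append(qset)
        value = self.conn.execute(f"SELECT {agg} FROM Person WHERE {where}").fetchone()[0]
        return value + self.rng.uniform(-self.noise, self.noise) if self.noise else value


# The slide's selection condition; in this population it matches exactly one person (Alice).
TARGET = "Last_degree = 'Ph.D' AND Sex = 'F' AND City = 'Champaign' AND State = 'Illinois'"
# A larger, legitimately sized group that contains the target: the tracker.
TRACKER = "Sex = 'F' AND City = 'Champaign'"


def direct_attack(conn):
    """Q1 then Q2 with no size restriction (k=0): COUNT(*) is 1, so AVG is one person's income."""
    unrestricted = StatisticalInterface(conn, k=0)
    return unrestricted.query("COUNT(*)", TARGET), unrestricted.query("AVG(Income)", TARGET)


def tracker_attack(iface):
    """Two SUMs over permitted query sets differ by exactly the target's income."""
    with_target = iface.query("SUM(Income)", TRACKER)
    without_target = iface.query("SUM(Income)", f"({TRACKER}) AND NOT ({TARGET})")
    return with_target - without_target


def _outcome(fn):
    try:
        return fn()
    except PermissionError:
        return "refused"


def run_all():
    conn = make_db()
    return {
        "direct, unrestricted": direct_attack(conn),
        "direct, k=2": _outcome(lambda: StatisticalInterface(conn, k=2).query("AVG(Income)", TARGET)),
        "tracker, k=2": _outcome(lambda: tracker_attack(StatisticalInterface(conn, k=2))),
        "tracker, k=2, max_overlap=2": _outcome(
            lambda: tracker_attack(StatisticalInterface(conn, k=2, max_overlap=2))),
        "tracker, k=2, noise=3000": _outcome(
            lambda: tracker_attack(StatisticalInterface(conn, k=2, noise=3000))),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

The threshold stops the direct Q1/Q2 pair but not the tracker; the overlap control stops this particular tracker but is expensive to enforce and can be evaded with disjoint query sets; noise defeats exact recovery at the cost of accuracy, which is the trade-off every statistical-disclosure control has to make.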

Summary

  • Discretionary access control
    • Grant/Revoke privileges
    • Vulnerable to Trojan horse attacks
  • Mandatory access control
    • Bell-LaPadula model based on security labels
    • Issue of covert channels
  • Inference problems
  • Statistical database security