CSCI 453 -- Database Security 1

SECURITY OF DATABASE SYSTEMS

Dr. Awad Khalil

Computer Science Department

AUC

CSCI 453 -- Database Security 2

Content

Database Security
Threats
Countermeasures – Computer-Based Controls
Countermeasures – Non-Computer-Based Controls
Database Security on the Web

CSCI 453 -- Database Security 3

Database Security

Database security is the protection of the database against intentional or unintentional threats using computer-based or non-computer-based controls.

A database represents an essential corporate resource that should be properly secured using appropriate controls. We consider database security in relation to the following situations:

1. Theft and fraud.
2. Loss of confidentiality (secrecy).
3. Loss of privacy.
4. Loss of integrity.
5. Loss of availability.

Database security aims to minimize losses caused by anticipated events in a cost-effective manner without unduly constraining the users.

CSCI 453 -- Database Security 4

Threats

A threat is any situation or event, whether intentional or unintentional, involving a person, action, or circumstance, that will adversely affect a system and consequently an organization.

CSCI 453 -- Database Security 5

Potential threats to computer systems

CSCI 453 -- Database Security 6

Countermeasures (I): Computer-Based Controls

1. Authorization & Access Controls.
2. Firewalls.
3. Views.
4. Backup and recovery.
5. Integrity.
6. Encryption.
7. RAID Technology.

CSCI 453 -- Database Security 7

(1) Authorization & Access Controls (Privileges)

Authorization is the granting of a right or privilege, which enables a subject to have legitimate access to a system’s object.

Authorization controls can be built into the software, and govern not only what system or object a specified user can have access to, but also what the user may do with it.

The process of authorization involves authentication of subjects requesting access to objects.

Authentication: a mechanism that determines whether a user is who he or she claims to be.

CSCI 453 -- Database Security 8

(1) Authorization & Privileges (Cont’d)

Privileges: Privileges may include the right to access or create certain database objects such as relations, views, and indexes, or to run various DBMS utilities.

Select (0001), Update (0010), Insert (0100), Delete (1000), All (1111)
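The bit encoding on this slide maps directly onto an authorization matrix check. The following is an added example (not code from the course): each (subject, object) pair holds a privilege mask, a request is authorized only if every required bit is held, and an absent entry is default deny. The subjects, the object name "Employee" and the grants are constructed.

```python
# Bit-mask privilege check following the slide's encoding:
# Select(0001) Update(0010) Insert(0100) Delete(1000) All(1111).
# Added illustration; the subjects, objects and grants below are constructed.

SELECT, UPDATE, INSERT, DELETE = 0b0001, 0b0010, 0b0100, 0b1000
ALL = SELECT | UPDATE | INSERT | DELETE  # 0b1111

PRIVILEGE_NAMES = {SELECT: "SELECT", UPDATE: "UPDATE",
                   INSERT: "INSERT", DELETE: "DELETE"}

# Authorization matrix: (subject, object) -> held privilege bits.
# A missing entry means no privileges at all (default deny).
_grants = {}


def grant(subject, obj, privs):
    """Add privilege bits; granting twice is harmless (bitwise OR)."""
    _grants[(subject, obj)] = _grants.get((subject, obj), 0) | privs


def revoke(subject, obj, privs):
    """Clear privilege bits; drop the entry when nothing remains."""
    remaining = _grants.get((subject, obj), 0) & ~privs
    if remaining:
        _grants[(subject, obj)] = remaining
    else:
        _grants.pop((subject, obj), None)


def is_authorized(subject, obj, required):
    """True only if every bit in `required` is held by the subject."""
    held = _grants.get((subject, obj), 0)
    return (held & required) == required


def describe(subject, obj):
    """Names of the privileges a subject holds on an object (audit output)."""
    held = _grants.get((subject, obj), 0)
    return [name for bit, name in PRIVILEGE_NAMES.items() if held & bit]


def demo():
    _grants.clear()
    grant("alice", "Employee", ALL)
    grant("bob", "Employee", SELECT | UPDATE)
    revoke("alice", "Employee", DELETE)
    return {
        "bob_select": is_authorized("bob", "Employee", SELECT),
        "bob_delete": is_authorized("bob", "Employee", DELETE),
        "bob_update_and_insert": is_authorized("bob", "Employee", UPDATE | INSERT),
        "alice_after_revoke": describe("alice", "Employee"),
        "carol_default_deny": is_authorized("carol", "Employee", SELECT),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The check `(held & required) == required` is what makes a combined request such as UPDATE | INSERT fail when only one of the two bits is held; a single `held & required` test would wrongly pass it.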

CSCI 453 -- Database Security 9

(2) Views

A view is a dynamic result of one or more relational operations operating on the base relations to produce another relation. A view is a virtual relation that does not actually exist in the database, but is produced upon request by a particular user, at the time of request.
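As an added example (not from the course), the script below uses Python's built-in sqlite3 module to show the security use of a view: the base relation Staff carries a sensitive salary column, and the view exposes only some columns and only the rows of one branch, while still reflecting later changes to the base relation because it is computed at request time. The schema and rows are constructed.

```python
# Views as an access-control mechanism, added illustration using sqlite3.
# The Staff relation and its rows are constructed sample data.
import sqlite3


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Staff(staffNo TEXT PRIMARY KEY, name TEXT, "
                "branchNo TEXT, salary INTEGER)")
    con.executemany("INSERT INTO Staff VALUES (?, ?, ?, ?)", [
        ("SL21", "John White", "B005", 30000),
        ("SG37", "Ann Beech", "B003", 12000),
        ("SG14", "David Ford", "B003", 18000),
    ])
    # The view hides the salary column (column restriction) and shows only
    # branch B003 (row restriction). Users can be granted the view, not the table.
    con.execute("CREATE VIEW BranchB003Staff AS "
                "SELECT staffNo, name, branchNo FROM Staff WHERE branchNo = 'B003'")
    con.commit()
    return con


def query_view(con):
    return con.execute("SELECT * FROM BranchB003Staff ORDER BY staffNo").fetchall()


def view_columns(con):
    cur = con.execute("SELECT * FROM BranchB003Staff")
    return [d[0] for d in cur.description]


def salary_via_view_fails(con):
    """The hidden column cannot be reached through the view at all."""
    try:
        con.execute("SELECT salary FROM BranchB003Staff")
        return False
    except sqlite3.OperationalError:
        return True


def view_is_dynamic(con):
    """Insert a base row; the next request to the view already includes it."""
    before = len(query_view(con))
    con.execute("INSERT INTO Staff VALUES ('SG5', 'Susan Brand', 'B003', 24000)")
    con.commit()
    return len(query_view(con)) - before


if __name__ == "__main__":
    db = build_db()
    print(view_columns(db))
    print(query_view(db))
    print("salary hidden:", salary_via_view_fails(db))
    print("rows added after insert:", view_is_dynamic(db))
```

The view is not stored data: the second query after the insert returns the new row without the view being refreshed, which is exactly the "produced upon request" property the slide describes.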

CSCI 453 -- Database Security 10

(3) Backup and Recovery

The process of periodically taking a copy of the database and log file (and possibly programs) onto offline storage media.

JOURNALING: The process of keeping and maintaining a log file (or journal) of all changes made to the database to enable recovery to be undertaken effectively in the event of failure.

CHECKPOINTING: The point of synchronization between the database and the transaction log file. All buffers are force-written to secondary storage.
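The three terms on this slide fit together in one mechanism, shown here as an added example (not the course's code): every change is journaled before it reaches the volatile buffer, a checkpoint forces the buffer to the disk image and records the log position, a crash wipes the buffer, and recovery restarts from the checkpointed disk image and replays only the log records written after the checkpoint. The backup is a copy of the disk image plus the log. The DBMS, its "disk" and the account rows are toy constructions.

```python
# Write-ahead journaling with checkpoints and an offline backup, as an added
# illustration of the slide's terms. The DBMS, its "disk" and the log are toy
# in-memory structures (constructed), not a real database engine.
import json


class ToyDBMS:
    def __init__(self):
        self.buffer = {}         # volatile page buffer, lost on a crash
        self.disk = {}           # secondary storage, survives a crash
        self.log = []            # journal: every change is recorded here first
        self.checkpoint_lsn = 0  # log position of the most recent checkpoint

    def write(self, key, value):
        """Journal the change before applying it to the buffer (write-ahead)."""
        self.log.append(json.dumps({"op": "set", "key": key, "value": value}))
        self.buffer[key] = value

    def checkpoint(self):
        """Force all buffers to secondary storage and mark the sync point."""
        self.disk.update(self.buffer)
        self.checkpoint_lsn = len(self.log)
        self.log.append(json.dumps({"op": "checkpoint"}))

    def crash(self):
        self.buffer = {}

    def recover(self):
        """Redo recovery: start from the checkpointed disk image and replay
        only the log records written after the checkpoint."""
        self.buffer = dict(self.disk)
        replayed = 0
        for record in self.log[self.checkpoint_lsn:]:
            r = json.loads(record)
            if r["op"] == "set":
                self.buffer[r["key"]] = r["value"]
                replayed += 1
        return replayed

    def backup(self):
        """Copy of the database (disk image) and log for offline storage media."""
        return {"disk": dict(self.disk), "log": list(self.log),
                "checkpoint_lsn": self.checkpoint_lsn}

    @classmethod
    def restore(cls, backup):
        """Rebuild a DBMS from a backup, then recover to the last journaled state."""
        db = cls()
        db.disk = dict(backup["disk"])
        db.log = list(backup["log"])
        db.checkpoint_lsn = backup["checkpoint_lsn"]
        db.recover()
        return db


def demo():
    db = ToyDBMS()
    db.write("acct:1", 100)
    db.write("acct:2", 50)
    db.checkpoint()               # both rows are now on disk
    db.write("acct:1", 70)        # only in the buffer and the journal
    snapshot = db.backup()
    db.crash()
    replayed = db.recover()
    restored = ToyDBMS.restore(snapshot)
    return {
        "disk_at_checkpoint": dict(db.disk),
        "recovered": dict(db.buffer),
        "records_replayed": replayed,
        "restored_from_backup": dict(restored.buffer),
    }


if __name__ == "__main__":
    print(demo())
```

The checkpoint is what bounds recovery time: without it, every record since the log was created would have to be replayed; with it, only the single write made after the checkpoint is.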

      

CSCI 453 -- Database Security 11

(4) Integrity

Integrity controls (entity integrity and referential integrity constraints) contribute to maintaining a secure database system by preventing data from becoming invalid, and hence giving misleading or incorrect results.
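The two constraint kinds named on this slide can be exercised directly, as in this added example (not from the course) built on Python's sqlite3: entity integrity rejects a duplicate or NULL primary key, and referential integrity rejects a child row pointing at a branch that does not exist and a deletion of a branch that still has staff. The Branch and Staff relations are constructed; note that SQLite enforces foreign keys only after PRAGMA foreign_keys is switched on.

```python
# Entity and referential integrity constraints enforced by the DBMS,
# added illustration using sqlite3 with constructed sample relations.
import sqlite3


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when enabled
    con.execute("CREATE TABLE Branch(branchNo TEXT PRIMARY KEY NOT NULL)")
    con.execute("""CREATE TABLE Staff(
        staffNo  TEXT PRIMARY KEY NOT NULL,                       -- entity integrity
        branchNo TEXT NOT NULL REFERENCES Branch(branchNo)        -- referential integrity
                 ON DELETE RESTRICT)""")
    con.execute("INSERT INTO Branch VALUES ('B003')")
    con.execute("INSERT INTO Staff VALUES ('SG37', 'B003')")
    con.commit()
    return con


def try_exec(con, sql):
    """Return None when the statement is accepted, else the constraint message."""
    try:
        con.execute(sql)
        con.commit()
        return None
    except sqlite3.IntegrityError as err:
        con.rollback()
        return str(err)


def run_checks(con):
    return {
        "entity_duplicate_key": try_exec(con, "INSERT INTO Staff VALUES ('SG37', 'B003')"),
        "entity_null_key": try_exec(con, "INSERT INTO Staff VALUES (NULL, 'B003')"),
        "referential_unknown_branch": try_exec(con, "INSERT INTO Staff VALUES ('SL21', 'B999')"),
        "referential_delete_parent": try_exec(con, "DELETE FROM Branch WHERE branchNo = 'B003'"),
        "valid_insert": try_exec(con, "INSERT INTO Staff VALUES ('SL21', 'B003')"),
    }


if __name__ == "__main__":
    for name, outcome in run_checks(open_db()).items():
        print(f"{name}: {'accepted' if outcome is None else outcome}")
```

Each rejected statement leaves the database exactly as it was, which is the point: the constraints stop invalid data at the boundary instead of letting later queries return misleading results.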

  

CSCI 453 -- Database Security 12

(5) Encryption

Encryption is the encoding of the data by a special algorithm that renders the data unreadable by any program without the decryption key.

CRYPTOSYSTEM: To transmit data securely over insecure networks requires the use of a cryptosystem, which includes:

1. Encryption key to encrypt the data (plain text).
2. Encryption algorithm that, with the encryption key, transforms the plain text into ciphertext.
3. Decryption key to decrypt the ciphertext.
4. Decryption algorithm that, with the decryption key, transforms the ciphertext back into plain text.

CSCI 453 -- Database Security 13

(5) Encryption (Cont’d)

Symmetric Cryptosystem: This technique uses the same key for both encryption and decryption and relies on safe communication lines for exchanging the key.

One scheme used for symmetric encryption is the Data Encryption Standard (DES), developed by IBM. This scheme uses one key for both encryption and decryption, which must be kept secret, although the algorithm need not be.

The algorithm transforms each 64-bit block of plaintext using a 56-bit key.

DES is not universally regarded as being very secure.

A scheme called PGP (Pretty Good Privacy) uses a 128-bit symmetric algorithm for bulk encryption of data it sends.

Keys with 64 bits are now probably breakable by major governments with special hardware, albeit at substantial cost.

While keys with 80 bits will also become breakable in the future, keys with 128 bits will remain unbreakable for the foreseeable future.

CSCI 453 -- Database Security 14

(5) Encryption (Cont’d)

Asymmetric Cryptosystem: This cryptosystem uses two different keys for encryption and decryption.

One example is public key cryptosystems, which use two keys, one of which is public and the other private.

The encryption algorithm may also be public, so that anyone wishing to send a user a message can use the user’s publicly known key in conjunction with the algorithm to encrypt it. Only the owner of the private key can then decipher the message.

Public key cryptosystems can also be used to send a 'digital signature' with a message and prove that the message came from the person who claimed to have sent it.

The most well known asymmetric encryption is RSA.

Generally, symmetric algorithms are much faster to execute on a computer than those that are asymmetric.

However, in practice, they are often used together, so that a public key algorithm is used to encrypt a randomly generated encryption key, and the random key is used to encrypt the actual message using a symmetric algorithm.

CSCI 453 -- Database Security 15

(5) Using Encryption

Security: is ensured if the sender uses the recipient’s public key to encrypt and the recipient uses his/her private key to decrypt.

Authentication: is achieved if the sender uses his/her private key to encrypt and the recipient uses the sender’s public key to decrypt.

CSCI 453 -- Database Security 16

(6) RAID Technology

RAID (Redundant Array of Independent Disks)

The hardware that the DBMS is running on must be fault-tolerant, meaning that the DBMS should continue to operate even if one of the hardware components fails.

This suggests having redundant components that can be seamlessly integrated into the working system whenever there is one or more component failures.

The main hardware components that should be fault-tolerant include disk drives, disk controllers, CPU, power supplies, and cooling fans.

Disk drives are the most vulnerable components, with the shortest time between failures of any of the hardware components.

CSCI 453 -- Database Security 17

(7) RAID Technology (Cont’d)

One solution is the use of RAID technology. RAID works on having a large array comprising an arrangement of several independent disks that are organized to improve reliability and at the same time increase performance.

Performance is increased through data striping; the data is segmented into equal-size portions (the striping unit) which are transparently distributed across multiple disks.

This gives the appearance of a single large, fast disk where in actual fact the data is distributed across several smaller disks.

Striping improves overall I/O performance by allowing multiple I/Os to be serviced in parallel.

At the same time, data striping also balances the load among disks.

Reliability is improved through storing redundant information across the disks using a parity scheme or an error-correcting scheme, such as Reed-Solomon codes.

CSCI 453 -- Database Security 18

(7) RAID Technology (Cont’d)

There are a number of different disk configurations with RAID, termed RAID levels:

1. RAID 0 - Nonredundant: This level maintains no redundant data and so has the best write performance since updates do not have to be replicated. Data striping is performed at the level of blocks.
2. RAID 1 - Mirrored: This level maintains (mirrors) two identical copies of the data across different disks. To maintain consistency in the presence of disk failure, writes may not be performed simultaneously. This is the most expensive storage solution.
3. RAID 0+1 - Nonredundant and Mirrored: This level combines striping and mirroring.
4. RAID 2 - Memory-style Error-Correcting Codes: With this level, the striping unit is a single bit and Hamming codes are used as the redundancy scheme.
5. RAID 3 - Bit-Interleaved Parity: This level provides redundancy by storing parity information on a single disk in the array.
6. RAID 4 - Block-Interleaved Parity: With this level, the striping unit is a disk block - a parity block is maintained on a separate disk for corresponding blocks from a number of other disks.
7. RAID 5 - Block-Interleaved Distributed Parity: This level uses parity data for redundancy in a similar way to RAID 3 but stripes the parity data across all the disks, similar to the way in which the source data is striped.
8. RAID P+Q: This level is similar to RAID 5 but additional redundant data is maintained to protect against multiple disk failures.

Oracle, for example, recommends use of RAID 1 for the redo log files. For the database files, Oracle recommends RAID 5, provided the write overhead is acceptable; otherwise Oracle recommends either RAID 1 or RAID 0+1.
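The block-interleaved parity levels (RAID 4 and RAID 5) on this slide can be shown in a few dozen lines. The following is an added example, not code from the course or from any RAID implementation: data is cut into stripe units and spread over N data disks, each stripe gets one XOR parity unit (on a fixed disk for RAID 4, rotating across disks for RAID 5), and a failed disk is rebuilt by XORing the surviving units of every stripe. The payload and the 4-byte unit size are constructed for readability.

```python
# Block striping with XOR parity (RAID 4/5 style) and rebuild of a failed
# disk, as an added illustration. The payload and the tiny stripe unit are
# constructed for readability; a real array uses units of kilobytes.
from functools import reduce

UNIT = 4  # bytes per stripe unit


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def parity_position(stripe_no, n_data, rotate):
    """RAID 4: parity always on the last disk. RAID 5: parity rotates."""
    return (n_data - stripe_no % (n_data + 1)) if rotate else n_data


def stripe(data, n_data, rotate=True):
    """Split data into units and spread them over n_data disks plus one parity
    unit per stripe; returns n_data + 1 disks, each a list of units."""
    units = [data[i:i + UNIT].ljust(UNIT, b"\0") for i in range(0, len(data), UNIT)]
    while len(units) % n_data:
        units.append(b"\0" * UNIT)            # pad the last stripe
    disks = [[] for _ in range(n_data + 1)]
    for stripe_no, start in enumerate(range(0, len(units), n_data)):
        row = units[start:start + n_data]
        parity = reduce(xor, row)             # XOR of all data units in the stripe
        p = parity_position(stripe_no, n_data, rotate)
        data_units = iter(row)
        for d in range(n_data + 1):
            disks[d].append(parity if d == p else next(data_units))
    return disks


def rebuild(disks, failed):
    """Reconstruct the failed disk: the XOR of the surviving units of each
    stripe equals the missing unit, whether it held data or parity."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [reduce(xor, units) for units in zip(*survivors)]


def read_data(disks, n_data, length, rotate=True):
    """Reassemble the original bytes, skipping the parity unit of each stripe."""
    out = b""
    for stripe_no in range(len(disks[0])):
        p = parity_position(stripe_no, n_data, rotate)
        out += b"".join(disks[d][stripe_no] for d in range(n_data + 1) if d != p)
    return out[:length]


def demo():
    data = b"DATABASE SECURITY CSCI 453 RAID"   # constructed payload
    n_data = 3
    disks = stripe(data, n_data)
    original = disks[1]
    disks[1] = None                 # disk 1 fails
    disks[1] = rebuild(disks, 1)    # rebuilt from the survivors only
    return {
        "disks": len(disks),
        "units_per_disk": len(disks[0]),
        "rebuild_exact": disks[1] == original,
        "data_intact": read_data(disks, n_data, len(data)) == data,
    }


if __name__ == "__main__":
    print(demo())
```

The rebuild works for any single failed disk because XOR-ing all units of a stripe, parity included, gives zero; this also shows why one parity unit tolerates exactly one failure, which is the gap the RAID P+Q level closes with a second redundancy code.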

CSCI 453 -- Database Security 19

Countermeasures (II): Non-Computer-Based Controls

1. Security policy and contingency plan.
2. Personnel control.
3. Secure positioning of equipment.
4. Escrow agreements.
5. Maintenance agreements.
6. Physical access control.

CSCI 453 -- Database Security 20

Web Security

Proxy servers.
Firewalls.
Digital signatures.
Message digest and digital signatures.
Digital certificates.
Kerberos.
Secure Sockets Layer (SSL) and Secure HTTP (SHTTP).

CSCI 453 -- Database Security 21

Proxy Servers

In a Web environment, a proxy server is a computer that sits between a Web browser and a Web server.

It intercepts all requests to the Web server to determine if it can fulfill the requests itself. If not, it forwards the requests to the Web server.

Proxy servers have two main purposes: to improve performance and to filter requests.

Improve performance: Since a proxy server saves the results of all requests for a certain amount of time, it can significantly improve performance for a group of users.

Filter requests: Proxy servers can also be used to filter requests. For example, an organization might use a proxy server to prevent its employees from accessing a specific set of Web sites.

CSCI 453 -- Database Security 22

Firewalls

A firewall is a system designed to prevent unauthorized access to or from a private network (Intranet).

Firewalls can be implemented in both hardware and software, or a combination of both.

All messages entering or leaving the Intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. There are several types of firewall techniques:

Packet filter: looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules.

Application gateway: applies security mechanisms to specific applications, such as FTP and Telnet servers.

Circuit-level gateway: applies security mechanisms when a TCP or UDP (User Datagram Protocol) connection is established. Once the connection has been made, packets can flow between the hosts without further checks.

Proxy server: intercepts all messages entering and leaving the network. The proxy server in effect hides the true network addresses.
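The packet-filter technique is the one most easily shown in code. Below is an added example (not from the course) of first-match rule evaluation over packet headers: each rule constrains direction, protocol, source and destination networks and destination port, the first matching rule decides, and a packet that matches no rule is rejected. The intranet range 10.0.0.0/8, the web server address, the external addresses and the rule set are all constructed.

```python
# Packet-filter rule evaluation, added illustration (not the course's code).
# Rules are matched in order against constructed packet headers; the first
# match decides, and a packet matching no rule is rejected (default deny).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (entering the intranet) or "out" (leaving it)
    proto: str       # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "reject"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"       # CIDR the source address must fall in
    dst: str = "0.0.0.0/0"       # CIDR the destination address must fall in
    dport: Optional[int] = None  # None means any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


def decide(rules, packet):
    """Return (action, index of the deciding rule); index None = default deny."""
    for i, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, i
    return "reject", None


# Constructed policy: intranet 10.0.0.0/8 with one public web server.
RULES = [
    Rule("accept", direction="in", proto="tcp", dst="10.0.0.80/32", dport=443),
    Rule("accept", direction="out", src="10.0.0.0/8"),
    Rule("reject", direction="in", proto="tcp", dport=23),   # inbound Telnet
]


def demo():
    return {
        "https_to_web": decide(RULES, Packet("in", "tcp", "203.0.113.5", "10.0.0.80", 443)),
        "telnet_in": decide(RULES, Packet("in", "tcp", "203.0.113.5", "10.0.0.80", 23)),
        "db_port_in": decide(RULES, Packet("in", "tcp", "203.0.113.5", "10.0.0.10", 1521)),
        "outbound_dns": decide(RULES, Packet("out", "udp", "10.0.0.10", "198.51.100.9", 53)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The inbound connection to the database port is rejected without any explicit rule about it, which is the property worth checking in any real rule set: the policy is only as safe as its final default. Note also what a packet filter cannot see, the slide's reason for application and circuit-level gateways: the rule for port 443 says nothing about what the traffic on that port actually is.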

CSCI 453 -- Database Security 23

Message Digest Algorithms and Digital Signature

A message digest algorithm, or one-way hash function, takes an arbitrary-sized string (the message) and generates a fixed-length string (the digest or hash).

A digest has the following characteristics:

It should be computationally infeasible to find another message that will generate the same digest.
The digest doesn’t reveal anything about the message.

A digital signature consists of two pieces of information: a string of bits that is computed from the data that is being ‘signed’, along with the private key of the individual or organization wishing the signature.

The signature can be used to verify that the data comes from this individual or organization.

CSCI 453 -- Database Security 24

Message Digest Algorithms and Digital Signature (Cont’d)

Like a handwritten signature, a digital signature has many useful properties:

Its authenticity can be verified, using a computation based on the corresponding public key.
It cannot be forged (assuming the private key is kept secret).
It is a function of the data signed and cannot be claimed to be the signature for any other data.
The signed data cannot be changed, otherwise the signature will no longer verify the data as being authentic.

Some digital signature algorithms use message digest algorithms for parts of their computations; others, for efficiency, compute the digest of a message and digitally sign the digest rather than signing the message itself.

CSCI 453 -- Database Security 25

Digital Certificates

A digital certificate is an attachment to an electronic message used for security purposes, most commonly to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.

An individual wishing to send an encrypted message applies for a digital certificate from a Certificate Authority (CA).

The CA issues an encrypted digital certificate containing the applicant’s public key and a variety of other identification information.

The recipient of an encrypted message uses the CA’s public key to decode the digital certificate attached to the message, verifies it as issued by the CA, and then obtains the sender’s public key and identification information held within the certificate.

With this information, the recipient can send an encrypted reply.
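The encryption slides (pages 12 to 15), the digest and signature slides (pages 23 and 24) and this certificate slide all rest on one public-key toolkit, so a single added example serves all of them. It is not code from the course, and it is deliberately a toy: textbook RSA with no padding stands in for a real RSA scheme, and an HMAC-SHA256 keystream stands in for a real symmetric cipher such as AES, so the structure is visible but nothing here is fit for real data. It shows the hybrid scheme from page 14 (the recipient's public key wraps a random session key, the session key encrypts the message), the two uses of keys from page 15 (recipient's public key for secrecy, sender's private key for authentication), signing the SHA-256 digest rather than the message (page 24), and a CA signing a subject name together with its public key, which the recipient checks with the CA's public key before trusting the sender's key (page 25). The key sizes, names and message are constructed.

```python
# Toy public-key cryptosystem, added illustration for the encryption, digital
# signature and certificate slides. Textbook RSA without padding and an
# HMAC-SHA256 keystream stand in for real RSA-OAEP/PSS and AES: they show the
# structure only. All keys, names and messages are constructed.
import hashlib
import hmac
import math
import secrets


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 4: return n in (2, 3)
    if n % 2 == 0: return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def keygen(bits=320):
    """Return (public, private) as ((n, e), (n, d)); n exceeds a SHA-256 digest."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def stream_xor(key, data):
    """Toy symmetric cipher: XOR with an HMAC-SHA256 keystream (encrypt == decrypt)."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def hybrid_encrypt(recipient_pub, message):
    """Recipient's public key wraps a fresh session key; that key encrypts the message."""
    n, e = recipient_pub
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, stream_xor(session_key, message)


def hybrid_decrypt(recipient_priv, wrapped, ciphertext):
    n, d = recipient_priv
    session_key = pow(wrapped, d, n).to_bytes(16, "big")  # only the private key unwraps it
    return stream_xor(session_key, ciphertext)


def sign(signer_priv, message):
    """Digest the message, then apply the private key to the digest."""
    n, d = signer_priv
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big"), d, n)


def verify(signer_pub, message, signature):
    n, e = signer_pub
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big")


def issue_certificate(ca_priv, subject, subject_pub):
    """CA binds a subject name to its public key by signing both together."""
    body = f"{subject}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return body, sign(ca_priv, body)


def verify_certificate(ca_pub, cert):
    """Return (subject, public key) if the CA signature holds, else None."""
    body, sig = cert
    if not verify(ca_pub, body, sig):
        return None
    subject, n, e = body.decode().split("|")
    return subject, (int(n), int(e))


def demo():
    ca_pub, ca_priv = keygen()
    alice_pub, alice_priv = keygen()      # sender
    bob_pub, bob_priv = keygen()          # recipient
    cert = issue_certificate(ca_priv, "alice@example.test", alice_pub)
    subject, alice_pub_from_cert = verify_certificate(ca_pub, cert)
    message = b"Transfer 100 to account 42"
    signature = sign(alice_priv, message)                    # authentication
    wrapped, ciphertext = hybrid_encrypt(bob_pub, message)   # secrecy
    return {
        "cert_subject": subject,
        "forged_cert_rejected": verify_certificate(
            ca_pub, (cert[0].replace(b"alice", b"mallory"), cert[1])) is None,
        "signature_ok": verify(alice_pub_from_cert, message, signature),
        "tampered_message_fails": verify(alice_pub_from_cert, message + b"0", signature),
        "decrypted": hybrid_decrypt(bob_priv, wrapped, ciphertext),
    }
```

Two details carry the slides' points. The sender's key is taken from the certificate only after the CA's signature over it verifies, so an altered subject name is rejected before any trust is placed in the key. And the signature covers the digest, so a one-byte change to the message changes the digest and the verification fails, which is the "signed data cannot be changed" property of page 24.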

CSCI 453 -- Database Security 26

Kerberos

Kerberos is a server of secured user names and passwords (named after the three-headed monster in Greek mythology that guarded the gate of hell).

The importance of Kerberos is that it provides one centralized security server for all data and resources on the network.

Kerberos has a similar function to that of a Certificate server to identify and validate a user.

Security companies are currently investigating a merger of Kerberos and Certificate servers to provide a network-wide secure system.

CSCI 453 -- Database Security 27

Secure Sockets Layer and Secure HTTP

SSL is an encryption protocol developed by Netscape for transmitting private documents over the Internet.

SSL works by using a private key to encrypt data that is transferred over the SSL connection.

The protocol, layered between application-level protocols such as HTTP and the TCP/IP transport-level protocol, is designed to prevent eavesdropping, tampering, and message forgery.

Through the use of cryptographic techniques such as encryption and digital signatures, these protocols:

Allow Web browsers and servers to authenticate each other.
Permit Web site owners to control access to particular servers, directories, files, or services.
Allow sensitive information (for example, credit card numbers) to be shared between browser and server, yet remain inaccessible to third parties.
Ensure that data exchanged between browser and server is reliable (that is, cannot be corrupted either accidentally or deliberately, without detection).


DATABASE SECURITY and AUTHORIZATION

A DBMS typically includes a database security and authorization subsystem that is responsible for ensuring the security of portions of a database against unauthorized access.

The DBA is the central authority for managing a database system.

The DBA has a privileged account in the DBMS, sometimes called a system account, which provides powerful capabilities that are not made available to regular database accounts and users.

DBA privileged commands include commands for granting and revoking privileges to individual accounts, users, or user groups and for performing the following types of actions:


DBA Privileged Commands

1. Account creation: This action creates a new account and password for a user or a group of users to enable them to access the DBMS.

2. Privilege granting: This action permits the DBA to grant certain privileges to certain accounts.

3. Privilege revocation: This action permits the DBA to revoke (cancel) certain privileges that were previously given to certain accounts.

4. Security level assignment: This action consists of assigning user accounts to the appropriate security classification level.


Access Control Based on Privileges

There are two levels at which privileges to use the database system can be assigned:

1. The account level: At this level, the DBA specifies the particular privileges that each account holds independently of the relations in the database (often called system privileges).

2. The relation level: At this level, we can control the privilege to access each individual relation or view in the database (often called object privileges).


The Account Level Privileges

The CREATE SCHEMA or CREATE TABLE privilege, to create a schema or base relation.

The CREATE VIEW privilege, to create views.

The ALTER privilege, to add or remove attributes from relations.

The DROP privilege, to delete relations or views.

The MODIFY privilege, to insert, delete, or update tuples.

The SELECT privilege, to retrieve information from the database using a SELECT query.


The Relation Level Privileges

Privileges at the relation level specify, for each user, the individual relations on which each type of command can be applied.

Some privileges also refer to individual attributes (columns) of relations.

To control the granting and revoking of relation privileges, each relation R in a database is assigned an owner account, normally the account that created R.

The owner of a relation is given all privileges on that relation.

The owner account holder can pass privileges on any of the owned relations to other users by granting privileges to their accounts.

In SQL, the following types of privileges can be granted on each individual relation R:


The Relation Level Privileges (Cont’d)

SELECT (retrieval) privilege on R: This gives the account the capability to retrieve tuples from R.

MODIFY privileges on R: This gives the account the capability to modify tuples of R. In SQL this privilege is further divided into UPDATE, DELETE, and INSERT privileges to apply the corresponding SQL command to R. In addition, both the INSERT and UPDATE privileges can be restricted to certain attributes of R, so that the account can insert or update only those attributes.

REFERENCES privilege on R: This gives the account the capability to reference the relation R when specifying integrity constraints (for example, a foreign key in another relation that refers to R). This privilege can also be restricted to specific attributes of R.


Specifying Authorization by Using Views

To create a view, the account must have the SELECT privilege on all relations involved in the view definition.

The mechanism of views is an important access control mechanism in its own right.

For example, if the owner A of a relation R wants another account B to be able to retrieve only some fields of R, then A can create a view V of R that includes only those attributes and then grant SELECT on V to B. The same mechanism restricts B to a subset of the rows: the WHERE clause of the view hides the tuples B must not see.


Revoking Privileges

In some cases it is desirable to grant a privilege to a user only temporarily.

A mechanism for revoking (canceling) privileges is therefore needed.

In SQL, a REVOKE command is included for the purpose of canceling privileges.


Propagation of Privileges and the GRANT OPTION

Whenever the owner A of relation R grants a privilege on R to another account B, the privilege can be given to B with or without the GRANT OPTION.

If the GRANT OPTION is given, this means that B can also grant that privilege on R to other accounts.

If the owner account A revokes the privilege granted to B, all the privileges that B propagated based on that privilege should automatically be revoked by the system. (Standard SQL asks for this explicitly with REVOKE ... CASCADE; with REVOKE ... RESTRICT the revocation is refused while dependent grants exist.)

Techniques to limit the propagation of privileges have been developed, although they have not yet been implemented in most DBMSs.

Limiting horizontal propagation to an integer number i means that an account B given the GRANT OPTION can grant the privilege to at most i other accounts.

Vertical propagation limits the depth of the granting of the privileges. Granting a privilege with vertical propagation of zero is equivalent to granting the privilege with no GRANT OPTION. If account A grants a privilege to account B with vertical propagation set to an integer number j > 0, this means that account B has the GRANT OPTION on that privilege, but B can grant the privilege to other accounts only with a vertical propagation less than j.


An Example

Suppose that the DBA creates four accounts, A1, A2, A3, and A4, and wants only A1 to be able to create base relations. Then the DBA must issue a CREATE SCHEMA command as follows:

CREATE SCHEMA NWDB AUTHORIZATION A1;

Suppose that A1 creates the two base relations EMPLOYEE and DEPARTMENT.

Suppose that A1 wants to grant to account A2 the privilege to insert and delete tuples in both of these relations. A1 does not want A2 to be able to propagate these privileges to additional accounts. Then, A1 can issue the following command:

GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;

(Some DBMSs accept only one relation per GRANT statement; there the same effect needs two GRANTs, one per relation.)


An Example (Cont’d)

Suppose that A1 wants to allow account A3 to retrieve information from either of the two tables and also be able to propagate the SELECT privilege to other accounts. Then A1 can issue the following command:

GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION;

A3 can then grant the SELECT privilege on the EMPLOYEE relation to A4 by issuing the following command:

GRANT SELECT ON EMPLOYEE TO A4;

Suppose that A1 decides to revoke the SELECT privilege on the EMPLOYEE relation from A3; then A1 can issue the following command:

REVOKE SELECT ON EMPLOYEE FROM A3;

Because A4's SELECT privilege on EMPLOYEE was derived from A3's grant, the system revokes it from A4 as well. A3 keeps SELECT on DEPARTMENT, which was not revoked.


An Example (Cont’d)

Suppose that A1 wants to give back to A3 a limited capability to SELECT from the EMPLOYEE relation and wants to allow A3 to propagate the privilege. The limitation is to retrieve only the NAME, BDATE, and ADDRESS attributes and only the tuples with DNO = 5. Then A1 can create the following view:

CREATE VIEW A3EMPLOYEE AS
SELECT NAME, BDATE, ADDRESS
FROM EMPLOYEE
WHERE DNO = 5;

After the view is created, A1 can grant SELECT on the view A3EMPLOYEE to A3 as follows:

GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT OPTION;

A3 can pass this privilege on, but only on the view; A3 does not regain SELECT on the base relation EMPLOYEE.

Suppose that A1 wants to allow A4 to update only the SALARY attribute of EMPLOYEE:

GRANT UPDATE ON EMPLOYEE(SALARY) TO A4;

(In standard SQL the column list follows the privilege rather than the relation: GRANT UPDATE(SALARY) ON EMPLOYEE TO A4;.)
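The GRANT OPTION, cascading REVOKE and the horizontal/vertical propagation limits described on the earlier slide, and the A1..A4 scenario worked through above, can be replayed against a small model of the authorization graph a DBMS keeps for each privilege. The following is an added example written for this page; it is not code from the lecture and not the implementation of any DBMS. The AuthGraph class and its method names are made up for the example, and the account and relation names (A1..A6, EMPLOYEE, DEPARTMENT) follow the slides.

```python
# Added example, not code from the lecture or from any DBMS: a model of the authorization
# graph behind GRANT / REVOKE, the GRANT OPTION, cascading revoke and the horizontal /
# vertical propagation limits. Names (A1..A6, EMPLOYEE, DEPARTMENT) follow the slides.
from dataclasses import dataclass
from math import inf

@dataclass
class Grant:
    grantor: str
    grantee: str
    privilege: str     # e.g. "SELECT"
    obj: str           # relation or view, e.g. "EMPLOYEE"
    vertical: float    # depth the grantee may pass on: 0 = no GRANT OPTION, inf = plain GRANT OPTION
    horizontal: float  # how many further accounts the grantee may grant to (inf = unlimited)

class AuthGraph:
    def __init__(self):
        self.owner = {}    # relation -> owner account
        self.grants = []   # every Grant currently in force

    def create_relation(self, account, obj):
        self.owner[obj] = account          # the creator owns the relation

    def holds(self, account, privilege, obj):
        """True if account holds privilege on obj, as owner or through a grant."""
        return self.owner.get(obj) == account or any(
            g.grantee == account and g.privilege == privilege and g.obj == obj for g in self.grants)

    def _capacity(self, account, privilege, obj):
        """(vertical, horizontal) budget the account may re-grant with, or None."""
        if self.owner.get(obj) == account:
            return (inf, inf)
        best = max((g for g in self.grants if g.grantee == account and g.vertical > 0
                    and g.privilege == privilege and g.obj == obj),
                   key=lambda g: g.vertical, default=None)
        return None if best is None else (best.vertical, best.horizontal)

    def grant(self, grantor, grantee, privilege, obj, *,
              with_grant_option=False, vertical=None, horizontal=inf):
        """Record a grant; returns False and records nothing if grantor may not make it."""
        cap = self._capacity(grantor, privilege, obj)
        if cap is None:
            return False            # grantor lacks the privilege or the GRANT OPTION
        cap_vertical, cap_horizontal = cap
        vertical = (inf if with_grant_option else 0) if vertical is None else vertical
        if cap_vertical != inf and vertical >= cap_vertical:
            return False            # must pass on strictly less depth than it received
        made = sum(1 for g in self.grants
                   if g.grantor == grantor and g.privilege == privilege and g.obj == obj)
        if made >= cap_horizontal:
            return False            # horizontal limit exhausted
        self.grants.append(Grant(grantor, grantee, privilege, obj, vertical, horizontal))
        return True

    def revoke(self, grantor, grantee, privilege, obj):
        """Drop grantor's grant to grantee, then cascade: every grant no longer backed by a
        chain of GRANT OPTIONs from the owner goes too. Returns the removed (grantor, grantee) pairs."""
        keep = [g for g in self.grants if not (g.grantor == grantor and g.grantee == grantee
                                               and g.privilege == privilege and g.obj == obj)]
        removed = [(grantor, grantee)] if len(keep) < len(self.grants) else []
        supported, changed = set(), True
        while changed:              # fixpoint: mark grants reachable from the owner
            changed = False
            for i, g in enumerate(keep):
                if i not in supported and (self.owner.get(g.obj) == g.grantor or any(
                        j in supported and h.grantee == g.grantor and h.vertical > 0
                        and h.privilege == g.privilege and h.obj == g.obj
                        for j, h in enumerate(keep))):
                    supported.add(i)
                    changed = True
        removed += [(g.grantor, g.grantee) for i, g in enumerate(keep) if i not in supported]
        self.grants = [g for i, g in enumerate(keep) if i in supported]
        return removed

def lecture_scenario():
    """Replays the A1..A4 example from the slides and reports the outcome."""
    db = AuthGraph()
    for rel in ("EMPLOYEE", "DEPARTMENT"):
        db.create_relation("A1", rel)
        for priv in ("INSERT", "DELETE"):                              # GRANT INSERT, DELETE ... TO A2;
            db.grant("A1", "A2", priv, rel)
        db.grant("A1", "A3", "SELECT", rel, with_grant_option=True)   # GRANT SELECT ... TO A3 WITH GRANT OPTION;
    a2_blocked = not db.grant("A2", "A4", "INSERT", "EMPLOYEE")       # A2 has no GRANT OPTION
    db.grant("A3", "A4", "SELECT", "EMPLOYEE")                        # A3: GRANT SELECT ON EMPLOYEE TO A4;
    a4_before = db.holds("A4", "SELECT", "EMPLOYEE")
    removed = db.revoke("A1", "A3", "SELECT", "EMPLOYEE")             # A1: REVOKE SELECT ON EMPLOYEE FROM A3;
    return {"a2_cannot_propagate": a2_blocked, "a4_before_revoke": a4_before,
            "a4_after_revoke": db.holds("A4", "SELECT", "EMPLOYEE"),
            "a3_keeps_department": db.holds("A3", "SELECT", "DEPARTMENT"), "removed": removed}

def propagation_limits():
    """A1 grants A3 SELECT with vertical propagation 2 and horizontal propagation 1."""
    db = AuthGraph()
    db.create_relation("A1", "EMPLOYEE")
    db.grant("A1", "A3", "SELECT", "EMPLOYEE", vertical=2, horizontal=1)
    return {"a3_to_a4_depth1": db.grant("A3", "A4", "SELECT", "EMPLOYEE", vertical=1),
            "a3_to_a5_second_grantee": db.grant("A3", "A5", "SELECT", "EMPLOYEE"),
            "a4_to_a5_depth0": db.grant("A4", "A5", "SELECT", "EMPLOYEE", vertical=0),
            "a5_to_a6": db.grant("A5", "A6", "SELECT", "EMPLOYEE"),
            "a4_to_a6_depth1": db.grant("A4", "A6", "SELECT", "EMPLOYEE", vertical=1)}
```

The revoke is deliberately computed as reachability from the owner rather than by deleting everything A3 ever granted: if A4 also held SELECT through a second, independent grant (say directly from A1), that grant survives, which is the behaviour a SQL REVOKE ... CASCADE gives. The vertical limit is enforced as "strictly less than received", so a grant made with vertical propagation 1 can be passed on once more only with depth 0, that is, without the GRANT OPTION.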

  


Mandatory Access Control for Multilevel Security

In many government, military, and intelligence applications, a particular security policy is needed that classifies data and users based on security classes.

The typical security classes used are top secret (TS), secret (S), confidential (C), and unclassified (U), where TS > S > C > U.


Bell-LaPadula Multilevel Security Model

The commonly used model for multilevel security, known as the Bell-LaPadula model, classifies each subject (user, account, program) and object (relation, tuple, column, view, operation) into one of the security classifications TS, S, C, and U. We refer to the classification of a subject S as class(S) and the classification of an object O as class(O).

Two restrictions are enforced on data access:

A subject S is not allowed read access to an object O unless class(S) ≥ class(O). (This is the simple security property.)

A subject S is not allowed write access to an object O unless class(O) ≥ class(S). (This is the star property, written *-property.)

The first restriction enforces the obvious rule that no subject can read an object whose security classification is higher than the subject's security clearance (no read-up).

The second restriction prohibits a subject from writing an object that has a lower security classification than the subject's security clearance (no write-down). Without it, a subject cleared to S could copy S data it is allowed to read into a U object, where any U subject could read it; the rule closes that channel even when the copy is made by a program running on the subject's behalf without its knowledge.


Multilevel Security Implementation in The Relational Model

To incorporate multilevel security notions into the relational model, it is common to consider attribute values and tuples as data objects.

Each attribute A is associated with a classification attribute C in the schema, and each attribute value in a tuple is associated with a corresponding security classification.

A tuple classification attribute TC is added to the relation attributes to provide a classification for each tuple as a whole; TC is the highest classification of any attribute value in the tuple.

A multilevel relation schema R with n attributes would be represented as:

R(A1, C1, A2, C2, …, An, Cn, TC)

A multilevel relation will appear to contain different data to subjects (users) with different classification levels.


Multilevel Security Implementation in The Relational Model

It is possible to store a single tuple in the relation at a higher classification level and produce the corresponding tuples at a lower classification level through a process known as filtering.

In other cases, it is necessary to store two or more tuples at different classification levels with the same value for the apparent key (primary key). This leads to the concept of polyinstantiation.


Multilevel Security Implementation in The Relational Model

A multilevel relation: Employee (each value is followed by its classification; TC classifies the tuple)

Name       Salary      JobPerformance   TC
Smith  U   40000  C    Fair       S     S
Brown  C   80000  S    Good       C     S

Appearance of Employee after filtering for classification C users

Name       Salary      JobPerformance   TC
Smith  U   40000  C    Null       C     C
Brown  C   Null   C    Good       C     C


Multilevel Security Implementation in The Relational Model

A multilevel relation: Employee

Name       Salary      JobPerformance   TC
Smith  U   40000  C    Fair       S     S
Brown  C   80000  S    Good       C     S

Appearance of Employee after filtering for classification U users (the Brown tuple disappears entirely because its apparent key is classified C)

Name       Salary      JobPerformance   TC
Smith  U   Null   U    Null       U     U


Multilevel Security Implementation in The Relational Model

A multilevel relation: Employee

Name       Salary      JobPerformance   TC
Smith  U   40000  C    Fair       S     S
Brown  C   80000  S    Good       C     S

Polyinstantiation of the Smith tuple (after a C user updates JobPerformance to Excellent; the S tuple is left untouched)

Name       Salary      JobPerformance   TC
Smith  U   40000  C    Fair       S     S
Smith  U   40000  C    Excellent  C     C
Brown  C   80000  S    Good       C     S
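The Bell-LaPadula read and write checks from the earlier slide, the per-attribute classification scheme, the filtering shown for C and U users, and the polyinstantiated Smith tuple above can all be reproduced with one small model. The following is an added example written for this page, not code from the lecture or from any multilevel DBMS. The rows are the slides' Employee relation; the function names (can_read, filter_relation, update_attribute) and the rule that an update by a subject whose level differs from the attribute's classification creates a new tuple at the subject's level are assumptions of the example.

```python
# Added example, not code from the lecture: a multilevel relation with a classification per
# attribute value and per tuple (TC), the Bell-LaPadula read/write checks, filtering for a
# subject's clearance, and a polyinstantiated update. Rows are the slides' Employee relation;
# the function names and the update rule are this example's own choices.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}          # TS > S > C > U
ATTRS = ("Name", "Salary", "JobPerformance")          # Name is the apparent key


def dominates(a: str, b: str) -> bool:
    """class(a) >= class(b)."""
    return LEVELS[a] >= LEVELS[b]


def can_read(subject_class: str, object_class: str) -> bool:
    """Simple security property: read only if class(S) >= class(O)."""
    return dominates(subject_class, object_class)


def can_write(subject_class: str, object_class: str) -> bool:
    """*-property (no write-down): write only if class(O) >= class(S)."""
    return dominates(object_class, subject_class)


def make_tuple(name, salary, perf) -> dict:
    """Each argument is a (value, class) pair; TC is the highest class in the tuple."""
    tc = max((name[1], salary[1], perf[1]), key=LEVELS.__getitem__)
    return {"Name": name, "Salary": salary, "JobPerformance": perf, "TC": tc}


EMPLOYEE = [                                           # constructed sample data, as on the slides
    make_tuple(("Smith", "U"), (40000, "C"), ("Fair", "S")),
    make_tuple(("Brown", "C"), (80000, "S"), ("Good", "C")),
]


def filter_relation(relation: list, clearance: str) -> list:
    """What a subject with the given clearance sees (the slides' 'filtering')."""
    visible = []
    for t in relation:
        if not can_read(clearance, t["Name"][1]):
            continue                                   # apparent key above the subject: tuple hidden
        row = {a: (t[a] if can_read(clearance, t[a][1]) else (None, clearance)) for a in ATTRS}
        row["TC"] = t["TC"] if can_read(clearance, t["TC"]) else clearance
        visible.append(row)
    return visible


def update_attribute(relation: list, clearance: str, key_value, attr: str, new_value) -> list:
    """Update by a subject at `clearance`. If the attribute is classified at exactly that
    level it is changed in place. Otherwise the subject may not overwrite a value it cannot
    see (nor move its classification), so a second tuple with the same apparent key is
    inserted at the subject's level: polyinstantiation."""
    out, updated = [], False
    for t in relation:
        if (t["Name"][0] == key_value and can_read(clearance, t["Name"][1])
                and t[attr][1] == clearance):
            t = dict(t, **{attr: (new_value, clearance)})
            updated = True
        out.append(t)
    if updated:
        return out
    base = next((r for r in filter_relation(relation, clearance) if r["Name"][0] == key_value), None)
    if base is None:
        return out                                     # no tuple with that key visible at this level
    poly = dict(base, **{attr: (new_value, clearance)})
    poly["TC"] = clearance                             # every class in the new tuple is <= clearance
    out.append(poly)
    return out
```

Running filter_relation(EMPLOYEE, "C") and filter_relation(EMPLOYEE, "U") yields exactly the two filtered views on the slides, and update_attribute(EMPLOYEE, "C", "Smith", "JobPerformance", "Excellent") yields the three-tuple polyinstantiated relation. A second update by a C user then finds the C tuple and changes it in place, so the relation does not grow with every write.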


Thank you