Chapter 6 – Database Security
Integrity for databases: record integrity, data correctness, update integrity
Security for databases: access control, inference, and aggregation
Multilevel secure databases: partitioned, cryptographically sealed, filtered
Introduction to Databases
Database – collection of data and set of rules that organize the data by specifying certain relationships among the data
Database administrator (DBA)
Database management system (DBMS) – database manager, front-end
Introduction to Databases
Records – contain related group of data
Fields (elements) – elementary data items
Schema – logical structure of database
Subschema – view into database
Introduction to Databases
Relational
• Rows (relation); columns (attributes)
• DB2, Oracle, Access
Hierarchical
• IMS
Object-oriented
Introduction to Databases
Queries
• SELECT NAME = ‘ADAMS’
• SELECT (ZIP = ‘43210’) ^ (NAME = ‘ADAMS’)
Project
• SHOW FIRST WHERE (ZIP = ‘43210’) ^ (NAME = ‘ADAMS’)
Join
• SHOW NAME, AIRPORT WHERE NAME.ZIP = AIRPORT.ZIP
Advantages of Using Databases
Shared access
Minimal redundancy
Data consistency
Data integrity
Controlled access
Security Requirements
Physical database integrity
Logical database integrity
Element integrity
Auditability
Access control
User authentication
Availability
Integrity of the Database
Users must be able to trust the accuracy of the data values
Updates are performed by authorized individuals
Integrity is the responsibility of the DBMS, the OS, and the computing system manager
Must be able to reconstruct the database at the point of a failure
Element Integrity
Correctness or accuracy of elements
Field checks
Access control
Maintain a change log – list every change made to the database
Auditability & Access Control
Desirable to generate an audit record of all access to the database (reads/writes)
Pass-through problem – accessing a record or element without transferring the data received to the user (no reads/writes)
Databases separated logically by user access privileges
Other Security Requirements
User Authentication
Confidentiality
Availability
Reliability and Integrity
Database integrity
Element integrity
Element accuracy
Some protection from OS
• File access
• Data integrity checks
Two-Phase Update
Failure of computing system in middle of modifying data
Intent Phase – gather resources needed for update; write commit flag to the database
Update Phase – make permanent changes
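The two phases and the recovery rule they make possible, as an added example that is not part of the lecture: the commit flag is written last in the intent phase, so on restart a set flag means "redo the update" and a clear flag means "discard whatever was staged". The JSON file layout, the key names and the simulated crash points are constructed for this example.

```python
import json, os, tempfile

class TwoPhaseDB:
    # Toy store in one JSON file: {"data": {...}, "shadow": {...}, "commit_flag": bool}
    def __init__(self, path):
        self.path = path
        if not os.path.exists(path):
            self._save({"data": {}, "shadow": {}, "commit_flag": False})
        self.recover()  # every (re)start runs recovery first
    def _load(self):
        with open(self.path) as f:
            return json.load(f)
    def _save(self, state):
        with open(self.path + ".tmp", "w") as f:
            json.dump(state, f)
        os.replace(self.path + ".tmp", self.path)  # rename: the file is never half-written
    def intent(self, changes, crash_before_flag=False):
        """Intent phase: stage the new values, then write the commit flag LAST."""
        state = self._load()
        state["shadow"] = dict(changes)
        self._save(state)
        if crash_before_flag:  # simulated crash inside the intent phase
            return
        state["commit_flag"] = True
        self._save(state)
    def update(self):
        """Update phase: make staged values permanent, then clear the flag."""
        state = self._load()
        if state["commit_flag"]:
            state["data"].update(state["shadow"])
            state["shadow"], state["commit_flag"] = {}, False
            self._save(state)
    def recover(self):
        # Flag set: intent phase completed, so redo the (idempotent) update.
        # Flag clear: nothing was committed, so discard whatever was staged.
        state = self._load()
        if state["commit_flag"]:
            self.update()
        elif state["shadow"]:
            state["shadow"] = {}
            self._save(state)

def demo(crash_point):
    """crash_point: 'before_flag', 'after_flag' or None. Returns data seen after restart."""
    path = os.path.join(tempfile.mkdtemp(), "db.json")
    db = TwoPhaseDB(path)
    db.intent({"balance": 100}); db.update()  # constructed starting state
    db.intent({"balance": 70, "ledger": "paid 30"}, crash_point == "before_flag")
    if crash_point is None:
        db.update()
    return TwoPhaseDB(path)._load()["data"]  # reopening simulates the restart
```

A crash before the flag leaves the old balance of 100; a crash after it is completed on restart, so the two halves of the change are never seen separately.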
Redundancy / Internal Consistency
Error detection / correction codes (parity bits, Hamming codes, CRCs)
Shadow fields
Log of user accesses and changes
Concurrency/Consistency
Access by two users sharing the same database must be constrained (lock)
Monitors – check entered values to ensure consistency with rest of DB
• Range Comparisons
• State Constraints – describes condition of database (unique employee #)
• Transition Constraints – conditions before changes are applied to DB
Sensitive Data
Data that should not be made public
What if some but not all of the elements of a DB are sensitive?
• Inherently sensitive
• From a sensitive source
• Declared sensitive
• Part of a sensitive attribute or record
• Sensitive in relation to previously disclosed information
Access Decisions
Need an access policy (programmed into DBMS)
Availability – blocking; permanent blocking
Acceptability of Access (sensitive data)
Assurance of Authenticity
Types of Disclosures
Exact Data
Bounds
Negative Results
Existence of Data
Probable Values
Security vs. Precision
Aim to protect all sensitive data while revealing as much nonsensitive data as possible
Want to maintain perfect confidentiality with maximum precision
Inference
Way to infer / derive sensitive data from nonsensitive data
Direct Attack
• List NAME where SEX=M ^ DRUGS=1
• List NAME where (SEX=M ^ DRUGS=1) v (SEX#M ^ SEX#F) v (DORM=AYRES)
Indirect Attack
Sum
• Show STUDENT-AID WHERE SEX=F ^ DORM=Grey
Count
• Show Count, STUDENT-AID WHERE SEX=M ^ DORM=Holmes
• List NAME where (SEX=M ^ DORM=Holmes)
Median
Tracker Attacks – using additional queries that produce small results
Controls
Suppression – don’t provide sensitive data
Concealing – don’t provide actual values (“close to”)
Limited Response Suppression
• n-item k-percent rule eliminates low frequency elements from being displayed (may need to suppress additional rows/columns)
Controls
Combined Results
• Sums
• Ranges
• Rounding
Random Sample
Random Data Perturbation
Query Analysis – “should the result be provided”
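The sum and count queries from the Indirect Attack slide, run through three of the controls above (a minimum-count query analysis, the n-item k-percent rule and rounding of counts), as an added example that is not part of the lecture. The student relation, the names and aid amounts, and the thresholds MIN_COUNT, N_ITEMS, K_PERCENT and ROUND_TO are constructed for this example.

```python
# Constructed sample relation: (NAME, SEX, DORM, STUDENT_AID). Dorm names follow the slides.
STUDENTS = [
    ("Adams",   "M", "Holmes", 5000),
    ("Bailey",  "M", "Holmes", 3000),
    ("Chin",    "M", "Holmes", 2500),
    ("Dewitt",  "F", "Grey",   4000),   # the only woman in Grey
    ("Earhart", "F", "Holmes", 6000),
    ("Fein",    "F", "West",   1000),
    ("Groff",   "M", "West",      0),
    ("Hill",    "F", "West",   2000),   # dominates the West total
]

MIN_COUNT = 3               # query analysis: no statistic over fewer than 3 records
N_ITEMS, K_PERCENT = 1, 50  # n-item k-percent rule: suppress if 1 record gives >50% of a sum
ROUND_TO = 5                # counts are reported only as multiples of 5

def aid_sum(rows, where):
    """Sum of STUDENT_AID over rows matching `where`, or None when suppressed."""
    vals = [r[3] for r in rows if where(r)]
    if len(vals) < MIN_COUNT:
        return None                       # too few contributors: the sum would expose them
    total = sum(vals)
    top = sum(sorted(vals, reverse=True)[:N_ITEMS])
    if total > 0 and top * 100 > K_PERCENT * total:
        return None                       # n-item k-percent rule: a few records dominate
    return total

def count(rows, where):
    """Number of rows matching `where`, rounded, or None when suppressed."""
    n = sum(1 for r in rows if where(r))
    if n < MIN_COUNT:
        return None
    return int(n / ROUND_TO + 0.5) * ROUND_TO   # rounding hides exact small differences

def demo():
    """The slide's queries, each answered only if the controls allow it."""
    return {
        # one woman in Grey: the sum would be her aid, so it is suppressed
        "sum F Grey": aid_sum(STUDENTS, lambda r: r[1] == "F" and r[2] == "Grey"),
        # three men in Holmes, none above 50 % of the total: released
        "sum M Holmes": aid_sum(STUDENTS, lambda r: r[1] == "M" and r[2] == "Holmes"),
        # three records in West, but Hill alone is 2/3 of the total: suppressed
        "sum West": aid_sum(STUDENTS, lambda r: r[2] == "West"),
        "count M": count(STUDENTS, lambda r: r[1] == "M"),   # 4, reported as 5
        "count F Grey": count(STUDENTS, lambda r: r[1] == "F" and r[2] == "Grey"),
    }
```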
Conclusion on the Inference Problem
Suppress obviously sensitive information
Track what the user knows
Disguise the data
Aggregation
Building sensitive results from less sensitive inputs
Data mining – process of sifting through multiple databases and correlating multiple data elements to find useful information
Multilevel Databases
Differentiated Security
• Security of single element may be different from security of other elements
• Two levels – sensitive and nonsensitive – are inadequate to represent some security situations
• Security of an aggregate (sum, count, …) may be different from security of the individual elements
Granularity
Security Issues
Integrity
• *-property for access control
• Either process cleared at a high level cannot write to a lower level or process must be a “trusted process”
Confidentiality
• Different users at different levels may get different query results
• Polyinstantiation – record can appear more than once with different levels of confidentiality
Proposals for Multilevel Security
Separation
• Partitioning – divide DB into separate DBs with own level of sensitivity
• Encryption (time consuming)
• Integrity Lock – each data item contains a sensitivity label and a checksum
  • Sensitivity label must be unforgeable, unique, concealed
  • Checksum must be unique
  • Sensitivity lock
Design of Multilevel Secure Databases
Integrity Lock – not efficient (space/time)
Trusted Front-end (Guard) – does authentication and filtering
Commutative Filters
• screen user’s requests, reformats, so that only appropriate data is returned
Design of Multilevel Secure Databases
Distributed (federated) database
• Trusted front-end controls access to two DBMSs – one for high-sensitivity data and one for low-sensitivity data
• Very complex
Window/View
• Subset of a database containing exactly the information that the user is entitled to access
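The integrity lock from the Proposals slide combined with the trusted front end from the Design slides, as an added example that is not part of the lecture: the checksum is an HMAC over item id, value and label under a key only the front end holds, which makes the label unforgeable and ties the lock to one item; the filter then returns only items whose label the user's clearance dominates. Concealment of the label (encrypting it) is left out, and the level names, record ids, values and key are constructed for this example.

```python
import hmac, hashlib

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

class TrustedFrontEnd:
    """Holds the lock key; the untrusted DBMS only ever stores sealed items."""
    def __init__(self, key):
        self.key = key

    def _lock(self, item_id, value, label):
        # The checksum binds value, label and the item's identity, so a label or
        # checksum copied from another item is rejected too (the "unique" requirement).
        msg = f"{item_id}\x00{value}\x00{label}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def seal(self, item_id, value, label):
        if label not in LEVELS:
            raise ValueError("unknown sensitivity label")
        return {"id": item_id, "value": value, "label": label,
                "lock": self._lock(item_id, value, label)}

    def read(self, store, user_level):
        """Items the user is cleared for; items whose lock fails are reported, never returned."""
        visible, tampered = [], []
        for item in store:
            expected = self._lock(item["id"], item["value"], item["label"])
            if not hmac.compare_digest(expected, item["lock"]):
                tampered.append(item["id"])
                continue
            if LEVELS[item["label"]] <= LEVELS[user_level]:
                visible.append((item["id"], item["value"]))
        return visible, tampered

def demo():
    tfe = TrustedFrontEnd(b"constructed-example-key")
    store = [tfe.seal("emp1.name", "Adams", "unclassified"),
             tfe.seal("emp1.salary", "72000", "secret"),
             tfe.seal("emp2.name", "Bailey", "unclassified"),
             tfe.seal("emp2.salary", "91000", "secret")]
    # Tampering simulated in the untrusted store: a secret salary is relabelled
    # unclassified. Without the lock a confidential user would now be shown it.
    store[3]["label"] = "unclassified"
    return tfe.read(store, "confidential"), tfe.read(store, "top secret")
```

The relabelled item is withheld from every clearance level and reported by id, while the untouched secret salary is still shown only to the top secret user.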