Database Security and Privacy
Transcript of a PowerPoint presentation (slide deck "Database Security", Farkas).
Database Security - Farkas 1
Database Security and Privacy
Security Objectives
- Secrecy: prevent/detect/deter improper disclosure of information
- Availability: prevent/detect/deter improper denial of access to services
- Integrity: prevent/detect/deter improper modification of information
Policy
- Organizational policy
- Information systems policy
Databases
- Collection of interrelated data and set of programs to access the data
- Convenient and efficient processing of data
- Database application software
Database Security
Protect sensitive data from:
- Unauthorized disclosure
- Unauthorized modification
- Denial of service attacks
Security controls:
- Security policy
- Access control models
- Integrity protection
- Privacy problems
- Fault tolerance and recovery
- Auditing and intrusion detection
Protection of Data Confidentiality
- Access control: which data users can access
- Information flow control: what users can do with the accessed data
- Data mining
Access Control
Ensures that all direct accesses to objects are authorized
Protects against accidental and malicious threats by regulating the read, write and execution of data and programs
Access Control
Requires:
- Proper user identification
- Information specifying the access rights is protected from modification
Access Control
Access control components:
- Access control policy: specifies the authorized accesses of a system
- Access control mechanism: implements and enforces the policy
How to specify access control?
Access Control
- Subject: active entity that requests access to an object, e.g., user or program
- Object: passive entity accessed by a subject, e.g., record, relation, file
- Access right (privilege): how a subject is allowed to access an object, e.g., subject s can read object o
Protection Object
Database, relation, record, attribute, element
Advantages vs. disadvantages of supporting different granularity levels
Relation-Level Granularity
Works relation, labelled Confidential as a whole:
Person-name  Company-name  Salary
Smith        BB&C          $43,982
Dell         Bell          $97,900
Black        BB&C          $35,652
Tuple-level Granularity
Works relation, each tuple labelled:
Person-name  Company-name  Salary   Label
Smith        BB&C          $43,982  Public
Dell         Bell          $97,900  Conf.
Black        BB&C          $35,652  Public
Attribute-Level Granularity
Works relation, each attribute labelled:
Person-name (Publ.)  Company-name (Publ.)  Salary (Conf.)
Smith                BB&C                  $43,982
Dell                 Bell                  $97,900
Black                BB&C                  $35,652
Cell-Level Granularity
Works relation, each cell labelled (P = Public, C = Confidential):
Person-name  Company-name  Salary
Smith P      BB&C P        $43,982 C
Dell C       Bell C        $97,900 C
Black P      BB&C C        $35,652 C
Access Control Policies
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Role-Based Access Control (RBAC)
Discretionary Access Control (DAC)
For each subject, the access rights to the objects are defined as (subject, object, +/- access mode), e.g., (Black, Employee-relation, read)
User-based grant and revoke
Problems:
- Propagation of access rights
- Revocation of propagated access rights
DAC by Grant and Revoke
Subjects: Brown (owner), Black, Red, White
GRANT SELECT ON Employee TO Black WITH GRANT OPTION
GRANT SELECT ON Employee TO Red
GRANT UPDATE(Salary) ON Employee TO White
? Brown revokes the grant given to Black
? Brown does not want Red to access the Employee relation
Implementation
Access Control List (ACL, column):
File 1: Joe:Read, Joe:Write, Joe:Own
File 2: Joe:Read, Sam:Read, Sam:Write, Sam:Own
Capability List (row):
Joe: File 1/Read, File 1/Write, File 1/Own, File 2/Read
Sam: File 2/Read, File 2/Write, File 2/Own
Access Control Triples (Subject, Access, Object):
Joe Read File 1
Joe Write File 1
Joe Own File 1
Joe Read File 2
Sam Read File 2
Sam Write File 2
Sam Own File 2
Access Control Mechanisms
- Security through views
- Stored procedures
- Grant and revoke
- Query modification
Security Through Views
Assign rights to access predefined views:
CREATE VIEW Outstanding-Student AS
  SELECT NAME, COURSE, GRADE
  FROM Student
  WHERE GRADE > B
Problem:
Difficult to maintain updates.
Stored Procedures
Assign rights to execute compiled programs:
GRANT RUN ON <program> TO <user>
Problem:
Programs may access resources for which the user who runs the program does not have permission.
Grant and Revoke
GRANT <privilege> ON <relation> TO <user> [WITH GRANT OPTION]
Examples:
GRANT SELECT * ON Student TO Matthews
GRANT SELECT *, UPDATE(GRADE) ON Student TO FARKAS
GRANT SELECT(NAME) ON Student TO Brown
The GRANT command applies to base relations as well as views.
Grant and Revoke
REVOKE <privileges> [ON <relation>] FROM <user>
Examples:
REVOKE SELECT * ON Student FROM Blue
REVOKE UPDATE ON Student FROM Black
REVOKE SELECT(NAME) ON Student FROM Brown
Non-cascading Revoke
Before: A, B, C, D, E, F hold the privilege (A granted it to D; E and F received it through D)
A revokes D's privileges
After: A, B, C, E, F still hold the privilege; only D loses it
Cascading Revoke
Before: A, B, C, D, E, F hold the privilege (A granted it to D; E and F received it through D)
A revokes D's privileges
After: only A, B, C hold the privilege; D, and with it E and F, lose it
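The grant-and-revoke behaviour on the preceding slides (Brown, Black and Red on the Employee relation; the A..F diagrams for non-cascading versus cascading revoke), as an added example that is not part of the original slides. It models a single privilege on one relation; the GrantGraph class, its method names and the assumption that each subject holds the privilege through at most one grantor are this example's own, and White's UPDATE(Salary) grant is left out because it is a different privilege.

```python
# Added example (not from the slides): a grant graph for one privilege on one
# relation, with propagation through WITH GRANT OPTION and both revoke semantics.
# GrantGraph and its methods are assumptions of this example.


class GrantGraph:
    """Tracks who granted the privilege to whom; the owner holds it implicitly."""

    def __init__(self, owner):
        self.owner = owner
        self.grants = {}  # grantee -> (grantor, has_grant_option)

    def holders(self):
        """Every subject that currently holds the privilege."""
        return {self.owner} | set(self.grants)

    def has_grant_option(self, subject):
        return subject == self.owner or self.grants.get(subject, (None, False))[1]

    def grant(self, grantor, grantee, grant_option=False):
        # Only the owner or a subject that received WITH GRANT OPTION may grant.
        if not self.has_grant_option(grantor):
            raise PermissionError(f"{grantor} cannot grant this privilege")
        if grantee in self.holders():
            raise ValueError(f"{grantee} already holds the privilege")
        self.grants[grantee] = (grantor, grant_option)

    def revoke(self, grantor, grantee, cascade):
        # A subject may only revoke a grant it issued itself.
        if grantee not in self.grants or self.grants[grantee][0] != grantor:
            raise PermissionError(f"{grantor} did not grant to {grantee}")
        del self.grants[grantee]
        if cascade:
            # Cascading revoke: keep dropping grants whose grantor no longer holds
            # the privilege until every remaining grant chains back to the owner.
            changed = True
            while changed:
                changed = False
                for subject, (by, _) in list(self.grants.items()):
                    if by not in self.holders():
                        del self.grants[subject]
                        changed = True
        # Non-cascading revoke: grants issued by the revoked subject survive.
        return self.holders()


def employee_scenario(cascade):
    """Brown revokes the SELECT grant given to Black; what happens to Red?"""
    g = GrantGraph("Brown")
    g.grant("Brown", "Black", grant_option=True)  # GRANT SELECT ON Employee TO Black WITH GRANT OPTION
    g.grant("Black", "Red")                       # Black passes SELECT on to Red
    return sorted(g.revoke("Brown", "Black", cascade))


def revoke_from_d(cascade):
    """The A..F diagrams: A granted to B, C and D (D with grant option); D granted to E and F."""
    g = GrantGraph("A")
    g.grant("A", "B")
    g.grant("A", "C")
    g.grant("A", "D", grant_option=True)
    g.grant("D", "E")
    g.grant("D", "F")
    return sorted(g.revoke("A", "D", cascade))


def grant_without_option_is_refused():
    """A grantee without the grant option cannot propagate the privilege."""
    g = GrantGraph("Brown")
    g.grant("Brown", "Red")
    try:
        g.grant("Red", "White")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("non-cascading:", revoke_from_d(False))  # A, B, C, E, F keep the privilege
    print("cascading:", revoke_from_d(True))       # only A, B, C keep it
```

With non-cascading semantics Red keeps the SELECT privilege after Brown revokes Black, which is exactly the second question on the slide (Brown does not want Red to access Employee): only a cascading revoke, or a separate revoke by Black, removes Red's access.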
Positive and Negative Authorization
Problem: contradictory authorizations
- GRANT <privilege> ON X TO <user>
- DENY <privilege> ON X TO <user>
(Diagram: subjects A, B, C, D, E connected by positive (+) and negative (-) authorizations)
Negative Authorization
(Diagram: subjects A, B, C, D, E, F connected by positive (+) and negative (-) authorizations; D has given a positive authorization to F)
What should happen with the privilege given by D to F?
Query Modification
GRANT SELECT(NAME) ON Student TO Blue
  WHERE COURSE="CSCE 590"
Blue's query:
SELECT * FROM Student
Modified query:
SELECT NAME FROM Student WHERE COURSE="CSCE 590"
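The two mechanisms from the Security Through Views and Query Modification slides, as an added example that is not part of the original slides, run against an in-memory SQLite database. The Student rows are constructed, the view is named Outstanding_Student because the slide's hyphenated name is not a valid SQLite identifier, and the PRIVILEGES table, modify_query and run_as are this example's own representation of the authorization store.

```python
# Added example (not from the slides): security through views and query
# modification on an in-memory SQLite database. Data, view name and the
# PRIVILEGES store are constructed for this example.
import sqlite3

# Constructed sample rows. Letter grades compare lexicographically, so "better
# than B" is GRADE < 'B'; the slide's GRADE > B would select the worse grades.
STUDENTS = [
    ("Smith", "CSCE 590", "A"),
    ("Dell", "CSCE 590", "B"),
    ("Black", "CSCE 786", "A"),
]

# (user, table) -> (granted columns, row predicate). Blue's entry corresponds to
#   GRANT SELECT(NAME) ON Student TO Blue WHERE COURSE="CSCE 590"
# Predicates come from this trusted store, never from the requesting user.
PRIVILEGES = {
    ("Blue", "Student"): (["NAME"], "COURSE = 'CSCE 590'"),
    ("Matthews", "Student"): (["NAME", "COURSE", "GRADE"], None),
}


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Student (NAME TEXT, COURSE TEXT, GRADE TEXT)")
    conn.executemany("INSERT INTO Student VALUES (?, ?, ?)", STUDENTS)
    # Security through views: a user granted SELECT on the view only ever sees
    # rows that pass the view's WHERE clause.
    conn.execute(
        "CREATE VIEW Outstanding_Student AS "
        "SELECT NAME, COURSE, GRADE FROM Student WHERE GRADE < 'B'"
    )
    return conn


def outstanding_students(conn):
    return [row[0] for row in conn.execute("SELECT NAME FROM Outstanding_Student ORDER BY NAME")]


def modify_query(user, columns, table):
    """Rewrite 'SELECT <columns> FROM <table>' into the query the user may run."""
    try:
        allowed, predicate = PRIVILEGES[(user, table)]
    except KeyError:
        raise PermissionError(f"{user} has no SELECT privilege on {table}")
    if columns == ["*"]:
        columns = allowed  # SELECT * shrinks to the granted columns
    elif not set(columns) <= set(allowed):
        raise PermissionError(f"{user} may not read {sorted(set(columns) - set(allowed))}")
    # Only identifiers from the privilege store reach the SQL text, so the
    # user's request cannot smuggle extra SQL into the rewritten query.
    sql = f"SELECT {', '.join(columns)} FROM {table}"
    if predicate:
        sql += f" WHERE {predicate}"
    return sql


def run_as(conn, user, columns, table):
    return list(conn.execute(modify_query(user, columns, table)))


def is_denied(user, columns, table):
    try:
        modify_query(user, columns, table)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    db = setup()
    print(outstanding_students(db))
    print(modify_query("Blue", ["*"], "Student"))  # SELECT NAME FROM Student WHERE COURSE = 'CSCE 590'
    print(run_as(db, "Blue", ["*"], "Student"))
```

The rewrite keeps the user's query shape but narrows it to the granted column list and conjoins the granted predicate, which is why a real implementation does this on the parsed query tree rather than on strings.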
DAC Overview
Advantages:
- Intuitive
- Easy to implement
Disadvantages:
- Inherent vulnerability (see the Trojan horse (TH) example)
- Maintenance of ACL or capability lists
- Maintenance of grant/revoke
- Limited power of negative authorization
Mandatory Access Control (MAC)
Security label: Top-Secret, Secret, Public
Objects: security classification, e.g., File 1 is Secret, File 2 is Public
Subjects: security clearances, e.g., Brown is cleared to Secret, Black is cleared to Public
Dominance (≥): Top-Secret ≥ Secret ≥ Public
MAC
Access rights: defined by comparing the security classification of the requested objects with the security clearance of the subject
If the access control rules are satisfied, access is permitted; otherwise access is rejected
Granularity of access rights!
MAC – Bell-LaPadula (BLP) Model
Simple security property: a subject S is allowed read access to an object O only if label(S) dominates label(O)
Star-property: a subject S is allowed write access to an object O only if label(O) dominates label(S)
No direct flow of information from high security objects to low security objects!
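The dominance ordering from the MAC slides and the two BLP properties above, as an added example that is not part of the original slides. Brown, Black, File 1 and File 2 and their labels follow the MAC slide; File 3, the function names and the reference_monitor/possible_flows helpers are this example's own. The last function checks the claim on the slide by enumerating every read-then-write pair a subject could perform and confirming none of them moves data to a lower label.

```python
# Added example (not from the slides): Bell-LaPadula checks over the
# three-level ordering Public < Secret < Top-Secret. Subjects, objects and
# helper names are constructed for this example.
LEVELS = ["Public", "Secret", "Top-Secret"]
RANK = {level: i for i, level in enumerate(LEVELS)}

# Constructed clearances and classifications (Brown, Black, File 1 and File 2
# follow the MAC slide; File 3 is added here).
CLEARANCE = {"Brown": "Secret", "Black": "Public"}
CLASSIFICATION = {"File 1": "Secret", "File 2": "Public", "File 3": "Top-Secret"}


def dominates(a, b):
    """a dominates b when a is at least as high as b in the ordering."""
    return RANK[a] >= RANK[b]


def can_read(subject, obj):
    """Simple security property: read only if label(S) dominates label(O)."""
    return dominates(CLEARANCE[subject], CLASSIFICATION[obj])


def can_write(subject, obj):
    """Star-property: write only if label(O) dominates label(S)."""
    return dominates(CLASSIFICATION[obj], CLEARANCE[subject])


def reference_monitor(subject, obj, mode):
    """Decide one access request; unknown modes are rejected (fail closed)."""
    checks = {"read": can_read, "write": can_write}
    return mode in checks and checks[mode](subject, obj)


def possible_flows():
    """Every (source, destination) object pair some subject could move data
    between by reading the source and then writing the destination."""
    flows = set()
    for s in CLEARANCE:
        for src in CLASSIFICATION:
            for dst in CLASSIFICATION:
                if can_read(s, src) and can_write(s, dst):
                    flows.add((src, dst))
    return flows


def no_downward_flow():
    """True when every possible flow ends at an object whose label dominates the source's."""
    return all(dominates(CLASSIFICATION[dst], CLASSIFICATION[src])
               for src, dst in possible_flows())


if __name__ == "__main__":
    print("Brown reads File 1:", reference_monitor("Brown", "File 1", "read"))    # True
    print("Brown writes File 2:", reference_monitor("Brown", "File 2", "write"))  # False
    print("Black writes File 1:", reference_monitor("Black", "File 1", "write"))  # True
    print("downward flow possible:", not no_downward_flow())                      # False
```

Note that the star-property allows Black (Public) to write into File 1 (Secret): writing up is permitted because it cannot leak anything, which is why integrity of high-level data needs a separate model.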
Multilevel Security
Multilevel security: users at different security levels see different versions of the database
Problem: the different versions need to be kept consistent and coherent without a downward signaling channel (covert channel)
Multilevel Relation
Schema R(A1, C1, …, An, Cn, Tc)
- R: relation name
- Ai: attribute name
- Ci: security class of attribute Ai
- Tc: tuple security class
Instantiation of the relation: a set of tuples of the form <a1, c1, …, an, cn, tc>
- ai: attribute value
- ci: attribute classification label
- tc: tuple classification label
Multilevel Relation Multilevel Relation ExampleExample
SSN (SSN) Course (Course) Grade (Grade)
111-22-3333 S CSCE 786 S A TS
444-55-6666 S CSCE 567 S C TS
Top-secret user sees all dataSecret user sees Secret-ViewSecret-View:
SSN (SSN) Course (Course) Grade (Grade)
111-22-3333 S CSCE 786 S null S
444-55-6666 S CSCE 567 S null S
Polyinstantiation
Secret user sees the Secret-View:
SSN          C_SSN  Course    C_Course  Grade  C_Grade
111-22-3333  S      CSCE 786  S         null   S
444-55-6666  S      CSCE 567  S         null   S
- SSN is the primary key
- Secret user wants to update Grade for 111-22-3333 from null (i.e., missing value) to F
- Allow the update: inconsistent database; at the TS level two different tuples exist with the same primary key (see next slide)
- Do not allow the update: downward signaling channel; the update is rejected because of the existence of a TS value
Polyinstantiation
Top-Secret View:
SSN          C_SSN  Course    C_Course  Grade  C_Grade
111-22-3333  S      CSCE 786  S         A      TS
111-22-3333  S      CSCE 786  S         F      S
444-55-6666  S      CSCE 567  S         C      TS
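The multilevel relation, the per-level views and the polyinstantiation dilemma from the last three slides, as an added example that is not part of the original slides. The two rows are the slides' own; the representation of each cell as a (value, class) pair, the tuple class as the highest attribute class, the subsumption rule that hides a filtered tuple behind a visible tuple with the same key, and the view/update function names are this example's assumptions.

```python
# Added example (not from the slides): filtering a multilevel relation per
# clearance and polyinstantiating on update. Cell representation, subsumption
# rule and function names are assumptions of this example.
RANK = {"S": 1, "TS": 2}  # Secret < Top-Secret
KEY = "SSN"               # primary key of the relation


def dominates(a, b):
    return RANK[a] >= RANK[b]


def make_relation():
    """The relation from the slides: SSN and Course are Secret, Grade is Top-Secret."""
    return [
        {"SSN": ("111-22-3333", "S"), "Course": ("CSCE 786", "S"), "Grade": ("A", "TS")},
        {"SSN": ("444-55-6666", "S"), "Course": ("CSCE 567", "S"), "Grade": ("C", "TS")},
    ]


def tuple_class(t):
    """Tc: the highest classification among the tuple's attributes."""
    return max((c for _, c in t.values()), key=RANK.__getitem__)


def subsumes(u, t):
    """u subsumes t when they share the key, agree on every non-null cell of t,
    and u carries a value somewhere t only has a null."""
    return (u is not t and u[KEY] == t[KEY]
            and all(t[a] == u[a] or t[a][0] is None for a in t)
            and any(t[a][0] is None and u[a][0] is not None for a in t))


def view(rel, clearance):
    """What a user cleared to `clearance` sees: invisible tuples are dropped,
    higher-classified cells become null at the user's level, and filtered
    tuples subsumed by a visible tuple with the same key disappear."""
    filtered = []
    for t in rel:
        if not dominates(clearance, t[KEY][1]):
            continue  # the key itself is above the user: the tuple does not exist for them
        f = {a: (v, c) if dominates(clearance, c) else (None, clearance) for a, (v, c) in t.items()}
        if f not in filtered:
            filtered.append(f)
    return [t for t in filtered if not any(subsumes(u, t) for u in filtered)]


def update(rel, clearance, key, attr, value):
    """Update one cell as a user at `clearance`. A cell classified at the user's
    own level is overwritten in place. If every existing value for that cell is
    classified higher (the user sees null), the update is accepted by inserting
    a polyinstantiated tuple: rejecting it would signal the existence of the
    higher-classified value downward."""
    candidates = [t for t in rel if t[KEY][0] == key and dominates(clearance, t[KEY][1])]
    if not candidates:
        raise KeyError(key)
    for t in candidates:
        if t[attr][1] == clearance:
            t[attr] = (value, clearance)
            return rel
    base = candidates[0]
    new = {a: (v, c) if dominates(clearance, c) else (None, clearance) for a, (v, c) in base.items()}
    new[attr] = (value, clearance)
    rel.append(new)
    return rel


if __name__ == "__main__":
    rel = make_relation()
    update(rel, "S", "111-22-3333", "Grade", "F")
    for row in view(rel, "TS"):
        print(row)  # three tuples, two of them with the same SSN
    for row in view(rel, "S"):
        print(row)  # the Secret user sees only F for 111-22-3333
```

The Top-Secret view after the update is exactly the table on the last slide: the price of closing the signaling channel is a relation in which the key no longer identifies a single tuple, so every query at the TS level has to be prepared for polyinstantiated rows.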