1 / 48

Introduction Database Security Overview

Explore database security requirements such as physical database integrity, auditability, and sensitive data handling in this lecture on database security. Gain insights into different levels of granularity, access control mechanisms, and protection methods. Learn about statistical compromises, covert channels, and inference channels in database security.

lvandenbosch
Download Presentation

Introduction Database Security Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction Database Security Overview

  2. Readings • This lecture: • Textbook: Chapter 5.2 • Lecture materials from CSCE 522, Nov. 3, Lecture 20 at http://www.cse.sc.edu/~farkas/csce522-2010/lectures.htm • For next class: • Textbook: Chapter 10.1, 10.2 CSCE 824

  3. Database Security Requirements • Physical database integrity • Logical database integrity • Element integrity • Auditability • Access control • User authentication • Availability CSCE 824

  4. Sensitive data • Inherently sensitive • From a sensitive source • Declared sensitive • Part of a sensitive attribute or record • In relation to previously disclosed information CSCE 824

  5. Types of disclosures • Exact data • Range of data • Negative results • Existence • Probable values CSCE 824

  6. Access control • Operating system • Database Management System • Granularity! CSCE 824

  7. Granularity • Database • Relation • Record • Attribute • Element Advantages vs. disadvantages of supporting different granularity levels CSCE 824

  8. Granularity • Database • Relation • Record • Attribute • Element Advantages vs. disadvantages of supporting different granularity levels CSCE 824

  9. Relation-Level Granularity (Works)= Secret CSCE 824

  10. Tuple-level Granularity Works CSCE 824

  11. Attribute-Level Granularity Works CSCE 824

  12. Cell-Level Granularity Works CSCE 824

  13. Access Control Mechanisms • Security through Views • Stored Procedures • Grant and Revoke • Query modification CSCE 824

  14. Security Through Views • Assign rights to access predefined views CREATE VIEW Outstanding-Student AS SELECT NAME, COURSE, GRADE FROM Student WHERE GRADE > B Problem: Difficult to maintain updates. CSCE 824

  15. Security Through Views Studentrelation CSCE 824

  16. Security Through Views CREATE VIEW Outstanding-Student AS SELECT NAME, COURSE, GRADE FROM Student WHERE GRADE > B Outstanding-Student CSCE 824

  17. Security Through Views CREATE VIEW Fall-Student AS SELECT NAME, COURSE FROM Student WHERE SEMESTER=“Fall 2000” Fall-Student CSCE 824

  18. Stored Procedures • Assign rights to execute compiled programs • GRANT RUN ON <program> TO <user> Problem: Programs may access resources for which the user who runs the program does not have permission. CSCE 824

  19. Grant and Revoke GRANT <privilege> ON <relation> To <user> [WITH GRANT OPTION] ------------------------------------------------------------------------------------------------------------------------------------ • GRANT SELECT * ON Student TO Matthews • GRANT SELECT *, UPDATE(GRADE) ON Student TO FARKAS • GRANT SELECT(NAME) ON Student TO Brown GRANT command applies to base relations as well as views CSCE 824

  20. Grant and Revoke REVOKE <privileges> [ON <relation>] FROM <user> ------------------------------------------------------------------------------------------------------------------------- • REVOKE SELECT* ON Student FROM Blue • REVOKE UPDATE ON Student FROM Black • REVOKE SELECT(NAME) ON Student FROM Brown CSCE 824

  21. Query Modification • GRANT SELECT(NAME) ON Student TO Blue WHERE COURSE=“CSCE 590” • Blue’s query: SELECT * FROM Student • Modified query: SELECT NAME FROM Student WHERE COURSE=“CSCE 580” CSCE 824

  22. Indirect Information Flow Channels • Covert channels • Inference channels CSCE 824

  23. Communication Channels • Overt Channel: designed into a system and documented in the user's manual • Covert Channel: not documented. Covert channels may be deliberately inserted into a system, but most such channels are accidents of the system design. CSCE 824

  24. Covert Channel • Timing Channel: based on system times • Storage channels: not time related communication • Can be turned into each other CSCE 824

  25. Inference Channels Non-sensitive information Sensitive Information + Meta-data = CSCE 824

  26. Inference Channels • Statistical Database Inferences • General Purpose Database Inferences CSCE 824

  27. Statistical Databases • Goal: provide aggregate information about groups of individuals • E.g., average grade point of students • Security risk: specific information about a particular individual • E.g., grade point of student John Smith • Meta-data: • Working knowledge about the attributes • Supplementary knowledge (not stored in database) CSCE 824

  28. Types of Statistics • Macro-statistics: collections of related statistics presented in 2-dimensional tables • Micro-statistics: Individual data records used for statistics after identifying information is removed CSCE 824

  29. Statistical Compromise • Exact compromise: find exact value of an attribute of an individual (e.g., John Smith’s GPA is 3.8) • Partial compromise: find an estimate of an attribute value corresponding to an individual (e.g., John Smith’s GPA is between 3.5 and 4.0) CSCE 824

  30. Methods of Attacks and Protection • Small/Large Query Set Attack • C: characteristic formula that identifies groups of individuals If C identifies a single individual I, e.g., count(C) = 1 • Find out existence of property • If count(C and D)=1 means I has property D • If count(C and D)=0 means I does not have D OR • Find value of property • Sum(C, D), gives value of D CSCE 824

  31. Small/Large Query Set Attack cont. • Protection from small/large query set attack: query-set-size control • A query q(C) is permitted only if N-n  |C|  n , where n  0 is a parameter of the database and N is all the records in the database CSCE 824

  32. Tracker attack q(C) is disallowed C=C1 and C2 T=C1 and ~C2 Tracker C C2 C1 q(C)=q(C1) – q(T) CSCE 824

  33. Tracker attack q(C and D) is disallowed C=C1 and C2 T=C1 and ~C2 C Tracker C2 C1 C and D q(C and D)= q(T or C and D) – q(T) D CSCE 824

  34. Query overlap attack Q(John)=q(C1)-q(C2) C1 C2 Kathy Paul John Eve Max Fred Mitch Protection: query-overlap control CSCE 824

  35. Insertion/Deletion Attack • Observing changes overtime • q1=q(C) • insert(i) • q2=q(C) • q(i)=q2-q1 • Protection: insertion/deletion performed as pairs CSCE 824

  36. Statistical Inference Theory • Give unlimited number of statistics and correct statistical answers, all statistical databases can be compromised (Ullman) CSCE 824

  37. Inferences in General-Purpose Databases • Queries based on sensitive data • Inference via database constraints • Inferences via updates CSCE 824

  38. Queries based on sensitive data • Sensitive information is used in selection condition but not returned to the user. • Example: Salary: secret, Name: public NameSalary=$25,000 • Protection: apply query of database views at different security levels CSCE 824

  39. Database Constraints • Integrity constraints • Database dependencies • Key integrity CSCE 824

  40. Integrity Constraints • C=A+B • A=public, C=public, and B=secret • B can be calculated from A and C, i.e., secret information can be calculated from public data CSCE 824

  41. Database Dependencies Metadata: • Functional dependencies • Multi-valued dependencies • Join dependencies • etc. CSCE 824

  42. Functional Dependency • FD: A  B, that is for any two tuples in the relation, if they have the same value for A, they must have the same value for B. • Example: FD: Rank  Salary Secret information: Name and Salary together • Query1: Name and Rank • Query2: Rank and Salary • Combine answers for query1 and 2 to reveal Name and Salary together CSCE 824

  43. Key integrity • Every tuple in the relation have a unique key • Users at different levels, see different versions of the database • Users might attempt to update data that is not visible for them CSCE 824

  44. Example Secret View Public View CSCE 824

  45. Updates Public User: • Update Black’s address to Orlando • Add new tuple: (Red, 22,000, Manassas) • If • Refuse update: covert channel • Allow update: • Overwrite high data – may be incorrect • Create new tuple – which data it correct • (polyinstantiation) – violate key constraints CSCE 824

  46. Updates Secret user: • Update Black’s salary to 45,000 • If • Refuse update: denial of service • Allow update: • Overwrite low data – covert channel • Create new tuple – which data it correct • (polyinstantiation) – violate key constraints CSCE 824

  47. Inference Problem • No general technique is available to solve the problem • Need assurance of protection • Hard to incorporate outside knowledge CSCE 824

  48. Next Class • Transaction Processing CSCE 824

More Related