Iss lecture 6

306 views

Published on

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
306
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
9
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • The reference monitor checks the access rights, and then grants or deny access accordingly.
  • A role is a named collections of privileges / functional entities within the organization
  • Iss lecture 6

    1. 1. Information System SecurityInformation System SecurityLecture 6Lecture 6Database SecurityDatabase Security
    2. 2. 22OutlineOutline Data SecurityData Security Access controlAccess control Security policySecurity policy Access control policyAccess control policy1.1. Discretionary access controlDiscretionary access control2.2. Content-based access controlContent-based access control3.3. Mandatory access controlMandatory access control4.4. Role-based access controlRole-based access control
    3. 3. 33Data security: ExamplesData security: Examples1.1. Consider a payroll database in a corporation, it must be ensuredConsider a payroll database in a corporation, it must be ensuredthat:that:– Salaries of individual employeesSalaries of individual employees are not disclosedare not disclosed to arbitrary users ofto arbitrary users ofthe database,the database,– SalariesSalaries are modifiedare modified by only those individuals that are properlyby only those individuals that are properlyauthorized,authorized,– PaychecksPaychecks are printed on timeare printed on time at the end of each pay period.at the end of each pay period.1.1. In a military environment, it is important that:In a military environment, it is important that:– The target of a missileThe target of a missile is not givenis not given to an unauthorized user,to an unauthorized user,– The targetThe target is not arbitrarily modified,is not arbitrarily modified,– The missileThe missile is launched when it is fired.is launched when it is fired.
    4. 4. 44Data Security: main goalsData Security: main goals Confidentiality: it refers to data protection from unauthorizedread operations. Integrity: it refers to data protection from unauthorizedmodification operations. Availability: it ensures that data access is not denied toauthorized subjects. Others: Authentication, etc.Confidentiality IntegrityDatasecurityavailability
    5. 5. 55Data Security: main goalsData Security: main goals Confidentiality is enforced by theConfidentiality is enforced by the access control mechanism.access control mechanism. Integrity is enforced by theIntegrity is enforced by the access control mechanismaccess control mechanism and by theand by thesemantic integrity constraintssemantic integrity constraints specified during schemaspecified during schemadefinition.definition. Availability is enforced by theAvailability is enforced by the recoveryrecovery andand concurrency controlconcurrency controlmechanisms.mechanisms.
    6. 6. 66Access control: BasicAccess control: Basicconceptsconcepts An access control system regulates the operations that can beAn access control system regulates the operations that can beexecuted on data and resources to be protected.executed on data and resources to be protected. Its goal is to control operations executed by subjects in order toIts goal is to control operations executed by subjects in order toprevent actions that could damage data and resources.prevent actions that could damage data and resources.AuthorizationrulesReferenceMonitorSecurityPolicyAccessrequestAccess deniedAccess PermittedAccess partiallypermitted
    7. 7. 77Security PolicySecurity Policy Policies deal with defining what is authorized and who can grantPolicies deal with defining what is authorized and who can grantauthorizations.authorizations. Existing security policies tend to focus mainly on theExisting security policies tend to focus mainly on theconfidentiality (Privacy) requirements of securityconfidentiality (Privacy) requirements of security .. Policies are used like requirements; they are the starting point inPolicies are used like requirements; they are the starting point inthe development of any system that has security features .the development of any system that has security features . Adopted security policies mainly depend on organizationalAdopted security policies mainly depend on organizationalrequirements, such as legal requirements, regulatoryrequirements, such as legal requirements, regulatoryrequirements, user requirements.requirements, user requirements.
    8. 8. 88Security Policies andSecurity Policies andAuthorizationsAuthorizations The security policies are implemented by mapping them into aThe security policies are implemented by mapping them into aset ofset of authorizationsauthorizations Authorizations thus establish the operations and rights thatAuthorizations thus establish the operations and rights thatsubjects can exercise on the protected objectssubjects can exercise on the protected objects TheThe reference monitorreference monitor is a control mechanismis a control mechanism– It has the task of determining whether a given subject is authorized toIt has the task of determining whether a given subject is authorized toaccess the dataaccess the data
    9. 9. 99Access control policyAccess control policy Discretionary access controlDiscretionary access control Mandatory access controlMandatory access control Role-based access controlRole-based access control Context-based access controlContext-based access control
    10. 10. 1010Access control PolicyAccess control Policy Most access control policies are formulated in terms of subjects,Most access control policies are formulated in terms of subjects,objects, and privilegesobjects, and privileges Authorization Objects: Anything that holds data, such asAuthorization Objects: Anything that holds data, such asrelations, directories, interprocess messages, network packets,relations, directories, interprocess messages, network packets,I/O devices, or physical mediaI/O devices, or physical media Authorization Subjects: An abstraction of any active entity thatAuthorization Subjects: An abstraction of any active entity thatperforms computation in the systemperforms computation in the system– Examples: users, processes, roles, etc.Examples: users, processes, roles, etc. Authorization Privileges: Operations that a subject can exerciseAuthorization Privileges: Operations that a subject can exerciseon the objects in the systemon the objects in the system– Examples: read, write, execute, select, insert, update, delete, etc.Examples: read, write, execute, select, insert, update, delete, etc.
    11. 11. 1111Discretionary ACPsDiscretionary ACPs DAC policies govern the access of subjects to objects on theDAC policies govern the access of subjects to objects on thebasis of subjects identity and authorization rulesbasis of subjects identity and authorization rules When an access request is submitted to the system, the accessWhen an access request is submitted to the system, the accesscontrol mechanism verifies whether there is an authorization rulecontrol mechanism verifies whether there is an authorization ruleauthorizing the accessauthorizing the access Such mechanisms are discretionary in that they allow subjects toSuch mechanisms are discretionary in that they allow subjects togrant other subjects authorization to access their objects at theirgrant other subjects authorization to access their objects at theirdiscretiondiscretion Most of the common commercial DBMSs support itMost of the common commercial DBMSs support it
    12. 12. 1212DAC: SQL commandsDAC: SQL commands Privilege delegation is supported through thePrivilege delegation is supported through the grant optiongrant option: if a: if aprivilege is granted with the grant option, the user receiving itprivilege is granted with the grant option, the user receiving itcan not only exercise the privilege, but can also grant it to othercan not only exercise the privilege, but can also grant it to otherusersusers A user can only grant a privilege on a given table if he/she is theA user can only grant a privilege on a given table if he/she is thetable owner or if he/she has received the privilege with granttable owner or if he/she has received the privilege with grantoptionoption GRANTGRANT PrivilegeListPrivilegeList| ALL[PRIVILEGES] ON| ALL[PRIVILEGES] ON tabletable||ViewView TOTOUserListUserList | PUBLIC [WITH GRANT OPTION]| PUBLIC [WITH GRANT OPTION]
    13. 13. 1313DAC: SQL commandsDAC: SQL commands Example:Example:– Bob: GRANT select, insert ON Employee TO Ann WITH GRANTBob: GRANT select, insert ON Employee TO Ann WITH GRANTOPTION;OPTION;Bob: GRANT select ON Employee TO Jim WITH GRANT OPTION;Bob: GRANT select ON Employee TO Jim WITH GRANT OPTION;Ann: GRANT select, insert ON Employee TO Jim;Ann: GRANT select, insert ON Employee TO Jim;– Jim has theJim has the selectselect privilege (received from both Bob and Ann) and theprivilege (received from both Bob and Ann) and theinsert privilege (received from Ann).insert privilege (received from Ann).– Jim canJim can grantgrant to other users the select privilege (because it has receivedto other users the select privilege (because it has receiveditit with grant optionwith grant option); however, he cannot grant the insert privilege.); however, he cannot grant the insert privilege.
    14. 14. 1414DAC in SQL - GrantDAC in SQL - Grant Grant Command:Grant Command:1.1. Bob: GRANT select, insert ON Employee TO Jim WITH GRANTBob: GRANT select, insert ON Employee TO Jim WITH GRANTOPTION;OPTION;2.2. Bob: GRANT select ON Employee TO Ann WITH GRANT OPTION;Bob: GRANT select ON Employee TO Ann WITH GRANT OPTION;3.3. Bob: GRANT insert ON Employee TO Ann;Bob: GRANT insert ON Employee TO Ann;4.4. Jim: GRANT update ON Employee TO Tim WITH GRANT OPTION;Jim: GRANT update ON Employee TO Tim WITH GRANT OPTION;5.5. Ann: GRANT select, insert ON Employee TO Tim;Ann: GRANT select, insert ON Employee TO Tim; The first three GRANT commands are fully executed (Bob is the owner of theThe first three GRANT commands are fully executed (Bob is the owner of thetable)table) The fourth command is not executed, because Jim does not have theThe fourth command is not executed, because Jim does not have the updateupdateprivilege on the tableprivilege on the table The fifth command is partially executed; Ann has theThe fifth command is partially executed; Ann has the selectselect andand insertinsert but shebut shedoes not have the grant option for the insertdoes not have the grant option for the insert– Tim only receives theTim only receives the selectselect privilegeprivilege
    15. 15. 1515DAC in SQL - RevokeDAC in SQL - Revoke REVOKEREVOKE PrivilegeListPrivilegeList| ALL[PRIVILEGES] ON| ALL[PRIVILEGES] ON table | Viewtable | ViewFROMFROM UserListUserList | PUBLIC| PUBLIC A user can only revoke the privileges he/she has granted;A user can only revoke the privileges he/she has granted; Upon execution of a revoke operation, the user from whom theUpon execution of a revoke operation, the user from whom theprivileges have been revoked looses these privileges, unless hasprivileges have been revoked looses these privileges, unless hasthem from some sourcethem from some source independentindependent from that has executed thefrom that has executed therevoke.revoke. Recursive revocation: whenever a user revokes an authorizationRecursive revocation: whenever a user revokes an authorizationon a table from another user, all the authorizations that theon a table from another user, all the authorizations that therevokee had granted because of the revoked authorization arerevokee had granted because of the revoked authorization areremoved.removed.
    16. 16. 1616DAC in SQL - RevokeDAC in SQL - Revoke Example:Example:– Bob: GRANT select ON Employee TO Jim WITH GRANT OPTION;Bob: GRANT select ON Employee TO Jim WITH GRANT OPTION;– Bob: GRANT select ON Employee TO Ann WITH GRANT OPTION;Bob: GRANT select ON Employee TO Ann WITH GRANT OPTION;– Jim: GRANT select ON Employee TO Tim;Jim: GRANT select ON Employee TO Tim;– Ann: GRANT select ON Employee TO Tim;Ann: GRANT select ON Employee TO Tim;– Jim: REVOKE select ON Employee FROM Tim;Jim: REVOKE select ON Employee FROM Tim;– Tim continues to hold theTim continues to hold the selectselect privilege on table Employee after theprivilege on table Employee after therevokerevoke operation, since he has independently obtained such privilege fromoperation, since he has independently obtained such privilege fromAnn.Ann.
    17. 17. 1717Content-Based AC (CBAC)Content-Based AC (CBAC) Content-based access control conditions the access to a givenContent-based access control conditions the access to a givenobject to its content.object to its content. As an example, in a RDBMS supporting content-based accessAs an example, in a RDBMS supporting content-based accesscontrol it is possible to authorize a subject to access informationcontrol it is possible to authorize a subject to access informationonly of those employees whose salary is not greater than 30K.only of those employees whose salary is not greater than 30K. Two are the most common approaches to enforce content-basedTwo are the most common approaches to enforce content-basedaccess control in a DBMS:access control in a DBMS:– by associating a predicate (or a Boolean combination of predicates) withby associating a predicate (or a Boolean combination of predicates) withthe authorizationthe authorization– by defining aby defining a viewview which selects the objects whose content satisfies awhich selects the objects whose content satisfies agiven condition, and then granting the authorization on the view insteadgiven condition, and then granting the authorization on the view insteadof on the basic objectsof on the basic objects
    18. 18. 1818CBAC: SQL CommandsCBAC: SQL Commands Example: suppose we want to authorize user Ann to access onlyExample: suppose we want to authorize user Ann to access onlythe employees whose salary is lower than 20000 – steps:the employees whose salary is lower than 20000 – steps:– CREATE VIEW Vemp ASCREATE VIEW Vemp ASSELECT * FROM Employee WHERE Salary < 20000;SELECT * FROM Employee WHERE Salary < 20000;GRANT Select ON Vemp TO Ann;GRANT Select ON Vemp TO Ann; Ann:Ann:– SELECT * FROM Vemp WHERE Job = ‘Programmer’;SELECT * FROM Vemp WHERE Job = ‘Programmer’;– This is equivalent to:This is equivalent to:– SELECT * FROM Employee WHERE Salary < 20000 AND Job =SELECT * FROM Employee WHERE Salary < 20000 AND Job =‘Programmer’;‘Programmer’;
    19. 19. 1919Mandatory Access controlMandatory Access control MAC specifies the access that subjects have to access objectsMAC specifies the access that subjects have to access objectsbased on subjects and objects classification.based on subjects and objects classification. This type of security has also been referred to asThis type of security has also been referred to as multilevelmultilevelsecuritysecurity Database systems that satisfy multilevel security properties areDatabase systems that satisfy multilevel security properties arecalled multilevel secure database management systemscalled multilevel secure database management systems(MLS/DBMSs)(MLS/DBMSs) Many of the MLS/DBMSs have been designed based on the BellMany of the MLS/DBMSs have been designed based on the Belland LaPadula (BLP) model.and LaPadula (BLP) model.
    20. 20. 2020Role-based AC (RBAC):Role-based AC (RBAC):MotivationMotivation One challenging problem in managing large systems is the complexity ofOne challenging problem in managing large systems is the complexity ofsecurity administration.security administration. Whenever the number of subjects and objects is high, the number ofWhenever the number of subjects and objects is high, the number ofauthorizations can become extremely large.authorizations can become extremely large. Moreover, if the user population is highly dynamic, the number of grant andMoreover, if the user population is highly dynamic, the number of grant andrevoke operations to be performed can become very difficult to manage.revoke operations to be performed can become very difficult to manage. End users often do not own the information for which they are allowedEnd users often do not own the information for which they are allowedaccess. The corporation or agency is the actual owner of data objects.access. The corporation or agency is the actual owner of data objects. Control is often based on employee functions rather than data ownership.Control is often based on employee functions rather than data ownership. RBAC has been proposed as anRBAC has been proposed as an alternativealternative approach to DAC and MAC bothapproach to DAC and MAC bothto simplify the task of access control management and to directly supportto simplify the task of access control management and to directly supportfunction-based access control.function-based access control.
    21. 21. 2121RBAC: Basic ConceptsRBAC: Basic Concepts Roles represent functions within a given organization andRoles represent functions within a given organization andauthorizations are granted to roles instead of to single usersauthorizations are granted to roles instead of to single users Users are thus simply authorized to "play“ the appropriate roles,Users are thus simply authorized to "play“ the appropriate roles,thereby acquiring the roles’ authorizationsthereby acquiring the roles’ authorizations RBAC: BenefitsRBAC: Benefits– Because roles represent organizational functions, an RBAC model canBecause roles represent organizational functions, an RBAC model candirectly support security policies of the organizationdirectly support security policies of the organization– Granting and revoking of user authorizations is greatly simplifiedGranting and revoking of user authorizations is greatly simplified Most commercial DBMSs support RBAC features at some extentsMost commercial DBMSs support RBAC features at some extents
    22. 22. 2222RBAC: NIST ModelRBAC: NIST Model UserUser:: is defined as a human being, a machine, a process, etc.is defined as a human being, a machine, a process, etc. RoleRole: is a function within the context of an organization with an associated: is a function within the context of an organization with an associatedsemantic regarding its authority and responsibilitysemantic regarding its authority and responsibility PermissionPermission:: is an access mode that can be exercised on objects in the system.is an access mode that can be exercised on objects in the system.Both objects and access modes are domain dependent.Both objects and access modes are domain dependent.– For example, in the case of databases, the object set includes tables, columns, andFor example, in the case of databases, the object set includes tables, columns, androws, and the access mode set includes insert, delete, and update operations.rows, and the access mode set includes insert, delete, and update operations. SessionSession:: it is a particular instance of a connection of a user to the system andit is a particular instance of a connection of a user to the system anddefines the subset of activated roles.defines the subset of activated roles.– At each moment, different sessions for the same user can be active.At each moment, different sessions for the same user can be active.– When a user logs in the system, he/she establishes a session and, during thisWhen a user logs in the system, he/she establishes a session and, during thissession, can request to activate a subset of the roles he/she is authorized to play.session, can request to activate a subset of the roles he/she is authorized to play.– The user obtains all permissions associated with the role he/she has activated inThe user obtains all permissions associated with the role he/she has activated inthe sessionthe session
    23. 23. 2323RBACRBACIndividuals Roles ResourcesRole 1Role 2Role 3Users change frequently, roles don’tServer 1Server 2Server 3
    24. 24. 2424RBAC: SQL CommandsRBAC: SQL Commands CREATE ROLE role-name IDENTIFIED BY passwd |NOT IDENTIFIED;CREATE ROLE role-name IDENTIFIED BY passwd |NOT IDENTIFIED; example:example:– CREATE ROLE teller IDENTIFIED BY cashflow;CREATE ROLE teller IDENTIFIED BY cashflow; DROP ROLE role-name;DROP ROLE role-name; GRANT role TO user | role | PUBLIC [WITH ADMIN OPTION];GRANT role TO user | role | PUBLIC [WITH ADMIN OPTION]; To perform the grant of a role, a user must have the privilege for the role withTo perform the grant of a role, a user must have the privilege for the role withthe ADMIN option, or the system privilege GRANT ANY ROLEthe ADMIN option, or the system privilege GRANT ANY ROLE The ADMIN option allows the receiver to modify or drop the roleThe ADMIN option allows the receiver to modify or drop the role Example:Example:– GRANT teller TO Bob;GRANT teller TO Bob;
    25. 25. 2525RBAC: SQL CommandsRBAC: SQL Commands The grant command for authorization granting can have roles asThe grant command for authorization granting can have roles assubjectssubjects example:example:– GRANT select ON Employee TO teller;GRANT select ON Employee TO teller;

    ×