database security


  • Users can be given authorization on views without being given any authorization on the relations used in the view definition. By defining views on the base tables, we can present the needed information to a user while hiding other information that the user should not be given access to. The ability of views to hide data serves both to simplify usage of the system and to enhance security, by allowing users access only to the data they need for their job.

1. CSCI 5707: Database Security
   Pusheng Zhang, University of Minnesota
   Email: [email_address]
   March 2, 2004
2. Motivation
   • Personal Privacy
     • Q? Have you watched “LOR: The Return of The King”?
     • Q? Do you like the movie?
     • Customer profile DB, health information DB, credit rating DB
   • Corporate Security
     • Trade Secrets – Coke’s Formula
     • Client Privacy – Swiss Banks, Financial Inst.
   • System Resource Security
     • Password DB, Worm, Virus, and Hackers
   • Cyber Security
     • Eavesdropping (unauthorized reading of messages)
     • Masquerading (pretending to be an authorized user, or sending messages that purport to come from authorized users)
3. Database Security
   (figure not reproduced) This figure is courtesy of Peter J. Braam, CMU
5. Database Security
   • Goal:
     • Users only see the data they’re supposed to. (S and A)
     • Guard against modifications by malicious users (I)
   • What security mechanisms do software systems provide?
     • User Account Level Access Control
       • Discretionary: grant/revoke
       • Mandatory: security levels
     • Audit Trails: logs
     • Statistical Database Security: Inference Control
     • Data Object Level Access Control: encryption
6. Database Administrator
   • Database Administrator (DBA)
     • Central authority for managing a database system
     • Responsibilities include:
       • Create user accounts and passwords
       • Grant privileges
       • Revoke privileges
       • Assign security levels
8. GRANT Command
   • GRANT Command
     • In SQL: GRANT privileges ON objects TO users [WITH GRANT OPTION]
     • Privileges:
       • SELECT: can read all columns
       • INSERT (col-name):
         • Can insert tuples with non-null or non-default values in this column.
         • INSERT without a column list means the same right with respect to all columns
       • DELETE: can delete tuples
       • UPDATE (col-name): can update this column
       • REFERENCES (col-name): can define foreign keys (in other tables) that refer to this column.
     • WITH GRANT OPTION: the grantee can pass the privilege on to other users
9. Example of GRANT
   • Joe created tables Sailors, Boats, Reserves
   • Q: Joe runs the following
     • Q1: GRANT SELECT ON Reserves TO Mike
       • Mike can execute SELECT queries on Reserves
     • Q2: GRANT SELECT ON Sailors TO Mike WITH GRANT OPTION
       • Mike can execute SELECT queries on Sailors
       • Mike can pass this privilege on to others for Sailors, NOT for Reserves
     • Q3: GRANT UPDATE (rating) ON Sailors TO Bill
       • Bill can update the rating column in Sailors.
10. REVOKE Command
   • REVOKE Command
     • In SQL: REVOKE [GRANT OPTION FOR] privileges ON objects FROM users {RESTRICT | CASCADE}
     • Privileges are the same as for GRANT
     • GRANT OPTION FOR: revoke just the grant option on a privilege
       • For example: Joe is the creator of Sailors. Joe runs the following
       • GRANT SELECT ON Sailors TO Art WITH GRANT OPTION
       • REVOKE GRANT OPTION FOR SELECT ON Sailors FROM Art CASCADE
       • Art still holds the SELECT privilege on Sailors
       • However, Art can no longer pass it on to other users
11. REVOKE Command (cont)
   • CASCADE and RESTRICT
     • CASCADE: recursively revokes the privileges that were derived from the revoked one
     • RESTRICT: the revoke is rejected if it would leave other privileges abandoned
       • For example: Joe is the creator of Sailors
       • GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (by Joe)
       • GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (by Art)
       • REVOKE SELECT ON Sailors FROM Art CASCADE (by Joe)
       • Art and Bob lose the SELECT privilege on Sailors
       • What happens if we use RESTRICT instead of CASCADE in the example above?
12. Examples
   • Example 1:
       • GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (by Joe)
       • GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (by Art)
       • GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (by Joe)
       • REVOKE SELECT ON Sailors FROM Art CASCADE (by Joe)
       • Art lost the SELECT on Sailors
       • What about Bob?
   • Example 2:
       • GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (by Joe)
       • GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (by Joe)
       • REVOKE SELECT ON Sailors FROM Art CASCADE (by Joe)
       • Does Art lose the SELECT on Sailors or not?
13. Authorization Graph
   • Authorization Graph
     • Nodes: Users
     • Arcs: Indicate how privileges are passed on
   • Figure: Joe → Art → Bob, with the arcs labelled (Joe, Art, SELECT on Sailors, Yes) and (Art, Bob, SELECT on Sailors, Yes), i.e. (grantor, grantee, privilege, with grant option)
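To make the REVOKE semantics of slides 10 through 13 concrete, here is an added Python model of the authorization graph; it is not code from the slides or the course. It assumes the SQL rule that a privilege descriptor is identified by (grantor, grantee, privilege, object, grant option), so a grant repeated by the same grantor is recorded once, and that a grant is abandoned when its grantor no longer holds the privilege WITH GRANT OPTION along a chain that starts at the object's owner. The functions at the end replay the slide 11 example with CASCADE and RESTRICT, and Examples 1 and 2 from slide 12.

```python
"""Toy model of the SQL authorization graph: GRANT, REVOKE CASCADE, REVOKE RESTRICT.
Added example for these slides, not the course's code. Users and tables (Joe, Art,
Bob, Sailors) are the ones used in the slides."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One arc of the authorization graph."""
    grantor: str
    grantee: str
    privilege: str      # e.g. "SELECT"
    obj: str            # e.g. "Sailors"
    grant_option: bool  # granted WITH GRANT OPTION?


class AuthGraph:
    def __init__(self, owners: dict[str, str]):
        self.owners = owners              # object -> creating user (owner)
        self.grants: set[Grant] = set()   # a set, so an identical repeated grant is recorded once

    def can_grant(self, user: str, privilege: str, obj: str) -> bool:
        """Owners may grant anything on their objects; others need the privilege WITH GRANT OPTION."""
        if self.owners.get(obj) == user:
            return True
        return any(g.grantee == user and g.privilege == privilege and g.obj == obj
                   and g.grant_option for g in self.grants)

    def holds(self, user: str, privilege: str, obj: str) -> bool:
        if self.owners.get(obj) == user:
            return True
        return any(g.grantee == user and g.privilege == privilege and g.obj == obj
                   for g in self.grants)

    def grant(self, grantor, grantee, privilege, obj, grant_option=False) -> None:
        if not self.can_grant(grantor, privilege, obj):
            raise PermissionError(f"{grantor} cannot grant {privilege} on {obj}")
        self.grants.add(Grant(grantor, grantee, privilege, obj, grant_option))

    def _supported(self, grants: set[Grant]) -> set[Grant]:
        """Least fixpoint: a grant is supported if its grantor owns the object or holds a
        supported grant of the same privilege WITH GRANT OPTION. Grants that only support
        each other in a cycle are unreachable from the owner and therefore abandoned."""
        supported: set[Grant] = set()
        changed = True
        while changed:
            changed = False
            for g in grants - supported:
                if self.owners.get(g.obj) == g.grantor or any(
                        h.grantee == g.grantor and h.privilege == g.privilege
                        and h.obj == g.obj and h.grant_option for h in supported):
                    supported.add(g)
                    changed = True
        return supported

    def revoke(self, grantor, grantee, privilege, obj, cascade: bool) -> set[Grant]:
        """REVOKE privilege ON obj FROM grantee {CASCADE | RESTRICT}, issued by grantor.
        Returns every grant that was removed."""
        direct = {g for g in self.grants if g.grantor == grantor and g.grantee == grantee
                  and g.privilege == privilege and g.obj == obj}
        if not direct:
            raise LookupError(f"{grantor} never granted {privilege} on {obj} to {grantee}")
        remaining = self._supported(self.grants - direct)
        abandoned = (self.grants - direct) - remaining
        if abandoned and not cascade:
            # RESTRICT: refuse rather than leave dependent privileges dangling
            raise PermissionError("REVOKE ... RESTRICT rejected: other privileges would be abandoned")
        self.grants = remaining
        return direct | abandoned


def _joe_graph() -> AuthGraph:
    return AuthGraph(owners={"Sailors": "Joe", "Boats": "Joe", "Reserves": "Joe"})


def slide11_cascade() -> tuple[bool, bool]:
    """Joe -> Art -> Bob, then Joe revokes from Art CASCADE: (Art holds?, Bob holds?)."""
    g = _joe_graph()
    g.grant("Joe", "Art", "SELECT", "Sailors", grant_option=True)
    g.grant("Art", "Bob", "SELECT", "Sailors", grant_option=True)
    g.revoke("Joe", "Art", "SELECT", "Sailors", cascade=True)
    return g.holds("Art", "SELECT", "Sailors"), g.holds("Bob", "SELECT", "Sailors")


def slide11_restrict() -> tuple[bool, bool]:
    """Same graph with REVOKE ... RESTRICT: (rejected?, Bob still holds?)."""
    g = _joe_graph()
    g.grant("Joe", "Art", "SELECT", "Sailors", grant_option=True)
    g.grant("Art", "Bob", "SELECT", "Sailors", grant_option=True)
    try:
        g.revoke("Joe", "Art", "SELECT", "Sailors", cascade=False)
        rejected = False
    except PermissionError:
        rejected = True
    return rejected, g.holds("Bob", "SELECT", "Sailors")


def example1() -> tuple[bool, bool]:
    """Slide 12, Example 1: Bob also has an independent grant from Joe."""
    g = _joe_graph()
    g.grant("Joe", "Art", "SELECT", "Sailors", grant_option=True)
    g.grant("Art", "Bob", "SELECT", "Sailors", grant_option=True)
    g.grant("Joe", "Bob", "SELECT", "Sailors", grant_option=True)
    g.revoke("Joe", "Art", "SELECT", "Sailors", cascade=True)
    return g.holds("Art", "SELECT", "Sailors"), g.holds("Bob", "SELECT", "Sailors")


def example2() -> bool:
    """Slide 12, Example 2: Joe grants to Art twice, then revokes once."""
    g = _joe_graph()
    g.grant("Joe", "Art", "SELECT", "Sailors", grant_option=True)
    g.grant("Joe", "Art", "SELECT", "Sailors", grant_option=True)
    g.revoke("Joe", "Art", "SELECT", "Sailors", cascade=True)
    return g.holds("Art", "SELECT", "Sailors")


if __name__ == "__main__":
    print("slide 11 CASCADE  (Art holds, Bob holds):", slide11_cascade())
    print("slide 11 RESTRICT (rejected, Bob holds): ", slide11_restrict())
    print("example 1 (Art holds, Bob holds):        ", example1())
    print("example 2 (Art holds):                   ", example2())
```

Under these assumptions the model answers the slides' questions: with RESTRICT the slide 11 revoke is rejected and Bob keeps SELECT; in Example 1 Bob keeps SELECT because Joe's own grant still supports it; in Example 2 Art loses SELECT, since the repeated grant is the same descriptor and the single REVOKE removes it.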
15. Example of View
   • For example: Joe runs
       CREATE VIEW ActiveSailors (name, age, day)
       AS SELECT S.sname, S.sage, R.day
       FROM Sailors S, Reserves R
       WHERE S.sid = R.sid AND S.rating > 6
     • Joe can grant SELECT on the view ActiveSailors to Art
       • GRANT SELECT ON ActiveSailors TO Art WITH GRANT OPTION
       • Art only has access to ActiveSailors, not to the base tables
       • Art can run:
         • SELECT name FROM ActiveSailors WHERE age < 30
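The data-hiding side of this view example, as an added runnable sketch in Python with SQLite (not code from the slides). The sailors and reservations are constructed here, and the view definition is the slide's with its third column (R.day) filled in from the declared column list. SQLite has no GRANT, so the sketch shows only what a holder of SELECT on the view gets: Art's query returns names of high-rated sailors with a reservation, and the base-table columns sid and rating are not reachable through the view at all.

```python
"""Added example: what the ActiveSailors view exposes and hides. SQLite has no
GRANT/REVOKE, so only the data-hiding half of the slide is demonstrated.
Sample rows are constructed for this example."""
from __future__ import annotations
import sqlite3

# Constructed sample data: Sailors(sid, sname, rating, sage), Reserves(sid, bid, day)
SAILORS = [
    (22, "Dustin", 7, 45),
    (31, "Lubber", 8, 55),
    (58, "Rusty", 10, 28),    # rating > 6 and age < 30: the only row Art's query returns
    (64, "Horatio", 5, 25),   # young, but rating 5 keeps him out of the view entirely
]
RESERVES = [
    (22, 101, "2004-03-02"),
    (58, 103, "2004-03-05"),
    (64, 101, "2004-03-07"),
]

VIEW_SQL = """
CREATE VIEW ActiveSailors (name, age, day) AS
SELECT S.sname, S.sage, R.day
FROM Sailors S, Reserves R
WHERE S.sid = R.sid AND S.rating > 6
"""


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Sailors (sid INTEGER PRIMARY KEY, sname TEXT, rating INTEGER, sage INTEGER)")
    con.execute("CREATE TABLE Reserves (sid INTEGER, bid INTEGER, day TEXT)")
    con.executemany("INSERT INTO Sailors VALUES (?, ?, ?, ?)", SAILORS)
    con.executemany("INSERT INTO Reserves VALUES (?, ?, ?)", RESERVES)
    con.execute(VIEW_SQL)
    return con


def art_query(con: sqlite3.Connection) -> list[str]:
    """Art's query from the slide, run against the view only."""
    return [row[0] for row in con.execute("SELECT name FROM ActiveSailors WHERE age < 30")]


def view_columns(con: sqlite3.Connection) -> list[str]:
    """Columns a holder of SELECT on the view can see: only those named in the view."""
    return [row[1] for row in con.execute("PRAGMA table_info(ActiveSailors)")]


def rating_reachable_through_view(con: sqlite3.Connection) -> bool:
    """True if a query on the view can read the base table's rating column."""
    try:
        con.execute("SELECT rating FROM ActiveSailors").fetchall()
        return True
    except sqlite3.OperationalError:   # "no such column": the view does not expose it
        return False


if __name__ == "__main__":
    con = build_db()
    print("Art's query:", art_query(con))
    print("view columns:", view_columns(con))
    print("rating reachable through the view?", rating_reachable_through_view(con))
```

The same idea carries over to a DBMS that does enforce GRANT: Art, holding SELECT only on ActiveSailors, cannot query Sailors directly, and even through the view never sees sid, rating, or the rows the WHERE clause filters out.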
16. Role
   • Roles are named groups of related privileges
     • Can be assigned to users and even to other roles
     • Reduced privilege administration
     • Dynamic privilege management
   • Privileges can be granted to or revoked from roles, just like a user
   • SQL:1999 standard supports roles
     • CREATE ROLE Role-name
     • DROP ROLE Role-name
     • GRANT privileges ON objects TO Role-name
17. Example of Role
   • Example
       CREATE ROLE manager
       GRANT SELECT, INSERT ON Sailors TO manager
       GRANT UPDATE (sid) ON Sailors TO manager
       GRANT SELECT, UPDATE, INSERT ON Reserves TO manager
       GRANT manager TO Joe
18. Mandatory Access Control
   • Main drawback of discretionary access control (DAC):
     • Vulnerable to malicious attacks, e.g., Trojan horses, whereby a devious unauthorized user can trick an authorized user into disclosing sensitive data.
     • DAC doesn’t impose any control on how information is propagated.
     • Supported by most commercial DBMSs.
   • Mandatory access control (MAC):
     • Multilevel security:
       • Top secret, secret, confidential, and unclassified
       • Needed for government, military, and intelligence applications
24. Polyinstantiation
   • Solution to the dilemma
     • Add one tuple with security class C:
         bid  name   color  security class
         101  Salsa  Red    S
         101  Pasta  Blue   C
         102  Pinto  Brown  C
   • Polyinstantiation:
     • The presence of data objects that appear to have different values to users with different clearances.
       • E.g., the boat with bid 101
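An added Python sketch (not from the slides) of a multilevel relation holding the three Boats rows on this slide. It assumes the standard multilevel model behind the slides missing from this scrape (19 to 23): classes are ordered U < C < S < TS, a user reads only tuples at or below their clearance, writes at their own class, and the key of the relation is (bid, class). A C user's insert of bid 101 is therefore accepted as a second instance rather than rejected, because a rejection would reveal that a Secret boat 101 exists; the column names bname and color are assumed.

```python
"""Added example: a multilevel relation with polyinstantiation (not the slides' code).
Rows are the ones shown on the slide; the column names bname and color are assumed."""
from __future__ import annotations
from dataclasses import dataclass

LEVEL = {"U": 0, "C": 1, "S": 2, "TS": 3}   # unclassified < confidential < secret < top secret


@dataclass(frozen=True)
class Boat:
    bid: int
    bname: str
    color: str
    cls: str   # security class of this tuple


class MultilevelBoats:
    def __init__(self) -> None:
        self.rows: list[Boat] = []

    def select(self, clearance: str) -> list[Boat]:
        """No read up: a user sees only tuples classified at or below their clearance."""
        return [r for r in self.rows if LEVEL[r.cls] <= LEVEL[clearance]]

    def insert(self, user_cls: str, bid: int, bname: str, color: str) -> Boat:
        """Insert at the user's own class. The key is (bid, cls), and a key clash is
        checked only against tuples the user can see at that class. Refusing a C user's
        insert because an S tuple with the same bid exists would leak that tuple's
        existence, so the insert is accepted and bid 101 becomes polyinstantiated."""
        for r in self.select(user_cls):
            if r.bid == bid and r.cls == user_cls:
                raise ValueError(f"bid {bid} already exists at class {user_cls}")
        row = Boat(bid, bname, color, user_cls)
        self.rows.append(row)
        return row

    def polyinstantiated_bids(self, clearance: str) -> set[int]:
        """bids that show more than one value to a user with this clearance."""
        seen: dict[int, int] = {}
        for r in self.select(clearance):
            seen[r.bid] = seen.get(r.bid, 0) + 1
        return {bid for bid, n in seen.items() if n > 1}


def slide24_relation() -> MultilevelBoats:
    rel = MultilevelBoats()
    rel.insert("S", 101, "Salsa", "Red")     # the existing Secret tuple
    rel.insert("C", 101, "Pasta", "Blue")    # the C user's insert from the slide
    rel.insert("C", 102, "Pinto", "Brown")
    return rel


def view_as(clearance: str) -> list[tuple[int, str, str, str]]:
    """What a user with the given clearance sees of the slide's relation."""
    return [(r.bid, r.bname, r.color, r.cls) for r in slide24_relation().select(clearance)]


if __name__ == "__main__":
    for c in ("U", "C", "S"):
        print(c, view_as(c))
    print("polyinstantiated bids for S:", slide24_relation().polyinstantiated_bids("S"))
```

A C user sees one boat 101 (Pasta, Blue) and cannot tell that a Secret boat 101 exists; an S user sees both instances, which is the polyinstantiation the slide describes. A repeated insert of bid 102 at class C is still a normal key violation, because that tuple is visible to the inserting user.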
25. Comparison Between DAC and MAC
   • Discretionary access control (DAC):
     • Flexible
     • Supported by most commercial DBMSs
     • Applicable to a large variety of domains
     • Vulnerable to Trojan Horses
   • Mandatory access control (MAC):
     • Very rigid
     • Not supported in most commercial DBMSs
     • Only applicable in military, intelligence, and government
     • Prevents flow from higher to lower security levels