
Security in Databases

Srini & Nandita (CSE2500), DB Security

Outline

• review of databases
• reliability & integrity
• protection of sensitive data
• protection against inference
• multi-level security

CSE2500 System Security & Privacy


[Diagram: users, DB Administrator, DBMS, Database]


Database concepts

• database
  – data + rules
• components of data
  – records: composed of fields / elements
• logical structure: schema
• attribute: name of a column
• relation: a set of columns


A sample database

NAME     SEX  AID   FINES  DRUGS  DORM
Adams    M    5000  45.0   1      Holmes
Bailey   M       0   0.0   0      Grey
Chin     F    3000  20.0   0      West
Dewitt   M    1000  35.0   3      Grey
Earhart  F    2000  95.0   1      Holmes
Fein     F    1000  15.0   0      West


DB should deliver (advantages)

• shared access
• minimal redundancy
• data consistency
• data integrity
• controlled access


Security requirements

• physical DB integrity
• logical DB integrity
• element (field) integrity
• auditability
• access control
• user authentication
• availability
  – (integrity, confidentiality & availability)


Reliability & integrity

• three dimensions:
  – database integrity
  – element integrity
  – element accuracy

• various techniques
  – 2-phase update
  – introducing redundancy
  – recovery
  – concurrency/consistency control
  – using monitors


2-phase update

• phase-1: Intent
  – gathering info & resources
  – no harm in the case of failure
  – writing of a commit flag to the database

• phase-2: Commit
  – set commit flag in the database
  – causing permanent changes
  – may be repairable in the case of failure


2-Phase Update (Example)

• Suppose a DB query asks to add 1 to fields X and Y.
• Phase 1 (Intent):
  – Compute updated values in temporary “shadow” variables Xnew and Ynew:
    > Xnew := X + 1, Ynew := Y + 1
• Phase 2 (Commit):
  – Set “Commit” flag (i.e. DB changes have started; do not repeat the Intent phase!)
  – Copy shadow values into the DB:
    > X := Xnew, Y := Ynew
  – Write “Update Complete”, clear the Commit flag.
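The two-phase update above, worked through as runnable code. This is an added example, not code from the slides: the "database" is an in-memory dict, the commit flag is a field on the same object, and the crash points (crash_at) are simulated so that the recovery rule on the previous slide (a failure in phase 1 is harmless, a failure in phase 2 is repairable by redoing the copy, never by repeating the intent phase) can be checked for each case.

```python
# Added example (not from the slides): a two-phase update with shadow values and a
# commit flag, plus the recovery step that makes a crash during phase 2 repairable.
# The "database" is an in-memory dict; the crash points are simulated.


class CrashError(Exception):
    """Simulated failure injected at a chosen step (constructed for this demo)."""


class TwoPhaseDB:
    def __init__(self, data):
        self.data = dict(data)    # committed field values, e.g. {"X": 10, "Y": 20}
        self.shadow = {}          # temporary "shadow" variables (Xnew, Ynew, ...)
        self.commit_flag = False  # set when phase 2 begins, cleared on "Update Complete"

    def add_one(self, fields, crash_at=None):
        """Add 1 to each field; crash_at = ("intent", f) or ("commit", f) injects a failure."""
        # Phase 1 (Intent): compute new values into shadow variables only.
        # Nothing in self.data changes, so a failure here leaves the DB untouched.
        for f in fields:
            if crash_at == ("intent", f):
                raise CrashError(f"crashed in intent phase before {f}")
            self.shadow[f] = self.data[f] + 1

        # Phase 2 (Commit): record that permanent changes have started, then copy.
        self.commit_flag = True
        for f in fields:
            if crash_at == ("commit", f):
                raise CrashError(f"crashed in commit phase before {f}")
            self.data[f] = self.shadow[f]

        # "Update Complete": clear the shadow values and the commit flag.
        self.shadow = {}
        self.commit_flag = False

    def recover(self):
        """Run after a restart. Returns what was done so callers can log it."""
        if self.commit_flag:
            # Commit had started: finish copying the shadow values. The copy is
            # idempotent, so a field already written before the crash just receives
            # the same value again. The intent phase is never repeated (that would
            # add 1 twice).
            for f, value in self.shadow.items():
                self.data[f] = value
            self.shadow = {}
            self.commit_flag = False
            return "redone"
        # Commit had not started: discard partial shadow values; the DB is consistent.
        self.shadow = {}
        return "discarded"


def run_with_crash(crash_at):
    """Apply 'X := X+1, Y := Y+1' to {X: 10, Y: 20}, crash at the given step, recover."""
    db = TwoPhaseDB({"X": 10, "Y": 20})
    try:
        db.add_one(["X", "Y"], crash_at=crash_at)
        outcome = "completed"
    except CrashError:
        outcome = db.recover()
    return outcome, db.data


if __name__ == "__main__":
    for step in (None, ("intent", "Y"), ("commit", "Y")):
        print(step, "->", run_with_crash(step))
```

The point to check in the output is the ("commit", "Y") case: X was already copied when the crash hit, and after recovery both fields are incremented exactly once, because recovery only re-copies shadow values and never recomputes them.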


Redundancy/internal consistency

• using error detection / correction codes
  – entire database
  – records
  – fields / elements
• shadow fields
  – duplication of attributes / records


Recovery

• one way to achieve recovery is to keep a log file of all recent changes (since the last backup)


Concurrency/Consistency

• In a multi-user/process/client environment, concurrency and consistency control is vitally important.

• Basic techniques
  – using “atomic operation”
    > Read-then-(if OK)-Write: a write query to a field is conditioned on its current contents being as specified (in case it was modified recently by someone else)
  – using “locking” mechanisms
    > Read queries to a record are blocked while a write is performed to the record by someone else
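The Read-then-(if OK)-Write technique, as an added example that is not part of the slides. It uses Python's sqlite3 module with a constructed one-row table; the competing client is simulated by a callback that runs between the read and the write. The write is made conditional by putting the value that was read into the UPDATE's WHERE clause and checking the affected row count, so a concurrent modification turns the write into a no-op that the client can detect and retry.

```python
# Added example (not from the slides): "Read-then-(if OK)-Write" with sqlite3.
# A client reads a field, computes a new value, and writes it back only if the field
# still holds the value it read. The table and the interleaving are constructed.
import sqlite3


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fines (name TEXT PRIMARY KEY, amount REAL)")
    conn.execute("INSERT INTO fines VALUES ('Adams', 45.0)")
    conn.commit()
    return conn


def read_fines(conn, name):
    return conn.execute("SELECT amount FROM fines WHERE name = ?", (name,)).fetchone()[0]


def conditional_write(conn, name, expected, new_value):
    """Write new_value only if the field still equals `expected`. True on success."""
    cur = conn.execute(
        "UPDATE fines SET amount = ? WHERE name = ? AND amount = ?",
        (new_value, name, expected),
    )
    conn.commit()
    return cur.rowcount == 1  # 0 rows: someone changed the field since we read it


def add_fine(conn, name, delta, interleaved=None, max_retries=3):
    """Add `delta` to a student's fines using read-then-(if OK)-write with retry.

    `interleaved` is an optional callback simulating another client that runs
    between our read and our write. Returns (attempts, final_value).
    """
    for attempt in range(1, max_retries + 1):
        current = read_fines(conn, name)          # read
        if interleaved is not None:
            interleaved(conn)                     # another client modifies the row
            interleaved = None                    # interfere only once
        if conditional_write(conn, name, current, current + delta):  # (if OK) write
            return attempt, read_fines(conn, name)
    raise RuntimeError("gave up after repeated concurrent modifications")


def other_client_pays(conn):
    """Constructed competing client: records a 20.0 payment on Adams' fines."""
    conn.execute("UPDATE fines SET amount = amount - 20.0 WHERE name = 'Adams'")
    conn.commit()


def demo():
    # An unconditional write here would store 45 + 10 = 55 and silently discard the
    # payment (a lost update). With the condition, the first write affects 0 rows,
    # the client re-reads 25.0 and stores 35.0 on the second attempt.
    return add_fine(open_db(), "Adams", 10.0, interleaved=other_client_pays)


if __name__ == "__main__":
    print(demo())  # (2, 35.0)
```

Using the value read as the condition is the simplest form; production systems usually compare a version counter or row timestamp instead, which avoids the ABA case where the field was changed and then changed back between the read and the write.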


Monitors

• checking the structural consistency of data entered or modified
  – range comparison -- field specific
  – state constraints
    > describe the condition of the entire DB
    > (properties which should be satisfied by DB contents at all times)
  – transition constraints
    > describe the conditions necessary before a change can be made
    > (properties which should be satisfied by DB contents so that a change to the DB is valid)
• collectively called Integrity Constraints
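A monitor that enforces all three kinds of integrity constraint before an update is applied, as an added example that is not from the slides. The rules themselves (the field ranges, the total aid budget, the maximum per-update change in AID, the rule that recorded drug incidents cannot be removed) are constructed for the demonstration and marked as assumptions in the code; the rows mirror the sample database.

```python
# Added example (not from the slides): a "monitor" that checks an update against a
# range rule, a transition constraint and a state constraint before applying it.
# The rules, the budget figure and the student rows are constructed for the demo.

# Range comparison: field-specific bounds (assumed values).
RANGE_RULES = {"aid": (0, 10_000), "fines": (0.0, 500.0), "drugs": (0, 10)}

# State constraint: a property of the whole DB that must hold at all times
# (assumed rule: total financial aid may never exceed this budget).
TOTAL_AID_BUDGET = 12_500

# Transition constraint: a property of the change itself (assumed rule: one update
# may move AID by at most 1000; larger awards go through a separate process).
MAX_AID_CHANGE = 1000


def check_range(field, value):
    """Field-specific range comparison; fields without a rule always pass."""
    lo, hi = RANGE_RULES.get(field, (None, None))
    if lo is not None and not (lo <= value <= hi):
        return [f"range: {field}={value} outside [{lo}, {hi}]"]
    return []


def check_state(rows):
    """Properties the entire DB must satisfy after the change."""
    problems = []
    total_aid = sum(r["aid"] for r in rows.values())
    if total_aid > TOTAL_AID_BUDGET:
        problems.append(f"state: total aid {total_aid} exceeds budget {TOTAL_AID_BUDGET}")
    return problems


def check_transition(old_row, new_row):
    """Conditions on the old -> new change, independent of the rest of the DB."""
    problems = []
    if abs(new_row["aid"] - old_row["aid"]) > MAX_AID_CHANGE:
        problems.append(f"transition: aid changed by more than {MAX_AID_CHANGE} in one step")
    if new_row["drugs"] < old_row["drugs"]:
        problems.append("transition: recorded drug incidents cannot be removed by an update")
    return problems


def apply_update(rows, name, changes):
    """Apply `changes` to record `name` only if every monitor check passes.

    Returns the list of violations (empty when the update was applied).
    """
    old_row = rows[name]
    new_row = {**old_row, **changes}
    violations = []
    for field, value in changes.items():
        violations += check_range(field, value)
    violations += check_transition(old_row, new_row)
    trial = {**rows, name: new_row}      # evaluate state constraints on the would-be DB
    violations += check_state(trial)
    if not violations:
        rows[name] = new_row             # commit only a fully valid change
    return violations


def sample_rows():
    """Constructed rows mirroring the slides' sample database."""
    return {
        "Adams":   {"sex": "M", "aid": 5000, "fines": 45.0, "drugs": 1, "dorm": "Holmes"},
        "Bailey":  {"sex": "M", "aid": 0,    "fines": 0.0,  "drugs": 0, "dorm": "Grey"},
        "Chin":    {"sex": "F", "aid": 3000, "fines": 20.0, "drugs": 0, "dorm": "West"},
        "Dewitt":  {"sex": "M", "aid": 1000, "fines": 35.0, "drugs": 3, "dorm": "Grey"},
        "Earhart": {"sex": "F", "aid": 2000, "fines": 95.0, "drugs": 1, "dorm": "Holmes"},
        "Fein":    {"sex": "F", "aid": 1000, "fines": 15.0, "drugs": 0, "dorm": "West"},
    }


if __name__ == "__main__":
    for student, change in [("Fein", {"aid": 1500}), ("Adams", {"aid": 15000}),
                            ("Adams", {"aid": 3500}), ("Bailey", {"aid": 1000}),
                            ("Dewitt", {"drugs": 2})]:
        print(student, change, "->", apply_update(sample_rows(), student, change) or "applied")
```

The state check runs on a trial copy of the whole table, which is what distinguishes it from the other two: a range rule looks at one value, a transition rule at one record's before and after, and a state rule at everything the DB would contain once the change lands.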


On sensitive data

• factors that make data sensitive
  – inherently sensitive
  – from a sensitive source
  – declared sensitive
  – of a sensitive attribute or a sensitive record
  – sensitive in relation to previously disclosed information
• sensitivity of data in a DB may vary!


A sample database

NAME     SEX  AID   FINES  DRUGS  DORM
Adams    M    5000  45.0   1      Holmes
Bailey   M       0   0.0   0      Grey
Chin     F    3000  20.0   0      West
Dewitt   M    1000  35.0   3      Grey
Earhart  F    2000  95.0   1      Holmes
Fein     F    1000  15.0   0      West


Access decisions on sensitive data

• factors to be considered when permitting “user x to access data y”
  – availability of data
    > record is blocked from read while it is modified
  – acceptability of access
    > no disclosure (even ‘partial’) of sensitive values to unauthorized users
  – assurance of authenticity of user
    > limit access based on other considerations (time of access, previous accesses, …)


Types of disclosure of sensitive data

• exact data (field = x)
• bounds
  – x < field < y
• negative result
  – field is not equal to x
• existence
  – an attribute of a field exists in the DB
• probable value
  – reducing the number of possible values for a field, improving knowledge of their relative likelihoods


Inference Problem

• definition:
  – infer or derive sensitive data from non-sensitive or (seemingly) unrelated data
• “inference” is a subtle vulnerability in database security


A sample database

NAME     SEX  AID   FINES  DRUGS  DORM
Adams    M    5000  45.0   1      Holmes
Bailey   M       0   0.0   0      Grey
Chin     F    3000  20.0   0      West
Dewitt   M    1000  35.0   3      Grey
Earhart  F    2000  95.0   1      Holmes
Fein     F    1000  15.0   0      West


Direct attack

• list NAME where SEX = M & DRUGS = 1

• list NAME where (SEX = M & DRUGS = 1) | (SEX != M & SEX != F) | (DORM != East)


Indirect attack (statistical inference)

• Sum
  – sum of financial aid by dorm & sex

         Holmes  Grey  West  Total
  M        5000  1000     0   6000
  F        2000     0  4000   6000
  Total    7000  1000  4000  12000


Indirect attack (cont.)

• Count
  – count of students by dorm & sex

         Holmes  Grey  West  Total
  M           1     2     0      3
  F           1     0     2      3
  Total       2     2     2      6

  – can be used in combination with “sum”


Indirect attack (cont.)

• Median

[Diagram: values of attribute 1 ordered from lowest to highest and values of attribute 2 ordered from lowest to highest, with the median for attribute 1 & the median for attribute 2 marked]


Revealing Earhart’s DRUGS value

• Earhart is the only person who has the median of AID and DRUGS, so if the data on AID is known, the following query reveals Earhart’s DRUGS:

  p = median (DRUGS where AID = 2000)


Indirect attack (cont.)

• Linear system attack
  – by solving a set of equations, e.g.

    q1 = c1 + c2 + c3
    q2 = c2 + c3
    q3 = c1 + c3


Controls for statistical inference

• 2 types of control
  – applied to queries --- very hard!
  – applied to data items --- relatively easy
    > suppression --- sensitive data are not provided
    > concealing --- precise data are not provided
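The Sum and Count tables, the Earhart median query and the suppression control on this slide, brought together in one added example that is not from the slides. It builds the sample database in sqlite3 and answers SUM, COUNT and MEDIAN queries through a single gate that refuses any aggregate whose query set has fewer than k records (k = 2 is an assumed threshold). The column allowlists and the parameter binding keep the query builder from accepting anything but the intended predicates.

```python
# Added example (not from the slides): a statistical query interface over the
# slides' sample table that applies a minimum query-set-size control (a form of
# suppression) before answering SUM/COUNT/MEDIAN. The threshold k is assumed.
import sqlite3
import statistics

ROWS = [  # constructed copy of the slides' sample database
    ("Adams",   "M", 5000, 45.0, 1, "Holmes"),
    ("Bailey",  "M",    0,  0.0, 0, "Grey"),
    ("Chin",    "F", 3000, 20.0, 0, "West"),
    ("Dewitt",  "M", 1000, 35.0, 3, "Grey"),
    ("Earhart", "F", 2000, 95.0, 1, "Holmes"),
    ("Fein",    "F", 1000, 15.0, 0, "West"),
]

MIN_QUERY_SET = 2                                 # assumed k: smaller sets are suppressed
STAT_COLUMNS = {"aid", "fines", "drugs"}          # columns that may be aggregated
FILTER_COLUMNS = {"sex", "dorm", "aid", "drugs"}  # columns that may appear in predicates


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students"
                 "(name TEXT, sex TEXT, aid INTEGER, fines REAL, drugs INTEGER, dorm TEXT)")
    conn.executemany("INSERT INTO students VALUES (?,?,?,?,?,?)", ROWS)
    conn.commit()
    return conn


def stat_query(conn, func, column, predicates):
    """Answer SUM/COUNT/MEDIAN of `column` over rows matching `predicates`
    (a dict of column -> required value). Returns None when the query set is
    smaller than MIN_QUERY_SET, so single-record answers are never released."""
    if column not in STAT_COLUMNS or not set(predicates) <= FILTER_COLUMNS:
        raise ValueError("column not permitted in a statistical query")
    # Column names come only from the allowlists; values are bound as parameters.
    where = " AND ".join(f"{c} = ?" for c in predicates) or "1 = 1"
    values = [r[0] for r in conn.execute(
        f"SELECT {column} FROM students WHERE {where}", tuple(predicates.values()))]
    if len(values) < MIN_QUERY_SET:
        return None                       # suppressed: query set too small
    if func == "count":
        return len(values)
    if func == "sum":
        return sum(values)
    if func == "median":
        return statistics.median(values)
    raise ValueError(f"unsupported statistic {func!r}")


def sum_table(conn, column="aid"):
    """The dorm x sex SUM table from the slides, with suppressed cells shown as None."""
    dorms, sexes = ("Holmes", "Grey", "West"), ("M", "F")
    return {s: {d: stat_query(conn, "sum", column, {"sex": s, "dorm": d}) for d in dorms}
            for s in sexes}


if __name__ == "__main__":
    conn = open_db()
    print(sum_table(conn))
    print(stat_query(conn, "median", "drugs", {"aid": 2000}))  # None: one matching row
    print(stat_query(conn, "sum", "aid", {}))                   # 12000: whole table
```

With k = 2 the Holmes cells of the Sum table (one student each) and the median query on AID = 2000 come back as None, while the Grey/M and West/F cells and the totals are still answered. A size threshold on its own is a weak control, though: a client who can ask for a total and for the total minus one carefully chosen group recovers a single cell by subtraction, which is the same overlap that the linear system attack exploits. That is why the slides list "track what the user knows" as a separate, costlier approach and conclude that there is no perfect solution.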


Summary of inference

• no perfect solution to the inference problem
• 3 common approaches
  – suppress obviously sensitive data: fairly easy
  – track what the user knows: costly
  – disguise data: may result in incorrect or wrong responses to legitimate queries


Multi-level security

• The 2-level security model (sensitive or non-sensitive) is inadequate in many practical applications:
  – The security of a data element may be different from that of other elements in the same row or column.
  – In practice many grades of security may be needed.
  – The security of an aggregate may be different from that of the individual elements.


Realising Multi-level Security

• Partitioning
  – each sub-database corresponds to a security level
• Encryption
  – each record (or field) can be encrypted using a different key
• Integrity lock
• Trusted Front End
• Commutative Filter
• Window/View
