Embed Size (px)
Citation preview
Chapter 9: 1
Computer Security 3e
Dieter Gollmann
www.wiley.com/college/gollmann
Chapter 9: 2
Chapter 9:Database Security
Chapter 9: 3
Database Security
Databases store data and provide information to their users.
Database Security: protection of sensitive data and mechanisms that allow users to retrieve information in a controlled manner.
Difference to Operating System Security: Database Security control access to information more than access to data.
Focus on principals requesting access to database.
Chapter 9: 4
Objectives
Analyze the security issues specific to database systems.
Show how to use views for access control in relational databases.
Protect information in statistical databases.
Examine interactions between security mechanisms in the database management system and in the underlying operating system.
Chapter 9: 5
Man-machine scale: DBsec
specificcomplex
focus on users
genericsimple
focus on data
manoriented
machineoriented
Chapter 9: 6
Agenda
Protection requirements
Relational databases
SQL security model
Access control through views
Statistical database security Tracker attacks
Integrating database security and operating system security
Privacy
Chapter 9: 7
DBsec: Attack Goals
Exact data: the values stored in the database;
Bounds: lower or upper bounds on a numerical value like a salary can already be useful information;
Negative results: e.g. if a database contains numbers of criminal convictions, then the information that a particular person does not have zero convictions is sensitive.
Existence: the existence of data may already be sensitive information;
Probable value: being able to guess some information from the results of other queries.
Chapter 9: 8
Design Requirements
Precision: protect sensitive information while revealing as much non-sensitive information as possible.
Internal consistency: the entries in the database obey some prescribed rules. E.g., stock levels cannot fall below zero.
External consistency: the entries in the database are correct. E.g., stock levels given in the database match stock levels in
the warehouse; however, the database management system (DBMS) alone cannot keep the database in a consistent state.
This property is also called accuracy.
Chapter 9: 9
Relational Databases
A relational database is a database that is perceived by its users as a collection of tables (and tables only).
A relation R is a subset of D1 Dn where D1, , Dn are the domains on n attributes.
The elements in the relation are n-tuples (v1, , vn) with vi Di; the value of the i-th attribute has to be an element from Di.
Elements in a tuple are often called fields.
A special null value indicates that a field does not contain any value.
Chapter 9: 10
Types of Relations
Base relations (real relations): named, autonomous relations; exist in their own right, are not derived from other relations, and have ‘their own’ stored data.
Views: named, derived relations, defined in terms of other named relations; no stored data of their own.
Snapshots: named, derived relations, defined in terms of other named relations; have stored data of their own.
Query results: may or may not have a name; no persistent existence in the database per se.
Chapter 9: 11
Database Keys
Tuples in a relation must be uniquely identifiable.
A primary key K of a relation R has to fulfil the following conditions: Uniqueness: at any time, no tuples of R have the same value
for K; Minimality: if K is composite, no component of K can be
omitted without destroying uniqueness.
Every relation must have a primary key.
A primary key of one relation that is an attribute in some other relation is a foreign key in that relation.
Chapter 9: 12
Integrity Rules
Entity Integrity Rule: no component of the primary key of a base relation is allowed to accept nulls.
Referential Integrity Rule: the database must not contain unmatched foreign key values.
Application specific integrity rules: Field checks: to prevent errors on data entry. Scope checks. Consistency checks.
Chapter 9: 13
SQL
Structured Query Language (SQL): standard language for describing how information in a relational database can be retrieved and updated.
SQL operations: SELECT: retrieves data from a relation. UPDATE: update fields in a relation. DELETE: deletes tuples from a relation. INSERT: adds tuples to a relation.
Chapter 9: 14
SQL Security Model Discretionary access control using privileges and
views, based on: users: authenticated during logon; actions: include SELECT, UPDATE, DELETE, and INSERT; objects: tables, views, columns (attributes) of tables and
views;
Users invoke actions on objects; the DBMS decides whether to permit the requested action.
When an object is created, it is assigned an owner; initially only the owner has access to the object; other users have to be issued with a privilege:
(grantor, grantee, object, action, grantable).
Chapter 9: 15
Granting & Revoking Privileges
Privileges managed with GRANT and REVOKE. GRANT SELECT, UPDATE (Day,Flight)
ON TABLE Diary TO Art, Zoe
Selective revocation of privileges: REVOKE UPDATE
ON TABLE Diary FROM Art
Right to delegate privileges given through GRANT option:
GRANT SELECTON TABLE DiaryTO ArtWITH GRANT OPTION
Chapter 9: 16
Access Control through Views
Views: derived relations, created by CREATE VIEW view_name [ ( column [, column ] ... ) ]
AS subquery [ WITH CHECK OPTION ]
Many security policies better expressed by privileges on views than by privileges on base relations.
Access conditions described through subquery in the view definition:CREATE VIEW business_trips AS SELECT * FROM Diary WHERE Status = `business' WITH CHECK OPTION;
Chapter 9: 17
Advantages
Views are flexible and allow access control policies to be defined at a level of description that is close to the application requirements.
Views can enforce context-dependent and data-dependent security policies.
Views can implement controlled invocation.
Secure views can replace security labels.
Data can be easily reclassified.
Chapter 9: 18
More ExamplesCREATE VIEW Top_of_the_Class AS SELECT * FROM Students WHERE Grade <
(SELECT Grade FROM Students WHERE Name = current_user());
CREATE VIEW My_Journeys AS SELECT * FROM Diary
WHERE Customer = current_user());display journeys booked by the customer using the view.
displays students whose grade average is less than that of the person using the view
Chapter 9: 19
CHECK Option INSERT and UPDATE can interfere with view-based
access control. Views may not be updatable because they do not
contain the information that is needed to maintain the integrity of the corresponding base relation. E.g., a view that does not contain the primary key of an
underlying base relation cannot be used for updates.
Blind writes: updates that overwrite an existing entry. For views defined WITH CHECK OPTION, UPDATE
and INSERT can only write entries to the database that meet the definition of the view.
Blind writes possible if CHECK option is omitted.
Chapter 9: 20
Disadvantages Access checking may become complicated and slow. View definitions have to be checked for ‘correctness’;
do they really capture the intended security policy? Completeness and consistency are not achieved
automatically, views may overlap or may fail to capture the entire database.
The security relevant part of the DBMS (the TCB) becomes very large.
It may be difficult to determine for individual data items who has access; thus, views are less suitable in situations where it is necessary to protect the data items rather than controlling the users’ actions.
Chapter 9: 21
Statistical Database Security
Statistical database: information retrieved by means of statistical (aggregate) queries on attributes (columns) of a table.
Aggregate functions in SQL: COUNT: the number of values in a column, SUM: the sum of the values in a column, AVG: the average of the values in a column, MAX: the largest value in a column, MIN: the smallest value in a column.
Query predicate of a statistical query: specifies the tuples used for computing the aggregate,
Query set: tuples matching the query predicate.
Chapter 9: 22
Security Challenge The database contains data that are individually
sensitive; direct access to data items is therefore not permitted.
Statistical queries to the database are permitted, but these queries will read individual data items.
It thus becomes possible to infer information; it is thus no longer sufficient to police access requests individually.
In a statistical database, there must be some information flow from the data to their aggregate.
We can only try to reduce it to an acceptable level.
Chapter 9: 23
Attacks Aggregation: sensitivity level of an aggregate
computed over a group of values may differ from the sensitivity levels of the individual elements; e.g., an aggregate may be sensitive information derived from a collection of less sensitive business data.
Inference problem: derivation of sensitive information from non-sensitive data: Direct Attack: aggregate computed over a small sample so
that information about individual data items is leaked. Indirect Attack: combine information relating to several
aggregates; Tracker Attack: a particularly effective type of indirect attack; Linear System Vulnerability: use algebraic relations between
query sets to construct equations which yield the desired information.
Chapter 9: 24
Example RelationName Sex Program Units Grade Ave.
Alma F MBA 8 63
Bill M CS 15 58
Carol F CS 16 70
Don M MIS 22 75
Errol M CS 8 66
Flora F MIS 16 81
Gala F MBA 23 68
Homer M CS 7 50
Igor M MIS 21 70
Chapter 9: 25
Direct Attack
Q1 : SELECT COUNT(*)
FROM Students
WHERE Sex = 'F' AND Program = 'CS'
Q2 : SELECT AVG(Grade Ave.)
FROM Students
WHERE Sex = 'F' AND Program = 'CS'
Returns count 1
Returns 70: average for a single student
Chapter 9: 26
Tracker Attacks Individual tracker for a given tuple: query predicate T
that allows to derive information about that tuple. General tracker: predicate that can be used to find
the answer to any inadmissible query. Let T be a general tracker and let R be a predicate
that uniquely identifies the tuple r we want to probe; T chosen so that the query set and its complement are large enough for the query to be permitted.
Make two queries to the database with the predicates R T and R T; the target r is the only tuple used by both queries.
‘Add’ the two results and ‘subtract’ the result of a query over the entire database; only the target is left.
Chapter 9: 27
Tracker AttackQ3 : SELECT COUNT(*) FROM Students WHERE Programme = 'CS'
Q4 : SELECT COUNT(*) FROM Students WHERE Programme = 'CS' AND Sex = 'M'
Q5 : SELECT AVG(Grade Ave.) FROM Students WHERE Program = 'CS'
Q6 : SELECT AVG(Grade Ave.) FROM Students WHERE Program = 'CS' AND Sex = 'M'
Returns count 4
Returns count 3
Returns average 61
Returns average 68
Carol’s grade average:4 61 – 3 58 = 70
Chapter 9: 28
General Tracker
Q7 : SELECT SUM(Units) FROM Students WHERE Name = 'Carol' OR Program = 'MIS'
Q8 : SELECT SUM(Units) FROM Students WHERE Name = 'Carol' OR NOT (Program = 'MIS')
Q9 : SELECT SUM(Units) FROM Students
Returns sum 75
Returns sum 77
Returns sum 136
Carol has passed (75 + 77) - 136 = 16 units
Chapter 9: 29
Countermeasures Suppress obviously sensitive information. Disguise the data:
Randomly swap entries in the database so that an individual query will give a wrong result although the statistical queries still would be correct;
Add small random perturbations to query result so that the value returned is close to the real value but not quite correct.
Drawback: reduced precision and usability.
Better design of the database schema. Track what the user knows: user actions recorded in
an audit log, a query analysis checks for suspicious sequences of queries.
Chapter 9: 30
Integration with Operating System
Like an operating system, a DBMS has to stop users from interfering with each other, and with the DBMS.
To avoid duplicating efforts, you could give these tasks to the operating system.
DBMS runs as a set of operating system processes; system processes for general database management tasks and each database user is mapped to a separate operating system process.
Operating system can distinguish between users; if each database object is stored in its own file, the operating system can do all the access control.
DBMS only translates user queries into operations the operating system understands.
Chapter 9: 31
Users isolated by O/S
Art Zoe
Art Zoe
DBMS
DBsys-tem
operating system processes
Chapter 9: 32
Integration with Operating System
Allocating an individual operating system process to every database users wastes memory resources and does not scale up to large user numbers.
Letting processes handle the database requests of several users saves memory but the DBMS becomes responsible for access control.
Similar considerations for storing database objects; for small objects, having a separate file for each object is wasteful.
If the operating system does not control access of database users, several database objects can be collected in one operating system file.
Chapter 9: 33
Users isolated by DBMS
Art Zoe
usersArtZoe
otherusers
DBMS
DBsys-tem
operating system processes
Chapter 9: 34
Privacy
Organisations that store personal data of their customers, e.g. name, address, age, credit card number, meal preference, must comply with data protection laws and regulations.
Examples: OECD Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data. EU Data Protection Directive US: HIPAA (Health Insurance Portability and Accountability
Act of 1996)
Chapter 9: 35
OECD Guidelines (1980)
Organisation for Economic Co-operation and Development.
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
“There is a danger that disparities in national [privacy] legislations could hamper the free flow of personal data across frontiers”.
Goal of guidelines: help harmonising national privacy legislation.
Chapter 9: 36
Basic Protection Principles Collection Limitation Principle
There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Data Quality PrinciplePersonal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
Purpose Specification Principle (§9)The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are … specified on each occasion of change of purpose.
Chapter 9: 37
Basic protection principles
Use Limitation PrinciplePersonal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with §9 except:a)with the consent of the data subject; orb)by the authority of law
Security Safeguards PrinciplePersonal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
Openness PrincipleThere should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
Chapter 9: 38
Basic Protection Principles
Individual Participation PrincipleAn individual should have the right:a) to obtain from a data controller, or otherwise, confirmation of
whether or not the data controller has data relating to him;b) to have communicated to him, data relating to him
a)within a reasonable time; b)at a charge, if any, that is not excessive; c) in a reasonable manner; and d)in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.
Chapter 9: 39
Basic Protection Principles Individual Participation Principle
An individual should have the right:a) to obtain from a data controller, or otherwise, confirmation of
whether or not the data controller has data relating to him;b) to have communicated to him, data relating to him
a)within a reasonable time; b)at a charge, if any, that is not excessive; c)in a reasonable manner; and d)in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.
Accountability PrincipleA data controller should be accountable for complying with measures which give effect to the principles stated above.
Chapter 9: 40
P3P Privacy: users should be in control of their personal
data, even after the data have been disclosed!? Can technology help to achieve this goal? Platform for Privacy Preferences 1.1 (P3P1.1)
W3C Working Draft 27 April 2004.
Enables Web sites to express their data-collection and data-use practices in a standardized machine-readable XML format known as a P3P policy.
P3P user agents: built into Web browsers, browser plug-ins, or proxy servers.
Chapter 9: 41
P3P
“P3P enables Web users to understand what data will be collected by sites they visit, how that data will be used, and what data/uses they may opt-out of or opt-in to.”
“P3P user agents can automate decision-making based on these practices by comparing a site’s P3P policy with the privacy preferences set by the user.”
“Thus users need not read the privacy policies at every site they visit.”
Chapter 9: 42
Comments
P3P is a descriptive language.
Users have to ‘trust’ web sites that they adhere to their stated policies; data protection laws can stipulate that they have to.
Can actions by the user agent imply the user’s consent?
(At least in an earlier version): only policies about retrieving cookies could be expressed Reasonable from a technical point of view but the Directive
would refer to the setting of cookies (“writing”).
Little impact on the Web so far.
Chapter 9: 43
Summary
In database security, access control requirements may conflict with application-level integrity requirements.
Statistical database security shows that it may be insufficient to control direct access to data.
Similar issues have to be addressed in data mining.
Privacy laws imply access control requirements on personal data.
Putting users (data subjects) in control of their personal data asks them to define security policies; this is a difficult job most users will try to avoid.
