Database Security
CSCE 522 - Farkas 2
Reading assignments
Required:
• Pfleeger: Chapter 6 (except 6.3)
• Multilevel Secure Relational Data Model (S. Jajodia, R. S. Sandhu. Toward a Multilevel Secure Relational Data Model. Proc. 1991 ACM Int'l. Conf. on Management of Data (SIGMOD), 50-59. http://www.list.gmu.edu/articles/infosec_collection/20.pdf)
Recommended:
• Polyinstantiation (Sushil Jajodia, Ravi S. Sandhu, and Barbara T. Blaustein, Solutions to the Polyinstantiation Problem, http://www.acsac.org/secshelf/book001/21.pdf)
• MLS/RDMS Architectures (LouAnna Notargiacomo, Architectures for MLS Database Management Systems, http://www.acsac.org/secshelf/book001/19.pdf)
Database Management System (DBMS)
• Collection of interrelated data and set of programs to access the data
• Convenient and efficient processing of data
• Database Application Software
Data Models
A collection of tools for describing
• Data
• Relationships among data items
• Semantics of stored data
• Database constraints
Relational Data Model

Works
Person-name   Company-name   Salary
Smith         BB&C           $43,982
Dell          Bell           $97,900
Black         BB&C           $35,652
Relational Data Model
• Set of relation names: R
• Set of attribute names: A
• Relation schema: S = (r, {a1, …, an})
  r: relation name in R
  {a1, …, an}: subset of A
  e.g., (Works, {person-name, company-name, salary})
Tuple (Record)
Tuple over a relation scheme S is a mapping
t: {a1, …, an} → dom(a1 ∪ … ∪ an)
e.g., t(person-name)=Smith
t(company-name)=BB&C
t(salary)= $43,982
Relation
Relation over schema S is a set of tuples over the scheme
e.g.,
t(person-name)=Smith, t(company-name)=BB&C, t(salary)=$43,982
t’(person-name)=Dell, t’(company-name)=Bell, t’(salary)=$97,900
t”(person-name)=Black, t”(company-name)=BB&C, t”(salary)=$35,652
Database
Database: set of relations
e.g., EMPLOYEE database:
Lives(person-name, street, city)
Works(person-name, company-name, salary)
Located-in(company-name, city)
Manages(person-name, manager-name)
Query Languages
• Relational Algebra
  Set operations
• SQL
  Bag operations
Relational Algebra
• Select (σ)
• Project (π)
• Set difference (-)
• Union (∪)
• Rename (ρx(r))
• Set intersection (∩)
• Natural join (⋈)
Structured Query Language (SQL)
Typical SQL query form:
SELECT A1, A2, ..., An
FROM r1, r2, ..., rm
WHERE C
• Ai's represent attributes to be returned
• ri's represent relations
• C is a condition
Constraints
• Relationship among data elements
• DBMS should enforce the constraints
• Types
  • Keys
  • Foreign-key (referential integrity)
  • Value-based constraints
  • Integrity constraints
  • Database dependencies (e.g., functional dependencies)
Database Security Requirements
• Physical database integrity
• Logical database integrity
• Element integrity
• Auditability
• Access control
• User authentication
• Availability
Sensitive data
• Inherently sensitive
• From a sensitive source
• Declared sensitive
• Part of a sensitive attribute or record
• In relation to previously disclosed information
Types of disclosures
• Exact data
• Range of data
• Negative results
• Existence
• Probable values
Access control
• Operating system
• Database Management System
• Granularity!
Granularity
• Database
• Relation
• Record
• Attribute
• Element
Advantages vs. disadvantages of supporting different granularity levels
Relation-Level Granularity

Works
Person-name   Company-name   Salary
Smith         BB&C           $43,982
Dell          Bell           $97,900
Black         BB&C           $35,652

(Works) = Secret
Tuple-level Granularity

Works
Person-name   Company-name   Salary
Smith         BB&C           $43,982    P
Dell          Bell           $97,900    S
Black         BB&C           $35,652    P
Attribute-Level Granularity

Works
Person-name = P   Company-name = P   Salary = S
Smith             BB&C               $43,982
Dell              Bell               $97,900
Black             BB&C               $35,652
Cell-Level Granularity

Works
Person-name   Company-name   Salary
Smith P       BB&C P         $43,982 S
Dell S        Bell S         $97,900 S
Black P       BB&C S         $35,652 S
Access Control Mechanisms
• Security through Views
• Stored Procedures
• Grant and Revoke
• Query modification
Security Through Views
Assign rights to access predefined views
CREATE VIEW Outstanding-Student AS
SELECT NAME, COURSE, GRADE
FROM Student
WHERE GRADE > B
Problem:
Difficult to maintain updates.
Security Through Views
Student relation
NAME    COURSE     GRADE   SEMESTER
White   CSCE 122   C+      Fall 2000
Black   CSCE 313   A       Fall 2000
Brown   CSCE 580   A       Spring 2000
Green   CSCE 850   B+      Fall 2000
Blue    CSCE 122   B       Fall 2000
Security Through Views
CREATE VIEW Outstanding-Student AS
SELECT NAME, COURSE, GRADE
FROM Student
WHERE GRADE > B

Outstanding-Student
NAME    COURSE     GRADE
Black   CSCE 313   A
Brown   CSCE 580   A
Green   CSCE 850   B+
Security Through Views
CREATE VIEW Fall-Student AS
SELECT NAME, COURSE
FROM Student
WHERE SEMESTER='Fall 2000'

Fall-Student
NAME    COURSE
White   CSCE 122
Black   CSCE 313
Green   CSCE 850
Blue    CSCE 122
Stored Procedures
Assign rights to execute compiled programs
GRANT RUN ON <program> TO <user>
Problem:
Programs may access resources for which the user who runs the program does not have permission.
Grant and Revoke
GRANT <privilege> ON <relation>
TO <user>
[WITH GRANT OPTION]

GRANT SELECT * ON Student TO Matthews
GRANT SELECT *, UPDATE(GRADE) ON Student TO FARKAS
GRANT SELECT(NAME) ON Student TO Brown

GRANT command applies to base relations as well as views
Grant and Revoke
REVOKE <privileges> [ON <relation>]
FROM <user>

REVOKE SELECT * ON Student FROM Blue
REVOKE UPDATE ON Student FROM Black
REVOKE SELECT(NAME) ON Student FROM Brown
CSCE 522 - Farkas 31, Lecture 17
Non-cascading Revoke
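[Figure: authorization graph over users A, B, C, D, E, F, shown before and after A revokes D’s privileges. After the revoke, A, B, C, E and F remain in the graph.]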
Cascading Revoke
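[Figure: authorization graph over users A, B, C, D, E, F, shown before and after A revokes D’s privileges. After the revoke, only A, B and C remain in the graph.]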
Positive and Negative Authorization
Problem: Contradictory authorizations
• GRANT <privilege> ON X TO <user>
• DENY <privilege> ON X TO <user>
[Figure: authorization graph over users A, B, C, D, E with edges labeled + and -.]
Negative Authorization
[Figure: authorization graph over users A, B, C, D, E with edges labeled + and -.]
Positive authorization granted by A to D becomes blocked but NOT deleted.
Negative Authorization
[Figure: authorization graph over users A, B, C, D, E, F with edges labeled + and -.]
What should happen with the privilege given by D to F? (Blocked but not deleted)
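The revoke and negative-authorization slides above, as an added example that is not part of the original lecture: a small grant graph showing cascading revoke, non-cascading revoke, and a denial that blocks grants without deleting them. The edges in `sample_graph` are constructed (the figures' edges did not survive), and re-attributing grants to the revoker in the non-cascading case is an assumption.

```python
from collections import deque

class AuthGraph:
    """One privilege on one object; edges and rules are illustrative."""

    def __init__(self, owner):
        self.owner = owner
        self.grants = set()   # positive authorizations as (grantor, grantee)
        self.denied = set()   # users holding a negative authorization

    def holders(self, honor_denials=True):
        """Users reachable from the owner over grant edges. A denied user is
        skipped, which also blocks whatever that user passed on."""
        seen, queue = {self.owner}, deque([self.owner])
        while queue:
            user = queue.popleft()
            for grantor, grantee in self.grants:
                blocked = honor_denials and grantee in self.denied
                if grantor == user and grantee not in seen and not blocked:
                    seen.add(grantee)
                    queue.append(grantee)
        return seen

    def revoke(self, grantor, grantee, cascade):
        self.grants.discard((grantor, grantee))
        live = self.holders(honor_denials=False)
        if cascade:
            # Drop every grant issued by a user who lost the privilege.
            self.grants = {e for e in self.grants if e[0] in live}
        elif grantee not in live:
            # Assumption: the revoker takes over grants the grantee issued.
            for edge in [e for e in self.grants if e[0] == grantee]:
                self.grants.remove(edge)
                self.grants.add((grantor, edge[1]))

def sample_graph():
    """Constructed graph: A owns the privilege; D passed it on to E and F."""
    g = AuthGraph("A")
    g.grants |= {("A", "B"), ("A", "C"), ("A", "D"), ("D", "E"), ("D", "F")}
    return g
```

Adding D to `denied` removes D and F from `holders()` while both grant edges stay stored, so lifting the denial restores them.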
Query Modification
GRANT SELECT(NAME) ON Student TO Blue WHERE COURSE='CSCE 590'

Blue’s query:
SELECT * FROM Student

Modified query:
SELECT NAME
FROM Student
WHERE COURSE='CSCE 580'
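Query modification as described above, as an added example that is not code from the lecture: the user's column list is cut down to the granted columns and the grant's row predicate is appended before the query runs. It uses the Student relation from the slides and the predicate from the slide's modified query; the `GRANTS` table, `modify_query` and `run_as` are hypothetical names, and SQLite stands in for the DBMS.

```python
import sqlite3

ROWS = [  # Student relation as shown on the slides
    ("White", "CSCE 122", "C+", "Fall 2000"),
    ("Black", "CSCE 313", "A", "Fall 2000"),
    ("Brown", "CSCE 580", "A", "Spring 2000"),
    ("Green", "CSCE 850", "B+", "Fall 2000"),
    ("Blue", "CSCE 122", "B", "Fall 2000"),
]
ALL_COLUMNS = ("NAME", "COURSE", "GRADE", "SEMESTER")

# Constructed grant table: user -> (granted columns, row predicate, parameters)
GRANTS = {"Blue": (("NAME",), "COURSE = ?", ("CSCE 580",))}

def modify_query(user, columns="*"):
    """Rewrite 'SELECT columns FROM Student' into what the user may run."""
    if user not in GRANTS:
        raise PermissionError(f"{user} has no SELECT privilege on Student")
    allowed, predicate, params = GRANTS[user]
    requested = ALL_COLUMNS if columns == "*" else tuple(columns)
    # Only known column names are ever placed into the SQL text.
    if not set(requested) <= set(ALL_COLUMNS):
        raise ValueError("unknown column requested")
    visible = [c for c in requested if c in allowed]
    if not visible:
        raise PermissionError(f"{user} may not read {', '.join(requested)}")
    sql = f"SELECT {', '.join(visible)} FROM Student WHERE {predicate}"
    return sql, params

def run_as(user, columns="*"):
    """Load the sample relation, then execute the modified query for the user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Student (NAME TEXT, COURSE TEXT, "
               "GRADE TEXT, SEMESTER TEXT)")
    db.executemany("INSERT INTO Student VALUES (?, ?, ?, ?)", ROWS)
    sql, params = modify_query(user, columns)
    return sql, db.execute(sql, params).fetchall()
```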
Next Class: Inference Problem