Database Security

Database Security. CSCE 522 - Farkas 2 Reading assignments Required: Pfleeger: Chapter 6 (except 6.3) Multilevel Secure Relational Data Model (S. Jajodia,



CSCE 522 - Farkas 2

Reading assignments

Required:
• Pfleeger: Chapter 6 (except 6.3)
• Multilevel Secure Relational Data Model (S. Jajodia, R. S. Sandhu. Toward a Multilevel Secure Relational Data Model. Proc. 1991 ACM Int'l. Conf. on Management of Data (SIGMOD), 50-59. http://www.list.gmu.edu/articles/infosec_collection/20.pdf)

Recommended:
• Polyinstantiation (Sushil Jajodia, Ravi S. Sandhu, and Barbara T. Blaustein, Solutions to the Polyinstantiation Problem, http://www.acsac.org/secshelf/book001/21.pdf)
• MLS/RDMS Architectures (LouAnna Notargiacomo, Architectures for MLS Database Management Systems, http://www.acsac.org/secshelf/book001/19.pdf)


Database Management System (DBMS)

• Collection of interrelated data and set of programs to access the data
• Convenient and efficient processing of data
• Database Application Software


Data Models

A collection of tools for describing:
• Data
• Relationships among data items
• Semantics of stored data
• Database constraints


Relational Data Model

Person-name   Company-name   Salary
Smith         BB&C           $43,982
Dell          Bell           $97,900
Black         BB&C           $35,652

Works


Relational Data Model

• Set of relation names: R
• Set of attribute names: A
• Relation schema: S = (r, {a1, …, an})
  r: relation name in R
  {a1, …, an}: subset of A
  e.g., (Works, {person-name, company-name, salary})


Tuple (Record)

Tuple over a relation scheme S is a mapping

t: {a1, …, an} → dom(a1 … an)

e.g.,
t(person-name) = Smith
t(company-name) = BB&C
t(salary) = $43,982


Relation

Relation over schema S is a set of tuples over the scheme

e.g.,
t(person-name)=Smith, t(company-name)=BB&C, t(salary)=$43,982
t’(person-name)=Dell, t’(company-name)=Bell, t’(salary)=$97,900
t”(person-name)=Black, t”(company-name)=BB&C, t”(salary)=$35,652


Database

Database: set of relations

e.g., EMPLOYEE database:
• Lives(person-name, street, city)
• Works(person-name, company-name, salary)
• Located-in(company-name, city)
• Manages(person-name, manager-name)


Query Languages

• Relational Algebra
  Set operations
• SQL
  Bag operations


Relational Algebra

• Select (σ)
• Project (π)
• Set difference (-)
• Union (∪)
• Rename (ρx(r))
• Set intersection (∩)
• Natural join (⋈)


Structured Query Language (SQL)

Typical SQL query form:

SELECT A1, A2, ..., An
FROM r1, r2, ..., rm
WHERE C

• Ai's represent attributes to be returned
• ri's represent relations
• C is a condition


Constraints

• Relationship among data elements
• DBMS should enforce the constraints
• Types
  - Keys
  - Foreign-key (referential integrity)
  - Value-based constraints
  - Integrity constraints
  - Database dependencies (e.g., functional dependencies)


Database Security Requirements

• Physical database integrity
• Logical database integrity
• Element integrity
• Auditability
• Access control
• User authentication
• Availability


Sensitive data

• Inherently sensitive
• From a sensitive source
• Declared sensitive
• Part of a sensitive attribute or record
• In relation to previously disclosed information


Types of disclosures

• Exact data
• Range of data
• Negative results
• Existence
• Probable values


Access control

• Operating system
• Database Management System
• Granularity!


Granularity

• Database
• Relation
• Record
• Attribute
• Element

Advantages vs. disadvantages of supporting different granularity levels


Relation-Level Granularity

Person-name   Company-name   Salary
Smith         BB&C           $43,982
Dell          Bell           $97,900
Black         BB&C           $35,652

(Works) = Secret


Tuple-level Granularity

Person-name   Company-name   Salary
Smith         BB&C           $43,982   P
Dell          Bell           $97,900   S
Black         BB&C           $35,652   P

Works


Attribute-Level Granularity

Person-name = P   Company-name = P   Salary = S
Smith             BB&C               $43,982
Dell              Bell               $97,900
Black             BB&C               $35,652

Works


Cell-Level Granularity

Person-name   Company-name   Salary
Smith P       BB&C P         $43,982 S
Dell S        Bell S         $97,900 S
Black P       BB&C S         $35,652 S

Works


Access Control Mechanisms

• Security through Views
• Stored Procedures
• Grant and Revoke
• Query modification


Security Through Views

Assign rights to access predefined views

CREATE VIEW Outstanding-Student AS
SELECT NAME, COURSE, GRADE
FROM Student
WHERE GRADE > B

Problem:

Difficult to maintain updates.


Security Through Views

NAME    COURSE     GRADE   SEMESTER
White   CSCE 122   C+      Fall 2000
Black   CSCE 313   A       Fall 2000
Brown   CSCE 580   A       Spring 2000
Green   CSCE 850   B+      Fall 2000
Blue    CSCE 122   B       Fall 2000

Student relation


Security Through Views

CREATE VIEW Outstanding-Student AS
SELECT NAME, COURSE, GRADE
FROM Student
WHERE GRADE > B

NAME    COURSE     GRADE
Black   CSCE 313   A
Brown   CSCE 580   A
Green   CSCE 850   B+

Outstanding-Student


Security Through Views

CREATE VIEW Fall-Student AS
SELECT NAME, COURSE
FROM Student
WHERE SEMESTER='Fall 2000'

NAME    COURSE
White   CSCE 122
Black   CSCE 313
Green   CSCE 850
Blue    CSCE 122

Fall-Student


Stored Procedures

• Assign rights to execute compiled programs
• GRANT RUN ON <program> TO <user>

Problem:

Programs may access resources for which the user who runs the program does not have permission.


Grant and Revoke

GRANT <privilege> ON <relation>
TO <user>
[WITH GRANT OPTION]

• GRANT SELECT * ON Student TO Matthews
• GRANT SELECT *, UPDATE(GRADE) ON Student TO FARKAS
• GRANT SELECT(NAME) ON Student TO Brown

GRANT command applies to base relations as well as views


Grant and Revoke

REVOKE <privileges> [ON <relation>]
FROM <user>

• REVOKE SELECT * ON Student FROM Blue
• REVOKE UPDATE ON Student FROM Black
• REVOKE SELECT(NAME) ON Student FROM Brown


CSCE 522 - Farkas 31 Lecture 17

Non-cascading Revoke

[Figure: authorization graph with nodes A, B, C, D, E, F. A revokes D’s privileges; afterwards the graph retains A, B, C, E, F.]


Cascading Revoke

[Figure: authorization graph with nodes A, B, C, D, E, F. A revokes D’s privileges; afterwards only A, B, C remain.]
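The two revoke policies from the Non-cascading Revoke and Cascading Revoke slides, as an added example that is not part of the original lecture. The grant list and timestamps are constructed (the figures' edges did not survive), the cascading rule follows the timestamp-based approach of System R, and re-attributing the revokee's grants to the revoker is an assumed semantics for the non-cascading case.

```python
OWNER = "A"  # assumption: A owns the relation and is the root of every grant chain

# Constructed grant list (grantor, grantee, time); not taken from the slides.
GRANTS = [("A", "B", 10), ("A", "C", 20), ("A", "D", 30),
          ("D", "E", 40), ("D", "F", 50)]


def holders(grants):
    """Users who currently hold the privilege."""
    return {OWNER} | {grantee for _, grantee, _ in grants}


def supported(grant, grants):
    """A grant stands only if its grantor already held the privilege when making it."""
    grantor, _, when = grant
    return grantor == OWNER or any(g[1] == grantor and g[2] < when for g in grants)


def revoke_cascade(grants, revoker, revokee):
    """Delete the revoked grant, then repeatedly drop grants left without support."""
    live = [g for g in grants if (g[0], g[1]) != (revoker, revokee)]
    while True:
        kept = [g for g in live if supported(g, live)]
        if len(kept) == len(live):
            return kept
        live = kept


def revoke_noncascade(grants, revoker, revokee):
    """Delete the revoked grant; grants the revokee made that lose their
    support are re-attributed to the revoker instead of being dropped."""
    live = [g for g in grants if (g[0], g[1]) != (revoker, revokee)]
    return [(revoker, g[1], g[2]) if g[0] == revokee and not supported(g, live) else g
            for g in live]
```

With a second, later grant to D (for example from B at time 45), a cascading revoke by A removes only what D granted before time 45, which is why the timestamps matter.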


Positive and Negative Authorization

Problem: Contradictory authorizations
• GRANT <privilege> ON X TO <user>
• DENY <privilege> ON X TO <user>

[Figure: authorization graph over users A, B, C, D, E with edges labeled + and -.]


Negative Authorization

[Figure: authorization graph over users A, B, C, D, E with edges labeled + and -.]

Positive authorization granted by A to D becomes blocked but NOT deleted.


Negative Authorization

[Figure: authorization graph over users A, B, C, D, E, F with edges labeled + and -.]

What should happen with the privilege given by D to F? (Blocked but not deleted)
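The "blocked but not deleted" behaviour from the Negative Authorization slides, as an added example that is not part of the original lecture. The authorization list is constructed, and the policy that a denial overrides any positive authorization for the same user is an assumption; the names `active_users`, `blocked` and `lift_denial` are hypothetical.

```python
OWNER = "A"  # assumption: A owns the object and is always active

# Constructed authorization list (grantor, grantee, sign); not taken from the figure.
AUTHS = [
    ("A", "B", "+"),
    ("A", "D", "+"),
    ("B", "E", "+"),
    ("D", "F", "+"),
    ("B", "D", "-"),  # denial that conflicts with A's grant to D
]


def active_users(auths):
    """Users who can exercise the privilege; a denial overrides any grant."""
    denied = {grantee for _, grantee, sign in auths if sign == "-"}
    active = {OWNER}
    changed = True
    while changed:  # propagate along positive edges whose grantor is active
        changed = False
        for grantor, grantee, sign in auths:
            if sign == "+" and grantor in active and grantee not in denied | active:
                active.add(grantee)
                changed = True
    return active


def blocked(auths):
    """Positive authorizations that are still stored but currently have no effect."""
    active = active_users(auths)
    return [a for a in auths if a[2] == "+" and not {a[0], a[1]} <= active]


def lift_denial(auths, grantor, grantee):
    """Remove one negative authorization; every other entry is left untouched."""
    return [a for a in auths if a != (grantor, grantee, "-")]
```

Because the blocked entries stay in the list, lifting the denial reactivates both A's grant to D and D's grant to F without anyone re-issuing them.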


Query Modification

GRANT SELECT(NAME) ON Student TO Blue WHERE COURSE='CSCE 590'

Blue’s query:
SELECT *
FROM Student

Modified query:
SELECT NAME
FROM Student
WHERE COURSE='CSCE 580'
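The rewrite on this slide, as an added example that is not part of the original lecture: a small reference monitor (hypothetical `modify_query` and `GRANTS` table) intersects the requested attributes with the granted ones and appends the grant's row condition, run against a constructed SQLite copy of the Student relation. It uses CSCE 580, the value in the modified query, and goes one step beyond the slide by rejecting a user condition on an attribute the user may not read.

```python
import sqlite3

# Constructed copy of the Student relation shown on the slides.
COLUMNS = ("NAME", "COURSE", "GRADE", "SEMESTER")
ROWS = [
    ("White", "CSCE 122", "C+", "Fall 2000"),
    ("Black", "CSCE 313", "A", "Fall 2000"),
    ("Brown", "CSCE 580", "A", "Spring 2000"),
    ("Green", "CSCE 850", "B+", "Fall 2000"),
    ("Blue", "CSCE 122", "B", "Fall 2000"),
]

# Hypothetical authorization table: user -> (readable columns, row predicate).
# Models GRANT SELECT(NAME) ON Student TO Blue WHERE COURSE='CSCE 580'.
GRANTS = {"Blue": (("NAME",), ("COURSE", "CSCE 580"))}


def modify_query(user, requested=("*",), where=None):
    """Rewrite SELECT <requested> FROM Student [WHERE col = val] for `user`."""
    if user not in GRANTS:
        raise PermissionError(f"{user} holds no SELECT privilege on Student")
    allowed, (pcol, pval) = GRANTS[user]
    wanted = COLUMNS if requested == ("*",) else requested
    cols = [c for c in wanted if c in allowed]  # projection: requested ∩ granted
    if not cols:
        raise PermissionError("no requested attribute is authorized")
    # Identifiers come only from the trusted grant table; values are bound.
    sql = f"SELECT {', '.join(cols)} FROM Student WHERE {pcol} = ?"
    params = [pval]
    if where is not None:  # the user's own condition is ANDed on
        ucol, uval = where
        if ucol not in allowed:  # filtering on a hidden attribute would leak it
            raise PermissionError(f"condition on unauthorized attribute {ucol}")
        sql += f" AND {ucol} = ?"
        params.append(uval)
    return sql, params


def run_as(user, requested=("*",), where=None):
    """Apply query modification, then execute the modified query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Student (NAME, COURSE, GRADE, SEMESTER)")
    db.executemany("INSERT INTO Student VALUES (?, ?, ?, ?)", ROWS)
    sql, params = modify_query(user, requested, where)
    return sql, db.execute(sql, params).fetchall()
```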


Next Class: Inference Problem