Security in Databases



Srini & Nandita (CSE2500) DB Security

Outline

• review of databases
• reliability & integrity
• protection of sensitive data
• protection against inference
• multi-level security

CSE2500 System Security & Privacy


[Figure: users reach the database only through the DBMS; the DB administrator manages the DBMS and the database.]


Database concepts

• database: data + rules
• components of data: records, each composed of fields / elements
• logical structure: the schema
• attribute: the name of a column
• relation: a table, i.e. a set of records over a fixed set of attributes (columns)


A sample database

NAME     SEX  AID   FINES  DRUGS  DORM
Adams    M    5000  45.0   1      Holmes
Bailey   M    0     0.0    0      Grey
Chin     F    3000  20.0   0      West
Dewitt   M    1000  35.0   3      Grey
Earhart  F    2000  95.0   1      Holmes
Fein     F    1000  15.0   0      West


What a DB should deliver (advantages)

• shared access
• minimal redundancy
• data consistency
• data integrity
• controlled access


Security requirements

• physical DB integrity
• logical DB integrity
• element (field) integrity
• auditability
• access control
• user authentication
• availability
  – (i.e. integrity, confidentiality & availability)


Reliability & integrity

• three dimensions:
  – database integrity
  – element integrity
  – element accuracy
• various techniques:
  – 2-phase update
  – introducing redundancy
  – recovery
  – concurrency / consistency control
  – using monitors


2-phase update

• phase 1, Intent:
  – gather the information and resources the update needs; compute the new values in shadow copies
  – nothing in the database itself changes, so a failure here does no harm
  – the last act of phase 1 is writing a commit flag to the database
• phase 2, Commit:
  – begins once the commit flag is set
  – makes the permanent changes
  – every step is repeatable (idempotent): after a failure the DBMS finds the flag still set and simply redoes phase 2; it never redoes phase 1


2-Phase Update (Example)

• Suppose a DB query asks to add 1 to fields X and Y.
• Phase 1 (Intent):
  – compute the updated values in temporary "shadow" variables Xnew and Ynew:
    > Xnew := X + 1, Ynew := Y + 1
• Phase 2 (Commit):
  – set the "Commit" flag (i.e. DB changes have started; do not repeat the Intent phase!)
  – copy the shadow values into the DB:
    > X := Xnew, Y := Ynew
  – write "Update Complete", clear the Commit flag.
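The procedure above, as an added example that is not part of the original slides: a dict stands in for the database pages on disk, a simulated crash can be injected in either phase, and recover() is what the DBMS does at restart. The start values (X = 10, Y = 20), the crash points and the naive single-phase variant used for contrast are all constructed for the example.

```python
"""Two-phase update with a commit flag, plus recovery after a crash.
Added example (not code from the slides). A dict stands in for durable
storage; crashes are simulated by raising at a chosen step."""


class Crash(Exception):
    """Simulated failure (power loss) at a chosen point of the update."""


def two_phase_add_one(store, crash_at=None):
    """Add 1 to store['X'] and store['Y'] in two phases.

    Phase 1 (intent) only writes shadow values, so a crash here leaves
    X and Y untouched. Phase 2 (commit) copies the shadows into place;
    each step is idempotent, so the whole phase can be repeated after a crash.
    """
    # ---- Phase 1: intent ----
    if crash_at == "intent":
        raise Crash("crashed while computing shadow values")
    store["Xnew"] = store["X"] + 1
    store["Ynew"] = store["Y"] + 1
    store["COMMIT"] = True            # last act of phase 1: the commit flag
    # ---- Phase 2: commit ----
    store["X"] = store["Xnew"]
    if crash_at == "mid-commit":
        raise Crash("crashed between the X and Y writes")
    store["Y"] = store["Ynew"]
    store["COMMIT"] = False           # "update complete"


def naive_add_one(store, crash_at=None):
    """Single-phase update for contrast: a crash between the two writes
    leaves X incremented and Y not, with nothing telling recovery so."""
    store["X"] += 1
    if crash_at == "mid-commit":
        raise Crash("crashed between the X and Y writes")
    store["Y"] += 1


def recover(store):
    """Run at restart. A set commit flag means phase 2 did not finish:
    redo it from the shadow values. Phase 1 is never redone, since
    X + 1 applied twice would double the change."""
    if store.get("COMMIT"):
        store["X"] = store["Xnew"]    # repeating these writes is harmless
        store["Y"] = store["Ynew"]
        store["COMMIT"] = False
        return "redid commit phase"
    return "nothing to do"


def simulate(crash_at=None, naive=False):
    """Apply the +1 update with an optional crash, then recover.
    Returns (X, Y, what recovery did). Start values are constructed."""
    store = {"X": 10, "Y": 20, "COMMIT": False}
    try:
        (naive_add_one if naive else two_phase_add_one)(store, crash_at)
    except Crash:
        pass
    action = recover(store)
    return store["X"], store["Y"], action


if __name__ == "__main__":
    for case in (None, "intent", "mid-commit"):
        print("two-phase, crash at", case, "->", simulate(case))
    print("naive, crash mid-commit ->", simulate("mid-commit", naive=True))
```

The point to notice is the mid-commit case: the two-phase version ends with X = 11, Y = 21 after recovery, while the naive version is left with X = 11, Y = 20 and no record that anything went wrong.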


Redundancy/internal consistency

• using error detection / correction codes on
  – the entire database
  – records
  – fields / elements
• shadow fields: duplication of attributes / records


Recovery

• one way to achieve this is to keep a log file of all recent changes (since the last backup): after a failure, restore the backup and replay the log


Concurrency/Consistency

• In a multi-user / multi-process / multi-client environment, concurrency and consistency control is vitally important.
• Basic techniques
  – using "atomic operations"
    > Read-then-(if OK)-Write: a write to a field is conditioned on its current contents still being the value that was read (in case someone else modified it in the meantime); if they differ, the write does not happen and must be retried
  – using "locking" mechanisms
    > read queries to a record are blocked while someone else is performing a write to that record
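Both techniques as an added example (not code from the slides), using SQLite: a plain read-then-write from two clients loses one update, a conditional UPDATE ... WHERE amount = <value read> detects the conflict through its row count, and BEGIN IMMEDIATE shows a second writer being refused while the first holds the write lock. The table fines(name, amount) and its single row are constructed; the two "clients" are two connections whose statements are interleaved by hand.

```python
"""Lost update vs. read-then-(if OK)-write, and writer locking, in SQLite.
Added example (not code from the slides). One constructed table
fines(name, amount) lives in a temporary file so that two connections
can act as two clients; their statements are interleaved by hand."""
import os
import sqlite3
import tempfile


def setup_db():
    """Create a fresh database file with one constructed row."""
    path = os.path.join(tempfile.mkdtemp(), "fines.db")
    con = sqlite3.connect(path, isolation_level=None)   # autocommit
    con.execute("CREATE TABLE fines(name TEXT PRIMARY KEY, amount REAL)")
    con.execute("INSERT INTO fines VALUES ('Adams', 45.0)")
    con.close()
    return path


def connect(path):
    # timeout=0: fail at once when the database is locked instead of waiting
    return sqlite3.connect(path, timeout=0, isolation_level=None)


def read_amount(con, name="Adams"):
    return con.execute("SELECT amount FROM fines WHERE name=?", (name,)).fetchone()[0]


def lost_update():
    """Two clients each add 10 with a plain read-then-write.
    B's write is based on a stale read and overwrites A's: one +10 is lost."""
    path = setup_db()
    a, b = connect(path), connect(path)
    seen_by_a = read_amount(a)
    seen_by_b = read_amount(b)
    a.execute("UPDATE fines SET amount=? WHERE name='Adams'", (seen_by_a + 10,))
    b.execute("UPDATE fines SET amount=? WHERE name='Adams'", (seen_by_b + 10,))
    final = read_amount(a)
    a.close()
    b.close()
    return final                          # 55.0, not 65.0


def conditional_add(con, delta, name="Adams", retries=3):
    """Read-then-(if OK)-write: the UPDATE applies only if the row still
    holds the value just read. rowcount 0 means another client changed it
    first; re-read and try again. Returns the attempt that succeeded,
    or None if it gave up."""
    for attempt in range(1, retries + 1):
        old = read_amount(con, name)
        cur = con.execute(
            "UPDATE fines SET amount=? WHERE name=? AND amount=?",
            (old + delta, name, old))
        if cur.rowcount == 1:
            return attempt
    return None


def no_lost_update():
    """Same interleaving as lost_update(), but B's write is conditional."""
    path = setup_db()
    a, b = connect(path), connect(path)
    seen_by_b = read_amount(b)            # B reads 45 ...
    conditional_add(a, 10)                # ... A gets its +10 in first
    cur = b.execute("UPDATE fines SET amount=? WHERE name='Adams' AND amount=?",
                    (seen_by_b + 10, seen_by_b))
    stale_write_applied = cur.rowcount == 1   # False: the row now holds 55
    attempts = conditional_add(b, 10)         # fresh read, succeeds
    final = read_amount(a)
    a.close()
    b.close()
    return final, stale_write_applied, attempts   # (65.0, False, 1)


def writer_lock():
    """Locking: while A holds the write lock, B's attempt to start its own
    write transaction fails immediately (database is locked) instead of
    interleaving with A's uncommitted change."""
    path = setup_db()
    a, b = connect(path), connect(path)
    a.execute("BEGIN IMMEDIATE")           # take the write lock now
    a.execute("UPDATE fines SET amount=amount+10 WHERE name='Adams'")
    try:
        b.execute("BEGIN IMMEDIATE")
        b_blocked = False
    except sqlite3.OperationalError:       # "database is locked"
        b_blocked = True
    a.execute("COMMIT")                    # lock released
    b.execute("BEGIN IMMEDIATE")           # now B gets the lock
    b.execute("UPDATE fines SET amount=amount+10 WHERE name='Adams'")
    b.execute("COMMIT")
    final = read_amount(a)
    a.close()
    b.close()
    return b_blocked, final                # (True, 65.0)
```

The conditional form is what the slide calls an atomic read-then-write: the comparison and the write happen inside one statement, so no other client can slip in between them.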


Monitors

• checking the structural consistency of data entered or modified
  – range comparison: field-specific (the value must lie within the field's allowed range)
  – state constraints: describe the condition of the entire DB
    > (properties the DB contents must satisfy at all times)
  – transition constraints: describe the conditions necessary before a change can be made
    > (properties the DB contents must satisfy for a change to the DB to be valid)
• collectively called integrity constraints
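The three kinds of constraint as monitors inside the DBMS, as an added example (not code from the slides): SQLite CHECK constraints for the range comparisons, and triggers for the state and transition constraints, on the lecture's sample table. The specific rules are hypothetical choices for the example: an aid budget of 15000 over the whole table (a state constraint) and "fines must be paid before a record may be deleted" (a transition constraint); the student "Gomez" used in the demo is made up.

```python
"""Integrity constraints as DB monitors in SQLite.
Added example (not code from the slides). Table and rows follow the
lecture's sample database; the budget and the delete rule are hypothetical."""
import sqlite3

AID_BUDGET = 15000   # hypothetical cap on total aid: a state constraint

SCHEMA = f"""
CREATE TABLE students (
    NAME  TEXT PRIMARY KEY,
    -- range comparisons: field-specific checks on each value
    SEX   TEXT    NOT NULL CHECK (SEX IN ('M', 'F')),
    AID   INTEGER NOT NULL CHECK (AID >= 0),
    FINES REAL    NOT NULL CHECK (FINES >= 0),
    DRUGS INTEGER NOT NULL CHECK (DRUGS >= 0),
    DORM  TEXT    NOT NULL
);
-- state constraint: the whole table must satisfy SUM(AID) <= budget at all times
CREATE TRIGGER aid_budget_insert BEFORE INSERT ON students
BEGIN
    SELECT RAISE(ABORT, 'state: aid budget exceeded')
    WHERE (SELECT COALESCE(SUM(AID), 0) FROM students) + NEW.AID > {AID_BUDGET};
END;
CREATE TRIGGER aid_budget_update BEFORE UPDATE OF AID ON students
BEGIN
    SELECT RAISE(ABORT, 'state: aid budget exceeded')
    WHERE (SELECT COALESCE(SUM(AID), 0) FROM students) - OLD.AID + NEW.AID > {AID_BUDGET};
END;
-- transition constraint: a record may only be deleted once its fines are paid
CREATE TRIGGER paid_before_delete BEFORE DELETE ON students
BEGIN
    SELECT RAISE(ABORT, 'transition: fines outstanding, delete refused')
    WHERE OLD.FINES > 0;
END;
"""

SAMPLE = [  # the lecture's sample database, constructed inline
    ("Adams",   "M", 5000, 45.0, 1, "Holmes"),
    ("Bailey",  "M",    0,  0.0, 0, "Grey"),
    ("Chin",    "F", 3000, 20.0, 0, "West"),
    ("Dewitt",  "M", 1000, 35.0, 3, "Grey"),
    ("Earhart", "F", 2000, 95.0, 1, "Holmes"),
    ("Fein",    "F", 1000, 15.0, 0, "West"),
]


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO students VALUES (?, ?, ?, ?, ?, ?)", SAMPLE)
    con.commit()
    return con


def attempt(con, sql, params=()):
    """Apply one change. Returns None if the monitors accepted it,
    otherwise the monitor's message (and the change is rolled back)."""
    try:
        con.execute(sql, params)
        con.commit()
        return None
    except sqlite3.IntegrityError as exc:
        con.rollback()
        return str(exc)


def total_aid(con):
    return con.execute("SELECT SUM(AID) FROM students").fetchone()[0]


def demo():
    """Run a series of changes against the monitors (sample total aid is 12000)."""
    con = build_db()
    results = {
        "negative_fine": attempt(con, "UPDATE students SET FINES = -1 WHERE NAME = 'Chin'"),
        "bad_sex":       attempt(con, "INSERT INTO students VALUES ('Gomez','X',0,0,0,'Grey')"),
        "over_budget":   attempt(con, "INSERT INTO students VALUES ('Gomez','M',4000,0,0,'Grey')"),
        "within_budget": attempt(con, "INSERT INTO students VALUES ('Gomez','M',3000,0,0,'Grey')"),
        "delete_unpaid": attempt(con, "DELETE FROM students WHERE NAME = 'Earhart'"),
        "delete_paid":   attempt(con, "DELETE FROM students WHERE NAME = 'Bailey'"),
    }
    results["total_aid"] = total_aid(con)
    return results
```

Because the checks live in the database rather than in each application, every path that modifies the table (including an administrator's ad-hoc SQL) goes through the same monitor.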


On sensitive data

• factors that make data sensitive
  – inherently sensitive
  – from a sensitive source
  – declared sensitive
  – of a sensitive attribute or a sensitive record
  – sensitive in relation to previously disclosed information
• sensitivity of data in a DB may vary!



Access decisions on sensitive data

• factors to be considered when permitting "user x to access data y"
  – availability of data
    > a record is blocked from reading while it is being modified
  – acceptability of access
    > no disclosure (even partial) of sensitive values to unauthorized users
  – assurance of authenticity of the user
    > limit access based on other considerations (time of access, previous accesses, ...)


Types of disclosure of sensitive data

• exact data: field = x
• bounds: x < field < y
• negative result: field ≠ x
• existence: the fact that a field (attribute) or record exists in the DB at all
• probable value: reducing the number of possible values for a field, or improving knowledge of their relative likelihoods


Inference Problem

• definition: infer or derive sensitive data from non-sensitive or (seemingly) unrelated data
• "inference" is a subtle vulnerability in database security



Direct attack

• list NAME where SEX = M & DRUGS = 1
  – returns a single record (Adams), so the query obviously targets one person
• list NAME where (SEX = M & DRUGS = 1) | (SEX ≠ M & SEX ≠ F) | (DORM = East)
  – the two extra clauses are false for every record (there is no third SEX value and no dorm called East), so the result is the same single record, but the query no longer looks like it targets one person; a control that inspects the form of the query rather than the size of its result cannot tell the two apart


Indirect attack (statistical inference)

• Sum: sum of financial aid (AID) by dorm & sex

        Holmes  Grey  West  Total
M       5000    1000  0     6000
F       2000    0     4000  6000
Total   7000    1000  4000  12000


Indirect attack (cont.)

• Count: count of students by dorm & sex

        Holmes  Grey  West  Total
M       1       2     0     3
F       1       0     2     3
Total   2       2     2     6

  – can be used in combination with "sum": a cell with count 1 (Holmes/M, Holmes/F) makes the corresponding sum an individual's value


Indirect attack (cont.)

• Median
  – [Figure: records plotted by attribute 1 (from its lowest to its highest value) against attribute 2 (from its lowest to its highest value); the record sitting at the median of attribute 1 and at the median of attribute 2 is singled out by the pair of medians.]


Revealing Earhart's DRUGS value

• Earhart alone holds the median AID among the female students (AID values 1000, 2000, 3000; median 2000), so once that value is known the following query selects her record only, and the median of a one-record set is the value itself, i.e. her DRUGS value (1):

  p = median (DRUGS where AID = 2000)
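The direct attack, the sum/count tables and the median query above, run as an added example (not code from the slides) against the lecture's sample table in SQLite. The example also adds the control the slides imply, a result-size rule that refuses any query covering fewer than k or more than N-k records, with k = 2 as an assumed parameter, and shows the standard "general tracker" construction (SEX = M as the tracker, not something the slides give) that defeats it: every query in the tracker set passes the size rule, yet their combination yields the Holmes/F cell, which is Earhart's AID.

```python
"""Direct and statistical-inference attacks on the lecture's sample
database. Added example, not code from the slides. The table is the
slide's; k for the query-size rule and the tracker predicate are assumed."""
import sqlite3
from statistics import median

SAMPLE = [  # the lecture's sample database, constructed inline
    ("Adams",   "M", 5000, 45.0, 1, "Holmes"),
    ("Bailey",  "M",    0,  0.0, 0, "Grey"),
    ("Chin",    "F", 3000, 20.0, 0, "West"),
    ("Dewitt",  "M", 1000, 35.0, 3, "Grey"),
    ("Earhart", "F", 2000, 95.0, 1, "Holmes"),
    ("Fein",    "F", 1000, 15.0, 0, "West"),
]
N = len(SAMPLE)
K = 2   # assumed: refuse to answer over fewer than K (or more than N-K) records

# The WHERE clauses below are fixed strings inside this example; a real
# statistical interface must never splice caller-supplied text into SQL.


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE students(NAME TEXT, SEX TEXT, AID INTEGER, "
                "FINES REAL, DRUGS INTEGER, DORM TEXT)")
    con.executemany("INSERT INTO students VALUES (?, ?, ?, ?, ?, ?)", SAMPLE)
    return con


def names(con, where):
    return [r[0] for r in con.execute(f"SELECT NAME FROM students WHERE {where}")]


def direct_attack(con):
    """Both queries return the single record Adams: the added disjuncts are
    false for every row (no third SEX value, no dorm called East), so the
    padded query targets one person just as much as the plain one."""
    plain = names(con, "SEX = 'M' AND DRUGS = 1")
    padded = names(con, "(SEX = 'M' AND DRUGS = 1) OR (SEX <> 'M' AND SEX <> 'F') "
                        "OR DORM = 'East'")
    return plain, padded


def guarded_sum(con, col, where):
    """Query-size control: SUM(col) only over K..N-K records, else None."""
    cnt, total = con.execute(
        f"SELECT COUNT(*), SUM({col}) FROM students WHERE {where}").fetchone()
    return None if cnt < K or cnt > N - K else total


def guarded_count(con, where):
    cnt = con.execute(f"SELECT COUNT(*) FROM students WHERE {where}").fetchone()[0]
    return None if cnt < K or cnt > N - K else cnt


def tracker_attack(con, target, tracker="SEX = 'M'", col="AID"):
    """General tracker T: every query below passes the size rule, yet
    q(target) = q(target OR T) + q(target OR NOT T) - (q(T) + q(NOT T))."""
    parts = [guarded_sum(con, col, f"({target}) OR ({tracker})"),
             guarded_sum(con, col, f"({target}) OR NOT ({tracker})"),
             guarded_sum(con, col, tracker),
             guarded_sum(con, col, f"NOT ({tracker})")]
    if None in parts:
        return None          # one of the queries was refused; tracker unusable
    return parts[0] + parts[1] - (parts[2] + parts[3])


def median_attack(con):
    """Female AID values are 1000, 2000, 3000; the median 2000 is held by
    Earhart alone, so the median of DRUGS over AID = 2000 is her value."""
    aid_f = [r[0] for r in con.execute("SELECT AID FROM students WHERE SEX = 'F'")]
    q = median(aid_f)
    drugs = [r[0] for r in con.execute("SELECT DRUGS FROM students WHERE AID = ?", (q,))]
    return q, median(drugs)


def demo():
    con = build_db()
    holmes_f = "SEX = 'F' AND DORM = 'Holmes'"   # the count-1 cell of the count table
    return {
        "direct": direct_attack(con),                  # (['Adams'], ['Adams'])
        "cell_refused": guarded_count(con, holmes_f),   # None: only 1 record
        "tracker_ok": guarded_count(con, "SEX = 'M'"),  # 3: passes the size rule
        "earhart_aid": tracker_attack(con, holmes_f),  # 2000
        "median": median_attack(con),                   # (2000, 1)
    }
```

The size rule stops the naive queries (cell_refused is None) but not the tracker: each of its four queries covers three or four of the six records, and the arithmetic is done entirely on the attacker's side.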


Indirect attack (cont.)

• Linear system attack: solve a set of equations whose unknowns are individual values and whose right-hand sides are the answers to (allowed) aggregate queries, e.g.

  q1 = c1 + c2 + c3
  q2 = c2 + c3
  q3 = c1 + c3

  – from these, c1 = q1 - q2, then c3 = q3 - c1 and c2 = q2 - c3
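The linear system attack as an added example (not code from the slides): the three queries are encoded as 0/1 rows over the unknowns, the "statistical interface" answers only with sums, and an exact Gaussian elimination recovers the individual values. The hidden values (5000, 1000, 3000) and the second, four-unknown query set are constructed; the second set is there to show the attacker's check for a query set whose answers do not determine the individuals.

```python
"""Linear-system attack: recover individual values from the answers to
aggregate queries by solving the equations they define.
Added example, not code from the slides. The hidden values and the
second query set are constructed; the first query set is the slide's."""
from fractions import Fraction


def solve(coeffs, rhs):
    """Exact Gaussian elimination. coeffs[i][j] = 1 if query i includes
    record j, else 0; rhs[i] is the answer to query i. Returns the list
    of recovered values, or None if the answers do not determine them
    (the system is singular)."""
    n = len(rhs)
    if any(len(row) != n for row in coeffs):
        raise ValueError("need as many queries as unknowns")
    m = [[Fraction(x) for x in row] + [Fraction(b)] for row, b in zip(coeffs, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] != 0), None)
        if pivot is None:
            return None                    # no pivot: this unknown is not determined
        m[col], m[pivot] = m[pivot], m[col]
        m[col] = [x / m[col][col] for x in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [a - f * b for a, b in zip(m[r], m[col])]
    return [row[n] for row in m]


# The slide's three queries, as 0/1 rows over (c1, c2, c3):
SLIDE_QUERIES = [
    [1, 1, 1],   # q1 = c1 + c2 + c3
    [0, 1, 1],   # q2 = c2 + c3
    [1, 0, 1],   # q3 = c1 + c3
]

# Four queries over four records, each covering at least two of them, but
# the third is the sum of the first two: rank 3, so nothing is pinned down.
DEPENDENT_QUERIES = [
    [1, 1, 0, 0],
    [0, 0, 1, 1],
    [1, 1, 1, 1],
    [1, 0, 1, 0],
]


def answer(hidden, queries):
    """The statistical interface: returns only sums over the records each
    query covers, never a single value."""
    return [sum(c for c, inc in zip(hidden, q) if inc) for q in queries]


def linear_system_attack(hidden, queries):
    """Ask the allowed aggregate queries, then solve for the individuals."""
    return solve(queries, answer(hidden, queries))


if __name__ == "__main__":
    hidden = (5000, 1000, 3000)           # constructed secret values
    print(answer(hidden, SLIDE_QUERIES))                      # [9000, 4000, 8000]
    print(linear_system_attack(hidden, SLIDE_QUERIES))       # [5000, 1000, 3000]
    print(linear_system_attack((5000, 1000, 3000, 2000), DEPENDENT_QUERIES))  # None
```

A result-size rule does not help here: every one of the slide's queries covers at least two records. What matters is whether the set of answered queries, taken together, has full rank over the records of interest.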


Controls for statistical inference

• 2 types of control
  – applied to queries: very hard!
  – applied to data items: relatively easy
    > suppression: sensitive data are not provided
    > concealing: precise data are not provided (e.g. rounded or perturbed values)
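Both data-item controls as an added example (not code from the slides) on the dorm-by-sex AID tables of the earlier slides: cells built from fewer than k records are suppressed, and a rounded value stands in for a precise one. The example also shows why suppression on its own is not enough (the "sensitive in relation to previously disclosed information" case): an attacker recovers each suppressed cell from the row and column totals, until those totals are suppressed as well. The threshold k = 2 and the rounding base 1000 are assumed parameters.

```python
"""Controls applied to data items: suppression and concealing, on the
dorm-by-sex tables from the slides. Added example, not code from the
slides; K and the rounding base are assumed parameters."""
from collections import defaultdict

SAMPLE = [  # the lecture's sample database, constructed inline
    ("Adams",   "M", 5000, 45.0, 1, "Holmes"),
    ("Bailey",  "M",    0,  0.0, 0, "Grey"),
    ("Chin",    "F", 3000, 20.0, 0, "West"),
    ("Dewitt",  "M", 1000, 35.0, 3, "Grey"),
    ("Earhart", "F", 2000, 95.0, 1, "Holmes"),
    ("Fein",    "F", 1000, 15.0, 0, "West"),
]
SEXES = ("M", "F")
DORMS = ("Holmes", "Grey", "West")
K = 2   # assumed: a cell built from fewer than K records is sensitive


def cells(rows):
    """Count and AID sum for every (sex, dorm) cell."""
    cnt, tot = defaultdict(int), defaultdict(int)
    for name, sex, aid, fines, drugs, dorm in rows:
        cnt[(sex, dorm)] += 1
        tot[(sex, dorm)] += aid
    return cnt, tot


def marginals(rows):
    """Row (per sex) and column (per dorm) totals of AID."""
    _, tot = cells(rows)
    m = {("row", s): sum(tot[(s, d)] for d in DORMS) for s in SEXES}
    m.update({("col", d): sum(tot[(s, d)] for s in SEXES) for d in DORMS})
    return m


def suppress(rows):
    """Suppression: a cell built from 1..K-1 records is withheld (None).
    Empty cells (count 0) describe nobody and are published as 0."""
    cnt, tot = cells(rows)
    return {(s, d): None if 0 < cnt[(s, d)] < K else tot[(s, d)]
            for s in SEXES for d in DORMS}


def line_cells(table, key):
    kind, label = key
    return [c for c in table if (c[0] if kind == "row" else c[1]) == label]


def recover_from_marginals(published, margs):
    """The attacker's side: any row or column with exactly one withheld
    cell gives it away as total minus the published cells. Repeat until
    nothing more can be filled in."""
    table = dict(published)
    changed = True
    while changed:
        changed = False
        for key, total in margs.items():
            line = line_cells(table, key)
            missing = [c for c in line if table[c] is None]
            if len(missing) == 1:
                known = sum(table[c] for c in line if table[c] is not None)
                table[missing[0]] = total - known
                changed = True
    return table


def safe_marginals(published, margs):
    """Complementary suppression: withhold every total whose row or column
    contains a suppressed cell, so the subtraction above has nothing to use."""
    return {key: total for key, total in margs.items()
            if all(published[c] is not None for c in line_cells(published, key))}


def conceal_round(value, base=1000):
    """Concealing: publish a rounded value instead of the precise one
    (the reader still learns a bound of +/- base/2 around the true value)."""
    return base * round(value / base)


def demo():
    published = suppress(SAMPLE)
    naive = recover_from_marginals(published, marginals(SAMPLE))
    guarded = recover_from_marginals(published, safe_marginals(published, marginals(SAMPLE)))
    return {
        "published": published,
        "leaked": {c: naive[c] for c in published if published[c] is None},
        "still_hidden": [c for c in published if guarded[c] is None],
    }
```

With the plain totals published, the two suppressed Holmes cells come straight back as 6000 - 1000 - 0 = 5000 (Adams) and 6000 - 0 - 4000 = 2000 (Earhart); withholding the totals of every line that contains a suppressed cell closes that route, at the price of publishing less.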


Summary of inference

• no perfect solution to the inference problem
• 3 common approaches
  – suppress obviously sensitive data: fairly easy
  – track what the user knows: costly
  – disguise data: may result in incorrect or wrong responses to legitimate queries


Multi-level security

• The 2-level security model (sensitive or non-sensitive) is inadequate in many practical applications:
  – the security of a data element may differ from that of other elements in the same row or column
  – in practice many grades of security may be needed
  – the security of an aggregate may differ from that of its individual elements


Realising Multi-level Security

• Partitioning: each sub-database corresponds to a security level
• Encryption: each record (or field) can be encrypted with a different key
• Integrity lock
• Trusted front end
• Commutative filter
• Window / view