S1: Database Security
- Learning Goals:
- Understand Data Security Problems
- Database security features
- Outline
- Database Security Issues
- Discretionary Access Control (grant, revoke)
- Mandatory Access Control (Multilevel)
- Statistiscal Data Security
- Flow Control, Encryption
- Readings
- Textbook Chapter 23
- Supplementary Chapter 5.2
Copyright: S. Shekhar, C. S. Dept.,
University of Minnesota, Minneapolis, MN 55455. ,,.(home)
S2: 23.1 Database Security Issues
- Motivation
- Personal Privacy
- ...Q? Have you watched "The Net" movie?
- ...Q? Have you read the book "Database Nation"?
- ...Customer profile databases, health info. DB
- Corporate security
- ...trade secrets - Coke's formula
- ...client privacy - Swiss Banks, Financial Inst.
- ...competitive information (Watergate scandal)
- System resource security
- ...password databases, worms, viruses
- Risk Management
- Identify goals, policies
- Assess significant threats and risks
- Risk mitigation - choose mechanisms
Copyright: S. Shekhar, C. S. Dept.,
University of Minnesota, Minneapolis, MN 55455. ,,.(home)
S3: 23.1 Database Security Framework
- Goals and Services
- Confidentiality : Users only see the data they're supposed to.
- ...Scope of chapter 23
- Integrity: Guard against updates by malicious users
- ...Scope of chapter 23, Other chapters cover
- ...triggers, integrity constraints, ACID properties
- Availability: System is available to authorized users
- ...Covered in Database Recovery, Computer Networks,
- Threats
- Usurpations: Unauthorized control of the DBMS
- Disruptions: Interruption or prevention of correct operation
- Deceptions: Acceptance of false data
- Disclosures: Unauthorized access to data-items
- Policies
- Organizations identify who should access which data-items
- Principles: need to know principle, privacy, ...
- Major area of public discussions today!
- Example: http://www1.umn.edu/regents/policies/administrative/StudentRecords.pdf
Copyright: S. Shekhar, C. S. Dept.,
University of Minnesota, Minneapolis, MN 55455. ,,.(home)
S4: 23.1 Database Security Mechanisms
- Mechnisms
- Preventive - try to avoid breeches
- Detection - Identify breaches
- Recuperation - recover from a breech
- Q? Classify the following mechanisms ?
- Authentication
- ...e.g. login / password
- Access control
- ...Discretionary - grant, revoke
- ...Mandatory - levels
- ...encryption, public key, private key
- Intrusion detection
- ...look for suspicious activity in system log (audit)
- ...Prevent future attack
- Scan all data-items for virus, trojan horse, corruption
- Q? What is new in databases security?
- Statistical Inference Control
Copyright: S. Shekhar, C. S. Dept.,
University of Minnesota, Minneapolis, MN 55455. ,,.(home)
S5: User Account Level Access Control
- Database Administrator
- Create User account and password
- Grant or revoke previlege
- Assign security levels
- Discretionary Access Control
- Two Levels : User account, data (tables)
- SQL Syntax - grant, revoke (sec. 23.2.5, pp. 738-9)
- SQL GRANT
- Creator of relation is OWNER.
- Owner has all privileges and may GRANT privileges.
- ...GRANT < privileges > ON R TO < subject > [ WITH GRANT OPTION ]
- ... < privileges > : ALL, alter, select, insert,
- ... ... update, delete, select, references, index, execute
- ... < subject > : user, role, PUBLIC
grant delete, update(address) on employee to user2;
- ...GRANT OPTION:-
- ...user2 may grant equal or lesser privileges to other users.
- SQL REVOKE
- REVOKE < privileges > ON R FROM < subjects > [ CASCADE | RESTRICT ]
revoke delete on employee from user2;
- CASCADE: transitively revokes existing privileges
- ...may revoke previously granted previlege
Copyright: S. Shekhar, C. S. Dept.,
University of Minnesota, Minneapolis, MN 55455. ,,.(home)
S6: 23.2 Grant/Revoke Semantics
- Grant Graph
- Nodes = users union system
- Edges = grant(user1, user2, permission, resource, grant option)
- Grant statement = add an edge if allowed
- Revoke statement = remove one or more edges
- ...Cascade removes permissions propagated via grant option
- ...Remove edge-cycles unreachable from System
- Consider following sequence of grant and revoke statements:
GRANT select ON account TO Anja WITH GRANT OPTION --(implicit System)
GRANT select ON account TO Bill WITH GRANT OPTION --(G1 executed by Anja)
GRANT select ON account TO Cain WITH GRANT OPTION --(G2 executed by Anja)
GRANT select ON account TO Didi WITH GRANT OPTION --(G3 executed by Bill)
GRANT select ON account TO Didi WITH GRANT OPTION --(G4 executed by Cain)
GRANT select ON account TO Bill WITH GRANT OPTION --(G5 executed by Didi)
REVOKE select ON account FROM Bill --(R1 executed by Anja)
REVOKE select ON account FROM Cain --(R2 executed by Anja)
REVOKE select ON account FROM Bill CASCADE --(R3 executed by Anja)
REVOKE select ON account FROM Cain CASCADE --(R3 executed by Anja)
- Q? Does Bill have select access on account after R1?
- Q? Does Bill have select access on account after R2?
- Q? Does Didi have select access on account after R3?
- Q? Does Didi have select access on account after R4?
Copyright: S. Shekhar, C. S. Dept.,
University of Minnesota, Minneapolis, MN 55455. ,,.(home)
S7: 23.3 Mandatory Access Control (Multilevel)
- Not supported by SQL standard
- Specialized software vendors support it
- Used by Swiss banks, US Dept. of defense, etc.
- Five Components
- (i) Security Classes
- ...Ex. top secret, secret, confidential, unclassified
- (ii) subjects (users, accounts, programs)
- ...(iii) objects (table, rows, columns, operation)
- ...(iv) class(S) = security level of subject S
- ...(v) class(O) = security level of object O
- Bell LaPadula Security Model
- Simple security property:
- ...S can not read O unless class(S) > = class(O)
- star property:
- ...Prevent flow of info to less secure subjects
- ...S can not write O unless class(S) < = class(O)
- ...write types: lossy (delete, overwrite), lossless (append)
- ...Convert lossy write to lossless (poly-instantiation)
- Example : Fig. 23.2, pp. 742
- Q? Determine five components.
- Poly-instantiation converts lossy update:
update employee set jobPerformance = 'excellent'
where name = 'Smith
- ...TO lossless append
insert employee set jobPerformance = 'excellent'
where name = 'Smith
- ...since class(person) < = class(data-item)
- Question on Fig. 23.2
- Can someone with TS clearance update Smith's job-performance?
- What is the job-performance of Smith for
- ... a user with TS clearance
- ... a user with S clearance
- ... a user with C clearance
- ... a user with U clearance
- What is the primary key for the Employee table?
- What is the security clearance level for the Employee table?
- Can someone with TS clearance delete Smith's records?
Copyright: S. Shekhar, C. S. Dept.,
University of Minnesota, Minneapolis, MN 55455. ,,.(home)
S8: 23.4 Statistiscal Data Security
- Motivation - Census data, Health research
- Provide aggregate information (e.g. avg, sum, ...)
- But no individual information
- Problem
- Individual information can be derived from
- ...difference of two aggregates AVG and COUNT
- Ex. Q1, Q2 (pp. 746)
- ...Solution - do not answer query if group size is small, e.g. 5
- But one can get around that easily!
- Hard to ban large group query related to previous queries!!
- Exercise: Write 4 SQL queries to infer individual information.
- Exercise: What can be infered about (S1 - S2) if
- ...Ex. (S2 subset_of S1) and (median(S2) = M2 > M1 = median(S1) )
- Statistical Solution:
- Ensure each aggregate is large
- Add noise to individual data-items
- ...Zero mean, inpedendent identical distributions
- ...Aggregate properties not affect
- Solution to SQL problem
- Idea: C1 and C2 produce large groups with difference of 1
Q1a: select count(*) from T where C1
Q2a: select sum(salary) from T where C1
Q1b: select count(*) from T where C2
Q2b: select sum(salary) from T where C2
- Solution to Median problem
- median(S1 - S2) < median(S1) = M1
Copyright: S. Shekhar, C. S. Dept.,
University of Minnesota, Minneapolis, MN 55455. ,,.(home)
S9: 23.4 Statistiscal Data Security -
- This slide refers to concepts in Data Warehouse chapter
- May be replicated in that chapter
- Or the categorization of aggregate functions should be covered with SQL
- 3 kinds of statistical aggregate functions
- Distributive - can be computed incrementally with 1 register
- ...Sum, Count Regression
- Algebraic - can be computed incrementally with limited memory
- ...Average, Standard Deviation, Linear Regression coefficients
- Holistic - hard to compute incrementally!
- ...Median, Percentiles, Quartiles, ...
- What can be inferred?
- Incremental computability = > easy to infer individual information!
- ...Ex. individual salary inferred from sum and average over groups
- Hard to infer precise information from holistic functions
- ...But median itself is information about some individual in the group
- ...Can ne identify the median individual ?
- Ex. Given the following about groups G1 and G2
- m1 = median(G1) < median(G2) = m2
- G2 is a proper subset of G1
- Q? What can be inferred about median(G1 - G2) ?
- Q? What can be inferred about average(G1 - G2) ?
Copyright: S. Shekhar, C. S. Dept.,
University of Minnesota, Minneapolis, MN 55455. ,,.(home)
S10: 23.5 Covert Channels, Encryption
Copyright: S. Shekhar, C. S. Dept.,
University of Minnesota, Minneapolis, MN 55455. ,,.(home)
S11: 23.6 Encryption
Copyright: S. Shekhar, C. S. Dept.,
University of Minnesota, Minneapolis, MN 55455. ,,.(home)