Slides

S1: Database Security

Learning Goals:
- Understand Data Security Problems
- Database security features
Outline
- Database Security Issues
- Discretionary Access Control (grant, revoke)
- Mandatory Access Control (Multilevel)
- Statistiscal Data Security
- Flow Control, Encryption
Readings
- Textbook Chapter 23
- Supplementary Chapter 5.2

S2: 23.1 Database Security Issues

Motivation
- Personal Privacy
- ...Q? Have you watched "The Net" movie?
- ...Q? Have you read the book "Database Nation"?
- ...Customer profile databases, health info. DB
- Corporate security
- ...trade secrets - Coke's formula
- ...client privacy - Swiss Banks, Financial Inst.
- ...competitive information (Watergate scandal)
- System resource security
- ...password databases, worms, viruses
Risk Management
- Identify goals, policies
- Assess significant threats and risks
- Risk mitigation - choose mechanisms

S3: 23.1 Database Security Framework

Goals and Services
- Confidentiality : Users only see the data they're supposed to.
- ...Scope of chapter 23
- Integrity: Guard against updates by malicious users
- ...Scope of chapter 23, Other chapters cover
- ...triggers, integrity constraints, ACID properties
- Availability: System is available to authorized users
- ...Covered in Database Recovery, Computer Networks,
Threats
- Usurpations: Unauthorized control of the DBMS
- Disruptions: Interruption or prevention of correct operation
- Deceptions: Acceptance of false data
- Disclosures: Unauthorized access to data-items
Policies
- Organizations identify who should access which data-items
- Principles: need to know principle, privacy, ...
- Major area of public discussions today!
- Example: http://www1.umn.edu/regents/policies/administrative/StudentRecords.pdf

S4: 23.1 Database Security Mechanisms

Mechnisms
- Preventive - try to avoid breeches
- Detection - Identify breaches
- Recuperation - recover from a breech
Q? Classify the following mechanisms ?
- Authentication
- ...e.g. login / password
- Access control
- ...Discretionary - grant, revoke
- ...Mandatory - levels
- ...encryption, public key, private key
- Intrusion detection
- ...look for suspicious activity in system log (audit)
- ...Prevent future attack
- Scan all data-items for virus, trojan horse, corruption
Q? What is new in databases security?
- Statistical Inference Control

S5: User Account Level Access Control

Database Administrator
- Create User account and password
- Grant or revoke previlege
- Assign security levels
Discretionary Access Control
- Two Levels : User account, data (tables)
- SQL Syntax - grant, revoke (sec. 23.2.5, pp. 738-9)
SQL GRANT
- Creator of relation is OWNER.
- Owner has all privileges and may GRANT privileges.
- ...GRANT < privileges > ON R TO < subject > [ WITH GRANT OPTION ]
- ... < privileges > : ALL, alter, select, insert,
- ... ... update, delete, select, references, index, execute
- ... < subject > : user, role, PUBLIC
  grant delete, update(address) on employee to user2;
- ...GRANT OPTION:-
- ...user2 may grant equal or lesser privileges to other users.
SQL REVOKE
- REVOKE < privileges > ON R FROM < subjects > [ CASCADE | RESTRICT ]
  revoke delete on employee from user2;
- CASCADE: transitively revokes existing privileges
- ...may revoke previously granted previlege

S6: 23.2 Grant/Revoke Semantics

Grant Graph
- Nodes = users union system
- Edges = grant(user1, user2, permission, resource, grant option)
- Grant statement = add an edge if allowed
- Revoke statement = remove one or more edges
- ...Cascade removes permissions propagated via grant option
- ...Remove edge-cycles unreachable from System
Consider following sequence of grant and revoke statements:
GRANT select ON account TO Anja WITH GRANT OPTION --(implicit System)
GRANT select ON account TO Bill WITH GRANT OPTION --(G1 executed by Anja)
GRANT select ON account TO Cain WITH GRANT OPTION --(G2 executed by Anja)
GRANT select ON account TO Didi WITH GRANT OPTION --(G3 executed by Bill)
GRANT select ON account TO Didi WITH GRANT OPTION --(G4 executed by Cain)
GRANT select ON account TO Bill WITH GRANT OPTION --(G5 executed by Didi)
REVOKE select ON account FROM Bill --(R1 executed by Anja)
REVOKE select ON account FROM Cain --(R2 executed by Anja)
REVOKE select ON account FROM Bill CASCADE --(R3 executed by Anja)
REVOKE select ON account FROM Cain CASCADE --(R3 executed by Anja)
Q? Does Bill have select access on account after R1?
Q? Does Bill have select access on account after R2?
Q? Does Didi have select access on account after R3?
Q? Does Didi have select access on account after R4?

S7: 23.3 Mandatory Access Control (Multilevel)

Not supported by SQL standard
- Specialized software vendors support it
- Used by Swiss banks, US Dept. of defense, etc.
Five Components
- (i) Security Classes
- ...Ex. top secret, secret, confidential, unclassified
- (ii) subjects (users, accounts, programs)
- ...(iii) objects (table, rows, columns, operation)
- ...(iv) class(S) = security level of subject S
- ...(v) class(O) = security level of object O
Bell LaPadula Security Model
- Simple security property:
- ...S can not read O unless class(S) > = class(O)
- star property:
- ...Prevent flow of info to less secure subjects
- ...S can not write O unless class(S) < = class(O)
- ...write types: lossy (delete, overwrite), lossless (append)
- ...Convert lossy write to lossless (poly-instantiation)
Example : Fig. 23.2, pp. 742
- Q? Determine five components.
- Poly-instantiation converts lossy update:
  update employee set jobPerformance = 'excellent'
  where name = 'Smith
- ...TO lossless append
  insert employee set jobPerformance = 'excellent'
  where name = 'Smith
- ...since class(person) < = class(data-item)
Question on Fig. 23.2
Can someone with TS clearance update Smith's job-performance?
What is the job-performance of Smith for
... a user with TS clearance
... a user with S clearance
... a user with C clearance
... a user with U clearance
What is the primary key for the Employee table?
What is the security clearance level for the Employee table?
Can someone with TS clearance delete Smith's records?

S8: 23.4 Statistiscal Data Security

Motivation - Census data, Health research
- Provide aggregate information (e.g. avg, sum, ...)
- But no individual information
Problem
- Individual information can be derived from
- ...difference of two aggregates AVG and COUNT
- Ex. Q1, Q2 (pp. 746)
- ...Solution - do not answer query if group size is small, e.g. 5
But one can get around that easily!
- Hard to ban large group query related to previous queries!!
- Exercise: Write 4 SQL queries to infer individual information.
- Exercise: What can be infered about (S1 - S2) if
- ...Ex. (S2 subset_of S1) and (median(S2) = M2 > M1 = median(S1) )
Statistical Solution:
- Ensure each aggregate is large
- Add noise to individual data-items
- ...Zero mean, inpedendent identical distributions
- ...Aggregate properties not affect
Solution to SQL problem
- Idea: C1 and C2 produce large groups with difference of 1
  Q1a: select count(*) from T where C1
  Q2a: select sum(salary) from T where C1
  Q1b: select count(*) from T where C2
  Q2b: select sum(salary) from T where C2
Solution to Median problem
median(S1 - S2) < median(S1) = M1

S9: 23.4 Statistiscal Data Security -

This slide refers to concepts in Data Warehouse chapter
- May be replicated in that chapter
- Or the categorization of aggregate functions should be covered with SQL
3 kinds of statistical aggregate functions
- Distributive - can be computed incrementally with 1 register
- ...Sum, Count Regression
- Algebraic - can be computed incrementally with limited memory
- ...Average, Standard Deviation, Linear Regression coefficients
- Holistic - hard to compute incrementally!
- ...Median, Percentiles, Quartiles, ...
What can be inferred?
- Incremental computability = > easy to infer individual information!
- ...Ex. individual salary inferred from sum and average over groups
- Hard to infer precise information from holistic functions
- ...But median itself is information about some individual in the group
- ...Can ne identify the median individual ?
Ex. Given the following about groups G1 and G2
- m1 = median(G1) < median(G2) = m2
- G2 is a proper subset of G1
- Q? What can be inferred about median(G1 - G2) ?
- Q? What can be inferred about average(G1 - G2) ?

S10: 23.5 Covert Channels, Encryption

S11: 23.6 Encryption