csce824-lecture4

Csce824-lecture4 - Introduction Introduction Database Security Overview Readings Readings Aug 31 – Textbook Chapter 5.2 – Lecture materials

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: Introduction Introduction Database Security Overview Readings Readings Aug. 31: – Textbook: Chapter 5.2 – Lecture materials from CSCE 522, Nov. 3, Lecture 20 at http://www.cse.sc.edu/~farkas/csce522­2010/lect For next class: – Textbook: Chapter 10.1, 10.2 Farkas CSCE 824 ­ Spring 2011 2 Database Security Requirements Physical database integrity Logical database integrity Element integrity Auditability Access control User authentication Availability CSCE 522 ­ Farkas CSCE 522 ­ Farkas 3 Sensitive data Inherently sensitive From a sensitive source Declared sensitive Part of a sensitive attribute or record In relation to previously disclosed information CSCE 522 ­ Farkas CSCE 522 ­ Farkas 4 Types of disclosures Exact data Range of data Negative results Existence Probable values CSCE 522 ­ Farkas CSCE 522 ­ Farkas 5 Access control Operating system Database Management System Granularity! CSCE 522 ­ Farkas CSCE 522 ­ Farkas 6 Granularity Database Relation Advantages vs. disadvantages of supporting Record different granularity levels Attribute Element CSCE 522 ­ Farkas CSCE 522 ­ Farkas 7 Granularity Database Relation Advantages vs. disadvantages of supporting Record different granularity levels Attribute Element CSCE 522 ­ Farkas CSCE 522 ­ Farkas 8 Relation­Level Granularity Relation­Level Granularity λ(Works)= Secret Person­name Salary Smith Company­ name BB&C Dell Bell $97,900 Black BB&C $35,652 CSCE 522 ­ Farkas 9 $43,982 Tuple­level Granularity Tuple­level Granularity Works Person­name Salary λ Smith Company­ name BB&C Dell Bell $97,900 S Black BB&C $35,652 P CSCE 522 ­ Farkas 10 $43,982 P Attribute­Level Granularity Attribute­Level Granularity Works Person­ name λ=P Smith Company­ name λ=P BB&C Salary Dell Bell $97,900 Black BB&C $35,652 CSCE 522 ­ Farkas 11 λ=S $43,982 Cell­Level Granularity Cell­Level Granularity Works Person­name Salary Smith P Company­ name BB&C P Dell S Bell S $97,900 S Black P BB&C S $35,652 S CSCE 522 ­ Farkas 12 $43,982 S Access Control Mechanisms Security through Views Stored Procedures Grant and Revoke Query modification CSCE 522 ­ Farkas CSCE 522 ­ Farkas 13 Security Through Views Assign rights to access predefined views CREATE VIEW Outstanding-Student AS SELECT NAME, COURSE, GRADE FROM Student WHERE GRADE > B Problem: Difficult to maintain updates. CSCE 522 ­ Farkas CSCE 522 ­ Farkas 14 Security Through Views Student relation NAME COURSE GRADE SEMESTER White CSCE 122 C+ Fall 2000 Black CSCE 313 A Fall 2000 Brown CSCE 580 A Spring 2000 Green CSCE 850 B+ Fall 2000 Blue CSCE 122 B Fall 2000 CSCE 522 ­ Farkas CSCE 522 ­ Farkas 15 Security Through Views CREATE VIEW Outstanding-Student AS SELECT NAME, COURSE, GRADE FROM Student WHERE GRADE > B Outstanding-Student NAME COURSE GRADE Black CSCE 313 A Brown CSCE 580 A Green CSCE 850 B+ CSCE 522 ­ Farkas CSCE 522 ­ Farkas 16 Security Through Views CREATE VIEW Fall-Student AS SELECT NAME, COURSE FROM Student WHERE SEMESTER=“Fall 2000” NAME CSCE 122 CSCE 313 Green CSCE 850 Blue CSCE 522 ­ Farkas CSCE 522 ­ Farkas White Black Fall-Student COURSE CSCE 122 17 Stored Procedures Assign rights to execute compiled programs GRANT RUN ON <program> TO <user> Problem: Problem: Programs may access resources for which the Programs user who runs the program does not have permission. CSCE 522 ­ Farkas CSCE 522 ­ Farkas 18 Grant and Revoke GRANT <privilege> ON <relation> To <user> [WITH GRANT OPTION] ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ GRANT SELECT * ON Student TO Matthews GRANT SELECT *, UPDATE(GRADE) ON Student TO FARKAS GRANT SELECT(NAME) ON Student TO Brown GRANT command applies to base relations as well as views CSCE 522 ­ Farkas CSCE 522 ­ Farkas 19 Grant and Revoke REVOKE <privileges> [ON <relation>] FROM <user> ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ ­­ REVOKE SELECT* ON Student FROM Blue REVOKE UPDATE ON Student FROM Black REVOKE SELECT(NAME) ON Student FROM Brown CSCE 522 ­ Farkas CSCE 522 ­ Farkas 20 Query Modification GRANT SELECT(NAME) ON Student TO Blue WHERE COURSE=“CSCE 590” Blue’s query: SELECT * FROM Student Modified query: SELECT NAME FROM Student WHERE COURSE=“CSCE 580” CSCE 522 ­ Farkas CSCE 522 ­ Farkas 21 Indirect Information Flow Channels Covert channels Inference channels CSCE 522 ­ Farkas CSCE 522 ­ Farkas 22 Lecture 19 Communication Channels Overt Channel: designed into a designed system and documented in the user's manual manual Covert Channel: not documented. not Covert channels may be deliberately inserted into a system, but most such channels are accidents of the system design. CSCE 522 ­ Farkas CSCE 522 ­ Farkas 23 Lecture 19 Covert Channel Timing Channel: based on system times Storage channels: not time related Storage communication communication Can be turned into each other CSCE 522 ­ Farkas CSCE 522 ­ Farkas 24 Lecture 19 Inference Channels Non-sensitive information CSCE 522 ­ Farkas CSCE 522 ­ Farkas + Meta-data 25 = Sensitive Information Lecture 19 Inference Channels Statistical Database Inferences General Purpose Database Inferences CSCE 522 ­ Farkas CSCE 522 ­ Farkas 26 Lecture 19 Statistical Databases Goal: provide aggregate information about Goal: groups of individuals groups – E.g., average grade point of students Security risk: specific information about a Security particular individual particular – E.g., grade point of student John Smith Meta-data: – Working knowledge about the attributes – Supplementary knowledge (not stored in database) CSCE 522 ­ Farkas CSCE 522 ­ Farkas 27 Lecture 19 Types of Statistics Macro-statistics: collections of related statistics Macro-statistics: presented in 2-dimensional tables presented Sex\Year 1997 1998 Sum Female 4 1 5 Male 6 13 19 Sum 10 14 24 Micro-statistics: Individual data records used for Micro-statistics: statistics after identifying information is removed statistics Sex Course GPA Year F CSCE 590 3.5 2000 M CSCE 590 3.0 2000 F CSCE 790 4.0 2001 CSCE 522 ­ Farkas CSCE 522 ­ Farkas 28 Lecture 19 Statistical Compromise Exact compromise: find exact value of Exact an attribute of an individual (e.g., John Smith’s GPA is 3.8) Partial compromise: find an estimate of Partial an attribute value corresponding to an individual (e.g., John Smith’s GPA is between 3.5 and 4.0) between CSCE 522 ­ Farkas CSCE 522 ­ Farkas 29 Lecture 19 Methods of Attacks and Protection Small/Large Query Set Attack – C: characteristic formula that identifies groups of C: individuals individuals If C identifies a single individual I, e.g., count(C) = If identifies 1 – Find out existence of property If count(C and D)=1 means I has property D If count(C and D)=0 means I does not have D OR – Find value of property CSCE 522 ­ Farkas CSCE 522 ­ Farkas 30 Sum(C, D), gives value of D Lecture 19 Small/Large Query Set Attack Small/Large cont. cont. Protection from small/large query set Protection attack: query-set-size control attack: A query q(C) is permitted only if query N-n ≥ |C| ≥ n , where n ≥ 0 is a parameter of the database and N is all the records in the database records CSCE 522 ­ Farkas CSCE 522 ­ Farkas 31 Lecture 19 Tracker attack q(C) is disallowed C=C1 and C2 T=C1 and ~C2 Tracker C C2 C1 q(C)=q(C1) – q(T) CSCE 522 ­ Farkas CSCE 522 ­ Farkas 32 Lecture 19 Tracker attack q(C and D) is disallowed C=C1 and C2 T=C1 and ~C2 C Tracker C2 C1 C and D q(C and D)= q(T or C and D) – q(T) CSCE 522 ­ Farkas CSCE 522 ­ Farkas D 33 Lecture 19 Query overlap attack Q(John)=q(C1)-q(C2) C1 C2 Kathy John Max Paul Eve Fred CSCE 522 ­ Farkas CSCE 522 ­ Farkas Mitch 34 Protection: query-overlap control Lecture 19 Insertion/Deletion Attack Observing changes overtime Observing – q1=q(C) – insert(i) – q2=q(C) – q(i)=q2-q1 Protection: insertion/deletion performed Protection: as pairs as CSCE 522 ­ Farkas CSCE 522 ­ Farkas 35 Lecture 19 Statistical Inference Theory Give unlimited number of statistics and Give correct statistical answers, all statistical databases can be compromised (Ullman) databases CSCE 522 ­ Farkas CSCE 522 ­ Farkas 36 Lecture 19 Inferences in GeneralPurpose Databases Queries based on sensitive data Inference via database constraints Inferences via updates CSCE 522 ­ Farkas CSCE 522 ­ Farkas 37 Lecture 19 Queries based on sensitive data Sensitive information is used in selection Sensitive condition but not returned to the user. condition Example: Salary: secret, Name: public πNameσSalary=$25,000 Protection: apply query of database Protection: views at different security levels views CSCE 522 ­ Farkas CSCE 522 ­ Farkas 38 Lecture 19 Database Constraints Integrity constraints Database dependencies Key integrity CSCE 522 ­ Farkas CSCE 522 ­ Farkas 39 Lecture 19 Integrity Constraints C=A+B A=public, C=public, and B=secret A=public, B can be calculated from A and C, i.e., can secret information can be calculated from public data from CSCE 522 ­ Farkas CSCE 522 ­ Farkas 40 Lecture 19 Database Dependencies Metadata: Functional dependencies Multi-valued dependencies Join dependencies etc. CSCE 522 ­ Farkas CSCE 522 ­ Farkas 41 Lecture 19 Functional Dependency FD: A B, that is for any two tuples in the FD: relation, if they have the same value for A, they must have the same value for B. they Example: FD: Rank Salary Example: Secret information: Name and Salary together – – – Query1: Name and Rank Query2: Rank and Salary Combine answers for query1 and 2 to reveal Name Combine and Salary together and CSCE 522 ­ Farkas CSCE 522 ­ Farkas 42 Lecture 19 Key integrity Every tuple in the relation have a unique Every key key Users at different levels, see different Users versions of the database versions Users might attempt to update data that Users is not visible for them is CSCE 522 ­ Farkas CSCE 522 ­ Farkas 43 Lecture 19 Example Secret View Name (key) Salary Address Black P 38,000 P Columbia S Red S 42,000 S Irmo S Name (key) Salary Address Black P 38,000 P Null P Public View CSCE 522 ­ Farkas CSCE 522 ­ Farkas 44 Lecture 19 Updates Public User: Name (key) Salary Address Black P 38,000 P Null P 1. Update Black’s address to Orlando 2. Add new tuple: (Red, 22,000, Manassas) If Refuse update: covert channel Allow update: • Overwrite high data – may be incorrect • Create new tuple – which data it correct (polyinstantiation) – violate45key constraints CSCE 522 ­ Farkas CSCE 522 ­ Farkas Lecture 19 Updates Secret user: Name (key) Black P Salary Address 38,000 P Columbia S Red S 42,000 S Irmo S 1. Update Black’s salary to 45,000 If Refuse update: denial of service Allow update: • Overwrite low data – covert channel • Create new tuple – which data it correct (polyinstantiation) – violate key constraints CSCE 522 ­ Farkas CSCE 522 ­ Farkas 46 Lecture 19 Inference Problem No general technique is available to No solve the problem solve Need assurance of protection Hard to incorporate outside knowledge CSCE 522 ­ Farkas CSCE 522 ­ Farkas 47 Lecture 19 Next Class Next Class Farkas Transaction Processing CSCE 824 ­ Spring 2011 48 ...
View Full Document

This note was uploaded on 12/13/2011 for the course CSCE 824 taught by Professor Staff during the Fall '11 term at South Carolina.

Ask a homework question - tutors are online