database-security-design

database-security-design - Database Security and Privacy...

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: Database Security and Privacy Database Security - Farkas 1 Security Objectives Prevent/detect/deter improper Disclosure of information Prevent/detect/deter Improper modification of information Secrecy Integrity Availability Prevent/detect/deter improper Denial of access to services Database Security - Farkas 2 Policy Organizational policy Information systems policy Database Security - Farkas 3 Databases Databases Collection of interrelated data and set of programs to access the data Convenient and efficient processing of data Database Application Software Database Security - Farkas 4 Database Security Database Security Protect Sensitive Data from Unauthorized disclosure Unauthorized modification Denial of service attacks Security Controls Security Policy Access control models Integrity protection Privacy problems Fault tolerance and recovery Auditing and intrusion detection Database Security - Farkas 5 Protection of Data Confidentiality Access control – which data users can Access access Information flow control – what users can Information do with the accessed data Data Mining Database Security - Farkas 6 Access Control Ensures that all direct accesses to object are authorized Protects against accidental and malicious threats by regulating the read, write and execution of data and programs Database Security - Farkas 7 Access Control Requires: - Proper user identification Proper user - Information specifying the access rights is Information protected form modification form Database Security - Farkas 8 Access Control Access control components: - Access control policy: specifies the Access authorized accesses of a system - Access control mechanism: implements Access and enforces the policy Database Security - Farkas 9 HOW TO SPECIFY ACCESS HOW TO SPECIFY ACCESS CONTROL? Database Security - Farkas 10 Access Control Subject: active entity that requests access to an object - e.g., user or program e.g., Object: passive entity accessed by a subject Object: passive - e.g., record, relation, file Access right (privileges): how a subject is Access allowed to access an object allowed - e.g., subject s can read object o e.g., Database Security - Farkas 11 Protection Object Database Relation Record Attribute Element Advantages vs. disadvantages of supporting different granularity levels Database Security - Farkas 12 Relation­Level Granularity Confidential relation Person­name Salary Smith Company­ name BB&C Dell Bell $97,900 Black BB&C $35,652 Database Security - Farkas $43,982 13 Tuple­level Granularity Works Person­name Salary Smith Company­ name BB&C Dell Bell $97,900 Conf. Black BB&C $35,652 Public Database Security - Farkas $43,982 Public 14 Attribute­Level Granularity Works Person­ name Company­name Salary Publ. Publ. Conf. $43,982 Smith BB&C Dell Bell $97,900 Black BB&C $35,652 Database Security - Farkas 15 Cell­Level Granularity Works Person­name Salary Smith P Company­ name BB&C P Dell C Bell C $97,900 C Black P BB&C C $35,652 C Database Security - Farkas $43,982 C 16 Access Control Policies Discretionary Access Control (DAC) Mandatory Access Control (MAC) Role-Based Access Control (RBAC) Database Security - Farkas 17 Discretionary Access Control (DAC) For each subject access right to the objects are defined (subject, object, +/- access mode) (Black, Employee-relation, read) User based Grant and Revoke Problems: - Propagation of access rights - Revocation of propagated access rights Database Security - Farkas 18 DAC by Grant and Revoke GRANT SELECT ON Employee TO Black WITH GRANT OPTION ? Black GRANT SELECT ON Employee TO Red Red Brown revokes grant given to Black ? Brown (owner) GRANT UPDATE(Salary) ON Employee TO White Brown does not want Red to access the Employee relation White Database Security - Farkas 19 ImplementationFile 2 File 1 Access Control List (column) Joe:Read (ACL) Joe:Write Joe:Own Capability List (row) Joe:Read Sam:Read Sam:Write Sam:Own Joe: File 1/Read, File 1/Write, File 1/Own, File 2/Read Sam: File 2/Read, File 2/Write, File 2/Own Access Control Triples Subject Joe Joe Joe Joe Sam Sam Sam Database Security - Farkas Access Read Write Own Read Read Write Own Object File 1 File 1 File 1 File 2 File 2 File 2 File 2 20 Access Control Mechanisms Security through Views Stored Procedures Grant and Revoke Query modification Database Security - Farkas 21 Security Through Views Assign rights to access predefined views CREATE VIEW Outstanding-Student AS SELECT NAME, COURSE, GRADE FROM Student WHERE GRADE > B Problem: Difficult to maintain updates. Database Security - Farkas 22 Stored Procedures Assign rights to execute compiled programs GRANT RUN ON <program> TO <user> Problem: Problem: Programs may access resources for which the user Programs who runs the program does not have permission. Database Security - Farkas 23 Grant and Revoke GRANT <privilege> ON <relation> To <user> [WITH GRANT OPTION] ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ GRANT SELECT * ON Student TO Matthews GRANT SELECT *, UPDATE(GRADE) ON Student TO FARKAS GRANT SELECT(NAME) ON Student TO Brown GRANT command applies to base relations as well as views Database Security - Farkas 24 Grant and Revoke REVOKE <privileges> [ON <relation>] FROM <user> ­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ REVOKE SELECT* ON Student FROM Blue REVOKE UPDATE ON Student FROM Black REVOKE SELECT(NAME) ON Student FROM Brown Database Security - Farkas 25 Non-cascading Revoke B E A D C F A revokes D’s privileges E B A F C Database Security - Farkas 26 Cascading Revoke B E A D C F A revokes D’s privileges B A C Database Security - Farkas 27 Positive and Negative Authorization B - E + + A C D Problem: Contradictory authorizations • GRANT <privilege> ON X TO <user> • DENY <privilege> ON X TO <user> Database Security - Farkas 28 Negative Authorization B + - - + A E D + F C What should happen with the privilege given by D To F? Database Security - Farkas 29 Query Modification GRANT SELECT(NAME) ON Student TO Blue WHERE COURSE=“CSCE 590” Blue’s query: SELECT * FROM Student Modified query: SELECT NAME FROM Student WHERE COURSE=“CSCE 590” Database Security - Farkas 30 DAC Overview Advantages: Intuitive Easy to implement Disadvantages: Inherent vulnerability (look TH example) Maintenance of ACL or Capability lists Maintenance of Grant/Revoke Limited power of negative authorization Database Security - Farkas 31 Mandatory Access Control (MAC) Security label - Top-Secret, Secret, Public Objects: security classification - File 1 is Secret, File 2 is Public Subjects: security clearances - Brown is cleared to Secret, Black is cleared to Public Dominance (≥ ) - Top-Secret ≥ Secret ≥ Public Database Security - Farkas 32 MAC Access rights: defined by comparing the security classification of the requested objects with the security clearance of the subject If access control rules are satisfied, access is permitted Otherwise access is rejected Granularity of access rights! Database Security - Farkas 33 MAC – Bell-LaPadula (BLP) Model Single security property: a subject S is allowed a subject read access to an object O only if label(S) dominates label(O) dominates Star-property: a subject S is allowed a write access to an object O only if label(O) dominates label(S) No direct flow of information from high security objects to low security objects! Database Security - Farkas 34 Multilevel Security Multilevel Security Multilevel security users at different security level, see different versions of the database Problem: different versions need to be kept consistent and coherent without downward signaling channel (covert channel) Database Security - Farkas 35 Multilevel Relation Multilevel Relation Schema R(A1,C1,…,An,Cn,Tc) R: relation name Ai: attribute name Ci: security classes Tc: Tuple security classes Instantiation of relation: sets of tuples of the form <a1,c1,…,an,cn,tc> ai: attribute value ci: attribute classification label tc: tuple classification label Database Security - Farkas 36 Multilevel Relation Example SSN λ(SSN) Course λ(Course) Grade λ(Grade) 111-22-3333 S CSCE 786 S A TS 444-55-6666 S CSCE 567 S C TS Top­secret user sees all data Secret user sees Secret­View: SSN λ(SSN) Course λ(Course) Grade λ(Grade) 111-22-3333 S CSCE 786 S null S 444-55-6666 S CSCE 567 S null S CSCE 790 - Farkas Database Security - Farkas 37 37 Polyinstantiation Secret user sees Secret­View: SSN λ(SSN) Course λ(Course) Grade λ(Grade) 111-22-3333 S CSCE 786 S null S 444-55-6666 S CSCE 567 S null S •SSN is primary key •Secret user wants to update Grade for 111­22­3333 from null (i.e., missing value) to F •Allow update: inconsistent database, at TS level two different tuples exist with the same primary key (see next slide) •Not allow update: downward signaling channel, update is because of the existence of a TS value Database Security - Farkas 38 Polyinstantiation Top­Secret View: SSN λ(SSN) Course λ(Course) Grade λ(Grade) 111-22-3333 S CSCE 786 S A TS 111-22-3333 S CSCE 786 S F S 444-55-6666 S CSCE 567 S C TS Database Security - Farkas 39 ...
View Full Document

Ask a homework question - tutors are online