CSCI 5707: Database Security CSCI 5707: Database Security Pusheng Zhang University of Minnesota Email: [email protected] March 2, 2004
Jan 11, 2016
CSCI 5707: Database SecurityCSCI 5707: Database Security
Pusheng Zhang
University of Minnesota
Email: [email protected]
March 2, 2004
21.2CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
MotivationMotivation Personal Privacy
Q? Have you watched “LOR: The Return of The King”?
Q? Do you like the movie?
Customer profile DB, health information DB, credit rating DB
Corporate Security Trade Secrets – Coke’s Formula
Client Privacy – Swiss Banks, Financial Inst.
System Resource Security Password DB, Worm, Virus, and Hackers
Cyber Security Eavesdropping (unauthorized reading of messages)
Masquerading (pretending to be an authorized user or sending messages supposed from authorized users)
21.3CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
Database SecurityDatabase Security
This figure is courtesy of Peter J. Braam, CMU
21.4CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
21.5CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
Database SecurityDatabase Security Goal:
Users only see the data they’re supposed to. (S and A)
Guard against modifications by malicious users (I)
What security mechanisms do software systems provide? User Account Level Access Control
Discretionary: grant/revoke
Mandatory: security levels
Audit Trails: logs
Statistical Database Security: Inference Control
Data Object Level Access Control: encryption
21.6CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
Database AdministratorDatabase Administrator Database Administrator (DBA)
Central authority for managing a database system
Responsibilities include: Create user account and password
Grant privileges
Revoke privileges
Assign security levels
21.7CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
21.8CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
GRANT CommandGRANT Command GRANT Command
In SQL: GRANT privileges ON objects TO users [WITH GRANT OPTION]
Privileges: SELECT: can read all columns
INSERT (col-name):
– Can insert tuples with non-null or non-default values in this column.
– INSERT means same right with respect to all columns
DELECT: can delete tuples
UPDATE (col-name): can update this column
REFERENCE (col-name): can define foreign keys (in other tables) that refer to this column.
WITH GRANT OPTION can pass privilege on to other users
21.9CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
Example of GRANTExample of GRANT Joe created tables Sailors, Boats, Reserves
Q: Joe runs the following Q1: GRANT SELECT ON Reserves TO Mike
Mike can execute SELECT queries on Reserves
Q2: GRANT SELECT ON Sailors TO Mike WITH GRANT OPTION
Mike can execute SELECT queries on Sailors
Mike can pass this privilege to others for Sailors NOT for Reserves
Q3: GRANT UPDATE (rating) ON Sailors TO Bill
Bill can update the rating column in the Sailors.
21.10CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
REVOKE CommandREVOKE Command REVOKE Command
In SQL: REVOKE [GRANT OPTION FOR] privileges ON objects FROM user {RESTRICT | CASCADE}
Privileges are the same with GRANT
GRANT OPTION FOR: revoke just the grant option on a privilege For example: Joe is the creator of the Sailors. Joe runs the following
GRANT SELECT ON Sailors TO Art WITH GRANT OPTION
REVOKE GRANT OPTION FOR SELECT ON Sailors FROM Art CASCADE
Art still holds SELECT privilege on Sailors
However, Art no longer can’t pass it on to other users
21.11CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
REVOKE Command (cont)REVOKE Command (cont) CASCADE and RESTRICT
CASCADE: recursively revokes existing privileges
RESTRICT: revoking is rejected if resulting in other privileges becoming abandoned For example: Joe is the creator of the Sailors
GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (by Joe)
GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (by Art)
REVOKE SELECT ON Sailors FROM Art CASCADE (by Joe)
Art and Bob lost SELECT privilege on Sailors
What happens if we use RESTRICT instead of CASCADE in the example above?
21.12CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
ExamplesExamples Example 1:
GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (by Joe)
GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (by Art)
GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (by Joe)
REVOKE SELECT ON Sailors FROM Art CASCADE (by Joe)
Art lost the SELECT on Sailors
What about Bob?
Example 2: GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (by Joe)
GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (by Joe)
REVOKE SELECT ON Sailors FROM Art CASCADE (by Joe)
Does Art lose the SELECT on Sailors or not?
21.13CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
Authorization GraphAuthorization Graph Authorization Graph
Nodes: Users
Arcs: Indications of how privileges are passes
Joe
Art Bob
(Joe, Art, Select on Sailors, Yes)
(Art, Bob, Select on Sailors, Yes)
21.14CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
21.15CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
Example of ViewExample of View For example: Joe runs
CREAT VIEW ActiveSailors (name, age, day)
AS SELECT S.sname, S.sage, R.day
FROM Sailor S, Reserves R
WHERE S.sid = R.sid AND S.rating > 6
Joe can grant SELECT on the view ActiveSailors to Art GRANT SELECT ON ActiveSailors TO Art WITH GRANT OPTION
Art only has the access to the ActiveSailors, not the base tables
Art can run:
– SELECT name FROM ActiveSailors WHERE age < 30
21.16CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
RoleRole Roles are named groups of related privileges
Can be assigned to users and even to other roles Reduced privilege administration Dynamic privilege management
Privileges can be granted to or revoked from roles, just like user
SQL:1999 standard supports roles CREATE ROLE Role-name DROP ROLE Role-name GRANT privileges ON objects TO Role-name
21.17CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
Example of RoleExample of Role Example
CREATE ROLE manager
GRANT SELECT, INSERT ON Sailors TO manager
GRANT UPDATE (sid) ON Sailors TO manager
GRANT SELECT, UPDATE, INSERT ON Reserves TO manager
GRANT manager TO Joe
21.18CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
Mandatory Access ControlMandatory Access Control Main drawback of discretionary access control (DAC):
Vulnerable to malicious attacks, e.g., Trojan horses whereby a devious unauthorized user can trick an authorized user into disclosing sensitive data.
DAC doesn’t impose any control on how info is propagated.
Supported by most commercial DBMSs.
Mandatory access control (MAC): Multilevel security:
Top secret, secret, confidential, and unclassified
Needed for government, military, and intelligence applications
21.19CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
21.20CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
21.21CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
21.22CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
21.23CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
21.24CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
PolyinstantiationPolyinstantiation Solution to the dilemma
Add one tuple with security class C: 101 Salsa Red S
101 Pasta Blue C
102 Pinto Brown C
Polyinstantiation: The presence of data objects that appear to have different
values to users with different clearances. E.g., the boat with bid 101
21.25CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
Comparison Between DAC and MACComparison Between DAC and MAC
Discretionary access control (DAC): Flexible
Supported by most commercial DBMSs
Applicable to a large variety of domains
Vulnerable to Trojan Horses
Mandatory access control (DAC): Very Rigid
Not supported in most Commercial DBMSs
Only applicable in military, intelligence, and government
Prevent flow from higher to lower security level