Lecture3 - The University of Texas at Dallas
Data and Applications Security
Developments and Directions
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #3
Access Control in Data Management Systems
August 27, 2010
Outline
Discretionary Access Control in Relational Databases
Mandatory Access Control in Relational Databases
- Security Constraints
Types of Access Control
- Inference problem, Role-based, Temporal, Usage
Access Control in Other Databases
- Objects, Federated
Current Trends in Access Control
- Data Warehousing, Semantic Web, Privacy Control
Next Steps in Access Control
Access Control in Relational Databases:
1975 - Present
Access Control policies were developed initially for file systems
- E.g., Read/write policies for files
Access control in databases started with the work in System R and
Ingres Projects
- Access Control rules were defined for databases, relations,
tuples, attributes and elements
- SQL and QUEL languages were extended
GRANT and REVOKE Statements
Read access on EMP to User group A Where
EMP.Salary < 30K and EMP.Dept <> Security
- Query Modification:
Modify the query according to the access control rules
Retrieve all employee information where salary < 30K and
Dept is not Security
Query Modification Algorithm
Inputs: Query, Access Control Rules
Output: Modified Query
Algorithm:
- Given a query Q, examine all the access control rules relevant to
the query
- Introduce a Where Clause to the query that negates access to
the relevant attributes in the access control rules
Example: rules are John does not have access to Salary in
EMP and Budget in DEPT
Query is to join the EMP and DEPT relations on Dept #
Modify the query to Join EMP and DEPT on Dept # and
project on all attributes except Salary and Budget
- Output is the resulting query
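The query modification algorithm above, worked through in code as an added example (not code from the lecture or from System R/Ingres). The EMP/DEPT schema, the Rule class and the SQL text it produces are assumptions; the rules are the two cases on the slides: John is denied Salary in EMP and Budget in DEPT, and group A may read EMP only where Salary < 30K and Dept is not Security.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Sequence

# Constructed schema for the lecture's EMP and DEPT relations (assumption).
SCHEMA: Dict[str, List[str]] = {
    "EMP": ["Name", "Dept", "Salary"],
    "DEPT": ["Dept", "Manager", "Budget"],
}

@dataclass(frozen=True)
class Rule:
    """Access control rule for one user (or group) on one relation."""
    user: str
    relation: str
    denied_attrs: FrozenSet[str] = frozenset()   # attributes the user may not read
    row_filter: Optional[str] = None             # SQL predicate rows must satisfy

def modify_query(user: str, relations: Sequence[str], join: Optional[str],
                 where: Optional[str], rules: Sequence[Rule],
                 schema: Dict[str, List[str]] = SCHEMA) -> str:
    """Rewrite a projection/join query so it can only return authorized data."""
    predicates = [join] if join else []
    if where:
        predicates.append(f"({where})")          # the user's own predicate
    select = []
    for rel in relations:
        denied = set()
        for rule in rules:                       # all rules relevant to the query
            if rule.user == user and rule.relation == rel:
                denied |= rule.denied_attrs
                if rule.row_filter:
                    predicates.append(f"({rule.row_filter})")
        select += [f"{rel}.{a}" for a in schema[rel] if a not in denied]
    if not select:                               # nothing left to project
        raise PermissionError(f"{user} may not read any attribute of {list(relations)}")
    sql = f"SELECT {', '.join(select)} FROM {', '.join(relations)}"
    if predicates:
        sql += " WHERE " + " AND ".join(predicates)
    return sql

RULES = [
    Rule("John", "EMP", denied_attrs=frozenset({"Salary"})),
    Rule("John", "DEPT", denied_attrs=frozenset({"Budget"})),
    Rule("GroupA", "EMP", row_filter="EMP.Salary < 30000 AND EMP.Dept <> 'Security'"),
]

if __name__ == "__main__":
    print(modify_query("John", ["EMP", "DEPT"], "EMP.Dept = DEPT.Dept", None, RULES))
    print(modify_query("GroupA", ["EMP"], None, "EMP.Dept = 'Sales'", RULES))
```

Because the rewrite happens before execution, the DBMS never evaluates the denied attributes at all, which is what makes query modification cheaper than filtering results afterwards.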
Mandatory Access Control (MAC) in
Databases: 1982 - Present
Bell and LaPadula Policy adapted for databases
- Read at or above your level and Write at your level; Granularity of
classification: Databases, Relations, Tuples, Attributes, Elements
Security Architectures
- Operating system providing mandatory access control and DBMS is
untrusted with respect to MAC (e.g., SRI’s SeaView)
- Trusted Subject Architecture where DBMS is trusted with respect to
MAC (e.g., TRW’s ASD and ASD Views)
- Integrity Lock where Trusted front-end computes checksums (e.g.,
MITRE’s MISTRESS Prototype)
- Distributed Architecture where data is distributed according to security
levels and access through trusted front-end (e.g., NRL’s SINTRA)
- Extended Kernel for Security Policy Enforcement such as constraints
(e.g., Honeywell’s Lock Data Views)
Security Constraints / Access Control Rules
Simple Constraint: John cannot access the attribute Salary of
relation EMP
Content-based constraint: If relation MISS contains information
about missions in the Middle East, then John cannot access MISS
Association-based Constraint: Ship’s location and mission taken
together cannot be accessed by John; individually each attribute can
be accessed by John
Release constraint: After X is released Y cannot be accessed by
John
Aggregate Constraints: Ten or more tuples taken together cannot be
accessed by John
Dynamic Constraints: After the Mission, information about the
mission can be accessed by John
Enforcement of Security Constraints
[Architecture diagram: a User Interface Manager sits above a Constraint Manager that is fed by the Security Constraints. The Constraint Manager applies constraints during query and release operations (Query Processor), during update operations (Update Processor) and during database design (Database Design Tool), all on top of the Relational DBMS and its Database.]
Other Developments in Access Control
Inference Problem and Access Control
- Inference problem occurs when users pose queries and deduce
unauthorized information from the legitimate responses
- Security constraint processing for controlling inferences
- More recently there is work on controlling release information
instead of controlling access to information
Temporal Access Control Models
- Incorporates time parameter into the access control models
Role-based access control
- Controlling access based on roles of people and the activities
they carry out; Implemented in commercial systems
Positive and Negative Authorizations
- Should negative authorizations be explicitly specified? How can
conflicts be resolved?
Some Examples
Temporal Access Control
- After 1/1/05, only doctors have access to medical records
Role-based Access Control
- Manager has access to salary information
- Project leader has access to project budgets, but he does not
have access to salary information
- What happens if the manager is also the project leader?
Positive and Negative Authorizations
- John has write access to EMP
- John does not have read access to DEPT
- John does not have write access to Salary attribute in EMP
- How are conflicts resolved?
Usage Control
Usage Control (UCON) Model goes beyond traditional access
control
- Developed by Sandhu et al
Consists of the following
Policies of authorizations, Obligations and Conditions
- Authorization decisions are determined by policies of the
subject, objects and right
- Obligations are actions that are required to be performed
before or during the access process
Conditions are environment restrictions that are required
to be valid before or during the access process
Many policies can be expressed using UCON
Extensions being proposed for temporal usage control
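The three UCON decision factors above (authorizations from subject and object attributes, obligations that must be fulfilled before access, and environment conditions) as an added example, not code from Sandhu et al. or from the lecture. The UsageRequest and UconPolicy classes, the doctor/medical-record policy (which also encodes the "after 1/1/05, only doctors" temporal example from the earlier slide) and the ISO date strings are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Attrs = Dict[str, object]   # subject/object attributes, e.g. {"role": "doctor"}

@dataclass
class UsageRequest:
    subject: Attrs
    obj: Attrs
    right: str                      # e.g. "read"
    fulfilled: Set[str]             # obligations the subject has carried out
    env: Attrs                      # environment: date, location, ...

@dataclass
class UconPolicy:
    right: str
    authorization: Callable[[Attrs, Attrs], bool]          # subject/object attributes
    obligations: List[str] = field(default_factory=list)   # must be done before access
    condition: Callable[[Attrs], bool] = lambda env: True  # environment restriction

def decide(req: UsageRequest, policies: List[UconPolicy]) -> Tuple[bool, str]:
    """Pre-access decision: authorization, then obligations, then conditions.
    Call it again during access with a fresh env to re-check ongoing conditions."""
    for p in policies:
        if p.right != req.right:
            continue
        if not p.authorization(req.subject, req.obj):
            return False, "authorization failed"
        missing = sorted(set(p.obligations) - req.fulfilled)
        if missing:
            return False, "obligation not fulfilled: " + ", ".join(missing)
        if not p.condition(req.env):
            return False, "condition not satisfied"
        return True, "permitted"
    return False, "no policy grants this right"    # default deny

# Constructed policy combining the lecture's examples: after 1/1/05 only doctors
# may read medical records, and only records of their own patients. Dates are
# ISO strings so they compare correctly as text.
READ_RECORD = UconPolicy(
    right="read",
    authorization=lambda s, o: (s.get("role") == "doctor"
                                and o.get("patient") in s.get("patients", [])),
    obligations=["accept_confidentiality_notice"],
    condition=lambda env: env["today"] >= "2005-01-01",
)
```

The reason string tells an auditor which of the three factors denied the request, which is useful when a policy mixes them.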
Access Control in Other Types of Databases
Object Databases
- Controlling access to classes, object instances, instance
variables, method execution etc.
- E.g., MCC’s ORION model both for discretionary security and
mandatory security
Distributed Databases
- Extend access control for relational databases to a distributed
environment across the nodes
Federated Databases
- Integrate security policies exported by the component database
systems and form a federated policy
Deductive Databases
- Logic for secure data and knowledge base systems, e.g., NTML
(Non-monotonic Typed Multilevel Logic)
Access Control in Databases: Current Trends
(1996 – Present)
Data Warehousing
- Controlling access to aggregate information in the Warehouse
Multimedia Database Systems
- Geospatial Information Systems
Web Databases
- E-Commerce and Knowledge Management,
Collaboration/Workflow
Semantic Web
- XML, RDF, Information Integration
Dependable Databases
- Real-time/Embedded Database Systems
- Sensor/Stream Database Systems
Data Warehouse
Challenge: Controlling access to the Warehouse and at the same time
enforcing the access control policies enforced by the back-end
Database systems
[Diagram: users query the Data Warehouse, which holds data correlating employees with travel patterns and projects. It draws on an Oracle DBMS for employee data, a Sybase DBMS for project data and an Informix DBMS for travel data; each back end could be any DBMS, e.g., relational.]
Enforcing Access Control for Data Mining
Algorithms
Query the data and extract information previously unknown
Whenever data is accessed check the access control rules
Examine the access control rules to determine whether the mined
information can be released to the user
Extensions to the Inference problem
Access Control for Multimedia Databases
Access Control for Text, Images, Audio and Video
Granularity of Protection
- Text
John has access to Chapters 1 and 2 but not to 3 and 4
- Images
John has access to portions of the image
Access control for pixels?
- Video and Audio
John has access to Frames 1000 to 2000
Jane has access only to scenes in US
- Security constraints
Association based constraints
E.g., collections of images are classified
Access Control for Web Databases
Secure web data management issues include:
- Extending traditional security mechanisms for web databases
Access control models
Integrating security policies
Secure query, indexing and transaction management
strategies
Security impact for integrating heterogeneous databases
- Security specific for the web
Security for unstructured databases such as multimedia,
XML and RDF documents
Security impact on Ontology management
Privacy violations due to data mining
Protecting intellectual property, e-payment systems
Secure Semantic Web
According to Tim Berners-Lee, the Semantic Web supports
- Machine readable and understandable web pages
Layers for the semantic web: Security cuts across all layers
Challenge: Not only integrating the layers for the semantic
web, but also ensuring secure interoperability
[Layer diagram, bottom to top: URI, UNICODE; XML, XML Schemas; RDF, Ontologies; Rules/Query; Logic, Proof and Trust; with Other Services alongside, and Security and Privacy cutting across every layer.]
XML Security
Some ideas have evolved from research in secure
multimedia/object data management
Access control and authorization models
- Protecting entire documents, parts of documents, propagations
of access control privileges; Protecting DTDs vs Document
instances; Secure XML Schemas
Update Policies and Dissemination Policies
Secure publishing of XML documents
- How do you minimize trust for third party publication
Use of Encryption
Inference problem for XML documents
- Portions of documents taken together could be sensitive,
individually not sensitive
Security and Ontologies
Access control for Ontologies
- Who can access which parts of the Ontologies
- E.g., Professor can access all patents of the department while
the Secretary can access only the descriptions of the patents in
the patent ontology
- Can we apply the research on secure metadata management for
secure ontology management?
Ontologies for Security Applications
- Use ontologies for specifying security/privacy policies
- Integrating heterogeneous policies may involve integrating
ontologies and resolving inconsistencies
Privacy Constraints / Access Control Rules
Privacy constraints processing
- Simple Constraint: an attribute of a document is private
- Content-based constraint: If document contains information
about X, then it is private
- Association-based Constraint: Two or more documents taken
together is private; individually each document is public
- Release constraint: After X is released Y becomes private
Augment a database system with a privacy controller for constraint
processing
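A constraint manager for the constraint types on this slide and on the earlier "Security Constraints / Access Control Rules" slide (simple, content-based, association-based, release and aggregate), as an added example rather than code from the lecture or from any of the prototypes it names. The Request and Constraint classes and John's constraint set are assumptions; the association check also counts items released to the user earlier, which generalises the slide's "taken together" to the inference problem the lecture describes.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set

@dataclass
class Request:
    user: str
    items: FrozenSet[str]                        # attributes/documents asked for together
    content: Dict[str, str] = field(default_factory=dict)   # item -> its content
    tuple_count: int = 1                         # number of tuples in the result

@dataclass
class Constraint:
    kind: str
    user: str
    violated: Callable[[Request, Set[str]], bool]   # (request, already released) -> bool

# Constructors for the constraint types on the slides.
def simple(user, item):
    return Constraint("simple", user, lambda r, h: item in r.items)
def content_based(user, item, keyword):
    return Constraint("content", user,
                      lambda r, h: item in r.items and keyword in r.content.get(item, ""))
def association(user, *items):   # sensitive together; earlier releases still count
    return Constraint("association", user, lambda r, h: set(items) <= (r.items | h))
def release(user, x, y):         # once X has been released, Y is off limits
    return Constraint("release", user, lambda r, h: x in h and y in r.items)
def aggregate(user, n):          # n or more tuples taken together
    return Constraint("aggregate", user, lambda r, h: r.tuple_count >= n)

class ConstraintManager:
    """Checks every request at query/release time and records what was released."""
    def __init__(self, constraints: List[Constraint]):
        self.constraints = constraints
        self.released: Dict[str, Set[str]] = {}   # per-user release history

    def check(self, req: Request) -> List[str]:
        """Return the kinds of constraints the request violates ([] = release it)."""
        history = self.released.setdefault(req.user, set())
        hits = [c.kind for c in self.constraints
                if c.user == req.user and c.violated(req, history)]
        if not hits:                 # the whole request is either released or withheld
            history |= req.items
        return hits

# Constructed constraint set for John, mirroring the lecture's examples.
JOHN = [simple("John", "Salary"), content_based("John", "MISS", "Middle East"),
        association("John", "Location", "Mission"), release("John", "X", "Y"),
        aggregate("John", 10)]
```

The per-user history is what lets the manager catch a release or association violation spread over several individually harmless queries.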
Integrated Architecture for Privacy
Constraint Processing
[Architecture diagram: a User Interface Manager sits above a Constraint Manager that is fed by the Privacy Constraints. The Constraint Manager applies constraints during query and release operations (Query Processor), during update operations (Update Processor) and during database design (XML Database Design Tool), on top of the Relational DBMS and its Database.]
Federated Data Management Systems for
National Security and Privacy
[Diagram: Component Data/Policy for Agency A, Agency B and Agency C each export data/policy to a Federated Data Mining / Federated Security Policy layer.]
Trust Policies
- To what extent do you trust the source of the data
- How can trust be propagated
- Adding trust value to each piece of data
- A trusts B and B trusts C, does this mean A trusts C?
- A department head sends messages to all the faculty; however
he/she may not trust a particular person
- Developing a language to specify trust
Integrity Policies
- Maintaining the quality of the data
- Adding an attribute to each piece of data to specify the quality
- Quality also depends on how much you trust the source
- Algebra for data quality
Access Control in Databases: Next Steps
Access Control in Databases will continue to be very important
- We also need to examine alternatives
We need new kinds of access control models
- 1975 models may not be suitable for emerging applications
such as semantic web, e-commerce and stream data
management
- Role-based access control has become very popular and is
implemented now in commercial systems. What variations of
this model are appropriate for emerging applications?
End-to-end security is critical
- We cannot have secure databases and have insecure
networks and middleware; Composability
Flexible security policies
- Confidentiality, Authenticity, Completeness, Integrity, Trust,
Privacy, Data Quality, etc.