Transcript Security - Computer Science and Engineering Department

SECURITY OF DATABASE
SYSTEMS
Dr. Awad Khalil
Computer Science Department
AUC
CSCI 453 -- Database Security
1
Content
Database Security
 Threats
 Countermeasures – Computer Based
Controls
 Countermeasures – Non Computer Based
Controls
 Database Security on the Web

CSCI 453 -- Database Security
2
Database Security

Database security is the protection of the Database against
intentional or unintentional threats using computer-based or noncomputer-based controls.

A database represents an essential corporate resource that should be
properly secured using appropriate controls. We consider database
security in relation to the following situations:
1. Theft and fraud.
2. Loss of confidentiality (secrecy).
3. Loss of privacy.
4. Loss of integrity.
5. Loss of availability.

Database security aims to minimize losses caused by anticipated
events in a cost-effective manner without unduly constraining the
users.
CSCI 453 -- Database Security
3
Threats
A
threat is any
situation or event,
whether intentional or
unintentional,
involving a person,
action,
or
circumstance,
that
will adversely affect a
system
and
consequently
an
organization.
CSCI 453 -- Database Security
4
Potential threats to computer systems
CSCI 453 -- Database Security
5
Countermeasures
(I)Computer-Based Controls
1. Authorization & Access
Controls.
2. Firewalls
3. Views.
4. Backup and recovery.
5. Integrity.
6. Encryption.
7. RAID Technology.
CSCI 453 -- Database Security
6
(1) Authorization & Access Controls (Privileges)

Authorization is the granting of a right or privilege, which
enables a subject to have legitimate access to a system’s object

Authorization controls can be built into the software, and govern
not only what system or object a specified user can have access
to, but also what the user may do with it.

The process of authorization involves authentication of subjects
requesting access to objects.
Authentication

A mechanism that determines whether a user is, who he or she
claims to be.
CSCI 453 -- Database Security
7
(1) Authorization & Privileges (Cont’d)
Privileges: Privileges may include the right to access or create
certain database objects such as relations, views, and indexes, or
to run various DBMS utilities.
Select(0001) Update(0010) Insert(0100) Delete(1000) All(1111)

CSCI 453 -- Database Security
8
(2) Views
A
view is a dynamic result of one or more relational
operations operating on the base relations, to produce
another relation. A view is a virtual relation that does
not actually exist in the database, but is produced upon
request by a particular user, at the time of request.
CSCI 453 -- Database Security
9
(3) Backup and Recovery

The process of periodically taking a copy of the
database and log file (and possibly programs) onto
offline storage media.
JOURNALING

The process of keeping and maintaining a log file (or
journal) of all changes made to the database to enable
recovery to be undertaken effectively in the event of
failure.
CHECKPOINTING

The Point of synchronization between the database and
the transaction log file. All buffers are force-written to
secondary storage.
CSCI 453 -- Database Security
10
(4) Integrity
 Integrity
controls (entity integrity and referential
integrity constraints) contribute to maintaining a secure
database system by preventing data from becoming
invalid, and hence giving misleading or incorrect
results.
CSCI 453 -- Database Security
11
(5) Encryption

Encryption is the encoding of the data by a special algorithm
that renders the data unreadable by any program without the
decryption key.
CRYPTOSYSTEM
 To transmit data securely over insecure networks requires the use of
cryptosystem, which includes:
1. Encryption key to encrypt the data (plain text).
2. Encryption algorithm that, with the encryption key, transforms the plain
text into ciphertext.
3. Decryption key to decrypt the cyphertext.
4. Decryption algorithm that, with the decryption key, transforms the
cyphertext back into plain text.
CSCI 453 -- Database Security
12
(5) Encryption (Cont’d)
Symmetric Cryptosystem

This technique uses the same key for both encryption and decryption and relies on
safe communication lines for exchanging the key.

One scheme used for symmetric encryption is the Data Encryption Standard (DES),
developed by IBM. This scheme uses one key for both encryption and decryption,
which must be kept secret, although the algorithm need not be.

The algorithm transforms each 64-bit block of plaintext using a 56-bit key.

The DES is not universally regarded as being very secure.

A scheme called PGP (Pretty Good Privacy) uses a 128-bit symmetric algorithm for
bulk encryption of data it sends.

Keys with 64 bits are now probably breakable by major governments with special
hardware, albeit at substantial cost.

While. keys with 80 bits will also become breakable in the future, keys with 128 bits
will remain unbreakable for the foreseeable future.
CSCI 453 -- Database Security
13
(5) Encryption (Cont’d)
Asymmetric Cryptosystem

This cryptosystem uses two different keys for encryption and decryption.

One example is public key cryptosystems, which uses two keys, one of which is
public and the other private.

The encryption algorithm may also be public, so that anyone wishing to send a user
message can use the user's publicly known key in conjunction with the algorithm to
encrypt it. Only the owner of the private key can then decipher the message.

Public key cryptosystems can also be used to send a 'digital signature' with a message
and prove that the message came from the person who claimed to have sent it.

The most well known asymmetric encryption is RSA.

Generally, symmetric algorithms are much faster to execute on a computer than those
that are asymmetric.

However, in practice, they are often used together, so that a public key algorithm is
used to encrypt a randomly generated encryption key, and the random key is used to
encrypt the actual message using a symmetric algorithm.
CSCI 453 -- Database Security
14
(5) Using Encryption
Security

Is ensured if the sender uses the recipient’s public key to encrypt
and the recipient uses his/her private key to decrypt.
Authentication

Is achieved if the sender uses his/her private key to encrypt and
the recipient uses the public to decrypt.
CSCI 453 -- Database Security
15
(6) RAID Technology
RAID (Redundant Array of Independent Disks)

The Hardware that the DBMS is running on must be faulttolerant, meaning that the DBMS should continue to operate even
if one of the hardware components fails.

This suggests having redundant components that can de
seamlessly integrated into the working system whenever there is
one or more component failures.

The main hardware components that should be fault-tolerant
include disk drives, disk controllers, CPU, power supplies, and
cooling fans.
Disk drives are the most vulnerable components with the shortest
times between failure of any of the hardware components.

CSCI 453 -- Database Security
16
(7) RAID Technology (Cont’d)

One solution is the use of RAID technology. RAID works on having a large
array comprising an arrangement of several independent disks that are
organized to improve reliability and at the same time increase performance.

Performance is increased through data stripping; the data is segmented into
equal-size portions (the stripping unit) which are transparently distributed
across multiple disks.

This gives the appearance of a single large, fast disk where in actual fact the
data is distributed across several smaller disks.

Stripping improves overall I/O performance by allowing multiple I/Os to be
serviced in parallel.

At the same time, data stripping also balances the load among disks.

Reliability is improved through storing redundant information across the disks
using a parity scheme or an error-correcting scheme, such as Reed-Solomon
codes.
CSCI 453 -- Database Security
17
(7) RAID Technology (Cont’d)

There are a number of different disk configurations with RAID, termed RAID levels:
1. RAID 0 - Nonredundant: This level maintains no redundant data and so has the best write
performance since updates do not have to be replicated. Data stripping is performed at the level
of blocks.
2. RAID 1 - Mirrored: This level maintains (mirrors) two identical copies of the data across
different disks. To maintain consistency in the presence of disk failure, writes may not performed
simultaneously. This is the most expensive storage solution.
3. RAID 0+1 - Nonredundant and Mirrored: This level combines stripping and mirroring.
4. RAID 2 - Memory-style Error-Correcting Codes: With this level, the stripping unit is a single bit
and Hamming codes are used as the redundancy scheme.
5. RAID 3 - Bit-Interleaved Parity: This level provides redundancy by storing parity information on
a single disk in the array.
6. RAID 4 - Block-Interleaved Parity: With this level, the stripping unit is a disk block - a parity
block is maintained on a separate disk for corresponding blocks from a number of other disks.
7. RAID 5 - Block-Interleaved Distributed Parity: This level uses parity data for redundancy in a
similar way to RAID 3 but stripes the parity data across all the disks, similar to the way in which
the source data is stripped.
8. RAID P+Q: This level is similar to RAID 5 but additional redundant data is maintained to protect
against multiple disk failures.

Oracle, for example, recommends use of RAID 1 for the redo log files. For the database
files, Oracle, recommends either RAID 5, provided the write overhead is acceptable,
otherwise Oracle recommends either RAID 1 or RAID 0+1.
CSCI 453 -- Database Security
18
Countermeasures
(II) Non-Computer-Based Controls
1. Security policy and contingency plan.
2. Personnel control.
3. Secure positioning of equipment.
4. Escrow agreements.
5. Maintenance agreements.
6. Physical access control.
CSCI 453 -- Database Security
19
Web Security

Proxy servers.

Firewalls.

Digital signatures.

Message digest and digital signatures.

Digital certificates.

Kerberos.

Secure Sockets Layer (SSL) and Secure HTTP
(SHTTP).
CSCI 453 -- Database Security
20
Proxy Servers
 In a Web environment, a proxy server is a computer that sits
between a Web browser and a Web server.

It intercepts all requests to the Web server to determine if it can
fulfill the requests itself. If not, it forwards the requests to the
Web server.

Proxy servers have two main purposes: to improve performance
and filter requests.

Improve Performance: Since a proxy server saves the results of
all requests for a certain amount of time, it can significantly
improve performance for group of users.

Filter requests: Proxy servers can also be used to filter requests.
For example, an organization might use a proxy server to prevent
its employees from accessing a specific set of Web sites.
CSCI 453 -- Database Security
21
Firewalls



A firewall is a system designed to prevent unauthorized access to or from a
private network (Intranet).
Firewalls can be implemented in both hardware and software, or a
combination of both.
All messages entering or leaving the Intranet pass through the firewall, which
examines each message and blocks those that do not meet the specified
security criteria. There are several types of firewall techniques:
 Packet filter: which looks at each packet entering or leaving the network
and accepts or rejects it based on user-defined rules.
 Application gateway: which applies security mechanisms to specific
applications, such as FTP and Telnet servers.
 Circuit-level gateway: which applies security mechanisms when a TCP or
UDP (User Datagram Protocol) connection is established. Once the
connection has been made, packets can flow between the hosts without
further checks.
 Proxy server, which intercepts all messages entering and leaving the
network. The proxy server in effect hides the true network addresses.
CSCI 453 -- Database Security
22
Message Digest Algorithms and Digital Signature




A message digest algorithm, or one-way hash function, takes an
arbitrary-sized string (the message) and generates a fixed-length
string (the digest or hash).
A digest has the following characteristics:
 It should be computationally infeasible to find another
message that will generate the same digest.
 The digest doesn’t reveal anything about the message.
A digital signature consists of two pieces of information: a string
of bits that is computed from the data that is being ‘signed’, along
with the private key of the individual or organization wishing the
signature.
The signature can be used to verify that the data comes from this
individual or organization.
CSCI 453 -- Database Security
23
Message Digest Algorithms and Digital Signature (Cont’d)

Like a handwritten signature, a digital signature has many useful
properties:
 Its authenticity can be verified, using a computation based on
the corresponding public key.
 It cannot be forged (assuming the private key is kept secret).
 It is a function of the data signed and cannot be claimed to be
the signature for any other data.
 The signed data cannot be changed, otherwise the signature
will no longer verify the data as being authentic

Some digital signature algorithms use message digest algorithms
for parts of their computations; others for efficiency, compute the
digest of a message and digitally sign the digest rather than
signing the message itself.
CSCI 453 -- Database Security
24
Digital Certificates





A digital certificate is an attachment to an electronic message
used for security purposes, most commonly to verify that a user
sending a message is who he or she claims to be, and to provide
the receiver with the means to encode a reply.
An individual wishing to send an encrypted message applies for a
digital certificate from a Certificate Authority (CA).
The CA issues an encrypted digital certificate containing the
applicant’s public key and a variety of other identification
information.
The recipient of an encrypted message uses the CA’s public key
to decode the digital certificate attached to the message, verifies it
as issued by the CA, and then obtains the sender’s public key and
identification information held within the certificate.
With this information, the recipient can send an encrypted reply.
CSCI 453 -- Database Security
25
Kerberos
 Kerberos
is a server of secured user names and
passwords (named after the three-headed monster in
Greek mythology that guarded the gate of hell).
 The importance of Kerberos is that it provides one
centralized security server for all data and resources on
the network.
 Kerberos has a similar function to that of a Certificate
server to identify and validate a user.
 Security companies are currently investigating a merger
of Kerberos and Certificate servers to provide a
network-wide secure system
CSCI 453 -- Database Security
26
Secure Sockets Layer and Secure HTTP




SSL is an encryption protocol developed by Netscape for transmitting private
documents over the Internet.
SSL works by using private key to encrypt data that is transferred over the
SSL connection.
The protocol, layered between application-level protocols such as HTTP and
the TCP/IP transport-level protocol, is designed to prevent eavesdropping
tampering, and message forgery.
Through the use of cryptographic techniques such as encryption, and digital
signatures, these protocols:
 Allow Web browsers and servers to authenticate each other.
 Permit Web site owners to control access to particular servers,
directories, files, or services.
 Allow sensitive information (for example, credit card numbers) to be
shared between browser and server, yet remain inaccessible to third
parties.
 Ensure that data exchanged between browser and server is reliable (that
is , cannot be corrupted either accidentally or deliberately, without
detection).
CSCI 453 -- Database Security
27
DATABASE SECURITY and AUTHORIZATION

A DBMS typically includes a database security and
authorization subsystem that is responsible for ensuring the
security portions of a database against unauthorized access.

The DBA is the central authority for managing a database system.

The DBA has a privileged account in the DBMS, is sometimes
called a system account, which provides powerful capabilities
that are not made available to regular database accounts and
users.

DBA privileged commands include commands for granting
and revoking privileges to individual accounts, users, or user
groups and for performing the following types of actions:
CSCI 453 -- Database Security
28
DBA Privileged Commands
1. Account creation: This action creates a new account and
password for a user or a group of users to enable them to access
the DBMS.
2. Privilege granting: This action permits the DBA to grant
certain privileges to certain accounts.
3. Privilege revocation: This action permits the DBA to revoke
(cancel) certain privileges that were previously given to certain
accounts.
4. Security level assignment: This action consists of assigning
user accounts to the appropriate security classification level.
CSCI 453 -- Database Security
29
Access Control Based on Privileges
 There
are two levels for which assigning privileges to
use the database system:
1.The Account level: At this level, the DBA specifies the
particular privileges that each account holds
independently of relations in the database.
2.The Relation level: At this level, we can control the
privilege to access each individual relation or view in
the database.
CSCI 453 -- Database Security
30
The Account Level Privileges

The CREATE SCHEMA or CREATE TABLE privilege to
create schema or base relation.

The CREATE VIEW privilege to create views.

The ALTER privilege to add or remove attributes from
relations.

The DROP privilege to delete relations or views.

The MODIFY privilege to insert, delete, or update tuples.

The SELECT privilege to retrieve information from the
database using a SELECT query.
CSCI 453 -- Database Security
31
The Relation Level Privileges

Privileges at the relation level specify for each user the individual
relations on which each type of command can be applied.

Some privileges also refer to individual attributes of relations.

To control the granting and revoking of relation privileges, each
relation R in a database is assigned an owner account.
The owner of a relation is given all privileges on that relation.


The owner account holder can pass privileges on any of the
owned relations to other users by granting privileges to their
accounts.

In SQL, the following types of privileges can be granted on each
individual relation R:
CSCI 453 -- Database Security
32
The Relation Level Privileges (Cont’d)
 SELECT

(retrieval) privilege.
MODIFY privileges on R: This gives the account the
capability to modify tuples of R. In SQL this privilege
is further divided into UPDATE, DELETE, and
INSERT privileges to apply the corresponding SQL
command to R. In addition, both the INSERT and
UPDATE privileges can specify that only certain
attributes of R can be updated by the account.
 REFERENCES
privilege on R: This gives the
account the capability to reference the relation R when
specifying integrity constraints. This privilege can also
be restricted to specific attributes of R.
CSCI 453 -- Database Security
33
Specifying Authorization by Using Views
create a view, the account must have SELECT
privileges on all relations involved in the view
definition
 To
mechanism of views is an important access
mechanism in its own right.
 The
example, if the owner A of a relation R wants
another account B to be able to retrieve only some fields
of R, then A can create a view V of R that includes only
those attributes and then grant SELECT on V to B.
 For
CSCI 453 -- Database Security
34
Revoking Privileges
 In
some cases it is desirable to grant some
privilege to a user temporarily.
A
mechanism for
privileges is needed.
revoking
(canceling)
SQL, a REVOKE command is included for
the purpose of canceling privileges.
 In
CSCI 453 -- Database Security
35
Propagation of Privileges and the
GRANT OPTION

Whenever the owner A of relation R grants a privilege on R to another account B, the
privilege can be given to B with or without the GRANT OPTION.

If the GRANT OPTION is given, this means that B can also grant that privilege on R to
other accounts.

If the owner account A revokes the privilege granted to B, all the privileges that B
propagated based on that privilege should automatically be revoked by the system.

Techniques to limit the propagation of privileges have been developed, although they
have not yet been implemented in most DBMSs.

Limiting horizontal propagation to an integer number i means that an account B
given the GRANT OPTION can grant the privilege to at most i other accounts.

Vertical propagation limits the depth of the granting of the privileges. Granting a
privilege with vertical propagation of zero is equivalent to granting the privilege with
no GRANT OPTION. If account A grants a privilege to account B with vertical
propagation set to an integer number j>0, this means that account B has the GRANT
OPTION on that privilege, but B can grant the privilege to other accounts with a
vertical propagation less than j.
CSCI 453 -- Database Security
36
An Example

Suppose that the DBA creates four accounts - A1, A2, A3, and
A4 - and wants only A1 to be able to create base relations, then
the DBA must issue a CREATE SCHEMA command as
follows:
CREATE SCHEMA NWDB AUTHORIZATION A1;

Suppose that A1 creates the two base relations EMPLOYEE and
DEPARTMENT.

Suppose that A1 wants to grant to account A2 the privilege to
insert and delete tuples in both of these relations. A1 does not
want A2 to be able to propagate these privileges to additional
accounts. Then, A1 can issue the following command:
GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;
CSCI 453 -- Database Security
37
An Example (Cont’d)

Suppose that A1 wants to allow account A3 to retrieve
information from either of the two tables and also be able to
propagate the SELECT privilege to other accounts. Then A1 can
issue the following command:
GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION;

A3 can grant the SELECT privilege on the EMPLOYEE relation
to A4 by issuing the following command:
GRANT SELECT ON EMPLOYEE TO A4;

Suppose that A1 decides to revoke the SELECT privilege on the
EMPLOYEE relation from A3; then A1 can issue the following
command:
REVOKE SELECT ON EMPLOYEE FROM A3;
CSCI 453 -- Database Security
38
An Example (Cont’d)

Suppose that A1 wants to give back to A3 a limited capability to SELECT
from the EMPLOYEE relation and wants to allow A3 to propagate the
privilege. The limitation is to retrieve only the NAME, BDATE, and
ADDRESS attributes and only the tuples with DNO = 5. Then A1 can create
the following view:
CREATE
SELECT
FROM
WHERE

VIEW A3EMPLOYEE AS
NAME, BDATE, ADDRESS
EMPLOYEE
DNO = 5;
After the view is created , A1 can grant SELECT on the view A3EMPLOYEE
to A3 as follows:
GRANT SELECT ON A3EMPLOYEE TO A3
WITH GRANT OPTION;

Suppose that A1 wants to allow A4 to update only the SALARY attribute of
EMPLOYEE:
GRANT UPDATE ON EMPLOYEE(SALARY) TO A4;
CSCI 453 -- Database Security
39
Mandatory Access Control for Multilevel
Security
 In
many government, military, and intelligence
applications, a particular security policy is needed that
classifies data and users based on security classes.
typical security classes used are top secret (TS),
secret (S), confidential (C), and unclassified (U),
where TS>S>C>U.
 The
CSCI 453 -- Database Security
40
Bell LaPadula
Multilevel Security Model

The commonly used model for multilevel security, known as the BellLaPadula model, classifies each subject (user, account, program) and
object (relation, tuple, column, view, operation) into one of the security
classifications TS, S, C, and U. We refer to the classification of a subject S
as class(S) and the classification of an object O as class(O).

Two restrictions are enforced on data access:
A subject S is not allowed read access to an object O unless
class(S)class(O).
A subject S is not allowed write access to an object O unless
class(O)class(S).
1.
2.

The first restriction enforces the obvious rule that no subject can read an
object whose security classification is higher than the subject’s security
clearance.

The second restriction prohibits a subject from writing an object that has
lower security classification than the subject’s security clearance.
CSCI 453 -- Database Security
41
Multilevel Security Implementation in The
Relational Model

To incorporate multilevel security notions into the relational
model, it is common to consider attribute values and tuples as
data objects.

Each attribute A is associated with a classification attribute C
in the schema, and each attribute value in a tuple is associated
with a corresponding security classification.

A tuple classification attribute TC is added to the relation
attributes to provide a classification for each tuple as a whole.

A multilevel relation schema R with n attributes would be
represented as:
R(A1, C1, A2, C2, …, An, Cn, TC)

A multilevel relation will appear to contain different data to
subjects (users) with different classification levels.
CSCI 453 -- Database Security
42
Multilevel Security Implementation in The
Relational Model
 It
is possible to store a single tuple in the relation at a
higher classification level and produce the
corresponding tuples at a lower level classification
through a process known as filtering.
 In
other cases, it is necessary to store two or more
tuples at different classification levels with the same
value for the apparent key (primary key). This leads to
the concept of polyinstantiation.
CSCI 453 -- Database Security
43
Multilevel Security Implementation in The
Relational Model
A multilevel relation: Employee
Name
Salary
JobPerformance
TC
____________________________________________
Smith U 40000 C
Fair
S
S
Brown C 80000 S
Good C
S
-----------------------------------------------------------------------------Appearance of Employee after filtering for classification C users
Name
Salary
JobPerformance
TC
_____________________________________________
Smith U 40000 C
Null
C
C
Brown C Null
C
Good C
C
CSCI 453 -- Database Security
44
Multilevel Security Implementation in The
Relational Model
A multilevel relation: Employee
Name
Salary
JobPerformance
TC
____________________________________________
Smith U 40000 C
Fair
S
S
Brown C 80000 S
Good C
S
-----------------------------------------------------------------------------------------------
Appearance of Employee after filtering for classification U users
Name
Salary
JobPerformance
TC
_____________________________________________
Smith U Null U
Null
U
U
CSCI 453 -- Database Security
45
Multilevel Security Implementation in The
Relational Model
A multilevel relation: Employee
Name
Salary
JobPerformance
TC
____________________________________________
Smith U 40000 C
Fair
S
S
Brown C 80000 S
Good C
S
------------------------------------------------------------------------------------Polyinstantiation of the Smith tuple
Name
Salary
JobPerformance
TC
____________________________________________
Smith U 40000 C
Fair
S
S
Smith U 40000 C
Excellent C
C
Brown C 80000 S
Good
C
S
CSCI 453 -- Database Security
46
Thank you
CSCI 453 -- Database Security
47