Transcript slides
Introduction
Database Security
Overview
Readings
This lecture:
– Textbook: Chapter 5.2
– Lecture materials from CSCE 522, Nov. 3,
Lecture 20 at
http://www.cse.sc.edu/~farkas/csce5222010/lectures.htm
For next class:
– Textbook: Chapter 10.1, 10.2
CSCE 824
2
Database Security
Requirements
CSCE 824
Physical database integrity
Logical database integrity
Element integrity
Auditability
Access control
User authentication
Availability
3
Sensitive data
CSCE 824
Inherently sensitive
From a sensitive source
Declared sensitive
Part of a sensitive attribute or
record
In relation to previously disclosed
information
4
Types of disclosures
CSCE 824
Exact data
Range of data
Negative results
Existence
Probable values
5
Access control
CSCE 824
Operating system
Database Management System
Granularity!
6
Granularity
CSCE 824
Database
Relation Advantages vs. disadvantages
of supporting
Record
different granularity levels
Attribute
Element
7
Granularity
CSCE 824
Database
Relation
Record
Attribute
Element
Advantages vs. disadvantages
of supporting
different granularity levels
8
Relation-Level
Granularity
(Works)= Secret
Personname
Smith
Companyname
BB&C
Salary
Dell
Bell
$97,900
Black
BB&C
$35,652
CSCE 824
9
$43,982
Tuple-level Granularity
Works
Personname
Smith
Companyname
BB&C
Salary
$43,982
P
Dell
Bell
$97,900
S
Black
BB&C
$35,652
P
CSCE 824
10
Attribute-Level
Granularity
Works
PersonCompanySalary
name
=P name
=P
Smith
BB&C
$43,982
Dell
Bell
$97,900
Black
BB&C
$35,652
CSCE 824
11
=S
Cell-Level Granularity
Works
Personname
Smith
Salary
P
Companyname
BB&C
P
$43,982
S
Dell
S
Bell
$97,900
S
Black
P BB&C
S $35,652
S
CSCE 824
S
12
Access Control Mechanisms
CSCE 824
Security through Views
Stored Procedures
Grant and Revoke
Query modification
13
Security Through Views
Assign rights to access predefined views
CREATE VIEW Outstanding-Student
AS SELECT NAME, COURSE, GRADE
FROM Student
WHERE GRADE > B
Problem:
Difficult to maintain updates.
CSCE 824
14
Security Through Views
Student relation
NAME
White
COURSE
CSCE 122
GRADE
C+
SEMESTER
Fall 2000
Black
Brown
Green
Blue
CSCE 313
CSCE 580
CSCE 850
CSCE 122
A
A
B+
B
Fall 2000
Spring 2000
Fall 2000
Fall 2000
CSCE 824
15
Security Through Views
CREATE VIEW Outstanding-Student
AS SELECT NAME, COURSE, GRADE
FROM Student
WHERE GRADE > B
Outstanding-Student
CSCE 824
NAME
Black
Brown
COURSE
CSCE 313
CSCE 580
GRADE
A
A
Green
CSCE 850
B+
16
Security Through Views
CREATE VIEW Fall-Student
AS SELECT NAME, COURSE
FROM Student
WHERE SEMESTER=“Fall 2000”
Fall-Student
CSCE 824
NAME
COURSE
White
CSCE 122
Black
CSCE 313
Green
Blue
CSCE 850
CSCE 122
17
Stored Procedures
Assign rights to execute compiled programs
GRANT RUN ON <program> TO <user>
Problem:
Programs may access resources for which the
user who runs the program does not have
permission.
CSCE 824
18
Grant and Revoke
GRANT <privilege> ON <relation>
To <user>
[WITH GRANT OPTION]
-----------------------------------------------------------------------------------------------------------------------------------
GRANT SELECT * ON Student TO Matthews
GRANT SELECT *, UPDATE(GRADE) ON
Student TO FARKAS
GRANT SELECT(NAME) ON Student TO
Brown
GRANT command applies to base relations as
well as views
CSCE 824
19
Grant and Revoke
REVOKE <privileges> [ON
<relation>]
FROM <user>
------------------------------------------------------------------------------------------------------------------------
CSCE 824
REVOKE SELECT* ON Student FROM Blue
REVOKE UPDATE ON Student FROM Black
REVOKE SELECT(NAME) ON Student FROM
Brown
20
Query Modification
CSCE 824
GRANT SELECT(NAME) ON Student TO Blue
WHERE COURSE=“CSCE 590”
Blue’s query:
SELECT *
FROM Student
Modified query:
SELECT NAME
FROM Student
WHERE COURSE=“CSCE 580”
21
Indirect Information Flow Channels
CSCE 824
Covert channels
Inference channels
22
Communication Channels
CSCE 824
Overt Channel: designed into a
system and documented in the user's
manual
Covert Channel: not documented.
Covert channels may be deliberately
inserted into a system, but most such
channels are accidents of the system
design.
23
Covert Channel
CSCE 824
Timing Channel: based on system times
Storage channels: not time related
communication
Can be turned into each other
24
Inference Channels
Non-sensitive
information
CSCE 824
+
Meta-data
25
=
Sensitive
Information
Inference Channels
CSCE 824
Statistical Database Inferences
General Purpose Database Inferences
26
Statistical Databases
Goal: provide aggregate information about
groups of individuals
– E.g., average grade point of students
Security risk: specific information about a
particular individual
– E.g., grade point of student John Smith
Meta-data:
– Working knowledge about the attributes
– Supplementary knowledge (not stored in database)
CSCE 824
27
Types of Statistics
Macro-statistics: collections of related statistics
presented in 2-dimensional tables
Sex\Year
1997
1998
Sum
Female
4
1
5
Male
6
13
19
Sum
10
14
24
CSCE 824
Micro-statistics: Individual data records used for
statistics after identifying information is removed
Sex
Course
GPA
Year
F
CSCE 590
3.5
2000
M
CSCE 590
3.0
2000
F
CSCE 790
4.0
2001
28
Statistical Compromise
CSCE 824
Exact compromise: find exact value of
an attribute of an individual (e.g., John
Smith’s GPA is 3.8)
Partial compromise: find an estimate of
an attribute value corresponding to an
individual (e.g., John Smith’s GPA is
between 3.5 and 4.0)
29
Methods of Attacks and Protection
Small/Large Query Set Attack
– C: characteristic formula that identifies groups of
individuals
If C identifies a single individual I, e.g., count(C) =
1
– Find out existence of property
If count(C and D)=1 means I has property D
If count(C and D)=0 means I does not have D
OR
– Find value of property
CSCE 824
Sum(C, D), gives value
30 of D
Small/Large Query Set Attack
cont.
CSCE 824
Protection from small/large query set
attack: query-set-size control
A query q(C) is permitted only if
N-n |C| n , where n 0 is a parameter
of the database and N is all the records in
the database
31
Tracker attack
q(C) is disallowed
C=C1 and C2
T=C1 and ~C2
Tracker
C
C2
C1
q(C)=q(C1) – q(T)
CSCE 824
32
Tracker attack
q(C and D) is disallowed
C=C1 and C2
T=C1 and ~C2
C
Tracker
C2
C1
C and D
q(C and D)=
q(T or C and D) – q(T)
CSCE 824
D
33
Query overlap attack
Q(John)=q(C1)-q(C2)
C1
C2
Kathy
John
Paul
Eve
Max
Fred
CSCE 824
Mitch
34
Protection:
query-overlap control
Insertion/Deletion Attack
Observing changes overtime
–
–
–
–
CSCE 824
q1=q(C)
insert(i)
q2=q(C)
q(i)=q2-q1
Protection: insertion/deletion performed
as pairs
35
Statistical Inference Theory
CSCE 824
Give unlimited number of statistics and
correct statistical answers, all statistical
databases can be compromised (Ullman)
36
Inferences in GeneralPurpose Databases
CSCE 824
Queries based on sensitive data
Inference via database constraints
Inferences via updates
37
Queries based on sensitive data
Sensitive information is used in selection
condition but not returned to the user.
Example: Salary: secret, Name: public
NameSalary=$25,000
CSCE 824
Protection: apply query of database
views at different security levels
38
Database Constraints
CSCE 824
Integrity constraints
Database dependencies
Key integrity
39
Integrity Constraints
CSCE 824
C=A+B
A=public, C=public, and B=secret
B can be calculated from A and C, i.e.,
secret information can be calculated
from public data
40
Database Dependencies
Metadata:
Functional dependencies
Multi-valued dependencies
Join dependencies
etc.
CSCE 824
41
Functional Dependency
FD: A B, that is for any two tuples in the
relation, if they have the same value for A,
they must have the same value for B.
Example: FD: Rank Salary
Secret information: Name and Salary together
– Query1: Name and Rank
– Query2: Rank and Salary
– Combine answers for query1 and 2 to reveal Name
and Salary together
CSCE 824
42
Key integrity
CSCE 824
Every tuple in the relation have a unique
key
Users at different levels, see different
versions of the database
Users might attempt to update data that
is not visible for them
43
Example
Secret View
Name (key)
Black P
Red S
Salary
38,000 P
42,000 S
Address
Columbia S
Irmo S
Name (key)
Salary
Address
Black P
38,000 P
Null P
Public View
CSCE 824
44
Updates
Public User:
Name (key)
Black P
Salary
38,000 P
Address
Null P
1. Update Black’s address to Orlando
2. Add new tuple: (Red, 22,000, Manassas)
If
Refuse update: covert channel
Allow update:
• Overwrite high data – may be incorrect
• Create new tuple – which data it correct
(polyinstantiation) – violate
key constraints
CSCE 824
45
Updates
Secret user:
Name (key)
Salary
Address
Black P
38,000 P
Columbia S
Red S
42,000 S
Irmo S
1. Update Black’s salary to 45,000
If
Refuse update: denial of service
Allow update:
• Overwrite low data – covert channel
• Create new tuple
– which data it correct
(polyinstantiation) – violate key constraints
CSCE 824
46
Inference Problem
CSCE 824
No general technique is available to
solve the problem
Need assurance of protection
Hard to incorporate outside knowledge
47
Next Class
Transaction Processing
CSCE 824
48