Lec 12-database-security-design

Academic year: 2020

(1)

Database Security and Privacy

(2)

Security Objectives

- Secrecy: prevent/detect/deter improper disclosure of information
- Availability: prevent/detect/deter improper denial of access
- Integrity: prevent/detect/deter improper modification

(3)

Policy

(4)

Databases

- Collection of interrelated data and a set of programs to access the data
- Convenient and efficient processing of data

(5)

Database Security

- Protect sensitive data from
  - Unauthorized disclosure
  - Unauthorized modification
  - Denial of service attacks
- Security controls
  - Security policy
  - Access control models
  - Integrity protection
  - Privacy problems

(6)

Protection of Data Confidentiality

- Access control: which data users can access
- Information flow control: what users can do with the accessed data

(7)

Access Control

- Ensures that all direct accesses to objects are authorized
- Protects against accidental and malicious threats by regulating read, write and execute access

(8)

Access Control

Requires:

- Proper user identification
- Information specifying the access rights is protected

(9)

Access control components:

- Access control policy: specifies the authorized accesses of a system
- Access control mechanism: implements and enforces the policy

(10)

HOW TO SPECIFY ACCESS

(11)

Access Control

- Subject: active entity that requests access to an object
  - e.g., user or program
- Object: passive entity accessed by a subject
  - e.g., record, relation, file
- Access right (privileges): how a subject is allowed to access an object
  - e.g., subject

(12)

Protection Object

- Database
- Relation
- Record
- Attribute
- Element

Advantages vs. disadvantages of supporting

(13)

Relation-Level Granularity

Person-name  Company-name  Salary
Smith        BB&C          $43,982
Dell         Bell          $97,900
Black        BB&C          $35,652

(14)

Tuple-level Granularity

Person-name  Company-name  Salary   Label
Smith        BB&C          $43,982  Public
Dell         Bell          $97,900  Conf.
Black        BB&C          $35,652  Public

(15)

Attribute-Level Granularity

Person-name  Company-name  Salary
(Publ.)      (Publ.)       (Conf.)
Smith        BB&C          $43,982
Dell         Bell          $97,900
Black        BB&C          $35,652

(16)

Cell-Level Granularity

Person-name  Company-name  Salary
Smith (P)    BB&C (P)      $43,982 (C)
Dell (C)     Bell (C)      $97,900 (C)
Black (P)    BB&C (C)      $35,652 (C)

(17)

Access Control Policies

- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)

(18)

Discretionary Access Control (DAC)

- For each subject, access rights to the objects are defined
  - (subject, object, +/- access mode)
  - (Black, Employee-relation, read)
- User based
- Grant and Revoke
- Problems:

(19)

DAC by Grant and Revoke

Brown (owner) -> Black -> Red

Brown: GRANT SELECT ON Employee TO Black WITH GRANT OPTION
Black: GRANT SELECT ON Employee TO Red

? Brown revokes the grant given to Black
? Brown does not want Red to access the Employee relation

(20)

Implementation

Access control matrix for Joe and Sam on File 1 and File 2:

       File 1             File 2
Joe    Read, Write, Own   Read
Sam    -                  Read, Write, Own

Access Control List (a column of the matrix, stored with the object):
  File 1: Joe:Read, Joe:Write, Joe:Own
  File 2: Joe:Read, Sam:Read, Sam:Write, Sam:Own

Capability List (a row of the matrix, stored with the subject):
  Joe: File 1/Read, File 1/Write, File 1/Own, File 2/Read
  Sam: File 2/Read, File 2/Write, File 2/Own

Access Control Triples

Subject  Access  Object
Joe      Read    File 1
Joe      Write   File 1
Joe      Own     File 1
Joe      Read    File 2
Sam      Read    File 2
Sam      Write   File 2
Sam      Own     File 2

(21)

Access Control Mechanisms

- Security through views
- Stored procedures
- Grant and revoke

(22)

Security Through Views

- Assign rights to access predefined views

CREATE VIEW Outstanding-Student
AS SELECT NAME, COURSE, GRADE FROM Student
WHERE GRADE > 'B'

Problem:

(23)

Stored Procedures

- Assign rights to execute compiled programs

GRANT RUN ON <program> TO <user>

Problem: programs may access resources for which the user

(24)

Grant and Revoke

GRANT <privilege> ON <relation>
TO <user>
[WITH GRANT OPTION]

- GRANT SELECT * ON Student TO Matthews
- GRANT SELECT *, UPDATE(GRADE) ON Student TO FARKAS
- GRANT SELECT(NAME) ON Student TO Brown

The GRANT command applies to base relations as well as views

(25)

Grant and Revoke

REVOKE <privileges> [ON <relation>] FROM <user>

- REVOKE SELECT * ON Student FROM Blue
- REVOKE UPDATE ON Student FROM Black
- REVOKE SELECT(NAME) ON Student FROM Brown

(26)

Non-cascading Revoke

[Grant graph with nodes A, B, C, D, E, F: A revokes D's privileges. Only the privilege A gave to D is removed; grants D had already made to others stay in place.]

(27)

Cascading Revoke

[Grant graph with nodes A, B, C, D, E, F: A revokes D's privileges, and every privilege that was derived from D's grant is revoked as well.]
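The Brown/Black/Red scenario and the two revoke semantics above, as an added Python model of the grant graph (this is not code from the lecture slides; the GrantGraph class, its method names and the owner map are assumptions, while the scenario itself is the slides'):

```python
"""Grant graph model of GRANT / REVOKE (added example; not code from the slides).

Each grant is an edge grantor -> grantee for one (object, right). The object's
owner holds every right implicitly. A user may grant a right only if it owns the
object or received that right WITH GRANT OPTION. Cascading revoke keeps removing
grants whose grantor has lost grant authority until nothing changes; non-cascading
revoke removes just the named edge and leaves the grants made from it in place.
Caveat: grant timestamps (which SQL uses to break grant cycles) are not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    obj: str
    right: str
    grant_option: bool = False


class GrantGraph:
    def __init__(self, owners):
        self.owners = dict(owners)  # object -> owner (assumed: one owner per object)
        self.grants = set()

    def holds(self, user, obj, right):
        """True if user is the owner or the grantee of a live grant for (obj, right)."""
        if user == self.owners[obj]:
            return True
        return any(g.grantee == user and g.obj == obj and g.right == right
                   for g in self.grants)

    def can_grant(self, user, obj, right):
        """Owner, or grantee of a live grant that carried WITH GRANT OPTION."""
        if user == self.owners[obj]:
            return True
        return any(g.grantee == user and g.obj == obj and g.right == right
                   and g.grant_option for g in self.grants)

    def grant(self, grantor, grantee, obj, right, grant_option=False):
        if not self.can_grant(grantor, obj, right):
            raise PermissionError(f"{grantor} cannot grant {right} on {obj}")
        self.grants.add(Grant(grantor, grantee, obj, right, grant_option))

    def revoke(self, grantor, grantee, obj, right, cascade=True):
        self.grants = {g for g in self.grants
                       if not (g.grantor == grantor and g.grantee == grantee
                               and g.obj == obj and g.right == right)}
        if cascade:
            self._prune(obj, right)

    def _prune(self, obj, right):
        """Iterate to a fixed point: drop every grant whose grantor can no longer grant."""
        changed = True
        while changed:
            changed = False
            for g in list(self.grants):
                if (g.obj == obj and g.right == right
                        and not self.can_grant(g.grantor, obj, right)):
                    self.grants.discard(g)
                    changed = True


def brown_black_red(cascade):
    """The slide's scenario: Brown owns Employee, grants SELECT to Black WITH GRANT
    OPTION, Black grants SELECT to Red, then Brown revokes Black's grant.
    Returns (Black still holds SELECT, Red still holds SELECT)."""
    g = GrantGraph({"Employee": "Brown"})
    g.grant("Brown", "Black", "Employee", "SELECT", grant_option=True)
    g.grant("Black", "Red", "Employee", "SELECT")
    g.revoke("Brown", "Black", "Employee", "SELECT", cascade=cascade)
    return g.holds("Black", "Employee", "SELECT"), g.holds("Red", "Employee", "SELECT")


if __name__ == "__main__":
    print("cascading:", brown_black_red(True))       # (False, False)
    print("non-cascading:", brown_black_red(False))  # (False, True): Red keeps a dangling grant
```

With non-cascading revoke Red keeps SELECT through a grant whose grantor no longer has any authority over Employee, which is exactly the situation Brown wanted to prevent. Standard SQL offers REVOKE ... RESTRICT, which refuses the revoke while dependent grants exist, and REVOKE ... CASCADE, which behaves like the cascade=True path here.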

(28)

Query Modification

- GRANT SELECT(NAME) ON Student TO Blue WHERE COURSE = "CSCE 590"

Blue's query:

SELECT *
FROM Student

Modified query:

SELECT NAME
FROM Student
WHERE COURSE = "CSCE 590"
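The query modification above, and the view-based mechanism from the Security Through Views slide, as an added example in Python over an in-memory SQLite table (not code from the slides; the Student rows, the AUTH table, the regex-based query parser and the function names are assumptions, and the view predicate is written as GRADE < 'B' because letter grades sort A before B):

```python
"""Query modification (and a restricting view) over an in-memory SQLite Student
relation. Added example; not code from the slides. The slides show only the grant
  GRANT SELECT(NAME) ON Student TO Blue WHERE COURSE = "CSCE 590"
and the rewrite of Blue's SELECT * into SELECT NAME ... WHERE COURSE = "CSCE 590";
everything else here (rows, AUTH table, parser) is constructed for the demo.
"""
import re
import sqlite3

ALL_COLS = ["NAME", "COURSE", "GRADE"]

# Constructed sample rows (not from the slides).
STUDENTS = [
    ("Adams", "CSCE 590", "A"), ("Bailey", "CSCE 590", "C"),
    ("Chin", "CSCE 522", "A"), ("Dewitt", "CSCE 590", "B"),
]

# user -> (columns the user may SELECT, row predicate that must hold): the effect
# of GRANT SELECT(cols) ON Student TO user [WHERE predicate].
AUTH = {
    "Blue": ({"NAME"}, "COURSE = 'CSCE 590'"),
    "Matthews": (set(ALL_COLS), None),   # GRANT SELECT * ON Student TO Matthews
}

QUERY_RE = re.compile(
    r"^\s*SELECT\s+(.+?)\s+FROM\s+Student(?:\s+WHERE\s+(.+?))?\s*;?\s*$", re.I | re.S)


def modify_query(user, sql):
    """Rewrite sql so that it touches only what user is authorized for.
    Unauthorized columns in the SELECT list are projected away (as on the slide).
    A WHERE clause that mentions an unauthorized column is refused outright:
    filtering on a column leaks its values even when it is not returned."""
    m = QUERY_RE.match(sql)
    if not m:
        raise ValueError("only SELECT ... FROM Student [WHERE ...] is supported here")
    cols_txt, where = m.groups()
    allowed_cols, allowed_pred = AUTH.get(user, (set(), None))
    requested = (ALL_COLS if cols_txt.strip() == "*"
                 else [c.strip().upper() for c in cols_txt.split(",")])
    cols = [c for c in requested if c in allowed_cols]
    if not cols:
        raise PermissionError(f"{user} has no SELECT privilege on the requested columns")
    if where:
        # identifiers outside string literals, restricted to real column names
        tokens = re.findall(r"[A-Za-z_]+", re.sub(r"'[^']*'", "", where))
        referenced = {t.upper() for t in tokens} & set(ALL_COLS)
        if not referenced <= allowed_cols:
            raise PermissionError(f"{user} may not filter on {sorted(referenced - allowed_cols)}")
    preds = [p for p in (where, allowed_pred) if p]
    new_sql = f"SELECT {', '.join(cols)} FROM Student"
    if preds:
        new_sql += " WHERE " + " AND ".join(f"({p})" for p in preds)
    return new_sql


def check(user, sql):
    """The rewritten query, or None if the request is refused."""
    try:
        return modify_query(user, sql)
    except PermissionError:
        return None


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Student (NAME TEXT, COURSE TEXT, GRADE TEXT)")
    con.executemany("INSERT INTO Student VALUES (?, ?, ?)", STUDENTS)
    # The slide's Outstanding-Student view; letter grades sort A < B, so
    # "better than B" is GRADE < 'B' in string comparison.
    con.execute("CREATE VIEW Outstanding_Student AS "
                "SELECT NAME, COURSE, GRADE FROM Student WHERE GRADE < 'B'")
    return con


def run_as(user, sql):
    """Execute the user's query after modification and return the rows."""
    return open_db().execute(modify_query(user, sql)).fetchall()


def outstanding_students():
    """What a user granted SELECT on the view (and nothing on the base table) sees."""
    return open_db().execute("SELECT NAME FROM Outstanding_Student ORDER BY NAME").fetchall()


if __name__ == "__main__":
    print(modify_query("Blue", "SELECT * FROM Student"))
    print(run_as("Blue", "SELECT * FROM Student"))
    print(check("Blue", "SELECT NAME FROM Student WHERE GRADE = 'A'"))   # None
    print(outstanding_students())
```

The refusal of Blue's `WHERE GRADE = 'A'` is the check a practitioner would want: silently dropping GRADE from the projection while honouring it in the predicate would let Blue learn who has an A one query at a time. The same leak exists for views unless the view definition, not the user, supplies every predicate.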

(29)

DAC Overview

- Advantages:
  - Intuitive
  - Easy to implement
- Disadvantages:
  - Inherent vulnerability (see the TH (Trojan horse) example)
  - Maintenance of ACLs or capability lists

(30)

Mandatory Access Control (MAC)

- Security label
  - Top-Secret, Secret, Public
- Objects: security classification
  - File 1 is Secret, File 2 is Public
- Subjects: security clearances
  - Brown is cleared to Secret, Black is cleared to Public
- Dominance (≥)

(31)

MAC

- Access rights: defined by comparing the security classification of the requested objects with the security clearance of the subject
- If the access control rules are satisfied, access is permitted
- Otherwise access is rejected

(32)

MAC – Bell-LaPadula (BLP) Model

- Simple security property: a subject S is allowed read access to an object O only if label(S) dominates label(O)
- Star-property (*-property): a subject S is allowed write access to an object O only if label(O) dominates label(S)
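The two BLP rules applied to the slides' labels (Brown cleared to Secret, Black to Public, File 1 Secret, File 2 Public), as an added Python reference monitor that is not code from the slides. The Label class and function names are assumptions, and the optional category set goes beyond the slides' linear levels to the general lattice case, where two labels can be incomparable:

```python
"""Bell-LaPadula access decisions (added example; not code from the slides).
Labels carry the slides' linear levels plus an optional category set (an
assumption that generalizes the check to a lattice)."""
from dataclasses import dataclass

LEVELS = {"Public": 0, "Secret": 1, "Top-Secret": 2}   # levels from the slide


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """self ≥ other: higher-or-equal level and a superset of the categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject, obj):
    """Simple security property: read only if label(S) dominates label(O)."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """*-property: write only if label(O) dominates label(S)."""
    return obj.dominates(subject)


def decide(subjects, objects):
    """Decision for every (subject, object, mode): the slide's 'compare the
    classification with the clearance; permit if the rule holds, else reject'."""
    return {(s, o, mode): rule(subjects[s], objects[o])
            for s in subjects for o in objects
            for mode, rule in (("read", can_read), ("write", can_write))}


# The slide's subjects and objects.
SUBJECTS = {"Brown": Label("Secret"), "Black": Label("Public")}
OBJECTS = {"File 1": Label("Secret"), "File 2": Label("Public")}

if __name__ == "__main__":
    for key, ok in sorted(decide(SUBJECTS, OBJECTS).items()):
        print(*key, "permit" if ok else "deny")
```

Note what the *-property does not say: Black (Public) may write to File 1 (Secret), a blind write-up. That is correct BLP, and it is why deployed systems usually tighten the rule so that a subject writes only at its own level, keeping the integrity of higher-level data intact.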

(33)

Multilevel Security

- Multilevel security: users at different security levels see different versions of the database
- Problem: the different versions need to be kept consistent and coherent without a downward signaling channel

(34)

Statistical Databases

- A database limited to statistical measures (primarily counts and sums)
- Example: medical record database where researchers access only statistical measures
- In a statistical database, information is retrieved by means of statistical queries

(35)

Inference

- Security issue with statistical databases
- The inference problem exists when sensitive data can be deduced from non-sensitive data
- The attacker combines information from outside the database with database responses

(36)

Inference

- Sensitive fields exist in the database, but are sensitive only when viewed row-wise
- The DBA must not allow names to be associated with sensitive attributes
- "n items over k percent" rule: do not respond if n items represent over k percent of the result

(37)

Inference

Anonymous medical data (SSN and Name removed):

SSN  Name  Race   DOB       Sex  Zip    Marital  Health
-    -     Asian  09/07/64  F    22030  Married  Obesity
-    -     Black  05/14/61  M    22030  Married  Obesity
-    -     White  05/08/61  M    22030  Married  Chest pain
-    -     White  09/15/61  F    22031  Widow    Aids

Public list (e.g., voter registration):

Name         Address         City     Zip    DOB       Sex  Party
....         ....            ....     ....   ....      .... ....
Sue Carlson  900 Market St.  Fairfax  22031  09/15/61  F    Democrat

Joining the two on Zip, DOB and Sex links the last medical record to Sue Carlson.

(38)

Inference

- Types of attack
  - direct attack: aggregate computed over a small sample, so individual data items leak
  - indirect attack: combines several aggregates
  - tracker attack: a type of indirect attack (very effective)
  - linear system vulnerability: takes tracker attacks further, using algebraic relations between query sets to construct equations

(39)

Inference

NAME     SEX  RACE  AID   FINES  DRUGS  DORM
Adams    M    C     5000  45     1      Holmes
Bailey   M    B     0     0      0      Grey
Chin     F    A     3000  20     0      West
Dewitt   M    B     1000  35     3      Grey
Earhart  F    C     2000  95     1      Holmes
Fein     F    C     1000  15     0      West
Groff    M    C     4000  0      3      West
Hill     F    B     5000  10     2      Holmes

(40)

Inference

- Direct attack: determine values of sensitive fields by seeking them directly with queries that yield few records
- Request LIST, which is a union of 3 sets:

  LIST NAME where (SEX = M ∧ DRUGS = 1) ∨ (SEX ≠ M ∧ SEX ≠ F) ∨ (DORM = Ayres)

- No dorm is named Ayres and Sex is either M or F, so the second and third sets are empty: the query looks broad but returns only the first set

(41)

Inference

- Indirect attack: combines several aggregates
  - 1 male in Holmes receives 5000
  - 1 female in Grey received no aid
  - request a list of names by dorm (non-sensitive)

Students by Dorm and Sex

        Holmes  Grey  West  Total
M       1       3     1     5
F       2       1     3     6
Total   3       4     4     11

Sums of Financial Aid by Dorm and Sex

        Holmes  Grey  West  Total

(42)

Inference

- Databases are often protected against delivering small response sets to queries
- Trackers can identify a unique value anyway
  - request the (n) and (n - 1) values
  - given n and n - 1, we can easily compute the desired single element

(43)

Inference

- How many caucasian females live in Holmes Hall?

  count((SEX = F) ∧ (RACE = C) ∧ (DORM = Holmes))

- Result: refused, because one record dominates the result
- Now issue two queries on the database:

  count(SEX = F)                                       response = 6
  count((SEX = F) ∧ ((RACE ≠ C) ∨ (DORM ≠ Holmes)))    response = 5

- The difference, 6 - 5 = 1, is the refused count
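The general tracker above, run against a statistical query interface with low-count suppression, as an added Python example (not code from the slides). The rows are the 8 students visible on this page; the slides' totals (11 students, 6 female) come from a larger table, so the counts here are 4 and 3 rather than 6 and 5, but the attack is the same. The StatisticalDB class, the suppression threshold k and the function names are assumptions. The direct-attack query from the earlier slide is also included so the refusal it triggers can be seen:

```python
"""Statistical database with low-count suppression, and the tracker attack that
defeats it. Added example; not code from the slides."""
import sqlite3

# The 8 rows of the slides' table as shown on this page.
ROWS = [
    ("Adams", "M", "C", 5000, 45, 1, "Holmes"), ("Bailey", "M", "B", 0, 0, 0, "Grey"),
    ("Chin", "F", "A", 3000, 20, 0, "West"), ("Dewitt", "M", "B", 1000, 35, 3, "Grey"),
    ("Earhart", "F", "C", 2000, 95, 1, "Holmes"), ("Fein", "F", "C", 1000, 15, 0, "West"),
    ("Groff", "M", "C", 4000, 0, 3, "West"), ("Hill", "F", "B", 5000, 10, 2, "Holmes"),
]
AGGREGATES = ("COUNT(*)", "SUM(AID)", "SUM(FINES)", "SUM(DRUGS)")


class StatisticalDB:
    """Answers only the aggregates above, refusing any query whose result set has
    fewer than k rows or more than N - k rows (the complement set is just as
    revealing as a small set). Predicates are interpolated into SQL for the demo;
    a real interface would parse them."""

    def __init__(self, rows, k=2):
        self.con = sqlite3.connect(":memory:")
        self.con.execute("CREATE TABLE S (NAME TEXT, SEX TEXT, RACE TEXT, AID INT, "
                         "FINES INT, DRUGS INT, DORM TEXT)")
        self.con.executemany("INSERT INTO S VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
        self.n, self.k = len(rows), k

    def query(self, agg, predicate):
        if agg not in AGGREGATES:
            raise ValueError("statistical measures only")
        size = self.con.execute(f"SELECT COUNT(*) FROM S WHERE {predicate}").fetchone()[0]
        if size < self.k or size > self.n - self.k:
            return None                      # refused: too few (or too many) records
        return self.con.execute(f"SELECT {agg} FROM S WHERE {predicate}").fetchone()[0]


def tracker(db, agg, target, t="SEX = 'F'"):
    """General tracker: T is a predicate the database answers and target implies T.
    agg(T) - agg(T ∧ ¬target) = agg(target), even though agg(target) is refused."""
    whole = db.query(agg, t)
    rest = db.query(agg, f"({t}) AND NOT ({target})")
    if whole is None or rest is None:
        return None
    return whole - rest


CAUCASIAN_FEMALE_HOLMES = "SEX = 'F' AND RACE = 'C' AND DORM = 'Holmes'"
# The padded direct-attack query from the slide: two of its three disjuncts are empty.
PADDED_DIRECT = "(SEX = 'M' AND DRUGS = 1) OR (SEX <> 'M' AND SEX <> 'F') OR DORM = 'Ayres'"

if __name__ == "__main__":
    db = StatisticalDB(ROWS)
    print(db.query("COUNT(*)", PADDED_DIRECT))                   # None: refused (1 record)
    print(db.query("COUNT(*)", CAUCASIAN_FEMALE_HOLMES))         # None: refused (1 record)
    print(tracker(db, "COUNT(*)", CAUCASIAN_FEMALE_HOLMES))      # 1
    print(tracker(db, "SUM(AID)", CAUCASIAN_FEMALE_HOLMES))      # 2000: Earhart's aid
    print(tracker(db, "SUM(DRUGS)", CAUCASIAN_FEMALE_HOLMES))    # 1: Earhart's drug use
```

Every query the tracker issues covers 3 or 4 of the 8 records, so each one passes the size check on its own; the suppression rule looks at queries individually and cannot see that their difference isolates one student. That is the practical lesson: per-query size limits, including the n-over-k-percent rule, are not a defence against an adaptive querier.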

(44)

Inference

- The tracker is a specific case of the "linear system vulnerability"
- The result of a query is a set of records, so each answered query is a linear equation over the records' values:
  - q1 = c1 + c2 + c3 + c4 + c5
  - q2 = c1 + c2 + c4
  - q3 = c3 + c4
  - q4 = c4 + c5
  - q5 = c2 + c5

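The five query sets above solved as a linear system, as an added Python example that is not code from the slides. The query sets are the slide's; the secret per-record values, the answers computed from them and the function names are constructed for the demonstration:

```python
"""Linear-system attack: each answered aggregate query is an equation over the
per-record values c1..c5; with five independent queries the attacker solves for
every record. Added example; not code from the slides."""
from fractions import Fraction

# Row i lists which of c1..c5 query q_i sums over (from the slide).
QUERY_SETS = [
    [1, 1, 1, 1, 1],   # q1 = c1 + c2 + c3 + c4 + c5
    [1, 1, 0, 1, 0],   # q2 = c1 + c2 + c4
    [0, 0, 1, 1, 0],   # q3 = c3 + c4
    [0, 0, 0, 1, 1],   # q4 = c4 + c5
    [0, 1, 0, 0, 1],   # q5 = c2 + c5
]


def solve(matrix, rhs):
    """Gauss-Jordan elimination over exact rationals.
    Returns the unique solution, or None if the system is singular."""
    n = len(matrix)
    a = [[Fraction(x) for x in row] + [Fraction(b)] for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col] != 0), None)
        if pivot is None:
            return None
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [x / p for x in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [a[r][n] for r in range(n)]


def answers_for(secret):
    """What the statistical database returns for the five queries; each one
    individually covers at least two records, so none is refused."""
    return [sum(c for c, sel in zip(secret, row) if sel) for row in QUERY_SETS]


def recover(answers):
    """The attacker's side: solve the five equations for c1..c5."""
    return solve(QUERY_SETS, answers)


if __name__ == "__main__":
    secret = [10, 20, 30, 40, 50]            # constructed per-record values
    print(answers_for(secret))               # [150, 70, 70, 90, 70]
    print(recover(answers_for(secret)))      # [10, 20, 30, 40, 50]
```

The tracker is the two-equation instance of this: q(T) and q(T ∧ ¬target) determine q(target). The defence implied by the attack is to control the query sets jointly (query analysis, or limiting the overlap between answered sets) rather than the size of each set alone.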
(45)

Inference

- Protection techniques
  - Only queries disclosing non-sensitive data are allowed
    - difficult to discriminate between queries
    - effective primarily against direct attacks
  - Controls applied to individual items within the database
    - suppression: don't provide sensitive data
    - concealing: provide slightly modified values

(46)

Inference

- The "n items over k percent" rule is not sufficient in itself to prevent inference
- We must suppress one other value in the same row and column, otherwise the suppressed cell is recoverable from the totals

Students by Dorm and Sex, with Low Count Suppression

        Holmes  Grey  West  Total
M       –       3     –     5
F       2       –     3     6

(47)

Inference

- Suppression by combining results
  - combines rows or columns to protect sensitive values

Suppression by Combining Revealing Values

Drug Use
Sex   0 or 1   2 or 3

(48)

Inference

- Random sample
  - partition the data and take a random sample from the partition
  - equivalent queries may or may not result in the same sample
- Random data perturbation
  - intentionally introduce error into the response
- Query analysis
