
Chapter23

Date post: 28-Nov-2014
Description: Navathe Database Management System
Elmasri/Navathe, Fundamentals of Database Systems, 4th Edition
Page 1: Chapter23


Page 2: Database Security and Authorization

Chapter 23

Page 3: Chapter Outline

Introduction to Database Security Issues

Discretionary Access Control Based on Granting and Revoking Privileges

Mandatory Access Control and Role-Based Access Control for Multilevel Security

Introduction to Statistical Database Security

Introduction to Flow Control

Encryption and Public Key Infrastructures

Page 4: Database Security Issues

Database security considers the following types of security:

Legal and ethical issues regarding the right to access certain information.

Policy issues (e.g., personal medical records should not be made public).

System-related issues (e.g., whether a security function should be handled at the physical hardware level, the operating system level, or the DBMS level).

Classification of security levels (e.g., top secret, secret, confidential, and unclassified).

Page 5: Database Security Issues

A DBMS includes a database security and authorization subsystem.

Two types of database security mechanisms:

1) Discretionary security mechanisms: these are used to grant privileges to users (e.g., the capability to access specific data files, records, or fields).

2) Mandatory security mechanisms: these are used to enforce multilevel security by classifying the data and users into various security classes.

A common security problem is that of preventing unauthorized persons from accessing the system itself.

Page 6: Database Security Issues

Threats to Databases:

Loss of integrity: information must be protected from improper modification.

Loss of availability: information must be available to users/programs to which they have a legitimate right.

Loss of confidentiality: information must be protected from unauthorized disclosure.

Protection of databases against the above threats can be achieved by employing: access control, flow control, inference control, and encryption.

Page 7: Database Security and the DBA

The DBA is responsible for the overall security of the database system.

The DBA has a DBA account in the DBMS, which can be used to perform the following types of actions (not available to regular users):

1) Account creation: creates a new account and password for a user or a group of users.

2) Privilege granting: permits the DBA to grant certain privileges to certain accounts.

3) Privilege revocation: permits the DBA to revoke (cancel) certain privileges that were previously given to certain accounts.

4) Security level assignment: assigns user accounts to the appropriate security classification level.

Page 8: Access Protection and Database Audits

In order to access the system, users must obtain (from the DBA) a user name and a password.

The user must log in to the DBMS whenever database access is needed.

The DBMS keeps track of all operations on the database that are applied by a certain user. If any tampering with the database is suspected, a database audit is performed.

A database log that is used mainly for security purposes is sometimes called an audit trail.

Page 9: Discretionary Access Control

This mechanism is based on the granting and revoking of privileges.

There are two levels for assigning privileges:

1) The account level: the DBA specifies the particular privileges that each account holds independently of the relations in the database (CREATE TABLE, CREATE VIEW, DROP, and ALTER).

2) The relation/table level: the DBA can control the privilege to access each individual relation or view in the database.

Page 10: Discretionary Access Control

To control the granting and revoking of relation privileges, each relation R in a database is assigned an owner account.

In SQL the following types of privileges can be granted on each individual relation R:

SELECT privilege: gives the account the retrieval (read) privilege on R.

Modify privilege: gives the account the capability to modify tuples of R.

References privilege: gives the account the capability to reference relation R.

Page 11: Discretionary Access Control

The mechanism of VIEWS is an important discretionary authorization mechanism.

Whenever the owner A of a relation R grants a privilege on R to another account B, the privilege can be given to B with or without the GRANT OPTION.

The GRANT OPTION enables the propagation of privileges (e.g., user B can propagate the privilege to other accounts without the knowledge of user A).

Page 12: Discretionary Access Control

An example: suppose that the DBA creates four accounts (A1, A2, A3, and A4) and issues

GRANT CREATETAB TO A1;

Now A1 can create tables. Suppose A1 creates the two base relations EMPLOYEE and DEPARTMENT.

Page 13: Discretionary Access Control

Next, A1 can issue

GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;

Now A2 can perform insert/delete operations on these two tables, but cannot propagate these privileges.

Next, suppose that A1 issues

GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION;

Now A3 can issue

GRANT SELECT ON EMPLOYEE TO A4;

Page 14: Discretionary Access Control

Now suppose that A1 decides to revoke the SELECT privilege on the EMPLOYEE relation from A3:

REVOKE SELECT ON EMPLOYEE FROM A3;

The DBMS now automatically revokes the SELECT privilege on EMPLOYEE from A4, too.

Next, suppose A1 wants to give A3 a limited capability to SELECT from the EMPLOYEE relation.

The limitation is to retrieve only the NAME, BDATE, and ADDRESS attributes and only for the tuples with DNO = 5.

Page 15: Discretionary Access Control

Hence, A1 creates the following view:

CREATE VIEW A3EMPLOYEE AS SELECT NAME, BDATE, ADDRESS FROM EMPLOYEE WHERE DNO = 5;

After the view is created, A1 issues

GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT OPTION;

Finally, suppose A1 wants to allow A4 to update only the SALARY attribute of EMPLOYEE:

GRANT UPDATE ON EMPLOYEE (SALARY) TO A4;
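The GRANT/REVOKE sequence of pages 12 to 15, replayed as an added Python model (this is example code, not from the slides or the textbook): grants form a graph, a grant is only accepted from an account that holds the privilege WITH GRANT OPTION, and revoking A1's grant to A3 cascades to A4 exactly as page 14 describes. The AuthGraph class and its method names are this example's own assumptions.

```python
# Added example (not from the Elmasri/Navathe slides): a small model of SQL
# discretionary authorization with GRANT OPTION and cascading REVOKE.
from collections import defaultdict

class AuthGraph:
    """Tracks who granted which privilege on which relation to whom."""
    def __init__(self):
        # (relation, privilege) -> list of (grantor, grantee, grant_option)
        self.edges = defaultdict(list)

    def owner(self, account, relation, privileges):
        # The owner holds every privilege on its relation, with grant option.
        for p in privileges:
            self.edges[(relation, p)].append((None, account, True))

    def holds(self, account, relation, priv, need_grant_option=False):
        return any(g == account and (opt or not need_grant_option)
                   for _, g, opt in self.edges[(relation, priv)])

    def grant(self, grantor, grantee, relation, priv, with_grant_option=False):
        # A grantor may only pass on a privilege it holds WITH GRANT OPTION.
        if not self.holds(grantor, relation, priv, need_grant_option=True):
            raise PermissionError(f"{grantor} cannot grant {priv} on {relation}")
        self.edges[(relation, priv)].append((grantor, grantee, with_grant_option))

    def revoke(self, grantor, grantee, relation, priv):
        # Drop the edge, then cascade: grants the grantee made that are no
        # longer backed by a surviving grant-option edge are revoked too.
        key = (relation, priv)
        self.edges[key] = [e for e in self.edges[key] if e[:2] != (grantor, grantee)]
        if not self.holds(grantee, relation, priv, need_grant_option=True):
            for _, g2, _opt in [e for e in self.edges[key] if e[0] == grantee]:
                self.revoke(grantee, g2, relation, priv)

def slide_scenario():
    """Replays A1..A4; returns SELECT-on-EMPLOYEE status before/after the revoke."""
    ag = AuthGraph()
    ag.owner("A1", "EMPLOYEE", ["SELECT", "INSERT", "DELETE", "UPDATE"])
    ag.grant("A1", "A2", "EMPLOYEE", "INSERT")                 # no grant option
    ag.grant("A1", "A3", "EMPLOYEE", "SELECT", with_grant_option=True)
    ag.grant("A3", "A4", "EMPLOYEE", "SELECT")                 # allowed via grant option
    try:
        ag.grant("A2", "A4", "EMPLOYEE", "INSERT")             # A2 may not propagate
    except PermissionError:
        pass
    before = {a: ag.holds(a, "EMPLOYEE", "SELECT") for a in ("A3", "A4")}
    ag.revoke("A1", "A3", "EMPLOYEE", "SELECT")                # cascades to A4
    after = {a: ag.holds(a, "EMPLOYEE", "SELECT") for a in ("A3", "A4")}
    return before, after
```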

Page 16: Mandatory Access Control

This mechanism provides multilevel security, which is desirable in government, military, and intelligence applications.

Typical security classes are: Top Secret (TS), Secret (S), Confidential (C), and Unclassified (U),

where TS ≥ S ≥ C ≥ U.

Page 17: Mandatory Access Control

A commonly used model for multilevel security, known as the Bell-LaPadula model, classifies each subject (user, account, program) and object (relation, tuple, column, view, operation) into one of the security classes TS, S, C, or U.

Two restrictions on data access based on the subject/object (S/O) classifications are:

1) A subject S is not allowed read access to an object O unless class(S) ≥ class(O). This is known as the simple security property.

2) A subject S is not allowed to write an object O unless class(S) ≤ class(O). This is known as the star property (or *-property).

Page 18: Mandatory Access Control

Incorporation of multilevel security notions with relational databases requires that each attribute A be associated with a classification attribute C in the schema. In some relational models, a tuple classification attribute TC is added to the relation attributes. Hence a multilevel relation schema R would be represented as:

R(A1, C1, A2, C2, …, An, Cn, TC)

The apparent key of a multilevel relation is the set of attributes that would have formed the primary key in a regular (single-level) relation.

Page 19: Mandatory Access Control

It is possible to store a single tuple in the relation at a higher classification level and produce the corresponding tuples at a lower classification level through a process known as filtering.

Sometimes it is necessary to store two or more tuples at different classification levels with the same value for the apparent key. This leads to the concept of polyinstantiation, where several tuples can have the same apparent key value but have different attribute values for users at different classification levels.
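An added Python example (not from the slides) that covers both the two Bell-LaPadula properties of page 17 and the filtering of page 19: constructed EMPLOYEE tuples in the R(A1, C1, ..., An, Cn, TC) shape carry a classification per attribute, and filter_for produces what a U, C or S user sees. The sample data and the rule used for nulled attributes and the recomputed TC are this example's own assumptions, not a copy of Figure 23.2.

```python
# Added example (not from the slides): Bell-LaPadula checks and filtering of a
# multilevel relation with per-attribute classifications and a tuple class TC.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # U < C < S < TS

def can_read(subject_class, object_class):
    """Simple security property: read only if class(S) >= class(O)."""
    return LEVELS[subject_class] >= LEVELS[object_class]

def can_write(subject_class, object_class):
    """*-property: write only if class(S) <= class(O) (no write-down)."""
    return LEVELS[subject_class] <= LEVELS[object_class]

# Constructed EMPLOYEE tuples in the schema R(A1, C1, ..., An, Cn, TC): every
# attribute is a (value, classification) pair; Name is the apparent key.
EMPLOYEE = [
    {"Name": ("Smith", "U"), "Salary": (40000, "C"),
     "JobPerformance": ("Fair", "S"), "TC": "S"},
    {"Name": ("Brown", "C"), "Salary": (80000, "S"),
     "JobPerformance": ("Good", "C"), "TC": "S"},
]

def filter_for(relation, user_class):
    """Filtering: the view of the relation seen by a user at user_class.
    A tuple whose apparent key is classified above the user is hidden; any
    other attribute above the user becomes None at the user's class, and TC
    is recomputed as the highest class left in the tuple (the null/TC rules
    are this example's modelling assumption)."""
    out = []
    for t in relation:
        if not can_read(user_class, t["Name"][1]):
            continue              # the apparent key itself is invisible
        f = {}
        for attr, (val, cls) in ((k, v) for k, v in t.items() if k != "TC"):
            f[attr] = (val, cls) if can_read(user_class, cls) else (None, user_class)
        f["TC"] = max((c for _, c in f.values()), key=LEVELS.get)
        out.append(f)
    return out
```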

Page 20: Mandatory Access Control

FIGURE 23.2

A multilevel relation to illustrate multilevel security. (a) The original EMPLOYEE tuples. (b) Appearance of EMPLOYEE after filtering for classification C users. (c) Appearance of EMPLOYEE after filtering for classification U users. (d) Polyinstantiation of the Smith tuple: a C user updates JobPerformance to Excellent.

Page 21: Role-Based Access Control

Role-based access control (RBAC) is a technology for managing and enforcing security in large-scale, enterprise-wide systems.

Permissions are associated with roles, and users are assigned to appropriate roles.

Roles can be created using the CREATE ROLE and DESTROY ROLE commands (the GRANT and REVOKE commands can then be used to assign privileges to roles and revoke them from roles).

Page 22: Statistical Database Security

A statistical database may contain confidential data on individuals, but users are permitted to retrieve statistical information on the population.

A population is a set of tuples of a relation that satisfy some selection condition.

Statistical database security techniques must prevent the retrieval of individual data.

In some cases it is possible to infer the values of individual tuples from a sequence of statistical queries; this must be prevented by the statistical database security mechanism.

Page 23: Statistical Database Security

FIGURE 23.3 The PERSON relation schema for illustrating statistical database security.

An example:

Q1: SELECT COUNT (*) FROM PERSON WHERE <CONDITION>;

Q2: SELECT AVG (INCOME) FROM PERSON WHERE <CONDITION>;

Now suppose that we know 'Jane Smith' is the only female who has a Ph.D. degree and lives in Bellaire, Texas. Then the following query returns her income:

Q3: SELECT AVG (INCOME) FROM PERSON WHERE LAST_DEGREE = 'Ph.D.' AND Sex = 'F' AND CITY = 'Bellaire' AND STATE = 'Texas';
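An added Python example (not from the slides) of one standard control that the slide's requirement implies but does not name, query-set-size restriction: the gatekeeper computes the population selected by a condition and refuses COUNT/AVG when it is smaller than a threshold, so Q3 above, whose population is the single Jane Smith tuple, returns nothing. The PERSON rows, the threshold of 5 and the function names are constructed for this example.

```python
# Added example (not from the slides): a gatekeeper for statistical queries
# over a constructed PERSON table that refuses COUNT/AVG when the selected
# population is too small to hide an individual (query-set-size control).
MIN_POPULATION = 5   # assumed threshold for this example

def row(name, degree, sex, city, state, income):
    return dict(Name=name, Last_degree=degree, Sex=sex, City=city,
                State=state, Income=income)

# Constructed rows: 'Jane Smith' is the only female Ph.D. living in Bellaire, Texas.
PERSON = [
    row("Jane Smith", "Ph.D.", "F", "Bellaire", "Texas", 95000),
    row("Bob Lee", "Ph.D.", "M", "Bellaire", "Texas", 88000),
    row("Ann Cole", "M.S.", "F", "Bellaire", "Texas", 70000),
    row("Dan Park", "B.S.", "M", "Houston", "Texas", 52000),
    row("Eve Ray", "Ph.D.", "F", "Austin", "Texas", 91000),
    row("Tom Fox", "M.S.", "M", "Houston", "Texas", 61000),
]

def stat_query(aggregate, condition, column=None, threshold=MIN_POPULATION):
    """Evaluates COUNT(*) or AVG(column) over the population selected by
    condition, refusing (PermissionError) when that population is smaller
    than threshold, so a condition identifying one person returns nothing."""
    pop = [p for p in PERSON if condition(p)]
    if len(pop) < threshold:
        raise PermissionError(f"population of {len(pop)} is below {threshold}")
    if aggregate == "COUNT":
        return len(pop)
    if aggregate == "AVG":
        return sum(p[column] for p in pop) / len(pop)
    raise ValueError(f"unsupported aggregate {aggregate}")

# Q3 from the slide: the condition that singles out Jane Smith.
def q3_condition(p):
    return (p["Last_degree"] == "Ph.D." and p["Sex"] == "F"
            and p["City"] == "Bellaire" and p["State"] == "Texas")

def q3_blocked():
    """True if the gatekeeper refuses the identifying AVG(INCOME) query."""
    try:
        stat_query("AVG", q3_condition, column="Income")
        return False
    except PermissionError:
        return True
```

A size threshold on its own does not stop inference from a sequence of overlapping queries whose populations differ by one person, which is the case the previous slide warns about; it is a first check, not a complete inference control.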

Page 24: Introduction To Flow Control

A flow between object X and object Y occurs when a program reads values from X and writes values into Y.

Flow controls must prevent any information leakage (a user cannot get indirectly in Y what s/he cannot get directly from X).

A flow policy specifies the channels along which information is allowed to move. It specifies two classes of information: confidential (C) and nonconfidential (N), and allows all flows except those from class C to class N.

Page 25: Introduction To Flow Control

A covert channel allows a transfer of information that violates the security policy, that is, it allows information to pass from a higher classification level to a lower classification level through improper means.

Covert channels can be classified into:

1) Timing channels: the information is conveyed by the timing of events or processes. Example: one party influences the system load; the other observes it by timing task execution.

2) Storage channels: the information is conveyed through variables and attributes other than time. Example: one party causes resource exhaustion; the other observes it by requesting resources.

Page 26: Encryption and Public Key Infrastructures

Encryption consists of applying an encryption algorithm to data using some prespecified encryption key. The resulting data (the cryptogram) has to be decrypted using a decryption key to recover the original data.

Cryptographic algorithms can be classified into two main categories:

1) Private key (symmetric) algorithms: knowledge of one of the encryption/decryption keys is sufficient to learn the other key.

2) Public key (asymmetric) algorithms: knowledge of one of the encryption/decryption keys gives no idea about the other key.

Page 27: Encryption and Public Key Infrastructures

A public key algorithm has six ingredients:

1) Plaintext: the data or readable message,

2) Encryption algorithm: performs a transformation on the plaintext and generates the ciphertext,

3) Public key: one of the keys (the encryption key), which is made public (applies to the encryption algorithm),

4) Private/secret key: the other key (the decryption key), which is kept secure (applies to the decryption algorithm),

5) Ciphertext: the scrambled message produced as output of the encryption algorithm,

6) Decryption algorithm: accepts the ciphertext and the decryption key and produces the original plaintext.

Page 28: Encryption and Public Key Infrastructures

The RSA public key system was introduced in 1978. It operates with modular arithmetic mod n, where

n = p * q, and p and q are large and distinct primes.

The encryption key, e, is chosen such that gcd(e, φ(n)) = 1,

where φ(n) = (p-1) * (q-1).

The decryption key, d, is then calculated such that

e * d = 1 mod φ(n)

The owner of the system makes (e, n) public, but keeps d secret (and destroys p and q).

Page 29: Encryption and Public Key Infrastructures

Encryption of the message M is possible by anyone who knows the public key e:

C = M^e mod n

Decryption of the ciphertext C requires knowledge of the secret key d:

M = C^d mod n

The owner of the private key can sign a message M:

S = M^d mod n

S is the digital signature of the owner of the system (nobody else can generate it, since they do not know d), but everybody can verify that S is the signature of message M, using S and e, as:

S^e = M mod n
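The key generation, encryption, decryption, signing and verification equations of pages 28 and 29, worked through in an added Python example (not from the slides) with the well-known toy parameters p = 61, q = 53, e = 17. The function names are this example's own; the primes are far too small for real use and textbook RSA without padding is shown only to make the arithmetic visible.

```python
# Added example (not from the slides): textbook RSA with deliberately tiny
# primes so the slide's arithmetic can be followed; real keys use primes of
# hundreds of digits and padding, never raw M^e mod n as here.
from math import gcd

def keygen(p, q, e):
    """Returns ((e, n), d) with n = p*q, phi = (p-1)(q-1), gcd(e, phi) = 1
    and d = e^-1 mod phi, i.e. e*d = 1 mod phi(n) as on page 28."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (e, n), d                 # (e, n) is public, d stays secret

def encrypt(m, pub):
    e, n = pub
    return pow(m, e, n)              # C = M^e mod n

def decrypt(c, d, n):
    return pow(c, d, n)              # M = C^d mod n

def sign(m, d, n):
    return pow(m, d, n)              # S = M^d mod n, needs the secret d

def verify(s, m, pub):
    e, n = pub
    return pow(s, e, n) == m % n     # anyone can check S^e = M mod n

def demo():
    """Round trip with p=61, q=53, e=17 (n=3233, phi=3120, d=2753)."""
    pub, d = keygen(61, 53, 17)
    m = 65
    c = encrypt(m, pub)
    s = sign(m, d, pub[1])
    return c, decrypt(c, d, pub[1]), verify(s, m, pub), verify(s, m + 1, pub)
```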
