Iss lecture 6

Date post: 29-May-2015

Upload: ali-habeeb
Page 1: Iss lecture 6

Information System Security

Lecture 6

Database Security

Page 2: Iss lecture 6


Outline

Data security

Access control

Security policy

Access control policy

1. Discretionary access control

2. Content-based access control

3. Mandatory access control

4. Role-based access control

Page 3: Iss lecture 6


Data security: Examples

1. Consider a payroll database in a corporation; it must be ensured that:

– Salaries of individual employees are not disclosed to arbitrary users of the database,

– Salaries are modified only by those individuals that are properly authorized,

– Paychecks are printed on time at the end of each pay period.

2. In a military environment, it is important that:

– The target of a missile is not given to an unauthorized user,

– The target is not arbitrarily modified,

– The missile is launched when it is fired.

Page 4: Iss lecture 6


Data Security: main goals

Confidentiality: it refers to data protection from unauthorized read operations.

Integrity: it refers to data protection from unauthorized modification operations.

Availability: it ensures that data access is not denied to authorized subjects.

Others: Authentication, etc.

[Figure: Confidentiality, Integrity and Availability as the three components of Data security.]

Page 5: Iss lecture 6


Data Security: main goals

Confidentiality is enforced by the access control mechanism.

Integrity is enforced by the access control mechanism and by the semantic integrity constraints specified during schema definition.

Availability is enforced by the recovery and concurrency control mechanisms.

Page 6: Iss lecture 6


Access control: Basic concepts

An access control system regulates the operations that can be executed on data and resources to be protected.

Its goal is to control operations executed by subjects in order to prevent actions that could damage data and resources.

[Figure: the reference monitor. An access request is evaluated by the Reference Monitor against the authorization rules derived from the security policy; the outcome is Access denied, Access permitted, or Access partially permitted.]

Page 7: Iss lecture 6


Security Policy

Policies deal with defining what is authorized and who can grant authorizations.

Existing security policies tend to focus mainly on the confidentiality (privacy) requirements of security.

Policies are used like requirements; they are the starting point in the development of any system that has security features.

Adopted security policies mainly depend on organizational requirements, such as legal requirements, regulatory requirements, and user requirements.

Page 8: Iss lecture 6


Security Policies and Authorizations

The security policies are implemented by mapping them into a set of authorizations.

Authorizations thus establish the operations and rights that subjects can exercise on the protected objects.

The reference monitor is a control mechanism
– It has the task of determining whether a given subject is authorized to access the data.

Page 9: Iss lecture 6


Access control policy

Discretionary access control

Mandatory access control

Role-based access control

Context-based access control

Page 10: Iss lecture 6


Access control Policy

Most access control policies are formulated in terms of subjects, objects, and privileges.

Authorization Objects: Anything that holds data, such as relations, directories, interprocess messages, network packets, I/O devices, or physical media.

Authorization Subjects: An abstraction of any active entity that performs computation in the system
– Examples: users, processes, roles, etc.

Authorization Privileges: Operations that a subject can exercise on the objects in the system
– Examples: read, write, execute, select, insert, update, delete, etc.

Page 11: Iss lecture 6


Discretionary ACPs

DAC policies govern the access of subjects to objects on the basis of subjects' identity and authorization rules.

When an access request is submitted to the system, the access control mechanism verifies whether there is an authorization rule authorizing the access.

Such mechanisms are discretionary in that they allow subjects to grant other subjects authorization to access their objects at their discretion.

Most of the common commercial DBMSs support it.

Page 12: Iss lecture 6


DAC: SQL commands

Privilege delegation is supported through the grant option: if a privilege is granted with the grant option, the user receiving it can not only exercise the privilege, but can also grant it to other users.

A user can only grant a privilege on a given table if he/she is the table owner or if he/she has received the privilege with grant option.

GRANT PrivilegeList | ALL [PRIVILEGES] ON table | view TO UserList | PUBLIC [WITH GRANT OPTION]

Page 13: Iss lecture 6


DAC: SQL commands

Example:
– Bob: GRANT select, insert ON Employee TO Ann WITH GRANT OPTION;
– Bob: GRANT select ON Employee TO Jim WITH GRANT OPTION;
– Ann: GRANT select, insert ON Employee TO Jim;

– Jim has the select privilege (received from both Bob and Ann) and the insert privilege (received from Ann).

– Jim can grant to other users the select privilege (because he has received it with grant option); however, he cannot grant the insert privilege.

Page 14: Iss lecture 6


DAC in SQL - Grant

Grant Command:

1. Bob: GRANT select, insert ON Employee TO Jim WITH GRANT OPTION;

2. Bob: GRANT select ON Employee TO Ann WITH GRANT OPTION;

3. Bob: GRANT insert ON Employee TO Ann;

4. Jim: GRANT update ON Employee TO Tim WITH GRANT OPTION;

5. Ann: GRANT select, insert ON Employee TO Tim;

The first three GRANT commands are fully executed (Bob is the owner of the table).

The fourth command is not executed, because Jim does not have the update privilege on the table.

The fifth command is partially executed; Ann has the select and insert privileges, but she does not have the grant option for the insert
– Tim only receives the select privilege.

Page 15: Iss lecture 6


DAC in SQL - Revoke

REVOKE PrivilegeList | ALL [PRIVILEGES] ON table | view FROM UserList | PUBLIC

A user can only revoke the privileges he/she has granted.

Upon execution of a revoke operation, the user from whom the privileges have been revoked loses these privileges, unless he/she holds them from some source independent from the one that executed the revoke.

Recursive revocation: whenever a user revokes an authorization on a table from another user, all the authorizations that the revokee had granted because of the revoked authorization are removed.

Page 16: Iss lecture 6


DAC in SQL - Revoke

Example:
– Bob: GRANT select ON Employee TO Jim WITH GRANT OPTION;
– Bob: GRANT select ON Employee TO Ann WITH GRANT OPTION;
– Jim: GRANT select ON Employee TO Tim;
– Ann: GRANT select ON Employee TO Tim;
– Jim: REVOKE select ON Employee FROM Tim;

– Tim continues to hold the select privilege on table Employee after the revoke operation, since he has independently obtained such privilege from Ann.
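The grant-option, partial-execution and recursive-revocation rules of the four DAC slides above, as an added example that is not part of the lecture: a small Python model of the authorizations on one table that replays the five commands of the 'DAC in SQL - Grant' slide and the revoke example just above, then extends the latter with a revoke by the owner Bob to show the cascade. The one-table scope and the rule that a grant can only be backed by an earlier grant are assumptions of this model, not something the slides state.

```python
from collections import namedtuple

Auth = namedtuple("Auth", "grantor grantee privilege grant_option")  # one authorization

class Table:
    """DAC authorizations on one table, following the lecture's GRANT/REVOKE rules."""
    def __init__(self, owner):
        self.owner = owner
        self.auths = []  # chronological list of Auth records, one per granted privilege

    def can_grant(self, user, priv, before=None):
        # The owner may always grant; anyone else needs `priv` WITH GRANT OPTION from a
        # grant made before position `before` (assumed: a grant cannot rely on a later one).
        return user == self.owner or any(
            a.grantee == user and a.privilege == priv and a.grant_option
            for a in self.auths[:before])

    def holds(self, user, priv):
        return user == self.owner or any(
            a.grantee == user and a.privilege == priv for a in self.auths)

    def grant(self, grantor, privs, grantee, grant_option=False):
        """Returns the privileges actually granted: a command may execute partially."""
        granted = [p for p in privs if self.can_grant(grantor, p)]
        for p in granted:
            self.auths.append(Auth(grantor, grantee, p, grant_option))
        return granted

    def revoke(self, revoker, privs, revokee):
        """A user revokes only what he/she granted; dependent grants are removed too."""
        for p in privs:
            self.auths = [a for a in self.auths if not (
                a.grantor == revoker and a.grantee == revokee and a.privilege == p)]
            while True:  # recursive revocation: drop grants of p that lost their backing
                kept = [a for i, a in enumerate(self.auths)
                        if a.privilege != p or self.can_grant(a.grantor, p, before=i)]
                if len(kept) == len(self.auths):
                    break
                self.auths = kept

def grant_example():
    """The five GRANT commands of the 'DAC in SQL - Grant' slide."""
    emp = Table(owner="Bob")
    return [
        emp.grant("Bob", ["select", "insert"], "Jim", grant_option=True),
        emp.grant("Bob", ["select"], "Ann", grant_option=True),
        emp.grant("Bob", ["insert"], "Ann"),
        emp.grant("Jim", ["update"], "Tim", grant_option=True),  # Jim lacks update: []
        emp.grant("Ann", ["select", "insert"], "Tim"),  # no grant option on insert
    ]

def revoke_example():
    """The 'DAC in SQL - Revoke' slide, extended with a revoke by the owner."""
    emp = Table(owner="Bob")
    emp.grant("Bob", ["select"], "Jim", grant_option=True)
    emp.grant("Bob", ["select"], "Ann", grant_option=True)
    emp.grant("Jim", ["select"], "Tim")
    emp.grant("Ann", ["select"], "Tim")
    emp.revoke("Jim", ["select"], "Tim")
    after_jim = emp.holds("Tim", "select")  # True: Tim still has it from Ann
    emp.revoke("Bob", ["select"], "Ann")  # cascades to the grant Ann made to Tim
    after_bob = emp.holds("Tim", "select")  # False: no independent source left
    return after_jim, after_bob
```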

Page 17: Iss lecture 6


Content-Based AC (CBAC)

Content-based access control conditions the access to a given object on its content.

As an example, in an RDBMS supporting content-based access control it is possible to authorize a subject to access information only of those employees whose salary is not greater than 30K.

The two most common approaches to enforce content-based access control in a DBMS are:
– associating a predicate (or a Boolean combination of predicates) with the authorization
– defining a view which selects the objects whose content satisfies a given condition, and then granting the authorization on the view instead of on the basic objects

Page 18: Iss lecture 6


CBAC: SQL Commands

Example: suppose we want to authorize user Ann to access only the employees whose salary is lower than 20000 – steps:
– CREATE VIEW Vemp AS SELECT * FROM Employee WHERE Salary < 20000;
– GRANT Select ON Vemp TO Ann;

Ann:
– SELECT * FROM Vemp WHERE Job = 'Programmer';
– This is equivalent to:
– SELECT * FROM Employee WHERE Salary < 20000 AND Job = 'Programmer';
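The two enforcement approaches of the CBAC slide and the query equivalence just above, as an added example that is not the lecture's code: Python with sqlite3 over a constructed Employee table, with an assumed authorization catalogue AUTHORIZATIONS for the predicate approach and the slide's Vemp view for the view approach; both yield the same rows for Ann's query, and rows outside the predicate never reach her.

```python
import sqlite3

# Approach 1 of the 'Content-Based AC' slide: a predicate stored with the authorization.
# The catalogue is administrator-defined (assumed), so it is safe to splice into the query.
AUTHORIZATIONS = {("Ann", "Employee", "select"): "Salary < 20000"}


def build_db():
    """In-memory Employee table with constructed sample rows (not from the lecture)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Employee (Name TEXT, Job TEXT, Salary INTEGER)")
    con.executemany("INSERT INTO Employee VALUES (?, ?, ?)", [
        ("Ann", "Programmer", 18000), ("Bob", "Programmer", 25000),
        ("Jim", "Analyst", 19000), ("Tim", "Programmer", 15000),
    ])
    # Approach 2, as on the 'CBAC: SQL Commands' slide: the authorization goes on a view.
    con.execute("CREATE VIEW Vemp AS SELECT * FROM Employee WHERE Salary < 20000")
    return con


def programmers_via_predicate(con, user):
    """Rewrites the user's query so the authorization predicate is ANDed in;
    raises if the user holds no select authorization on Employee at all."""
    pred = AUTHORIZATIONS.get((user, "Employee", "select"))
    if pred is None:
        raise PermissionError(f"{user} has no select authorization on Employee")
    sql = f"SELECT Name FROM Employee WHERE ({pred}) AND Job = ? ORDER BY Name"
    return [row[0] for row in con.execute(sql, ("Programmer",))]


def programmers_via_view(con):
    """Ann's query from the slide, run against the view she was granted select on."""
    sql = "SELECT Name FROM Vemp WHERE Job = ? ORDER BY Name"
    return [row[0] for row in con.execute(sql, ("Programmer",))]
```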

Page 19: Iss lecture 6


Mandatory Access control

MAC specifies the access that subjects have to objects based on the classification of subjects and objects.

This type of security has also been referred to as multilevel security.

Database systems that satisfy multilevel security properties are called multilevel secure database management systems (MLS/DBMSs).

Many of the MLS/DBMSs have been designed based on the Bell and LaPadula (BLP) model.

Page 20: Iss lecture 6


Role-based AC (RBAC): Motivation

One challenging problem in managing large systems is the complexity of security administration.

Whenever the number of subjects and objects is high, the number of authorizations can become extremely large.

Moreover, if the user population is highly dynamic, the number of grant and revoke operations to be performed can become very difficult to manage.

End users often do not own the information for which they are allowed access. The corporation or agency is the actual owner of data objects.

Control is often based on employee functions rather than data ownership.

RBAC has been proposed as an alternative approach to DAC and MAC, both to simplify the task of access control management and to directly support function-based access control.

Page 21: Iss lecture 6


RBAC: Basic Concepts

Roles represent functions within a given organization, and authorizations are granted to roles instead of to single users.

Users are thus simply authorized to "play" the appropriate roles, thereby acquiring the roles' authorizations.

RBAC: Benefits
– Because roles represent organizational functions, an RBAC model can directly support security policies of the organization
– Granting and revoking of user authorizations is greatly simplified

Most commercial DBMSs support RBAC features to some extent.

Page 22: Iss lecture 6


RBAC: NIST Model

User: is defined as a human being, a machine, a process, etc.

Role: is a function within the context of an organization with an associated semantic regarding its authority and responsibility.

Permission: is an access mode that can be exercised on objects in the system. Both objects and access modes are domain dependent.
– For example, in the case of databases, the object set includes tables, columns, and rows, and the access mode set includes insert, delete, and update operations.

Session: it is a particular instance of a connection of a user to the system and defines the subset of activated roles.
– At each moment, different sessions for the same user can be active.
– When a user logs in to the system, he/she establishes a session and, during this session, can request to activate a subset of the roles he/she is authorized to play.
– The user obtains all permissions associated with the roles he/she has activated in the session.

Page 23: Iss lecture 6


RBAC

[Figure: RBAC. Individuals are assigned to Roles (Role 1, Role 2, Role 3), and roles are given access to Resources (Server 1, Server 2, Server 3). Users change frequently, roles don't.]

Page 24: Iss lecture 6


RBAC: SQL Commands

CREATE ROLE role-name IDENTIFIED BY passwd | NOT IDENTIFIED;
example:
– CREATE ROLE teller IDENTIFIED BY cashflow;

DROP ROLE role-name;

GRANT role TO user | role | PUBLIC [WITH ADMIN OPTION];

To perform the grant of a role, a user must have the privilege for the role with the ADMIN option, or the system privilege GRANT ANY ROLE.

The ADMIN option allows the receiver to modify or drop the role.

Example:
– GRANT teller TO Bob;

Page 25: Iss lecture 6


RBAC: SQL Commands

The grant command for authorization granting can have roles as subjects.

example:
– GRANT select ON Employee TO teller;
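The NIST model of the 'RBAC: NIST Model' slide (users, roles, permissions, sessions that activate a subset of roles) together with the role-granting rule of the two 'RBAC: SQL Commands' slides (ADMIN option or GRANT ANY ROLE), as an added Python example that is not part of the lecture. The teller role and its grant on Employee come from the slides; the dba user, the auditor role and the AuditLog object are constructed for the example.

```python
class RBAC:
    """Core of the NIST RBAC model on the slides, plus the ADMIN-option rule for
    granting roles; an added model, not a real DBMS's implementation."""
    def __init__(self):
        self.role_perms = {}    # role -> set of (access mode, object) permissions
        self.user_roles = {}    # user -> {role: True if held WITH ADMIN OPTION}
        self.system_privs = {}  # user -> set of system privileges, e.g. GRANT ANY ROLE
        self.sessions = {}      # session id -> (user, set of activated roles)

    def create_role(self, role):  # CREATE ROLE role-name
        self.role_perms.setdefault(role, set())

    def grant_permission(self, mode, obj, role):  # GRANT <mode> ON <obj> TO <role>
        self.role_perms[role].add((mode, obj))

    def can_grant_role(self, grantor, role):
        # Needs the role WITH ADMIN OPTION, or the GRANT ANY ROLE system privilege.
        return ("GRANT ANY ROLE" in self.system_privs.get(grantor, set())
                or self.user_roles.get(grantor, {}).get(role, False))

    def grant_role(self, grantor, role, user, admin_option=False):
        """GRANT role TO user [WITH ADMIN OPTION]; returns False if not executed."""
        if role not in self.role_perms or not self.can_grant_role(grantor, role):
            return False
        held = self.user_roles.setdefault(user, {})
        held[role] = held.get(role, False) or admin_option
        return True

    def open_session(self, user, roles):
        """A session activates a subset of the roles the user is authorized to play."""
        if not set(roles) <= set(self.user_roles.get(user, {})):
            raise PermissionError(f"{user} is not authorized to play all of {roles}")
        sid = len(self.sessions) + 1
        self.sessions[sid] = (user, set(roles))
        return sid

    def check(self, sid, mode, obj):
        """Permissions come only from the roles activated in this session."""
        _, active = self.sessions[sid]
        return any((mode, obj) in self.role_perms[r] for r in active)


def bank_example():
    """The slides' teller role and grant, with constructed extra roles and objects."""
    rbac = RBAC()
    rbac.system_privs["dba"] = {"GRANT ANY ROLE"}  # constructed administrator user
    for role in ("teller", "auditor"):
        rbac.create_role(role)
    rbac.grant_permission("select", "Employee", "teller")  # GRANT select ON Employee TO teller
    rbac.grant_permission("select", "AuditLog", "auditor")  # constructed
    rbac.grant_role("dba", "teller", "Bob", admin_option=True)  # GRANT teller TO Bob
    rbac.grant_role("dba", "auditor", "Bob")
    teller_session = rbac.open_session("Bob", {"teller"})
    auditor_session = rbac.open_session("Bob", {"auditor"})  # second concurrent session
    return {
        "bob_grants_teller": rbac.grant_role("Bob", "teller", "Ann"),    # True: ADMIN option
        "bob_grants_auditor": rbac.grant_role("Bob", "auditor", "Ann"),  # False: no ADMIN option
        "teller_reads_employee": rbac.check(teller_session, "select", "Employee"),  # True
        "teller_reads_auditlog": rbac.check(teller_session, "select", "AuditLog"),  # False
        "auditor_reads_auditlog": rbac.check(auditor_session, "select", "AuditLog"),  # True
    }
```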

