Database Security, Floris Geerts

Upload: christiana-holmes

Post on 27-Dec-2015


Database Security

Floris Geerts

Course organization

• One introductory lecture (this one)

• Then, a range of db security topics presented by you

• You will be graded on the quality of presentation, technical depth, critical assessment of the topic and ability to answer questions raised in class

• No exam.

Course organization

• Today, after this lecture:

– Send me an email ([email protected]) with your name and at most two partners (in case we need to assign multiple persons to the same topic)

– A ranked list of the top 10 topics (11 topics)

• Then I will assign the topics.

• You'll get time to study and prepare presentations

• You send the slides to me, and incorporate comments

Topics

1. Access control

• Getting access

• Access control mechanisms

2. Safety & integrity

• Redundancy

• Data integrity

3. Intrusion

• DB specific

• Software specific

Topics

4. Cryptography

• Symmetric

• Asymmetric

• Quantum (optional)

5. Privacy & Security

• Statistical DB

• Privacy preservation

Data Security

Dorothy Denning, 1982:

• Data Security is the science and study of methods of protecting data (...) from unauthorized disclosure and modification

• Data Security = Confidentiality + Integrity


Data Security

• Distinct from systems and network security

– Assumes these are already secure

• Tools:

– Cryptography, information theory, statistics, …

• Applications:

– Everywhere

Topic 1: Access methods: "Getting in"

• It is all about passwords and authentication

- How are passwords used for authentication in DBMS?

- What kind of password control mechanisms do DBMS have? (e.g., Oracle, …)

- What makes a password good or bad?

- Techniques to check this

- Techniques to generate one

- Alternatives to passwords (e.g., captcha)

Captcha

• CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart

• A.K.A. Reverse Turing Test, Human Interaction Proof

• The challenge: develop a software program that can create and grade challenges most humans can pass but computers cannot

Topic 2: Access methods: control mechanisms

• How do DBMS control access to different users?

• How do DBMS assure that users can only change/query data to which they have access?

• As an example:

Discretionary Access Control (DAC) in SQL

GRANT privileges ON object TO users [WITH GRANT OPTION]

privileges = SELECT | INSERT(column-name) | UPDATE(column-name) | DELETE | REFERENCES(column-name)

object = table | attribute

Examples

GRANT INSERT, DELETE ON Customers TO Yuppy WITH GRANT OPTION

Queries allowed to Yuppy:

INSERT INTO Customers(cid, name, address) VALUES(32940, 'Joe Blow', 'Seattle')

DELETE FROM Customers WHERE LastPurchaseDate < 1995

Queries denied to Yuppy:

SELECT Customers.address FROM Customers WHERE name = 'Joe Blow'

Examples

GRANT SELECT ON Customers TO Michael

Now Michael can SELECT, but not INSERT or DELETE

Examples

GRANT SELECT ON Customers TO Michael WITH GRANT OPTION

Michael can say this: GRANT SELECT ON Customers TO Yuppi

Now Yuppi can SELECT on Customers

Examples

GRANT UPDATE (price) ON Product TO Leah

Leah can update Product.price, but not Product.name

Examples

Customer(cid, name, address, balance)
Orders(oid, cid, amount)    cid = foreign key

Bill has INSERT/UPDATE rights to Orders. BUT HE CAN'T INSERT! (why?)

GRANT REFERENCES (cid) ON Customer TO Bill

Now Bill can INSERT tuples into Orders

Views and Security

David owns Customers:

Name   Address   Balance
Mary   Huston    450.99
Sue    Seattle   -240
Joan   Seattle   333.25
Ann    Portland  -520

David says:

CREATE VIEW PublicCustomers AS SELECT Name, Address FROM Customers

GRANT SELECT ON PublicCustomers TO Fred

Fred is not allowed to see this (the Balance column).

Views and Security

David owns Customers:

Name   Address   Balance
Mary   Huston    450.99
Sue    Seattle   -240
Joan   Seattle   333.25
Ann    Portland  -520

David says:

CREATE VIEW BadCreditCustomers AS SELECT * FROM Customers WHERE Balance > 0

GRANT SELECT ON BadCreditCustomers TO John

John is allowed to see only the rows with balance > 0.

Revocation

REVOKE [GRANT OPTION FOR] privileges ON object FROM users { RESTRICT | CASCADE }

Administrator says:

REVOKE SELECT ON Customers FROM David CASCADE

John loses SELECT privileges on BadCreditCustomers

Revocation

Joe: GRANT [….] TO Art …
Art: GRANT [….] TO Bob …
Bob: GRANT [….] TO Art …
Joe: GRANT [….] TO Cal …
Cal: GRANT [….] TO Bob …
Joe: REVOKE [….] FROM Art CASCADE

(Same privilege, same object, all with GRANT OPTION)

What happens??

Revocation

[Figure: grant graph with nodes Admin, Joe, Art, Cal, Bob. Edges numbered in the order of the grants on the previous slide: 0 Admin → Joe, 1 Joe → Art, 2 Art → Bob, 3 Bob → Art, 4 Joe → Cal, 5 Cal → Bob; the edge Joe → Art is marked "Revoke".]

According to SQL everyone keeps the privilege
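As an added example (not from the slides), the SQL cascade rule applied to the grant chain above: after a REVOKE ... CASCADE, a user keeps the privilege only while some chain of grants still connects them to the administrator, and grants cut off from that root (including a cycle such as Art ↔ Bob) are abandoned. The user names are the slide's; the "Admin" root and the grant list are assumptions of this example.

```python
from collections import deque

# Root grantor whose privilege cannot be abandoned (assumed name, stands for the
# owner/administrator in the slide's graph).
ROOT = "Admin"

def holders_after_revoke(grants, revoked):
    """Users who still hold the privilege after one grant edge is revoked.

    grants: list of (grantor, grantee) edges, each a GRANT ... WITH GRANT OPTION
    for the same privilege on the same object.  A grant survives the cascade only
    if its grantor is still reachable from ROOT through surviving grants, so we
    compute reachability over the remaining edges and drop everything else.
    """
    remaining = [g for g in grants if g != revoked]
    reachable = {ROOT}
    queue = deque([ROOT])
    while queue:
        grantor = queue.popleft()
        for src, dst in remaining:
            if src == grantor and dst not in reachable:
                reachable.add(dst)
                queue.append(dst)
    return reachable - {ROOT}

# The chain from the slide, plus the administrator's initial grant to Joe.
SLIDE_GRANTS = [
    (ROOT, "Joe"), ("Joe", "Art"), ("Art", "Bob"),
    ("Bob", "Art"), ("Joe", "Cal"), ("Cal", "Bob"),
]

def slide_scenario():
    """Joe: REVOKE ... FROM Art CASCADE. Art is still reachable via Cal -> Bob -> Art."""
    return holders_after_revoke(SLIDE_GRANTS, ("Joe", "Art"))

def cut_off_cycle():
    """Contrast: if Joe had never granted to Cal, the Art <-> Bob cycle is abandoned
    and the cascade removes the privilege from Art, Bob and (unreachable) Cal."""
    grants = [g for g in SLIDE_GRANTS if g != ("Joe", "Cal")]
    return holders_after_revoke(grants, ("Joe", "Art"))

if __name__ == "__main__":
    print(sorted(slide_scenario()))  # ['Art', 'Bob', 'Cal', 'Joe']
    print(sorted(cut_off_cycle()))   # ['Joe']
```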

Other approaches

• Discretionary Access Control (DAC)

• Label-based Access Control (LBAC)

• Role-based Access Control (RBAC)

• Mandatory Access Control (MAC)

Pros and cons of these control mechanisms?

Topic: Safety & Integrity

It is about keeping our precious bits safe from harm.

• Disk failure, which mostly goes together with data loss

• System failure, which can cause data inconsistency. (For example, a Denial-of-Service attack can result in system failures because of the exhaustion of system resources.)

Topic 3: Recovery

• Mostly solved by redundancy:

– Having and organizing redundant information so that the data stored can be recovered in case there is a disk failure.

– Where and how to store? Secondary storage, RAIDs

– How to assure that all the data has a copy somewhere

Topic 4: Integrity

• How to assure that all data is consistent

– The same data in all copies

• How to assure that nothing gets corrupted during transmission

– Error correcting codes

• How to keep track of changes and possible unauthorized access

– Transaction log/data auditing

Topic 5: DB intrusion

• Intrusion prevention

– Detecting ongoing attacks in real time in order to prevent damage to the database.

• Intrusion detection

– Use of database auditing

• Example: SQL injection

SQL Injection

Your health insurance company lets you see the claims online:

First login: User: fred   Password: ********

Now search through the claims:

Search claims by: Dr. Lee

SELECT … FROM … WHERE doctor='Dr. Lee' and patientID='fred'

SQL Injection

Now try this:

Search claims by: Dr. Lee' OR patientID = 'suciu'; --

….. WHERE doctor='Dr. Lee' OR patientID='suciu'; --' and patientID='fred'

Better:

Search claims by: Dr. Lee' OR 1 = 1; --

SQL Injection

When you're done, do this:

Search claims by: Dr. Lee'; DROP TABLE Patients; --

SQL Injection

• The DBMS works perfectly. So why is SQL injection possible so often? The DBMS executes exactly the statement it is given; the flaw is in the application that builds that statement by pasting user input into the SQL text.
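To make the point concrete, here is an added example (not from the slides) of the claims search written the vulnerable way and the parameterised way, run against a constructed in-memory SQLite table; the table name Claims, its columns and the sample rows are assumptions of this example.

```python
import sqlite3

def make_db():
    """Constructed sample data: three claims, two of them for patient 'fred'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Claims(patientID TEXT, doctor TEXT, amount REAL)")
    db.executemany("INSERT INTO Claims VALUES(?, ?, ?)", [
        ("fred",  "Dr. Lee",   120.0),
        ("fred",  "Dr. Smith",  80.0),
        ("suciu", "Dr. Lee",   300.0),
    ])
    return db

def search_vulnerable(db, patient, doctor):
    """The search field is pasted into the SQL text, so a quote in the input ends
    the literal and the rest of the input is parsed as SQL (the slide's case)."""
    sql = ("SELECT patientID, doctor, amount FROM Claims "
           "WHERE doctor='" + doctor + "' AND patientID='" + patient + "'")
    return db.execute(sql).fetchall()

def search_safe(db, patient, doctor):
    """Bound parameters: the DBMS receives the query text and the values
    separately, so quotes and '--' in the input are only characters to match."""
    sql = ("SELECT patientID, doctor, amount FROM Claims "
           "WHERE doctor=? AND patientID=?")
    return db.execute(sql, (doctor, patient)).fetchall()

def compare(doctor, patient="fred"):
    """Run both versions on a fresh table; returns (vulnerable rows, safe rows)."""
    db = make_db()
    return search_vulnerable(db, patient, doctor), search_safe(db, patient, doctor)

if __name__ == "__main__":
    print(compare("Dr. Lee"))                # both: only fred's Dr. Lee claim
    print(compare("Dr. Lee' OR 1 = 1; --"))  # vulnerable: all 3 rows; safe: []
```

The slide's `DROP TABLE` input additionally needs a driver that accepts stacked statements, which this one refuses; `search_safe` treats it as an (unmatched) doctor name either way.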

Topic 6: Software intrusion

• Leveraging stack and buffer overflows in programs

• How to prevent/detect such intrusions?

Topic 7: Cryptography - symmetric

• Commonly used techniques

• Same encryption and decryption key

• DES, AES

Topic 8: Cryptography - asymmetric

• Different encoding and decoding keys

• Public key

• RSA

Topic 9: Cryptography - Quantum

• Newest methods based on quantum computing

• You need to ask if you want this; it is a bit math heavy.

Topic 10: Security in Statistical DBs

Goal:

• Allow arbitrary aggregate SQL queries

• Hide confidential data

• Inference

SELECT count(*) FROM Patients WHERE age=42 and sex='M' and diagnostic='schizophrenia'

OK

SELECT name FROM Patient WHERE age=42 and sex='M' and diagnostic='schizophrenia'

Not OK

Topic 11: Privacy preservation k-Anonymity/Randomization

Definition: each tuple is equal to at least k-1 others

Anonymizing:

First     Last    Age    Race
Harry     Stone   34     Afr-Am
John      Reyser  36     Cauc
Beatrice  Stone   47     Afr-Am
John      Ramos   22     Hisp

First     Last    Age    Race
*         Stone   30-50  Afr-Am
John      R*      20-40  *
*         Stone   30-50  Afr-Am
John      R*      20-40  *
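As an added example (not from the slides), the k-anonymity check from the definition above and the generalisation that turns the first table into the second: the slide's rows are re-typed as constructed input (race spelling normalised), all four columns are treated as quasi-identifiers, and the grouping of rows is assumed to be given rather than computed.

```python
import os
from collections import Counter

# Quasi-identifier columns (assumption: all four columns of the slide's table).
QI = ("First", "Last", "Age", "Race")

# The slide's table, re-typed here as constructed input.
PATIENTS = [
    {"First": "Harry",    "Last": "Stone",  "Age": 34, "Race": "Afr-Am"},
    {"First": "John",     "Last": "Reyser", "Age": 36, "Race": "Cauc"},
    {"First": "Beatrice", "Last": "Stone",  "Age": 47, "Race": "Afr-Am"},
    {"First": "John",     "Last": "Ramos",  "Age": 22, "Race": "Hisp"},
]

def anonymity_level(rows, qi=QI):
    """Largest k for which every tuple equals at least k-1 others on the QI columns."""
    counts = Counter(tuple(r[c] for c in qi) for r in rows)
    return min(counts.values())

def generalize_group(rows):
    """One generalised tuple for a group: keep a value all rows share, otherwise
    coarsen it the way the slide does (age range, surname prefix, or '*')."""
    out = {}
    for col in QI:
        values = {r[col] for r in rows}
        if len(values) == 1:
            out[col] = values.pop()
        elif col == "Age":
            lo, hi = min(values), max(values)
            out[col] = f"{lo // 10 * 10}-{(hi // 10 + 1) * 10}"      # 34, 47 -> "30-50"
        elif col == "Last":
            out[col] = os.path.commonprefix(sorted(values)) + "*"  # Reyser, Ramos -> "R*"
        else:
            out[col] = "*"
    return out

def anonymize(rows, groups):
    """Replace every row by its group's generalised tuple. groups partitions the
    row indices into blocks of size >= k; choosing them is left to the analyst."""
    result = [None] * len(rows)
    for idx in groups:
        generalised = generalize_group([rows[i] for i in idx])
        for i in idx:
            result[i] = dict(generalised)
    return result

if __name__ == "__main__":
    print(anonymity_level(PATIENTS))                  # 1: every raw tuple is unique
    released = anonymize(PATIENTS, [[0, 2], [1, 3]])  # the slide's two groups
    print(anonymity_level(released))                  # 2
```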