chapter 6 – database security integrity for databases: record integrity, data correctness, update...

Post on 27-Dec-2015


TRANSCRIPT

Chapter 6 – Database Security

Integrity for databases: record integrity, data correctness, update integrity

Security for databases: access control, inference, and aggregation

Multilevel secure databases: partitioned, cryptographically sealed, filtered

Introduction to Databases

Database – collection of data and set of rules that organize the data by specifying certain relationships among the data

Database administrator (DBA)

Database management system (DBMS) – database manager, front-end

Introduction to Databases

Records – contain related group of data

Fields (elements) – elementary data items

Schema – logical structure of database

Subschema – view into database

Introduction to Databases

Relational
• Tables (relations) made of rows (tuples/records) and columns (attributes)
• DB2, Oracle, Access

Hierarchical
• IMS

Object-oriented

Introduction to Databases

Queries (select – the records satisfying a condition; ^ is logical AND)
• SELECT NAME = 'ADAMS'
• SELECT (ZIP = '43210') ^ (NAME = 'ADAMS')

Project (only the named fields of the selected records)
• SHOW FIRST WHERE (ZIP = '43210') ^ (NAME = 'ADAMS')

Join (combine two tables on a common field)
• SHOW NAME, AIRPORT WHERE NAME.ZIP = AIRPORT.ZIP

Advantages of Using Databases

Shared access
Minimal redundancy
Data consistency
Data integrity
Controlled access

Security Requirements

Physical database integrity
Logical database integrity
Element integrity
Auditability
Access control
User authentication
Availability

Integrity of the Database

Users must be able to trust the accuracy of the data values

Updates are performed by authorized individuals

Integrity is the responsibility of the DBMS, the OS, and the computing system manager

Must be able to reconstruct the database at the point of a failure

Element Integrity

Correctness or accuracy of elements
Field checks
Access control
Maintain a change log – list every change made to the database

Auditability & Access Control

Desirable to generate an audit record of all access to the database (reads/writes)

Pass-through problem – while evaluating a query the DBMS can access a record or element whose value is never transferred to the user; an audit log that records only the data delivered shows no read or write for that access, so it understates what was actually touched

Databases separated logically by user access privileges

Other Security Requirements

User authentication
Confidentiality
Availability

Reliability and Integrity

Database integrity
Element integrity
Element accuracy

Some protection from OS
• File access
• Data integrity checks

Two-Phase Update

Failure of computing system in middle of modifying data

Intent Phase – gather and check the resources needed for the update without changing the database; the phase ends by writing a commit flag to the database

Update Phase – make the permanent changes; if the system fails before the commit flag is written, nothing needs to be undone, and if it fails after, the update phase is repeated on restart (so each step must be safe to repeat)
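The following is an added example, not code from the slides or the book they summarize. It models the two phases on a small JSON-file store (an assumption standing in for DBMS storage): the intent is journaled, the commit flag is one atomic write, and a simulated crash at each point shows what recovery does.

```python
"""Two-phase update with a commit flag and crash recovery (added example).
Assumptions: a JSON file stands in for the DBMS's storage, and a crash is
simulated by raising an exception at a chosen point in the update."""
import json
import os
import tempfile


class CrashSimulated(Exception):
    """Raised to simulate the computing system failing mid-update."""


class TwoPhaseStore:
    def __init__(self, path):
        self.path = path
        self.journal = path + ".intent"
        self.data = {}
        if os.path.exists(path):
            with open(path) as f:
                self.data = json.load(f)

    @staticmethod
    def _write_atomic(path, obj):
        # Write a temp file, then rename: the file is either old or new, never half-written.
        tmp = path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(obj, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)

    def _apply(self, changes):
        # Update phase: plain assignments, so repeating them after a crash is harmless.
        self.data.update(changes)
        self._write_atomic(self.path, self.data)

    def update(self, changes, crash_after=None):
        # Intent phase: record every value to be written; the database itself is untouched.
        self._write_atomic(self.journal, {"committed": False, "changes": changes})
        if crash_after == "intent":
            raise CrashSimulated("intent")
        # Commit point: a single atomic write that flips the commit flag.
        self._write_atomic(self.journal, {"committed": True, "changes": changes})
        if crash_after == "commit":
            raise CrashSimulated("commit")
        self._apply(changes)
        if crash_after == "update":
            raise CrashSimulated("update")
        os.remove(self.journal)          # update finished; nothing for recovery to do

    def recover(self):
        """Run at restart. Flag not set: forget the intent. Flag set: redo the update."""
        if not os.path.exists(self.journal):
            return "clean"
        with open(self.journal) as f:
            intent = json.load(f)
        if intent["committed"]:
            self._apply(intent["changes"])
            outcome = "redone"
        else:
            outcome = "discarded"
        os.remove(self.journal)
        return outcome


def demo():
    """Crash at each point, restart from disk, and report recovery's outcome and the data."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db.json")
        TwoPhaseStore(path).update({"adams.salary": 50000})
        for point in ("intent", "commit", "update"):
            try:
                TwoPhaseStore(path).update({"adams.salary": 60000, "adams.grade": "G7"},
                                           crash_after=point)
            except CrashSimulated:
                pass
            restarted = TwoPhaseStore(path)   # a fresh process reloading from disk
            results[point] = (restarted.recover(), dict(restarted.data))
    return results
```

A crash before the flag leaves the old values; a crash after it, whether before or part-way through the update phase, is repaired by redoing the whole update, which is why the update steps are written to be idempotent.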

Redundancy / Internal Consistency

Error detection / correction codes (parity bits, Hamming codes, CRCs)

Shadow fields

Log of user accesses and changes

Concurrency/Consistency

Access by two users sharing the same database must be constrained (lock)

Monitors – check entered values to ensure consistency with rest of DB

Range comparisons – a value must fall within an allowed range or set
State constraints – describe a condition the whole database must satisfy (e.g., unique employee #)
Transition constraints – conditions that must hold before a change is applied to the DB
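As an added example (not from the slides), the three kinds of monitor expressed as constraints a DBMS enforces itself, using Python's sqlite3 on a constructed employee table; locking is left to the database's own transactions.

```python
"""Monitors as database constraints (added example, Python + sqlite3).
The employee table and its rows are constructed for illustration."""
import sqlite3


def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employee(
            emp_no  INTEGER PRIMARY KEY,                                   -- state constraint: unique employee #
            name    TEXT    NOT NULL,
            salary  INTEGER NOT NULL CHECK (salary BETWEEN 1 AND 500000),  -- range comparison
            dept    TEXT    NOT NULL CHECK (dept IN ('ENG', 'OPS', 'HR'))  -- range over a fixed set
        );
        -- transition constraint: evaluated against the state before the change is applied;
        -- here an ordinary update may not reduce pay.
        CREATE TRIGGER no_pay_cut BEFORE UPDATE OF salary ON employee
        WHEN NEW.salary < OLD.salary
        BEGIN
            SELECT RAISE(ABORT, 'transition constraint: salary may not decrease');
        END;
        INSERT INTO employee VALUES (1001, 'Adams', 52000, 'ENG');
        INSERT INTO employee VALUES (1002, 'Bailey', 61000, 'OPS');
    """)
    return con


def attempt(con, sql, params=()):
    """Run one statement: 'ok', or 'rejected: <reason>' when a monitor refuses it.
    The transaction is rolled back on rejection, so the rest of the DB is unchanged."""
    try:
        with con:
            con.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"


def salary_of(con, emp_no):
    row = con.execute("SELECT salary FROM employee WHERE emp_no = ?", (emp_no,)).fetchone()
    return row[0] if row else None


def demo():
    con = build_db()
    return {
        "duplicate_emp_no": attempt(con, "INSERT INTO employee VALUES (1001, 'Chin', 48000, 'HR')"),
        "out_of_range":     attempt(con, "INSERT INTO employee VALUES (1003, 'Chin', 9000000, 'HR')"),
        "unknown_dept":     attempt(con, "INSERT INTO employee VALUES (1003, 'Chin', 48000, 'SALES')"),
        "legit_raise":      attempt(con, "UPDATE employee SET salary = 55000 WHERE emp_no = ?", (1001,)),
        "pay_cut":          attempt(con, "UPDATE employee SET salary = 40000 WHERE emp_no = ?", (1001,)),
        "adams_salary":     salary_of(con, 1001),
    }
```

The point of putting the checks in the DBMS rather than in application code is that every path that updates the table, including an attacker's, goes through the same monitor.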

Sensitive Data

Data that should not be made public

What if some but not all of the elements of a DB are sensitive?
• Inherently sensitive
• From a sensitive source
• Declared sensitive
• Part of a sensitive attribute or record
• Sensitive in relation to previously disclosed information

Access Decisions

Need an access policy (programmed into DBMS)

Availability – a record locked by one user's update blocks other users; permanent blocking if the lock is never released

Acceptability of access (sensitive data)

Assurance of authenticity

Types of Disclosures

Exact data
Bounds
Negative results
Existence of data
Probable values

Security vs. Precision

Aim to protect all sensitive data while revealing as much nonsensitive data as possible

Want to maintain perfect confidentiality with maximum precision

Inference

Way to infer / derive sensitive data from nonsensitive data

Direct attack – a query whose result set is so small that it identifies an individual
• List NAME where SEX=M ^ DRUGS=1
• List NAME where (SEX=M ^ DRUGS=1) v (SEX≠M ^ SEX≠F) v (DORM=AYRES)
  (the added clauses are chosen to match nothing, so the query looks broader than it is)

Indirect attack – a statistic over a group reveals an individual

Sum
• Show STUDENT-AID WHERE SEX=F ^ DORM=Grey

Count
• Show Count, STUDENT-AID WHERE SEX=M ^ DORM=Holmes
• List NAME where (SEX=M ^ DORM=Holmes)

Median

Tracker attacks – using additional queries that produce small results; the extra records retrieved by two queries cancel each other out, leaving only the statistic desired
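An added example, not from the slides: a statistical front end that refuses small (and complementary-small) query sets, and a general tracker that defeats it. The roster, the threshold K, and the tracker predicate are constructed; the formula is Denning's general tracker for additive statistics. The predicate is interpolated into SQL purely to keep the example short.

```python
"""Tracker attack against a statistical query front end (added example, Python + sqlite3).
The roster below is constructed; K and the tracker predicate are the attacker's choices."""
import sqlite3

# Constructed roster: Adams is the only male in Holmes, so any statistic over
# "SEX=M ^ DORM=Holmes" is a statistic about him alone.
STUDENTS = [  # name, sex, dorm, aid (dollars), drugs (1 = counselling record exists)
    ("Adams", "M", "Holmes", 5000, 1),
    ("Bailey", "M", "Grey", 2000, 0),
    ("Chin", "M", "Grey", 2100, 0),
    ("Dewitt", "M", "Grey", 1900, 1),
    ("Earhart", "F", "Holmes", 1100, 0),
    ("Fein", "F", "Holmes", 1400, 0),
    ("Groff", "F", "Holmes", 1000, 1),
    ("Hill", "F", "Grey", 1200, 0),
    ("Koch", "F", "Grey", 1500, 0),
    ("Liu", "F", "Grey", 1300, 0),
    ("Majors", "M", "West", 1500, 0),
    ("Nguyen", "M", "West", 1600, 0),
]
N = len(STUDENTS)
K = 3   # limited-response rule: refuse statistics over fewer than K or more than N-K records


def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE student(name TEXT, sex TEXT, dorm TEXT, aid INTEGER, drugs INTEGER)")
    con.executemany("INSERT INTO student VALUES (?, ?, ?, ?, ?)", STUDENTS)
    return con


def stat(con, agg, predicate):
    """The front end: answer an aggregate (COUNT(*) or SUM(col)) over the records matching
    `predicate`, or None when the query set is too small, or so large that its complement
    is too small. `predicate` is querier-supplied SQL only to keep this short; a real
    front end would parse it rather than interpolate it."""
    (count,) = con.execute(f"SELECT COUNT(*) FROM student WHERE {predicate}").fetchone()
    if count < K or count > N - K:
        return None
    (value,) = con.execute(f"SELECT {agg} FROM student WHERE {predicate}").fetchone()
    return value


def tracker(con, agg, target, t):
    """General tracker: for an additive statistic q and any predicate T whose query set
    and complement are both answerable,
        q(c) = q(c OR T) + q(c OR NOT T) - q(T) - q(NOT T)
    Every query on the right passes the size check, yet the result is q(c) for a single
    individual. Returns None if the chosen T does not qualify."""
    parts = [
        stat(con, agg, f"({target}) OR ({t})"),
        stat(con, agg, f"({target}) OR NOT ({t})"),
        stat(con, agg, t),
        stat(con, agg, f"NOT ({t})"),
    ]
    if any(p is None for p in parts):
        return None
    return parts[0] + parts[1] - parts[2] - parts[3]


def demo():
    con = build_db()
    adams = "sex = 'M' AND dorm = 'Holmes'"
    t = "sex = 'F'"                       # 6 of 12 records: both T and NOT T are answerable
    return {
        "direct_sum": stat(con, "SUM(aid)", adams),                        # refused: 1 record
        "tracker_sum": tracker(con, "SUM(aid)", adams, t),                 # Adams' exact aid
        "tracker_drugs": tracker(con, "COUNT(*)", adams + " AND drugs = 1", t),
        "bad_tracker": tracker(con, "SUM(aid)", adams, "dorm = 'West'"),   # T has 2 < K records
    }
```

Size limits on individual queries do not stop this; the defence has to consider the sequence of queries (query analysis) or perturb the answers.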

Controls

Suppression – don't provide sensitive data

Concealing – don't provide actual values ("close to")

Limited response suppression
• n-item k-percent rule eliminates low-frequency elements from being displayed (may need to suppress additional rows/columns, since a published total minus the other cells would otherwise reveal the suppressed one)

Controls

Combined results
• Sums
• Ranges
• Rounding

Random sample

Random data perturbation

Query analysis – "should the result be provided?"
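An added example (not the slides' own material) of two of these controls applied to a table of student-aid sums by dorm and sex: the n-item k-percent rule as primary suppression, complementary suppression of further cells so the published row and column totals cannot undo it, and rounding of what is published. The contributions are constructed, and the reading of the rule as "the top n contributors to a cell account for more than k% of it" is the author's.

```python
"""Limited-response suppression and rounding on a two-way table (added example).
Per-cell lists are the individual (constructed) student-aid amounts."""
from collections import defaultdict

AID = {
    ("Grey", "F"):   [1200, 1500, 1300, 1000],
    ("Grey", "M"):   [2000, 2100, 1900],
    ("Holmes", "F"): [1100, 1400, 1000, 1300],
    ("Holmes", "M"): [5000],                  # one student: the cell is an exact value
    ("Ayres", "F"):  [900, 1000, 1100],
    ("Ayres", "M"):  [1500, 1600, 1700, 1100],
}


def dominated(contribs, n, k):
    """n-item k-percent rule: a cell is unsafe when its top n contributors account for
    more than k percent of its total (fewer than n contributors always trips it)."""
    total = sum(contribs)
    if total == 0:
        return len(contribs) < n
    top = sum(sorted(contribs, reverse=True)[:n])
    return top * 100 > k * total


def suppress_table(cells, n, k):
    """Primary suppression by the rule, then complementary suppression: any row or
    column with exactly one hidden cell gets its smallest remaining cell hidden too,
    repeated until stable. Returns the set of suppressed (row, col) keys."""
    suppressed = {key for key, c in cells.items() if dominated(c, n, k)}
    totals = {key: sum(c) for key, c in cells.items()}
    lines = defaultdict(list)                      # each row and each column is a "line"
    for row, col in cells:
        lines[("row", row)].append((row, col))
        lines[("col", col)].append((row, col))
    changed = True
    while changed:
        changed = False
        for members in lines.values():
            hidden = [key for key in members if key in suppressed]
            if len(hidden) == 1 and len(members) > 1:
                candidates = [key for key in members if key not in suppressed]
                victim = min(candidates, key=lambda key: (totals[key], key))
                suppressed.add(victim)
                changed = True
    return suppressed


def publish(cells, n=2, k=75, base=500):
    """Published table: suppressed cells become None; the rest are rounded to `base`."""
    hidden = suppress_table(cells, n, k)
    return {key: (None if key in hidden else base * round(sum(c) / base))
            for key, c in cells.items()}
```

With these numbers one dominated cell forces three more suppressions, which is the precision cost the slides mean by "may need to suppress additional rows/columns".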

Conclusion on the Inference Problem

Suppress obviously sensitive information

Track what the user knows

Disguise the data

Aggregation

Building sensitive results from less sensitive inputs

Data mining – process of sifting through multiple databases and correlating multiple data elements to find useful information

Multilevel Databases

Differentiated security
• Security of single element may be different from security of other elements
• Two levels – sensitive and nonsensitive – are inadequate to represent some security situations
• Security of an aggregate (sum, count, …) may be different from security of the individual elements

Granularity

Security Issues

Integrity
• *-property for access control
• Either a process cleared at a high level cannot write to a lower level, or the process must be a "trusted process"

Confidentiality
• Different users at different levels may get different query results
• Polyinstantiation – a record can appear more than once with different levels of confidentiality

Proposals for Multilevel Security

Separation
• Partitioning – divide DB into separate DBs, each with its own level of sensitivity
• Encryption (time consuming)
• Integrity lock – each data item contains a sensitivity label and a checksum
  Sensitivity label must be unforgeable, unique, concealed
  Checksum must be unique (bound to this item's data and label, so one item's checksum cannot be reused on another)
  Sensitivity lock
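An added example, not from the slides, of an integrity lock built with an HMAC held by the trusted front end: the checksum binds element identity, value and label, so a relabelled or altered element, or a lock copied from another element, fails verification. The key, element ids and values are constructed; the label is stored in the clear here, so the "concealed" requirement is not modelled.

```python
"""Integrity lock: sensitivity label + keyed checksum per data element (added example).
The front-end key, element ids and values are constructed."""
import hashlib
import hmac
import json

FRONTEND_KEY = b"constructed front-end secret; held only by the trusted front end"
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


def _message(item_id, value, label):
    # Canonical encoding of (identity, value, label): the checksum binds all three.
    return json.dumps([item_id, value, label], separators=(",", ":")).encode()


def seal(item_id, value, label, key=FRONTEND_KEY):
    """Produce the stored element. The HMAC makes the label unforgeable without the key,
    and including item_id makes each checksum unique to its element, so a lock cannot be
    copied from a low-labelled element onto a high-labelled one."""
    mac = hmac.new(key, _message(item_id, value, label), hashlib.sha256).hexdigest()
    return {"value": value, "label": label, "mac": mac}


def verify(item_id, element, key=FRONTEND_KEY):
    expected = hmac.new(key, _message(item_id, element["value"], element["label"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, element["mac"])


def release(item_id, element, user_level, key=FRONTEND_KEY):
    """Trusted front end on a read: refuse an element whose lock fails (value or label
    altered in the untrusted DBMS or storage), then release it only if the user is
    cleared for its label. Returns the value, None if not cleared, raises if tampered."""
    if not verify(item_id, element, key):
        raise ValueError(f"integrity lock check failed for {item_id}")
    if LEVELS[element["label"]] > LEVELS[user_level]:
        return None
    return element["value"]


def demo():
    item = "employee:1001:salary"
    stored = seal(item, 95000, "secret")
    relabelled = dict(stored, label="unclassified")   # downgrade attempt in the untrusted DBMS
    altered = dict(stored, value=15000)                # value changed, label and mac kept
    return {
        "cleared": release(item, stored, "secret"),
        "not_cleared": release(item, stored, "confidential"),
        "relabelled_ok": verify(item, relabelled),
        "altered_ok": verify(item, altered),
        "copied_to_other_item": verify("employee:1002:salary", stored),
    }
```

The untrusted DBMS can still drop or replay elements; the lock detects modification of what it returns, not omission, which is one reason the next slide calls the approach inefficient rather than complete.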

Design of Multilevel Secure Databases

Integrity lock – not efficient (space/time)

Trusted front-end (guard) – does authentication and filtering

Commutative filters
• screen the user's requests and reformat them so that only appropriate data is returned

Design of Multilevel Secure Databases

Distributed (federated) database
• Trusted front-end controls access to two DBMSs – one for high-sensitivity data and one for low-sensitivity data
• Very complex

Window/View
• Subset of a database containing exactly the information that the user is entitled to access
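An added example (not from the slides) of a window over a multilevel relation, using Python's sqlite3 on a constructed employee table. The key is (emp_no, level), so the same employee may have one instance per level (polyinstantiation); the window returns, for each employee, the highest instance at or below the user's level, and a low user inserting a key that exists only at high gets a second instance rather than an error that would reveal the high row.

```python
"""Window/view over a multilevel relation with polyinstantiation (added example,
Python + sqlite3). Levels, employees and assignments are constructed."""
import sqlite3

LOW, HIGH = 0, 1


def build_mls_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employee(
            emp_no     INTEGER NOT NULL,
            level      INTEGER NOT NULL CHECK (level IN (0, 1)),   -- sensitivity label of the row
            name       TEXT    NOT NULL,
            assignment TEXT    NOT NULL,
            PRIMARY KEY (emp_no, level)   -- polyinstantiation: one instance per level allowed
        );
    """)
    con.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", [
        (1, LOW,  "Adams",  "Payroll"),
        (2, LOW,  "Bailey", "Helpdesk"),            # cover story visible to everyone
        (2, HIGH, "Bailey", "Audit of payroll"),    # the real assignment, high only
        (3, HIGH, "Chin",   "Liaison"),             # exists at HIGH only
    ])
    con.commit()
    return con


def view_for(con, user_level):
    """The window: exactly the rows the user is entitled to see. For each emp_no the user
    gets the highest-labelled instance at or below their level; rows above it are simply
    absent, which is what keeps their existence from leaking."""
    rows = con.execute("""
        SELECT emp_no, level, name, assignment
        FROM employee AS e
        WHERE level <= :u
          AND level = (SELECT MAX(level) FROM employee
                       WHERE emp_no = e.emp_no AND level <= :u)
        ORDER BY emp_no
    """, {"u": user_level}).fetchall()
    return {emp_no: (level, name, assignment) for emp_no, level, name, assignment in rows}


def insert_as(con, user_level, emp_no, name, assignment):
    """A LOW user inserting emp_no 3, which exists only at HIGH, must not be told
    'duplicate key' (that would reveal the HIGH row). The composite key lets a second,
    LOW-labelled instance be created instead: the relation is now polyinstantiated."""
    with con:
        con.execute("INSERT INTO employee VALUES (?, ?, ?, ?)",
                    (emp_no, user_level, name, assignment))


def demo():
    con = build_mls_db()
    before_low = view_for(con, LOW)
    insert_as(con, LOW, 3, "Chin", "Mailroom")
    return {
        "low_before": before_low,
        "low_after": view_for(con, LOW),
        "high_after": view_for(con, HIGH),
    }
```

The filtering query is the trusted part: in a real design it sits in the front end or in a DBMS-enforced view, never in application code that the user controls.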
