chapter 5: database security - missouri s&t - missouri …taylorpat/courses_files/intro... ·...
Chapter 5: Database Security
Comp Sci 3600 Security

Outline
1 Database Security: DBMS, Relational Model, SQL
2 SQLi: Injection Technique, Attack Types, Countermeasures
3 Access Controls: SQL Access Controls, Role-based Access Control
4 Inference Attacks: Attack Method, Inference Detection
5 Database Encryption: Remote Encryption, Indexing

What is a Database
• Structured collection of data stored for use by one or more applications
• Contains the relationships between data items and groups of data items
• Can sometimes contain sensitive data that needs to be secured
• Query language provides a uniform interface to the database
• Database management system (DBMS)
  • Suite of programs for constructing and maintaining the database
  • Offers ad hoc query facilities to multiple users and applications

Database Management System
[Figure 5.1 DBMS Architecture. Components shown: user queries, user applications, database utilities, DDL processor, DML and query language processor, transaction manager, file manager, database description tables, authorization tables, concurrent access tables, physical database.]
DDL = data definition language; DML = data manipulation language

Relational Databases
• Table of data consisting of rows and columns
  • Each column holds a particular type of data
  • Each row contains a specific value for each column
  • Ideally has one column where all values are unique, forming an identifier/key for that row
• Enables the creation of multiple tables linked together by a unique identifier that is present in all tables
• Use a relational query language to access the database
  • Allows the user to request data that fit a given set of criteria

Multi-table Database with Unifying Primary Key
• PRIMARY TABLE: PhoneNumber, Last name, First name, address
• CALLER ID TABLE: PhoneNumber, Has service? (Y/N)
• ADDITIONAL SUBSCRIBER TABLE: PhoneNumber, List of subscribers
• BILLING HISTORY TABLE: PhoneNumber, Date, Transaction type, Transaction amount
• CURRENT BILL TABLE: PhoneNumber, Current date, Previous balance, Current charges, Date of last payment, Amount of last payment
Figure 5.2 Example Relational Database Model. A relational database uses multiple tables related to one another by a designated key; in this case the key is the PhoneNumber field.
Relational Database Elements
Primary key
• Uniquely identifies a row
• Consists of one or more column names
Foreign key
• Links one table to attributes in another
View/virtual table
• Result of a query that returns selected rows and columns from one or more tables
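
Relational Database
$$
\begin{array}{c|ccccc}
\text{Records} \backslash \text{Attributes} & A_1 & \cdots & A_j & \cdots & A_M \\ \hline
1 & x_{11} & \cdots & x_{1j} & \cdots & x_{1M} \\
\vdots & \vdots & & \vdots & & \vdots \\
i & x_{i1} & \cdots & x_{ij} & \cdots & x_{iM} \\
\vdots & \vdots & & \vdots & & \vdots \\
N & x_{N1} & \cdots & x_{Nj} & \cdots & x_{NM}
\end{array}
$$
Figure 5.3 Abstract Model of a Relational Database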

View on a Database
(a) Two tables in a relational database

Department Table (primary key: Did)
Did  Dname             Dacctno
4    human resources   528221
8    education         202035
9    accounts          709257
13   public relations  755827
15   services          223945

Employee Table (primary key: Eid; foreign key: Did)
Ename    Did  Salarycode  Eid   Ephone
Robin    15   23          2345  6127092485
Neil     13   12          5088  6127092246
Jasmine  4    26          7712  6127099348
Cody     15   22          9664  6127093148
Holly    8    23          3054  6127092729
Robin    8    24          2976  6127091945
Smith    9    21          4490  6127099380

(b) A view derived from the database
Dname             Ename    Eid   Ephone
human resources   Jasmine  7712  6127099348
education         Holly    3054  6127092729
education         Robin    2976  6127091945
accounts          Smith    4490  6127099380
public relations  Neil     5088  6127092246
services          Robin    2345  6127092485
services          Cody     9664  6127093148

Figure 5.4 Relational Database Example

Structured Query Language (SQL)
• Standardized language to define schema, manipulate, and query data in a relational database
• Several similar versions of ANSI/ISO standard
• All follow the same basic syntax and semantics
• SQL statements can be used to:
  • Create tables
  • Insert and delete data in tables
  • Create views
  • Retrieve data with query statements

Table Creation
    CREATE TABLE department (
        Did INTEGER PRIMARY KEY,
        Dname CHAR(30),
        Dacctno CHAR(6) )

Table Creation
    CREATE TABLE employee (
        Ename CHAR(30),
        Did INTEGER,
        SalaryCode INTEGER,
        Eid INTEGER PRIMARY KEY,
        Ephone CHAR(10),
        FOREIGN KEY (Did) REFERENCES department (Did) )

Retrieving Information
• The basic command for retrieving information is the SELECT statement
    SELECT Ename, Eid, Ephone
    FROM Employee
    WHERE Did = 15
• This query returns the Ename, Eid, and Ephone fields from the Employee table for all employees assigned to department 15

View Creation
• The view in Figure 5.4(b) is created using the following SQL statement:
    CREATE VIEW newtable (Dname, Ename, Eid, Ephone)
    AS SELECT D.Dname, E.Ename, E.Eid, E.Ephone
    FROM Department D, Employee E
    WHERE E.Did = D.Did

SQL Injection Attacks (SQLi)
• One of the most prevalent and dangerous network-based security threats
• Designed to exploit the nature of Web application pages
• Sends malicious SQL commands to the database server
• Most common attack goal is bulk extraction of data
• Depending on the environment, SQL injection can also be exploited to:
  • Modify or delete data
  • Execute arbitrary operating system commands
  • Launch denial-of-service (DoS) attacks

SQLi overview
[Figure 5.5 Typical SQL Injection Attack. Components shown: Internet, router, firewall, switch, wireless access point, Web servers, Web application server, database servers, database. Legend: data exchanged between hacker and servers; two-way traffic between hacker and Web server; credit card data is retrieved from database.]

Injection Technique
• The SQLi attack typically works by prematurely terminating a text string and appending a new command
• Because the inserted command may have additional strings appended to it before it is executed, the attacker terminates the injected string with a comment mark "--"
• Subsequent text is ignored at execution time

Example
• As a simple example, consider a script that builds an SQL query by combining predefined strings with text entered by a user:
    var ShipCity;
    ShipCity = Request.form("ShipCity");
    // Vulnerable: the user's text is concatenated directly into the SQL string
    var sql = "select * from OrdersTable where ShipCity = '" + ShipCity + "'";
• The intention of the script's designer is that a user will enter the name of a city

Example
• When the script is executed, the user is prompted to enter a city, and if the user enters Redmond, then the following SQL query is generated:
    SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond'
• Suppose, however, the user enters the following:
    'Redmond'; DROP table OrdersTable--
• This results in the following SQL query:
    SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond'; DROP table OrdersTable--
• The semicolon is an indicator that separates two commands, and the double dash is an indicator that the remaining text of the current line is a comment and not to be executed

SQLi Attack Avenues
• User input: Attackers inject SQL commands by providing suitable crafted user input
• Server variables: Attackers can forge the values that are placed in HTTP and network headers and exploit this vulnerability by placing data directly into the headers
• Second-order injection: A malicious user could rely on data already present in the system or database to trigger an SQL injection attack, so when the attack occurs, the input that modifies the query to cause an attack does not come from the user, but from within the system itself
• Cookies: An attacker could alter cookies such that when the application server builds an SQL query based on the cookie's content, the structure and function of the query is modified
• Physical user input: Applying user input that constructs an attack outside the realm of web requests
Attack Types
• Inband
• Inferential
• Out-of-band

Inband Attacks
• Uses the same communication channel for injecting SQL code and retrieving results
• The retrieved data are presented directly in the application Web page
• Inband attacks include:
  • Tautology: This form of attack injects code in one or more conditional statements so that they always evaluate to true
  • End-of-line comment: After injecting code into a particular field, legitimate code that follows is nullified through usage of end-of-line comments
  • Piggybacked queries: The attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request

Tautology Example
• Consider the following script, whose intent is to require the user to enter a valid name and password:
    // Vulnerable: request parameters are interpolated directly into the SQL string
    $query = "SELECT info FROM user WHERE name = '{$_GET['name']}' AND pwd = '{$_GET['pwd']}'";
• Suppose the attacker submits "' OR 1 = 1--" for the name field. The resulting query would look like this:
    SELECT info FROM user WHERE name = '' OR 1 = 1--' AND pwd = ''
• The injected code disables the password check (due to the comment indicator --) and turns the entire WHERE clause into a tautology
• The database uses the conditional as the basis for evaluating each row and deciding which ones to return
• Because the conditional is a tautology, the query evaluates to true for each row in the table and returns all of them

Inferential Attack
• There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Web site/database server
• Illegal/logically incorrect queries
  • This attack lets an attacker gather important information about the type and structure of the backend database of a Web application
  • The attack is considered a preliminary, information-gathering step for other attacks
• Blind SQL injection
  • Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker

Out-of-Band Attack
• Data are retrieved using a different channel
• This can be used when there are limitations on information retrieval, but outbound connectivity from the database server is lax
SQLi Countermeasures
• Defensive coding
• Detection
• Run-time prevention

Defensive Coding
• Manual defensive coding practices: a common vulnerability exploited by SQLi attacks is insufficient input validation
• One solution is to apply defensive coding practices
  • Input type checking: e.g., to check that inputs match the expected types and formats
  • Performs pattern matching to try to distinguish normal input from abnormal input
• Parameterized query insertion:
  • Allowing developers to more accurately specify the structure of an SQL query
  • Passing the parameters separately such that any unsanitary user input is not allowed to modify the query structure
• SQL DOM:
  • A set of classes that enables automated data type validation and escaping
  • This approach uses encapsulation of database queries to provide a safe and reliable way to access databases
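
The difference between string concatenation and parameterized query insertion, shown on the tautology input from the earlier slide. This is an added example, not code from the original slides; it uses Python's sqlite3 module, and the sample rows, function names and the name pattern are assumptions made for the illustration.

```python
import re
import sqlite3


def make_db():
    """In-memory database with constructed sample rows (not from the slides)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (name TEXT, pwd TEXT, info TEXT)")
    db.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [("alice", "pw-a", "alice-record"), ("bob", "pw-b", "bob-record")],
    )
    return db


def lookup_concatenated(db, name, pwd):
    """Vulnerable form, as in the slides: input is spliced into the SQL text,
    so a quote in the input can change the structure of the query."""
    query = ("SELECT info FROM user WHERE name = '" + name +
             "' AND pwd = '" + pwd + "'")
    return sorted(row[0] for row in db.execute(query))


def lookup_parameterized(db, name, pwd):
    """Hardened form: the query structure is fixed up front and the values
    are passed separately, so they are only ever compared as data."""
    query = "SELECT info FROM user WHERE name = ? AND pwd = ?"
    return sorted(row[0] for row in db.execute(query, (name, pwd)))


# Input type checking: an assumed format for account names (hypothetical policy).
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,30}")


def is_valid_name(name):
    """Pattern match that accepts only names in the expected format."""
    return NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR 1 = 1--"          # the name value from the tautology slide
    print("concatenated :", lookup_concatenated(db, tautology, ""))
    print("parameterized:", lookup_parameterized(db, tautology, ""))
    print("passes format check:", is_valid_name(tautology))
```

With the concatenated query the tautology returns every row; with bound parameters the same input matches no account, and the format check rejects it before any query is built.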

Detection
• Signature based
  • This technique attempts to match specific attack patterns
  • Must be constantly updated and may not work against self-modifying attacks
• Anomaly based
  • Define normal behavior and then detect behavior patterns outside the normal range
  • There is a training phase, in which the system learns the range of normal behavior, followed by the actual detection
• Code analysis
  • Using a test suite to detect SQLi vulnerabilities
  • The test suite is designed to generate a wide range of SQLi attacks and assess the response of the system

Run-time Prevention
• Check queries at runtime to see if they conform to a model of expected queries
• Various automated tools are available for this purpose
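
One way to check a query against a model of expected queries: reduce each query to its structure (literals replaced by a placeholder) and allow only structures seen during training. This is an added sketch, not code from the original slides and not any particular tool; the tokenizer, class and function names are assumptions, and the query is the ShipCity example from the earlier slide.

```python
import re

# Minimal SQL tokenizer for the illustration (assumed, not a full SQL lexer).
TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*)                # end-of-line comment
  | (?P<literal>'(?:[^']|'')*'           # quoted string, doubled quote = escape
               |\b\d+(?:\.\d+)?\b)       # or a numeric constant
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)     # keyword or identifier
  | (?P<symbol>\S)                       # any other non-space character
""", re.VERBOSE)


def skeleton(query):
    """Return the query's structure: literals become '?', comments become
    '--', words are lower-cased, and everything else is kept as is."""
    parts = []
    for match in TOKEN_RE.finditer(query):
        kind = match.lastgroup
        if kind == "literal":
            parts.append("?")
        elif kind == "comment":
            parts.append("--")
        elif kind == "word":
            parts.append(match.group().lower())
        else:
            parts.append(match.group())
    return " ".join(parts)


class QueryModel:
    """Set of query structures learned from known-good application queries."""

    def __init__(self, training_queries):
        self.allowed = {skeleton(q) for q in training_queries}

    def conforms(self, query):
        return skeleton(query) in self.allowed


def guarded_execute(model, query, execute):
    """Run `execute(query)` only if the query's structure is in the model."""
    if not model.conforms(query):
        raise PermissionError("query structure not in model: " + skeleton(query))
    return execute(query)


def build_query(ship_city):
    """The concatenating query builder from the slides' script."""
    return "select * from OrdersTable where ShipCity = '" + ship_city + "'"


if __name__ == "__main__":
    model = QueryModel([build_query("Redmond")])
    samples = ["Rolla", "O''Fallon", "' OR 1 = 1--",
               "Redmond'; DROP table OrdersTable--"]   # constructed inputs
    for city in samples:
        print(repr(city), "->", model.conforms(build_query(city)))
```

A value that stays inside its string literal leaves the structure unchanged and passes; the tautology and the piggybacked statement add tokens to the structure and are refused before reaching the database.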

Database Access Control
• Database access control system determines:
  • If the user has access to the entire database or just portions of it
  • What access rights the user has (create, insert, delete, update, read, write)
• Can support a range of administrative policies
  • Centralized administration: Small number of privileged users may grant and revoke access rights
  • Ownership-based administration: The creator of a table may grant and revoke access rights to the table
  • Decentralized administration: The owner of the table may grant and revoke authorization rights to other users, allowing them to grant and revoke access rights to the table
SQL Access Controls
Two commands for managing access rights:
1 Grant: Used to grant one or more access rights or can be used to assign a user to a role
2 Revoke: Revokes the access rights
Typical access rights are:
• Select
• Insert
• Update
• Delete
• References

The Grant Command
    GRANT {privileges | role}
    [ON table]
    TO {user | role | PUBLIC}
    [IDENTIFIED BY password]
    [WITH GRANT OPTION]
Example
    GRANT SELECT ON ANY TABLE TO ricflair

The Revoke Command
    REVOKE {privileges | role}
    [ON table]
    FROM {user | role | PUBLIC}
Example
    REVOKE SELECT ON ANY TABLE FROM ricflair

Cascading Authorizations
• The grant option enables an access right to cascade through a number of users
• The revocation of privileges is also cascaded

Privilege Revocation
[Figure 5.6 Bob Revokes Privilege from David. Before the revocation: users Ann, Bob, Chris, David, Ellen, Frank and Jim, with grants at t = 10, 20, 30, 40, 50, 60 and 70. After the revocation: users Ann, Bob, Chris, David and Frank, with grants at t = 10, 20, 50 and 60.]
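
A worked version of cascading revocation, added here and not part of the original slides. The names and grant times come from Figure 5.6; which user granted to which (the figure's arrows did not survive in this transcript) and the timestamp rule, under which a grant survives only if its grantor still holds the right from an earlier grant, are assumptions.

```python
from collections import namedtuple

Grant = namedtuple("Grant", "grantor grantee t")

OWNER = "Ann"   # assumed owner of the table; her grants need no support

# Assumed edge list: names and times are from Figure 5.6, the pairing of
# grantor and grantee is an assumption made for this example.
GRANTS = [
    Grant("Ann", "Bob", 10),
    Grant("Ann", "Chris", 20),
    Grant("Bob", "David", 30),
    Grant("David", "Ellen", 40),
    Grant("Chris", "David", 50),
    Grant("David", "Frank", 60),
    Grant("Ellen", "Jim", 70),
]


def revoke(grants, grantor, grantee, owner=OWNER):
    """Remove the grant grantor->grantee, then cascade: drop every grant whose
    grantor no longer holds the right from a grant made earlier in time."""
    remaining = [g for g in grants if (g.grantor, g.grantee) != (grantor, grantee)]
    changed = True
    while changed:                       # repeat until nothing more is dropped
        changed = False
        for g in list(remaining):
            if g.grantor == owner:
                continue
            # Earliest surviving grant that gave the right to this grantor.
            held_since = min((h.t for h in remaining if h.grantee == g.grantor),
                             default=None)
            if held_since is None or held_since >= g.t:
                remaining.remove(g)      # grantor could not have granted at g.t
                changed = True
    return sorted(remaining, key=lambda g: g.t)


def holders(grants, owner=OWNER):
    """Users who hold the access right under the given set of grants."""
    return {owner} | {g.grantee for g in grants}


if __name__ == "__main__":
    after = revoke(GRANTS, "Bob", "David")
    for g in after:
        print(f"{g.grantor} -> {g.grantee} (t = {g.t})")
    print("holders:", sorted(holders(after)))
```

David keeps the right through the later grant at t = 50, so his grant at t = 60 survives while the one at t = 40, and everything that depended on it, is withdrawn; the surviving times match the after state of Figure 5.6.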

Role-Based Access Control (RBAC)
• Role-based access control eases administrative burden and improves security
• A database RBAC needs to provide the following capabilities:
  • Create and delete roles
  • Define permissions for a role
  • Assign and cancel assignment of users to roles

Categories of Database Users
• Application owner: An end user who owns database objects as part of an application
• End user: An end user who operates on database objects via a particular application but does not own any of the database objects
• Administrator: User who has administrative responsibility for part or all of the database
Microsoft SQL Server Roles

What is an Inference Attack?
• The process of performing authorized queries and deducing unauthorized information from the legitimate responses received
• The inference problem arises when the combination of a number of data items is more sensitive than the individual items, or when a combination of data items can be used to infer data of a higher sensitivity

Inference Attacks
[Figure 5.7 Indirect Information Access Via Inference Channel. Labels shown: sensitive data, non-sensitive data, metadata, access control, authorized access, unauthorized access, inference.]

Example of an Inference Attack on (Salary-Name)
(a) Employee table
Name    Position  Salary ($)  Department  Dept. Manager
Andy    senior    43,000      strip       Cathy
Calvin  junior    35,000      strip       Cathy
Cathy   senior    48,000      strip       Cathy
Dennis  junior    38,000      panel       Herman
Herman  senior    55,000      panel       Herman
Ziggy   senior    67,000      panel       Herman

(b) Two views
Position  Salary ($)
senior    43,000
junior    35,000
senior    48,000

Name    Department
Andy    strip
Calvin  strip
Cathy   strip

(c) Table derived from combining query answers
Name    Position  Salary ($)  Department
Andy    senior    43,000      strip
Calvin  junior    35,000      strip
Cathy   senior    48,000      strip

Figure 5.8 Inference Example

Inference Detection
• Inference detection during database design
  • Approach removes an inference channel by altering the database structure or by changing the access control regime to prevent inference
  • Techniques in this category often result in unnecessarily stricter access controls that reduce availability
• Inference detection at query time
  • Approach seeks to eliminate an inference channel violation during a query or series of queries
  • If an inference channel is detected, the query is denied or altered
• Some inference detection algorithm is needed for either of these approaches
• Progress has been made in devising specific inference detection techniques for multilevel secure databases and statistical databases

Database Encryption
• The database is typically the most valuable information resource for any organization
• Protected by multiple layers of security
  • Firewalls, authentication, general access control systems, DB access control systems, database encryption
• Encryption becomes the last line of defense in database security
• Can be applied to the entire database, at the record level, the attribute level, or level of the individual field
• Disadvantages to encryption:
  • Key management: Authorized users must have access to the decryption key for the data for which they have access
  • Inflexibility: When part or all of the database is encrypted it becomes more difficult to perform record searching

How to Process Encrypted Query
1 The user issues an SQL query for fields from one or more records with a specific value of the primary key
2 The query processor at the client encrypts the primary key, modifies the SQL query accordingly, and transmits the query to the server
3 The server processes the query using the encrypted value of the primary key and returns the appropriate record or records
4 The query processor decrypts the data and returns the results

Database Encryption: Decrypt only Locally
[Figure 5.9 A Database Encryption Scheme. Labels shown: client, server, user, data owner, query processor, encrypt/decrypt, query executor, metadata, database, encrypted database. Numbered flows: 1. original query; 2. transformed query; 3. encrypted result; 4. plaintext result.]

Encrypted Query
    SELECT Ename, Eid, Ephone
    FROM Employee
    WHERE Did = 15

    SELECT Ename, Eid, Ephone
    FROM Employee
    WHERE Did = 1000110111001110

Indexing on Encrypted Data
• Indexing can improve usability for encryption
• However, it can provide information for inference attacks
$$
\begin{array}{c|ccccc}
E(k, B_1) & I_{11} & \cdots & I_{1j} & \cdots & I_{1M} \\
\vdots & \vdots & & \vdots & & \vdots \\
E(k, B_i) & I_{i1} & \cdots & I_{ij} & \cdots & I_{iM} \\
\vdots & \vdots & & \vdots & & \vdots \\
E(k, B_N) & I_{N1} & \cdots & I_{Nj} & \cdots & I_{NM}
\end{array}
$$
$$
B_i = (x_{i1} \,\|\, x_{i2} \,\|\, \cdots \,\|\, x_{iM})
$$
Figure 5.10 Encryption Scheme for Database of Figure 5.3
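
The four query-processing steps and the indexing caveat above, as one added example that is not part of the original slides. Assumptions: a keyed HMAC token stands in for the encrypted Did value shown on the Encrypted Query slide, an HMAC-based keystream stands in for a real authenticated cipher such as AES-GCM (which the Python standard library lacks), and all table, class and function names are hypothetical.

```python
import hashlib
import hmac
import os
import sqlite3

# Ename, Did, Eid, Ephone from the Employee table of Figure 5.4.
EMPLOYEES = [
    ("Robin", 15, 2345, "6127092485"), ("Neil", 13, 5088, "6127092246"),
    ("Jasmine", 4, 7712, "6127099348"), ("Cody", 15, 9664, "6127093148"),
    ("Holly", 8, 3054, "6127092729"), ("Robin", 8, 2976, "6127091945"),
    ("Smith", 9, 4490, "6127099380"),
]


def token(k_index, value):
    """Deterministic keyed token: equal values give equal tokens, so the
    server can match on it without learning the value."""
    return hmac.new(k_index, str(value).encode(), hashlib.sha256).hexdigest()


def _keystream(k_enc, nonce, n):
    blocks = (hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(k_enc, fields):
    """Toy stand-in cipher (no integrity protection): random nonce + XOR stream."""
    plain = "\x1f".join(fields).encode()
    nonce = os.urandom(16)
    stream = _keystream(k_enc, nonce, len(plain))
    return nonce + bytes(p ^ s for p, s in zip(plain, stream))


def unseal(k_enc, blob):
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(k_enc, nonce, len(body))
    return tuple(bytes(c ^ s for c, s in zip(body, stream)).decode().split("\x1f"))


def make_server():
    """The server stores only tokens and ciphertext; it never sees a key."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employee_enc (did_token TEXT, enc_row BLOB)")
    return db


class Client:
    """Client-side query processor holding the keys."""

    def __init__(self):
        self.k_index, self.k_enc = os.urandom(32), os.urandom(32)

    def upload(self, server, rows):
        for ename, did, eid, ephone in rows:
            server.execute(
                "INSERT INTO employee_enc VALUES (?, ?)",
                (token(self.k_index, did),
                 seal(self.k_enc, (ename, str(eid), ephone))))

    def select_by_did(self, server, did):
        # Step 2: transform the query; step 3: server matches on the token;
        # step 4: decrypt the returned rows locally.
        cur = server.execute(
            "SELECT enc_row FROM employee_enc WHERE did_token = ?",
            (token(self.k_index, did),))
        return sorted(unseal(self.k_enc, blob) for (blob,) in cur)


def server_side_leakage(server):
    """What the index alone reveals to the server: sizes of equal-token groups."""
    cur = server.execute(
        "SELECT did_token, COUNT(*) FROM employee_enc GROUP BY did_token")
    return sorted(count for _, count in cur)


if __name__ == "__main__":
    client, server = Client(), make_server()
    client.upload(server, EMPLOYEES)
    print(client.select_by_did(server, 15))
    print("group sizes visible to the server:", server_side_leakage(server))
```

The server answers the Did = 15 query without seeing names or phone numbers, yet the searchable token still shows how many rows share each department, which is the kind of side information an inference attack can use.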