
Page 1: Chapter 5: Database Security - Missouri S&T - Missouri …taylorpat/Courses_files/Intro... · 2017-09-15 · Database Security DBMS Relational Model SQL SQLi Injection technique Attack

Chapter 5: Database Security

Comp Sci 3600 Security

Outline

1 Database Security: DBMS, Relational Model, SQL

2 SQLi: Injection technique, Attack Types, Countermeasures

3 Access Controls: SQL Access Controls, Role-based Access Control

4 Inference Attacks: Attack Method, Inference Detection

5 Database Encryption: Remote Encryption, Indexing

What is a Database

• Structured collection of data stored for use by one or more applications

• Contains the relationships between data items and groups of data items

• Can sometimes contain sensitive data that needs to be secured

• Query language provides a uniform interface to the database

• Database management system (DBMS)
  • Suite of programs for constructing and maintaining the database
  • Offers ad hoc query facilities to multiple users and applications

Database Management System

Figure 5.1 DBMS Architecture (diagram; text recovered from the figure): user queries, user applications and database utilities enter the DBMS through a DDL processor and a DML and query language processor. Beneath them a transaction manager and a file manager mediate access to the database description tables, the authorization tables, the concurrent access tables and the physical database.

DDL = data definition language; DML = data manipulation language

Relational Databases

• Table of data consisting of rows and columns
  • Each column holds a particular type of data
  • Each row contains a specific value for each column
  • Ideally has one column where all values are unique, forming an identifier/key for that row

• Enables the creation of multiple tables linked together by a unique identifier that is present in all tables

• Use a relational query language to access the database
  • Allows the user to request data that fit a given set of criteria

Multi-table Database with Unifying Primary Key

Tables shown in the figure (each keyed on PhoneNumber):

• CALLER ID TABLE: PhoneNumber, Has service? (Y/N)

• PRIMARY TABLE: PhoneNumber, Last name, First name, Address

• ADDITIONAL SUBSCRIBER TABLE: PhoneNumber, List of subscribers

• BILLING HISTORY TABLE: PhoneNumber, Date, Transaction type, Transaction amount

• CURRENT BILL TABLE: PhoneNumber, Current date, Previous balance, Current charges, Date of last payment, Amount of last payment

Figure 5.2 Example Relational Database Model. A relational database uses multiple tables related to one another by a designated key; in this case the key is the PhoneNumber field.

Relational Database Elements

Primary key

• Uniquely identifies a row

• Consists of one or more column names

Foreign key

• Links one table to attributes in another

View/virtual table

• Result of a query that returns selected rows and columns from one or more tables

Relational Database

Figure 5.3 Abstract Model of a Relational Database. N records (rows) by M attributes (columns); record i holds the value xij in attribute Aj:

             A1    ...   Aj    ...   AM
Record 1    x11    ...   x1j   ...   x1M
  ...
Record i    xi1    ...   xij   ...   xiM
  ...
Record N    xN1    ...   xNj   ...   xNM

View on a Database

(a) Two tables in a relational database

Department Table (primary key: Did)

Did   Dname              Dacctno
4     human resources    528221
8     education          202035
9     accounts           709257
13    public relations   755827
15    services           223945

Employee Table (primary key: Eid; Did is a foreign key referencing Department.Did)

Ename     Did   Salarycode   Eid    Ephone
Robin     15    23           2345   6127092485
Neil      13    12           5088   6127092246
Jasmine   4     26           7712   6127099348
Cody      15    22           9664   6127093148
Holly     8     23           3054   6127092729
Robin     8     24           2976   6127091945
Smith     9     21           4490   6127099380

(b) A view derived from the database

Dname              Ename     Eid    Ephone
human resources    Jasmine   7712   6127099348
education          Holly     3054   6127092729
education          Robin     2976   6127091945
accounts           Smith     4490   6127099380
public relations   Neil      5088   6127092246
services           Robin     2345   6127092485
services           Cody      9664   6127093148

Figure 5.4 Relational Database Example

Structured Query Language (SQL)

• Standardized language to define schema, manipulate, and query data in a relational database

• Several similar versions of ANSI/ISO standard

• All follow the same basic syntax and semantics

• SQL statements can be used to:
  • Create tables
  • Insert and delete data in tables
  • Create views
  • Retrieve data with query statements

Table Creation

CREATE TABLE department (
    Did INTEGER PRIMARY KEY,
    Dname CHAR(30),
    Dacctno CHAR(6)
)

Table Creation

CREATE TABLE employee (
    Ename CHAR(30),
    Did INTEGER,
    SalaryCode INTEGER,
    Eid INTEGER PRIMARY KEY,
    Ephone CHAR(10),
    FOREIGN KEY (Did) REFERENCES department(Did)
)

Retrieving Information

• The basic command for retrieving information is the SELECT statement

SELECT Ename, Eid, Ephone
FROM Employee
WHERE Did = 15

• This query returns the Ename, Eid, and Ephone fields from the Employee table for all employees assigned to department 15

View Creation

• The view in Figure 5.4(b) is created using the following SQL statement:

CREATE VIEW newtable (Dname, Ename, Eid, Ephone)
AS SELECT D.Dname, E.Ename, E.Eid, E.Ephone
FROM Department D, Employee E
WHERE E.Did = D.Did
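The slides' two CREATE TABLE statements, the SELECT on department 15 and the view definition, run together against the data read from Figure 5.4. This is an added example, not the course's code; it uses Python's built-in sqlite3 module with an in-memory database, and the function names, the foreign-key test row ("Mallory", department 99) and the PRAGMA line are assumptions made for the example.

```python
import sqlite3

# Rows transcribed from Figure 5.4 (Department: Did, Dname, Dacctno;
# Employee: Ename, Did, SalaryCode, Eid, Ephone).
DEPARTMENTS = [
    (4, "human resources", "528221"),
    (8, "education", "202035"),
    (9, "accounts", "709257"),
    (13, "public relations", "755827"),
    (15, "services", "223945"),
]
EMPLOYEES = [
    ("Robin", 15, 23, 2345, "6127092485"),
    ("Neil", 13, 12, 5088, "6127092246"),
    ("Jasmine", 4, 26, 7712, "6127099348"),
    ("Cody", 15, 22, 9664, "6127093148"),
    ("Holly", 8, 23, 3054, "6127092729"),
    ("Robin", 8, 24, 2976, "6127091945"),
    ("Smith", 9, 21, 4490, "6127099380"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite only enforces FOREIGN KEY clauses when asked (assumption: the
    # reader wants the slides' REFERENCES clause to actually be checked).
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute("""CREATE TABLE department (
        Did INTEGER PRIMARY KEY,
        Dname CHAR(30),
        Dacctno CHAR(6))""")
    conn.execute("""CREATE TABLE employee (
        Ename CHAR(30),
        Did INTEGER,
        SalaryCode INTEGER,
        Eid INTEGER PRIMARY KEY,
        Ephone CHAR(10),
        FOREIGN KEY (Did) REFERENCES department(Did))""")
    conn.executemany("INSERT INTO department VALUES (?, ?, ?)", DEPARTMENTS)
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    # The slides' view: a join that exposes only four columns, so a user who
    # is granted SELECT on the view never sees SalaryCode or Dacctno.
    conn.execute("""CREATE VIEW newtable (Dname, Ename, Eid, Ephone) AS
        SELECT D.Dname, E.Ename, E.Eid, E.Ephone
        FROM department D, employee E
        WHERE E.Did = D.Did""")
    conn.commit()
    return conn


def employees_in_department(conn, did):
    # The slides' SELECT, with the department number supplied as a parameter.
    return conn.execute(
        "SELECT Ename, Eid, Ephone FROM employee WHERE Did = ? ORDER BY Eid",
        (did,)).fetchall()


def view_columns(conn):
    cur = conn.execute("SELECT * FROM newtable")
    return [d[0] for d in cur.description]


def view_rows(conn):
    return conn.execute("SELECT * FROM newtable ORDER BY Eid").fetchall()


def fk_rejects_unknown_department(conn) -> bool:
    # Constructed row: department 99 does not exist, so the foreign key must
    # reject it. True means the constraint did its job.
    try:
        conn.execute("INSERT INTO employee VALUES "
                     "('Mallory', 99, 20, 1111, '6125550100')")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print(employees_in_department(db, 15))
    print(view_columns(db), len(view_rows(db)), "rows in the view")
    print("foreign key enforced:", fk_rejects_unknown_department(db))
```

The view returns one row per employee (seven), and the foreign-key check is the part of the schema that keeps an employee from being attached to a department that does not exist; without the PRAGMA, SQLite silently accepts the bad row.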

SQL Injection Attacks (SQLi)

• One of the most prevalent and dangerous network-based security threats

• Designed to exploit the nature of Web application pages

• Sends malicious SQL commands to the database server

• Most common attack goal is bulk extraction of data

• Depending on the environment, SQL injection can also be exploited to:
  • Modify or delete data
  • Execute arbitrary operating system commands
  • Launch denial-of-service (DoS) attacks

SQLi overview

Figure 5.5 Typical SQL Injection Attack (diagram; text recovered from the figure). Network path: Internet, router, firewall, switch, wireless access point, Web servers, Web application server, database servers, database. Legend: data exchanged between hacker and servers; two-way traffic between hacker and Web server; credit card data is retrieved from database.

Injection Technique

• The SQLi attack typically works by prematurely terminating a text string and appending a new command

• Because the inserted command may have additional strings appended to it before it is executed, the attacker terminates the injected string with a comment mark "--"

• Subsequent text is ignored at execution time

Example

• As a simple example, consider a script that builds an SQL query by combining predefined strings with text entered by a user:

var ShipCity;
ShipCity = Request.form("ShipCity");
var sql = "select * from OrdersTable where ShipCity = '" + ShipCity + "'";

• The intention of the script's designer is that a user will enter the name of a city

Example

• When the script is executed, the user is prompted to enter a city, and if the user enters Redmond, then the following SQL query is generated:

SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond'

• Suppose, however, the user enters the following:

Redmond'; DROP table OrdersTable--

• This results in the following SQL query:

SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond'; DROP table OrdersTable--

• The semicolon is an indicator that separates two commands, and the double dash is an indicator that the remaining text of the current line is a comment and not to be executed

SQLi Attack Avenues

• User input: Attackers inject SQL commands by providing suitably crafted user input

• Server variables: Attackers can forge the values that are placed in HTTP and network headers and exploit this vulnerability by placing data directly into the headers

• Second-order injection: A malicious user could rely on data already present in the system or database to trigger an SQL injection attack, so when the attack occurs, the input that modifies the query to cause an attack does not come from the user, but from within the system itself

• Cookies: An attacker could alter cookies such that when the application server builds an SQL query based on the cookie's content, the structure and function of the query is modified

• Physical user input: Applying user input that constructs an attack outside the realm of web requests

Attack Types

• Inband

• Inferential

• Out-of-band

Inband Attacks

• Uses the same communication channel for injecting SQL code and retrieving results

• The retrieved data are presented directly in the application Web page. Inband attacks include:

  • Tautology: This form of attack injects code in one or more conditional statements so that they always evaluate to true

  • End-of-line comment: After injecting code into a particular field, legitimate code that follows is nullified through usage of end-of-line comments

  • Piggybacked queries: The attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request

Tautology Example

• Consider the following script, whose intent is to require the user to enter a valid name and password:

$query = "SELECT info FROM users WHERE name = '{$_GET['name']}' AND pwd = '{$_GET['pwd']}'";

• Suppose the attacker submits ' OR 1=1 -- for the name field. The resulting query would look like this:

SELECT info FROM users WHERE name = '' OR 1=1 -- AND pwd = ''

• The injected code disables the password check (due to the comment indicator --) and turns the entire WHERE clause into a tautology

• The database uses the conditional as the basis for evaluating each row and deciding which ones to return

• Because the conditional is a tautology, the query evaluates to true for each row in the table and returns all of them

Inferential Attack

• There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Website/database server

• Illegal/logically incorrect queries
  • This attack lets an attacker gather important information about the type and structure of the backend database of a Web application
  • The attack is considered a preliminary, information-gathering step for other attacks

• Blind SQL injection
  • Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker

Out-of-Band Attack

• Data are retrieved using a different channel

• This can be used when there are limitations on information retrieval, but outbound connectivity from the database server is lax

SQLi Countermeasures

• Defensive coding

• Detection

• Run-time prevention

Defensive Coding

• Manual defensive coding practices: a common vulnerability exploited by SQLi attacks is insufficient input validation

• One solution is to apply defensive coding practices
  • Input type checking: e.g., check that inputs match the expected types and formats
  • Performs pattern matching to try to distinguish normal input from abnormal input

• Parameterized query insertion:
  • Allows developers to more accurately specify the structure of an SQL query
  • Passes the parameters separately such that any unsanitized user input is not allowed to modify the query structure

• SQL DOM:
  • A set of classes that enables automated data type validation and escaping
  • This approach uses encapsulation of database queries to provide a safe and reliable way to access databases
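The tautology example from the earlier slide and the two defensive-coding practices above (input type checking and parameterized query insertion), side by side as an added example that is not the course's code. It runs the same name/password lookup three ways against a constructed two-row users table in Python's built-in sqlite3 module; the table contents, the USERNAME_RE format and the function names are assumptions made for the example.

```python
import re
import sqlite3


def make_user_table() -> sqlite3.Connection:
    # Constructed sample data (assumption for the example): the users table
    # that the slide's query reads from.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwd TEXT, info TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "alice's record"),
        ("bob", "battery staple", "bob's record"),
    ])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name, pwd):
    # Same construction as the slide's script: the input is spliced into the
    # SQL text, so a quote and a -- comment in the name field rewrite the
    # WHERE clause into a tautology and comment out the password check.
    query = f"SELECT info FROM users WHERE name = '{name}' AND pwd = '{pwd}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name, pwd):
    # Parameterized query insertion: the statement text fixes the query
    # structure; name and pwd travel separately and can only ever be values.
    query = "SELECT info FROM users WHERE name = ? AND pwd = ?"
    return [row[0] for row in conn.execute(query, (name, pwd))]


# Input type checking: the format a user name is expected to have
# (assumption for the example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def lookup_defended(conn, name, pwd):
    # Both defensive-coding layers together: validate the input's type and
    # format first, then run the parameterized query.
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("user name does not match the expected format")
    return lookup_parameterized(conn, name, pwd)


if __name__ == "__main__":
    db = make_user_table()
    injected = "' OR 1=1 --"   # the slide's tautology input
    print("vulnerable:   ", lookup_vulnerable(db, injected, ""))
    print("parameterized:", lookup_parameterized(db, injected, ""))
```

With the slide's input the vulnerable version returns every row; the parameterized version compares the literal string ' OR 1=1 -- against the name column and returns nothing, and the type check refuses the request before any SQL is built. Note also that sqlite3's execute() accepts exactly one statement per call, so the piggybacked DROP TABLE from the earlier slide would be rejected by this driver even in the vulnerable form; that is a property of the driver, not a reason to skip parameterization.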

Detection

• Signature based
  • This technique attempts to match specific attack patterns
  • Must be constantly updated and may not work against self-modifying attacks

• Anomaly based
  • Define normal behavior and then detect behavior patterns outside the normal range
  • There is a training phase, in which the system learns the range of normal behavior, followed by the actual detection

• Code analysis
  • Using a test suite to detect SQLi vulnerabilities
  • The test suite is designed to generate a wide range of SQLi attacks and assess the response of the system
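Signature-based detection as described above, as an added example that is not the course's code: a small matcher that decodes the request target of each access-log line and checks it against signatures for the three inband patterns the slides name (tautology, end-of-line comment, piggybacked query). The five log lines are constructed for the example (one of them a legitimate apostrophe in "O'Brien"), and the signature names and regular expressions are assumptions; a deployed signature set is much larger and, as the slide says, needs constant maintenance.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the slides). Lines 3 and 4 carry the
# slides' own example inputs, URL-encoded the way a browser would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Sep/2017:10:01:02 -0500] "GET /orders?ShipCity=Redmond HTTP/1.1" 200 512
10.0.0.6 - - [15/Sep/2017:10:01:09 -0500] "GET /search?name=O%27Brien HTTP/1.1" 200 233
10.0.0.7 - - [15/Sep/2017:10:02:15 -0500] "GET /login?name=%27+OR+1%3D1+--&pwd= HTTP/1.1" 200 8192
10.0.0.7 - - [15/Sep/2017:10:02:40 -0500] "GET /orders?ShipCity=Redmond%27%3B+DROP+table+OrdersTable-- HTTP/1.1" 500 0
10.0.0.8 - - [15/Sep/2017:10:03:01 -0500] "GET /orders?ShipCity=Seattle HTTP/1.1" 200 498
"""

# Signatures (assumptions for the example). The tautology rule keys on the
# shape quote + OR + comparison rather than on a bare apostrophe, so that
# ordinary names containing a quote do not trigger it.
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.IGNORECASE),
    "eol_comment": re.compile(r"--|/\*"),
    "piggyback": re.compile(r";\s*(drop|delete|insert|update|exec)\b", re.IGNORECASE),
}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_line(line: str):
    """Return the names of the signatures that match one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    # Signatures must see the decoded input; %27 is a quote and + is a space.
    target = unquote_plus(m.group(1))
    return [name for name, rx in SIGNATURES.items() if rx.search(target)]


def scan_log(text: str):
    """Return (line number, matched signatures) for every flagged line."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings.append((number, hits))
    return findings


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Decoding before matching matters: without it the third line contains no quote character at all and every signature misses. The O'Brien line shows the other side of the trade-off, which is why the tautology signature asks for more than an apostrophe, and why a signature set that is not tuned to the application produces either false positives or blind spots.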

Run-time Prevention

• Check queries at runtime to see if they conform to a model of expected queries

• Various automated tools are available for this purpose
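A minimal form of the run-time check described on this slide, as an added example that is not the course's code or any particular tool: each SQL statement is reduced to a structural template by replacing its literals with placeholders, and a statement is allowed only if its template is one the application is expected to issue. The expected-query list and the function names are assumptions for the example.

```python
import re

# Structural normalization: string literals and numbers become '?', whitespace
# is collapsed and case is folded, so two statements that differ only in their
# literal values share one template. An injection changes the statement's
# structure, so its template is one the model has never seen.
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")
_NUMBER_LITERAL = re.compile(r"\b\d+(?:\.\d+)?\b")


def template(sql: str) -> str:
    t = _STRING_LITERAL.sub("?", sql)
    t = _NUMBER_LITERAL.sub("?", t)
    t = re.sub(r"\s+", " ", t).strip()
    return t.upper()


class QueryModel:
    """Allow-list of query templates learned from known-good statements."""

    def __init__(self, expected_queries):
        self.allowed = {template(q) for q in expected_queries}

    def check(self, sql: str) -> bool:
        # True if the statement has the structure of an expected query.
        return template(sql) in self.allowed


# Known-good statements the application issues (constructed for the example;
# they are the slides' own queries with sample literal values).
EXPECTED_QUERIES = [
    "SELECT info FROM users WHERE name = 'alice' AND pwd = 'correct horse'",
    "SELECT * FROM OrdersTable WHERE ShipCity = 'Redmond'",
    "SELECT Ename, Eid, Ephone FROM Employee WHERE Did = 15",
]


def build_model() -> QueryModel:
    return QueryModel(EXPECTED_QUERIES)


if __name__ == "__main__":
    model = build_model()
    for sql in [
        "SELECT * FROM OrdersTable WHERE ShipCity = 'Seattle'",
        "SELECT info FROM users WHERE name = '' OR 1=1 -- AND pwd = ''",
    ]:
        print(model.check(sql), template(sql))
```

The tautology query from the earlier slide normalizes to a template containing OR ?=? -- that is absent from the model, and the piggybacked DROP carries a second statement, so both are refused while a legitimate query for another city passes. Real tools parse the SQL rather than regex-normalize it, and the model must include every query shape the application legitimately builds (for example a dynamically chosen ORDER BY column) or it will block real traffic.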

Database Access Control

• Database access control system determines:
  • If the user has access to the entire database or just portions of it
  • What access rights the user has (create, insert, delete, update, read, write)

• Can support a range of administrative policies
  • Centralized administration: Small number of privileged users may grant and revoke access rights
  • Ownership-based administration: The creator of a table may grant and revoke access rights to the table
  • Decentralized administration: The owner of the table may grant and revoke authorization rights to other users, allowing them to grant and revoke access rights to the table

SQL Access Controls

Two commands for managing access rights:

1 Grant: Used to grant one or more access rights, or to assign a user to a role

2 Revoke: Revokes the access rights

Typical access rights are:

• Select

• Insert

• Update

• Delete

• References

The Grant Command

GRANT {privileges | role}
[ON table]
TO {user | role | PUBLIC}
[IDENTIFIED BY password]
[WITH GRANT OPTION]

Example

GRANT SELECT ON ANY TABLE TO ricflair

The Revoke Command

REVOKE {privileges | role}
[ON table]
FROM {user | role | PUBLIC}

Example

REVOKE SELECT ON ANY TABLE FROM ricflair

Cascading Authorizations

• The grant option enables an access right to cascade through a number of users

• The revocation of privileges also cascades

Privilege Revocation

[Figure: two grant graphs. Before the revocation the users Ann, Bob, Chris, David, Ellen, Frank and Jim hold the privilege, with grant timestamps t = 10, 20, 30, 40, 50, 60 and 70. After Bob revokes from David only Ann, Bob, Chris, David and Frank remain, with timestamps t = 10, 20, 50 and 60.]

Figure 5.6 Bob Revokes Privilege from David
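The cascading rule behind Figure 5.6, as an added example that is not part of the slides: a grant made by a user is kept only if that user held the privilege (through a still-valid grant with an earlier timestamp, or as owner) at the time of the grant. The slide shows only names and timestamps, so the edge list below is a constructed reading of the figure; the owner name and the function names are assumptions.

```python
# Added example (not from the slides): cascading revocation of a privilege
# granted WITH GRANT OPTION, using the timestamp rule illustrated by Figure 5.6.
# The edge list is a constructed reading of the figure: only names and
# timestamps appear on the slide, so the edges themselves are an assumption.
GRANTS = [
    ("Ann", "Bob", 10),      # Ann owns the table and grants to Bob
    ("Bob", "Chris", 20),
    ("Bob", "David", 30),
    ("David", "Ellen", 40),  # David passes the right on before Chris grants to him
    ("Chris", "David", 50),
    ("David", "Frank", 60),  # made after David's second, independent grant
    ("Ellen", "Jim", 70),
]
OWNER = "Ann"  # the owner's right is not derived from any grant


def valid_grants(grants, owner=OWNER):
    """Keep a grant only if the grantor held the privilege when making it,
    i.e. is the owner or had received a still-valid grant strictly earlier.
    Iterating to a fixed point from the empty set means a cycle of grants
    with no path back to the owner is dropped as well."""
    valid = set()
    while True:
        justified = {
            g for g in grants if g not in valid and (
                g[0] == owner
                or any(v[1] == g[0] and v[2] < g[2] for v in valid))
        }
        if not justified:
            return sorted(valid, key=lambda g: g[2])
        valid |= justified


def revoke(grants, grantor, grantee, owner=OWNER):
    """REVOKE issued by grantor against grantee: drop that edge, then cascade."""
    remaining = [g for g in grants if (g[0], g[1]) != (grantor, grantee)]
    return valid_grants(remaining, owner)


def holders(grants, owner=OWNER):
    """Users who currently hold the privilege."""
    return {owner} | {g[1] for g in grants}


if __name__ == "__main__":
    after = revoke(GRANTS, "Bob", "David")
    # Ellen (t=40) and therefore Jim (t=70) lose the right; Frank (t=60) keeps
    # it because David still holds a grant from Chris dated t=50 < 60.
    for g in after:
        print(g)
    print(sorted(holders(after)))
```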

Role-Based Access Control (RBAC)

• Role-based access control eases administrative burden and improves security

• A database RBAC needs to provide the following capabilities:
  • Create and delete roles
  • Define permissions for a role
  • Assign and cancel assignment of users to roles

Categories of Database Users

• Application owner: An end user who owns database objects as part of an application

• End user: An end user who operates on database objects via a particular application but does not own any of the database objects

• Administrator: User who has administrative responsibility for part or all of the database

Microsoft SQL Server Roles

What is an Inference Attack?

• The process of performing authorized queries and deducing unauthorized information from the legitimate responses received

• The inference problem arises when the combination of a number of data items is more sensitive than the individual items, or when a combination of data items can be used to infer data of a higher sensitivity

Inference Attacks

[Figure: access control permits authorized access to non-sensitive data and metadata and blocks unauthorized access to sensitive data; an inference channel from the non-sensitive data and metadata leads to the sensitive data anyway.]

Figure 5.7 Indirect Information Access Via Inference Channel

Example of an Inference Attack on (Salary-Name)

Name    Position  Salary ($)  Department  Dept. Manager
Andy    senior    43,000      strip       Cathy
Calvin  junior    35,000      strip       Cathy
Cathy   senior    48,000      strip       Cathy
Dennis  junior    38,000      panel       Herman
Herman  senior    55,000      panel       Herman
Ziggy   senior    67,000      panel       Herman

(a) Employee table

Position  Salary ($)        Name    Department
senior    43,000            Andy    strip
junior    35,000            Calvin  strip
senior    48,000            Cathy   strip

(b) Two views

Name    Position  Salary ($)  Department
Andy    senior    43,000      strip
Calvin  junior    35,000      strip
Cathy   senior    48,000      strip

(c) Table derived from combining query answers

Figure 5.8 Inference Example

Inference Detection

• Inference detection during database design
  • Approach removes an inference channel by altering the database structure or by changing the access control regime to prevent inference
  • Techniques in this category often result in unnecessarily stricter access controls that reduce availability

• Inference detection at query time
  • Approach seeks to eliminate an inference channel violation during a query or series of queries
  • If an inference channel is detected, the query is denied or altered

• Some inference detection algorithm is needed for either of these approaches

• Progress has been made in devising specific inference detection techniques for multilevel secure databases and statistical databases
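Query-time inference detection run against the Employee table of Figure 5.8, as an added example that is not part of the slides. The table values are the figure's; the monitor design (tracking, per user and per row, which attributes have already been learned, and denying a query that would complete a sensitive attribute combination) is an assumption, one simple realisation of the "query is denied or altered" approach above.

```python
# Added example (not from the slides): a query-time inference monitor over the
# Employee table of Figure 5.8.  Rows are the slide's values; the monitor
# design is an assumption, one way to realise "deny the query if an inference
# channel is detected".
EMPLOYEE = [
    {"Name": "Andy",   "Position": "senior", "Salary": 43000, "Department": "strip", "Manager": "Cathy"},
    {"Name": "Calvin", "Position": "junior", "Salary": 35000, "Department": "strip", "Manager": "Cathy"},
    {"Name": "Cathy",  "Position": "senior", "Salary": 48000, "Department": "strip", "Manager": "Cathy"},
    {"Name": "Dennis", "Position": "junior", "Salary": 38000, "Department": "panel", "Manager": "Herman"},
    {"Name": "Herman", "Position": "senior", "Salary": 55000, "Department": "panel", "Manager": "Herman"},
    {"Name": "Ziggy",  "Position": "senior", "Salary": 67000, "Department": "panel", "Manager": "Herman"},
]
# Attribute combinations that are more sensitive than the attributes on their own.
SENSITIVE = [frozenset({"Name", "Salary"})]


class InferenceMonitor:
    """Tracks, per user and per row, which attributes the user has already
    learned, and refuses any query whose answer would complete a sensitive
    combination for some row.  Tracking per row (rather than per column set)
    also catches two answers that overlap in a single record."""

    def __init__(self, table, sensitive):
        self.table, self.sensitive = table, sensitive
        self.learned = {}  # user -> {row index -> set of attributes seen}

    def query(self, user, columns, where):
        """Return the answer rows, or None if the query is denied."""
        rows = [i for i, r in enumerate(self.table)
                if all(r[k] == v for k, v in where.items())]
        # The selection predicate reveals its attributes for every returned row.
        revealed = set(columns) | set(where)
        seen = self.learned.setdefault(user, {})
        for i in rows:
            if any(s <= seen.get(i, set()) | revealed for s in self.sensitive):
                return None  # denied: this answer could be joined with earlier ones
        for i in rows:
            seen.setdefault(i, set()).update(revealed)
        return [{c: self.table[i][c] for c in columns} for i in rows]


if __name__ == "__main__":
    m = InferenceMonitor(EMPLOYEE, SENSITIVE)
    # View 1 of Figure 5.8(b): allowed.
    print(m.query("u1", ["Position", "Salary"], {"Department": "strip"}))
    # View 2 over the same rows would let u1 line names up with salaries: denied.
    print(m.query("u1", ["Name", "Department"], {"Department": "strip"}))
```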

Database Encryption

• The database is typically the most valuable information resource for any organization

• Protected by multiple layers of security

• Firewalls, authentication, general access control systems, DB access control systems, database encryption

• Encryption becomes the last line of defense in database security

• Can be applied to the entire database, at the record level, the attribute level, or level of the individual field

• Disadvantages to encryption:
  • Key management: Authorized users must have access to the decryption key for the data for which they have access
  • Inflexibility: When part or all of the database is encrypted it becomes more difficult to perform record searching

How to Process Encrypted Query

1 The user issues an SQL query for fields from one or more records with a specific value of the primary key

2 The query processor at the client encrypts the primary key, modifies the SQL query accordingly, and transmits the query to the server

3 The server processes the query using the encrypted value of the primary key and returns the appropriate record or records

4 The query processor decrypts the data and returns the results

Database Encryption: Decrypt only Locally

[Figure: the client side holds the user / data owner, the query processor, the encrypt/decrypt function and the metadata; the server side holds the query executor, its copy of the metadata and the encrypted database. Flow: 1. original query (plus metadata) from the user to the query processor, 2. transformed query to the server, 3. encrypted result back to the client, 4. plaintext result to the user.]

Figure 5.9 A Database Encryption Scheme

Encrypted Query

Original query:

SELECT Ename, Eid, Ephone
FROM Employee
WHERE Did = 15

Transformed query sent to the server:

SELECT Ename, Eid, Ephone
FROM Employee
WHERE Did = 1000110111001110
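The four-step procedure and the query above, carried through in code as an added example (not from the slides or any product): a client-side query processor with an in-memory sqlite3 database standing in for the server. Assumptions: the key lives only at the client; HMAC-SHA256 serves as the PRF, used deterministically on Did so the server can match equality on ciphertext, and in counter mode as a stand-in for AES-CTR on the other fields; table, column names and the sample records are constructed.

```python
# Added example (not from the slides): client-side query processor of Figure 5.9
# for the Employee query on the slide, with sqlite3 playing the server.
# Assumptions: the key never leaves the client; HMAC-SHA256 is the PRF, used
# deterministically for the primary key and in counter mode (a stand-in for
# AES-CTR) for the other fields.  A real deployment would use an AEAD there.
import hashlib, hmac, os, sqlite3

KEY = b"constructed demo key, never shipped to the server"

def prf(label: bytes, data: bytes) -> bytes:
    return hmac.new(KEY, label + b"|" + data, hashlib.sha256).digest()

def encrypt_key(did: int) -> str:
    """Deterministic: equal Did values give equal tokens, so 'WHERE Did = ?'
    still works at the server.  That equality pattern is exactly what an index
    on encrypted data reveals (see the Indexing slide)."""
    return prf(b"pk", did.to_bytes(8, "big")).hex()

def keystream(nonce: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(prf(b"ctr", nonce + c.to_bytes(4, "big")) for c in range(blocks))[:n]

def encrypt_field(text: str) -> bytes:
    """Randomised: a fresh nonce per value, so equal names do not repeat."""
    nonce, data = os.urandom(16), text.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(nonce, len(data))))

def decrypt_field(blob: bytes) -> str:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(nonce, len(body)))).decode()

def build_server() -> sqlite3.Connection:
    """Server side of Figure 5.9: it only ever stores and compares ciphertext."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Employee (Did TEXT, Ename BLOB, Eid BLOB, Ephone BLOB)")
    records = [(15, "Alice", "E100", "555-0101"),   # constructed sample records
               (15, "Bao", "E101", "555-0102"),
               (22, "Carla", "E102", "555-0103")]
    for did, name, eid, phone in records:
        db.execute("INSERT INTO Employee VALUES (?, ?, ?, ?)",
                   (encrypt_key(did), encrypt_field(name),
                    encrypt_field(eid), encrypt_field(phone)))
    return db

def query_by_department(db: sqlite3.Connection, did: int) -> list:
    """Client query processor: steps 1-4 of 'How to Process Encrypted Query'."""
    transformed = "SELECT Ename, Eid, Ephone FROM Employee WHERE Did = ? ORDER BY rowid"
    encrypted_rows = db.execute(transformed, (encrypt_key(did),)).fetchall()  # steps 2-3
    return [tuple(decrypt_field(c) for c in row) for row in encrypted_rows]   # step 4

if __name__ == "__main__":
    print(query_by_department(build_server(), 15))
```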

Indexing on Encrypted Data

• Indexing can improve the usability of an encrypted database

• However, it can provide information for inference attacks

[Figure: each row i of the database (i = 1 … N) is stored as one encrypted block E(k, Bi) followed by one index value per attribute, Ii1 … Iij … IiM.]

Bi = (xi1 || xi2 || … || xiM)

Figure 5.10 Encryption Scheme for Database of Figure 5.3