computer science csc 405dr. peng ning1 csc 405 introduction to computer security topic 6. database...
TRANSCRIPT
CSC 405 Dr. Peng Ning 1
Computer Science
CSC 405Introduction to Computer Security
Topic 6. Database Security
CSC 405 Dr. Peng Ning 2Computer Science
Agenda
• Discretionary access control in DBMS
• Mandatory access control and multi-level databases
• Database inference control
CSC 405 Dr. Peng Ning 3Computer Science
CSC 405 Dr. Peng Ning 4
Computer Science
Topic 6.1 DAC in DBMS
CSC 405 Dr. Peng Ning 5Computer Science
Outline
• Relational model
• Grant and revoke
• Extension to the basic model
• Questions/comments in reviews
CSC 405 Dr. Peng Ning 6Computer Science
Basic Relational Concepts
• Data is organized as a collection of tables, called RELATIONS– Example: two relations - EMP, DEPT– EMP: name, title, department– DEPT: department, location
• Each row (or record) of a relation is called a TUPLE• Each relation has a unique name• Each attribute has a unique name within a relation• All values in a relation are atomic (indecomposable)
– As a consequence , we have two tuples for a user
CSC 405 Dr. Peng Ning 7Computer Science
EMP Name Title Dept
Tom Prof ECE
Tom Prof CS
Adams Prof ECE
Smith Inst CS
DEPT Name Location
CS Wither Hall
ECE Daniels Hall
Math Harrelson Hall
Examples
CSC 405 Dr. Peng Ning 8Computer Science
CREATE TABLE EMP
(Name CHAR(15) NOT NULL,
Title CHAR(4),
Dept CHAR(10),
PRIMARY KEY (Name))
CREATE TABLE DEPT
(Name CHAR(10) NOT NULL,
Location CHAR (15),
PRIMARY KEY (Name))
Relation Schemes
• A relational database consists of 2 relation schemes:• EMP(Name, Title, Dept)• DEPT(Name, Location)• Schemes: structure of the database• Structured Query Language (SQL)• SQL "data definition" statements are used to create relations
CSC 405 Dr. Peng Ning 9Computer Science
• The SELECT statement
SELECT Name
FROM EMP
WHERE Dept = `ECE'
• Joins
SELECT *
FROM EMP, DEPT
WHERE EMP.Dept= DEPT.Name
AND Dept.Location = `Wither Hall'
Tom Prof CS Wither Hall
Smith Inst CS Wither Hall
SQL
Tom
Adams
CSC 405 Dr. Peng Ning 10Computer Science
CREATE VIEW EMP_LOCATION
AS SELECT Name, Dept, Location
FROM EMP, DEPT
WHERE EMP.Dept = DEPT.Name
Views
EMP_LOCATION Name Dept LocationTom ECE Daniels HallTom CS Wither HallAbrams ECE Daniels BldgSmith CS Wither Hall
• Views are "virtual" relations. They can be used to customize relations and to provide security
CSC 405 Dr. Peng Ning 11Computer Science
Discretionary Access Controls
• Decentralized administration– Users can protect what they own– The owner may grant access to others– The owner may define the type of access
(read/write/execute) given to others
CSC 405 Dr. Peng Ning 12Computer Science
Access Control Mechanisms
• Identification and Authentication (I&A)
• Security through Views
• Stored Procedures
• Grant and Revoke
• Query Modification
CSC 405 Dr. Peng Ning 13Computer Science
Identification and Authentication
• Identification provided by DBMS can be distinct from that provided by the underlying OS– Example: MS SQL server
• Two options– I&A through the OS
– Separate I&A
CSC 405 Dr. Peng Ning 14Computer Science
NAME DEPT SALARY MANAGER
Smith Toy 10,000 Jones
Jones Toy 15,000 Baker
Baker Admin 40,000 Harding
Adams Candy 20,000 Harding
Harding Admin 50,000 None
EMP
Security Through Views
Users are allowed to access partial information (such asthe Toy dept data), but not the detailed information.
CSC 405 Dr. Peng Ning 15Computer Science
Example
CREATE VIEW TOY_DEPTAS SELECT NAME, SALARY, MANAGERFROMEMPWHERE DEPT = 'Toy'
TOY_DEPT NAME SALARY MANAGER
Smith 10,000 Jones
Jones 15,000 Baker
CSC 405 Dr. Peng Ning 16Computer Science
Example
CREATE VIEW TOY_EMP_MGRAS SELECT EMP, MANAGERFROMEMPWHERE DEPT = 'Toy'
TOY_EMP_MGR NAME MANAGER
Smith Jones
Jones Baker
CSC 405 Dr. Peng Ning 17Computer Science
Example
CREATE VIEW AVSAL(DEPT, AVG)AS SELECT DEPT, AVG(SALARY)FROM EMPGROUP BY DEPT
AVSAL DEPT AVG
TOY 12,500
CANDY 20,000
ADMIN 45,000
CSC 405 Dr. Peng Ning 18Computer Science
Stored Procedures
• Right to execute compiled programs
• GRANT RUN ON program_A TO ADAMS
• Suppose program_A needs to access the relation EMP. Adams can execute program_A even though he does not have permission to access EMP
CSC 405 Dr. Peng Ning 19Computer Science
Query Modification
• Adams:GRANT SELECT ON EMP TO THOMAS WHERE SALARY < 15000
• THOMAS:
SELECT *
FROM EMP
• DBMS:
SELECT *
FROM EMP
WHERE SALARY < 15000
CSC 405 Dr. Peng Ning 20Computer Science
The Grant Command
• GRANT <privilege> ON <relation> TO <users> [WITH GRANT OPTION]
– GRANT SELECT ON EMP TO ADAMS
– GRANT SELECT ON EMP TO ADAMS WITH GRANT OPTION
– GRANT SELECT, UPDATE(SALARY) ON EMP TO JIM, JILL
• Applied to base relations as well as views
CSC 405 Dr. Peng Ning 21Computer Science
The Revoke Command
• REVOKE <privileges> [ON <relations>]FROM <users>
– REVOKE SELECT ON EMP FROM TOM
– REVOKE UPDATE ON EMP FROM SMITH
– REVOKE RESOURCE FROM ABRAMS
– REVOKE DBA FROM SMITH
CSC 405 Dr. Peng Ning 22Computer Science
Semantics of Revoke
• A sequence of grant command follow by a revoke operation – G1, G2, …, Gn, Rh
• Semantics– Equivalent to: G1, G2, …Gh-1, Gh+1, Gn
CSC 405 Dr. Peng Ning 23Computer Science
Time-stamped Authorizations
A
B
C
D
20g
10g30g
F
E
40g
50g
60g
CSC 405 Dr. Peng Ning 24Computer Science
Cascading Revocation
A B C D20g 10g 30g
A B10g
Grant sequence:
B revokes privilege from C :
CSC 405 Dr. Peng Ning 25Computer Science
Timestamps Make a Difference
A
B
C
D
20g
10g30g
F
E
40g
50g
60g
CSC 405 Dr. Peng Ning 26Computer Science
Timestamps Make a Difference
A
B
C
D
20g
10g30g
F
E
40g
50g
60g
CSC 405 Dr. Peng Ning 27Computer Science
Further Extension
• Make cascading optional
• Permit negative authorizations
CSC 405 Dr. Peng Ning 28Computer Science
The Revoke Command
• REVOKE <privileges> [ON <relations>] FROM <users> [CASCADE]– REVOKE SELECT ON EMP FROM TOM
– REVOKE UPDATE ON EMP FROM SMITH CASCADE
– REVOKE RESOURCE FROM ADAMS
– REVOKE DBA FROM SMITH CASCADE
CSC 405 Dr. Peng Ning 29Computer Science
Non-cascading Revocation
A B C D20g 10g 30g
A B D10g 30g
CSC 405 Dr. Peng Ning 30Computer Science
Why Non-cascading Revoke
• Reasons for revoke– Task is done. No need to have the privilege
anymore
– Task is still in progress. But a member left the project (e.g., promoted)
CSC 405 Dr. Peng Ning 31Computer Science
Example
A
BG
F
E
D
C
2080
70
50
60
40
30
CSC 405 Dr. Peng Ning 32Computer Science
Example
A
BG
F
E
D
C
2080
70
50
60
40
30
A
B
F
D
C
20
706030
After cascadingrevocation
CSC 405 Dr. Peng Ning 33Computer Science
Example
A
BG
F
E
D
C
2080
70
50
60
40
30
After non-cascading revocation
A
BG
F
E
DC
2080
70
50
6030
70
CSC 405 Dr. Peng Ning 34Computer Science
Why Positive & Negative Authorization
• Closed world policy– Cannot access unless explicitly granted the right
• Negative authorization– User A should not be allowed to read table Emp– Need explicit deny policies
CSC 405 Dr. Peng Ning 35Computer Science
Positive & Negative Authorizations
A
B
C
E40 —
10 + g
30 + g
D
20 —
CSC 405 Dr. Peng Ning 36Computer Science
Complication
• It is possible to have two authorizations– Grant A privilege p– Deny A privilege p
• Negative authorizations override positive authorizations
CSC 405 Dr. Peng Ning 37Computer Science
Problem 1
A
B
C
E40 —
10 + g
30 + gD
20 —
50 —
User B gives D negative authorization at time 50 :
In our model, positive authorization granted by A to D becomes blocked, but we do not delete the authorization.
CSC 405 Dr. Peng Ning 38Computer Science
Problem 2
A
B
C
E40 —
10 + g
30 + g
D
20 —
50 +F
Suppose D receives negative authorization from B at time 60 :
60 —
What about the privilege given to F by D?Under our approach, it becomes blocked, but we do not delete it.
CSC 405 Dr. Peng Ning 39Computer Science
Revocation When Negative Authorizations Are Present
A
B E
40 —
10 + g
30 + g
D
20 —
50 +F
60 —
Given :
Suppose A revokes B’ s privilege.
C
CSC 405 Dr. Peng Ning 40Computer Science
Cascading Revocation When Negative Authorizations Are Present
A
C
30 + gD
20 —
50 +F
CSC 405 Dr. Peng Ning 41Computer Science
Non-cascading Revocation When Negative Authorizations Are Present
A
E40 —
30 + g
D
20 —
50 +F
60 —
C