Post on 21-Dec-2015
CSCI 5707: Database Security
Pusheng Zhang
University of Minnesota
Email: pusheng@cs.umn.edu
March 2, 2004
21.2 CSCI 5707, Spring 2004. University of Minnesota, Pusheng Zhang
Motivation
Personal Privacy
Q? Have you watched “LOR: The Return of The King”?
Q? Do you like the movie?
Customer profile DB, health information DB, credit rating DB
Corporate Security: Trade Secrets (Coke’s Formula)
Client Privacy: Swiss Banks, Financial Institutions
System Resource Security: Password DB, Worms, Viruses, and Hackers
Cyber Security: Eavesdropping (unauthorized reading of messages)
Masquerading (pretending to be an authorized user, or sending messages that purport to come from authorized users)
Database Security
This figure is courtesy of Peter J. Braam, CMU
Database Security
Goal:
Users only see the data they’re supposed to. (S and A)
Guard against modifications by malicious users (I)
What security mechanisms do software systems provide?
User Account Level Access Control
Discretionary: grant/revoke
Mandatory: security levels
Audit Trails: logs
Statistical Database Security: Inference Control
Data Object Level Access Control: encryption
Database Administrator (DBA)
Central authority for managing a database system
Responsibilities include:
Create user accounts and passwords
Grant privileges
Revoke privileges
Assign security levels
GRANT Command
In SQL: GRANT privileges ON objects TO users [WITH GRANT OPTION]
Privileges:
SELECT: can read all columns
INSERT (col-name):
– Can insert tuples with non-null or non-default values in this column.
– INSERT (without a column list) means the same right with respect to all columns
DELETE: can delete tuples
UPDATE (col-name): can update this column
REFERENCES (col-name): can define foreign keys (in other tables) that refer to this column.
WITH GRANT OPTION: the grantee can pass the privilege on to other users
Example of GRANT
Joe created tables Sailors, Boats, Reserves
Joe runs the following:
Q1: GRANT SELECT ON Reserves TO Mike
Mike can execute SELECT queries on Reserves
Q2: GRANT SELECT ON Sailors TO Mike WITH GRANT OPTION
Mike can execute SELECT queries on Sailors
Mike can pass this privilege on to others for Sailors, NOT for Reserves
Q3: GRANT UPDATE (rating) ON Sailors TO Bill
Bill can update the rating column of Sailors.
REVOKE Command
In SQL: REVOKE [GRANT OPTION FOR] privileges ON objects FROM user {RESTRICT | CASCADE}
Privileges are the same as for GRANT
GRANT OPTION FOR: revokes just the grant option on a privilege
For example: Joe is the creator of Sailors. Joe runs the following:
GRANT SELECT ON Sailors TO Art WITH GRANT OPTION
REVOKE GRANT OPTION FOR SELECT ON Sailors FROM Art CASCADE
Art still holds the SELECT privilege on Sailors
However, Art can no longer pass it on to other users
REVOKE Command (cont)
CASCADE and RESTRICT
CASCADE: recursively revokes the privileges that were granted on the strength of the revoked one
RESTRICT: the revoke is rejected if it would leave other privileges abandoned
For example: Joe is the creator of Sailors
GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (by Joe)
GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (by Art)
REVOKE SELECT ON Sailors FROM Art CASCADE (by Joe)
Art and Bob lose the SELECT privilege on Sailors
What happens if we use RESTRICT instead of CASCADE in the example above?
Examples
Example 1:
GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (by Joe)
GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (by Art)
GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (by Joe)
REVOKE SELECT ON Sailors FROM Art CASCADE (by Joe)
Art lost the SELECT on Sailors
What about Bob?
Example 2:
GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (by Joe)
GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (by Joe)
REVOKE SELECT ON Sailors FROM Art CASCADE (by Joe)
Does Art lose the SELECT on Sailors or not?
Authorization Graph
Nodes: Users
Arcs: Indications of how privileges are passed, labelled (grantor, grantee, privilege, grant option)
Joe -> Art -> Bob
(Joe, Art, Select on Sailors, Yes)
(Art, Bob, Select on Sailors, Yes)
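To work through the REVOKE semantics of the preceding slides (CASCADE versus RESTRICT, GRANT OPTION FOR, and Examples 1 and 2), here is an added Python model of the authorization graph. It is example code written for this page, not code from the lecture or from any DBMS. The class and method names (AuthGraph, grant, revoke, holds) are this example's own, and it assumes the SQL rule that an arc is abandoned once its grantor can no longer trace the grant option back to the object's owner, and that an identical repeated grant creates no second arc.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One arc of the authorization graph: grantor passed priv on obj to grantee."""
    grantor: str
    grantee: str
    priv: str          # e.g. "SELECT"
    obj: str           # e.g. "Sailors"
    option: bool       # granted WITH GRANT OPTION?


class AuthGraph:
    def __init__(self):
        self.owner = {}      # obj -> creating user, who holds every privilege with grant option
        self.grants = []     # the arcs

    def create(self, user, obj):
        self.owner[obj] = user

    def _effective(self, priv, obj, grants):
        """Fixpoint over the arcs: who holds priv on obj, and who holds it WITH GRANT
        OPTION, counting only arcs whose grantor can trace the option back to the owner."""
        holders = {self.owner[obj]}
        granters = {self.owner[obj]}
        changed = True
        while changed:
            changed = False
            for g in grants:
                if (g.priv, g.obj) != (priv, obj) or g.grantor not in granters:
                    continue
                if g.grantee not in holders:
                    holders.add(g.grantee)
                    changed = True
                if g.option and g.grantee not in granters:
                    granters.add(g.grantee)
                    changed = True
        return holders, granters

    def holds(self, user, priv, obj, with_option=False):
        holders, granters = self._effective(priv, obj, self.grants)
        return user in (granters if with_option else holders)

    def grant(self, by, priv, obj, to, option=False):
        """GRANT priv ON obj TO to [WITH GRANT OPTION], issued by `by`."""
        if not self.holds(by, priv, obj, with_option=True):
            raise PermissionError(f"{by} cannot grant {priv} on {obj}")
        for i, g in enumerate(self.grants):
            if (g.grantor, g.grantee, g.priv, g.obj) == (by, to, priv, obj):
                # A repeated grant adds no second arc; at most it adds the grant option.
                self.grants[i] = Grant(by, to, priv, obj, g.option or option)
                return
        self.grants.append(Grant(by, to, priv, obj, option))

    def revoke(self, by, priv, obj, frm, cascade, option_only=False):
        """REVOKE [GRANT OPTION FOR] priv ON obj FROM frm {RESTRICT | CASCADE}, issued by
        `by`. Returns the set of users who no longer hold priv on obj afterwards."""
        before, _ = self._effective(priv, obj, self.grants)
        # Step 1: delete the arc by -> frm (or, for GRANT OPTION FOR, just drop its option).
        remaining = []
        for g in self.grants:
            if (g.grantor, g.grantee, g.priv, g.obj) == (by, frm, priv, obj):
                if option_only:
                    remaining.append(Grant(by, frm, priv, obj, False))
            else:
                remaining.append(g)
        # Step 2: an arc whose grantor can no longer trace grant option back to the
        # owner is abandoned. RESTRICT rejects the revoke; CASCADE removes those arcs.
        _, granters = self._effective(priv, obj, remaining)
        abandoned = [g for g in remaining
                     if (g.priv, g.obj) == (priv, obj) and g.grantor not in granters]
        if abandoned and not cascade:
            raise PermissionError("RESTRICT: would abandon " + ", ".join(
                f"{g.grantor}->{g.grantee}" for g in abandoned))
        self.grants = [g for g in remaining if g not in abandoned]
        after, _ = self._effective(priv, obj, self.grants)
        return before - after


if __name__ == "__main__":
    g = AuthGraph()
    g.create("Joe", "Sailors")
    g.grant("Joe", "SELECT", "Sailors", "Art", option=True)   # (Joe, Art, Select on Sailors, Yes)
    g.grant("Art", "SELECT", "Sailors", "Bob", option=True)   # (Art, Bob, Select on Sailors, Yes)
    try:
        g.revoke("Joe", "SELECT", "Sailors", "Art", cascade=False)
    except PermissionError as e:
        print("RESTRICT:", e)
    print("CASCADE removed SELECT on Sailors from:",
          g.revoke("Joe", "SELECT", "Sailors", "Art", cascade=True))
```

Running the model on the slides' scenarios shows why the arc labels matter: with RESTRICT the revoke is rejected because the arc Art -> Bob would be abandoned, in Example 1 Bob keeps SELECT through Joe's direct arc while Art loses it, and in Example 2 Art loses it because the repeated grant never created a second arc.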
Example of View
For example: Joe runs
CREATE VIEW ActiveSailors (name, age, day)
AS SELECT S.sname, S.sage, R.day
FROM Sailors S, Reserves R
WHERE S.sid = R.sid AND S.rating > 6
Joe can grant SELECT on the view ActiveSailors to Art:
GRANT SELECT ON ActiveSailors TO Art WITH GRANT OPTION
Art only has access to the view ActiveSailors, not to the base tables
Art can run:
– SELECT name FROM ActiveSailors WHERE age < 30
Role
Roles are named groups of related privileges
Can be assigned to users and even to other roles
Reduced privilege administration
Dynamic privilege management
Privileges can be granted to or revoked from roles, just like for a user
SQL:1999 standard supports roles:
CREATE ROLE Role-name
DROP ROLE Role-name
GRANT privileges ON objects TO Role-name
Example of Role
CREATE ROLE manager
GRANT SELECT, INSERT ON Sailors TO manager
GRANT UPDATE (sid) ON Sailors TO manager
GRANT SELECT, UPDATE, INSERT ON Reserves TO manager
GRANT manager TO Joe
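As an added example (not the slides' or any DBMS's own code), the following Python models the role concepts of the two preceding slides: roles hold privileges, roles are granted to users or to other roles, a user's effective privileges follow the role chain, and revoking a privilege from a role or dropping the role changes every member's rights at once. The manager role and its grants are the slide's; the RoleStore class, the senior_manager role and the user Ann are this example's assumptions.

```python
class RoleStore:
    """Roles as named bundles of privileges. A role can be granted to users or to
    other roles, and a principal inherits transitively through that chain."""

    def __init__(self):
        self.privs = {}      # role -> set of (priv, obj, column); column None = all columns
        self.members = {}    # role -> set of principals (users or roles) granted this role

    def create_role(self, role):
        self.privs.setdefault(role, set())
        self.members.setdefault(role, set())

    def drop_role(self, role):
        """DROP ROLE: every member loses what came through it; nothing else changes."""
        self.privs.pop(role, None)
        self.members.pop(role, None)
        for members in self.members.values():
            members.discard(role)

    def grant_priv(self, role, priv, obj, column=None):
        self.privs[role].add((priv, obj, column))

    def revoke_priv(self, role, priv, obj, column=None):
        self.privs[role].discard((priv, obj, column))

    def grant_role(self, role, to):
        self.members[role].add(to)

    def revoke_role(self, role, frm):
        self.members[role].discard(frm)

    def roles_of(self, principal):
        """Transitive closure: roles granted to principal, roles granted to those roles, ..."""
        reached = {principal}
        changed = True
        while changed:
            changed = False
            for role, members in self.members.items():
                if role not in reached and members & reached:
                    reached.add(role)
                    changed = True
        reached.discard(principal)
        return reached

    def allowed(self, user, priv, obj, column=None):
        """Does any role on the user's chain carry priv on obj (for this column)?"""
        for role in self.roles_of(user):
            for p, o, c in self.privs[role]:
                if p == priv and o == obj and (c is None or c == column):
                    return True
        return False


def slide_example():
    """The slide's manager role, plus a constructed senior_manager role that inherits it."""
    rs = RoleStore()
    rs.create_role("manager")
    rs.grant_priv("manager", "SELECT", "Sailors")
    rs.grant_priv("manager", "INSERT", "Sailors")
    rs.grant_priv("manager", "UPDATE", "Sailors", column="sid")
    for p in ("SELECT", "UPDATE", "INSERT"):
        rs.grant_priv("manager", p, "Reserves")
    rs.grant_role("manager", "Joe")
    # Constructed extension: a role granted to another role (an assumption of this example).
    rs.create_role("senior_manager")
    rs.grant_role("manager", "senior_manager")      # senior_manager inherits all of manager
    rs.grant_priv("senior_manager", "DELETE", "Reserves")
    rs.grant_role("senior_manager", "Ann")
    return rs


if __name__ == "__main__":
    rs = slide_example()
    for user in ("Joe", "Ann"):
        print(user, "roles:", sorted(rs.roles_of(user)),
              "UPDATE Sailors.sid:", rs.allowed(user, "UPDATE", "Sailors", column="sid"),
              "DELETE Reserves:", rs.allowed(user, "DELETE", "Reserves"))
```

The column-level grant from the slide (UPDATE (sid)) is kept as a third tuple element, so the model distinguishes "may update sid" from "may update every column" the way the GRANT slide describes.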
Mandatory Access Control
Main drawback of discretionary access control (DAC):
Vulnerable to malicious attacks, e.g., Trojan horses whereby a devious unauthorized user can trick an authorized user into disclosing sensitive data.
DAC doesn’t impose any control on how info is propagated.
Supported by most commercial DBMSs.
Mandatory access control (MAC): multilevel security
Top secret, secret, confidential, and unclassified
Needed for government, military, and intelligence applications
Polyinstantiation
Solution to the dilemma: add one tuple with security class C
bid  name  color  security class
101  Salsa  Red  S
101  Pasta  Blue  C
102  Pinto  Brown  C
Polyinstantiation: The presence of data objects that appear to have different values to users with different clearances. E.g., the boat with bid 101
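The polyinstantiation slide above can be reproduced with the following added Python model of a multilevel Boats table (example code written for this page, not the lecture's). It assumes the standard mandatory-access-control rules: a user reads only tuples at or below their clearance, and a tuple a user writes is classified at the user's own level, which is what prevents flow from a higher to a lower level. The class names, and the choice to treat a key clash with a tuple the writer can already see as an ordinary error, are this example's own.

```python
from dataclasses import dataclass

# Security classes from the slides, ordered low to high.
LEVEL = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Boat:
    bid: int
    bname: str
    color: str
    cls: str            # security class of this tuple


def dominates(a, b):
    return LEVEL[a] >= LEVEL[b]


class MLSBoats:
    """A multilevel Boats relation: each tuple carries its own class, and the key is
    effectively (bid, cls) so that polyinstantiated tuples can coexist."""

    def __init__(self, rows):
        self.rows = list(rows)

    def select(self, clearance):
        """No read up: a user sees only tuples at or below their clearance."""
        return [r for r in self.rows if dominates(clearance, r.cls)]

    def insert(self, clearance, bid, bname, color):
        """No write down: the new tuple is classified at the writer's level.
        A key clash with a tuple the writer can see is an ordinary key violation (a
        design choice of this example). A clash with a tuple the writer cannot see
        must not be reported, since the error itself would reveal that the hidden
        tuple exists, and the hidden tuple must not be overwritten either: the table
        is polyinstantiated instead."""
        if any(r.bid == bid for r in self.select(clearance)):
            raise ValueError(f"bid {bid} already exists")
        row = Boat(bid, bname, color, clearance)
        self.rows.append(row)
        return row

    def is_polyinstantiated(self, bid):
        return len({r.cls for r in self.rows if r.bid == bid}) > 1


def slide_scenario():
    """The slide's table after a user cleared to C inserts (101, Pasta, Blue); returns
    what users at clearance C and at clearance S see."""
    boats = MLSBoats([Boat(101, "Salsa", "Red", "S"), Boat(102, "Pinto", "Brown", "C")])
    boats.insert("C", 101, "Pasta", "Blue")
    return {lvl: [(r.bid, r.bname, r.color, r.cls) for r in boats.select(lvl)]
            for lvl in ("C", "S")}


if __name__ == "__main__":
    for lvl, rows in slide_scenario().items():
        print(f"clearance {lvl}: {rows}")
```

A user cleared to C sees boat 101 as (Pasta, Blue) and never learns that a secret boat 101 exists, while a user cleared to S sees both instances of bid 101, which is exactly the "different values to users with different clearances" the slide describes.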
Comparison Between DAC and MAC
Discretionary access control (DAC): Flexible
Supported by most commercial DBMSs
Applicable to a large variety of domains
Vulnerable to Trojan Horses
Mandatory access control (MAC): Very Rigid
Not supported in most commercial DBMSs
Only applicable in military, intelligence, and government
Prevents information flow from a higher to a lower security level