Database Security
Sarajane Marques Peres, Ph.D. – University of São Paulo, www.each.usp.br/sarajane. Based on the books by Elmasri & Navathe and by Silberschatz, Korth & Sudarshan.
Types of security
• Legal and ethical issues regarding the right to access certain information.
– Some information may be private and cannot legally be accessed by unauthorized organizations or persons.
• Policy issues at the governmental, institutional, or corporate level.
– Credit ratings or personal medical records.
• System-related issues, such as the system level at which the various security functions should be enforced.
– A security function may be handled at the physical hardware level, the OS level, or the DBMS level.
• The need in some organizations to identify multiple security levels and to categorize the data and users based on these classifications:
– Top secret, secret, confidential, and unclassified.
Threats to databases
• Integrity: the requirement that information be protected from improper modification.
– Loss of integrity: unauthorized changes, by either intentional or accidental acts.
• Availability: making objects available to a human user or a program that has a legitimate right to them.
• Confidentiality: the protection of data from unauthorized disclosure.
Control measures
• Three important factors need to be considered before deciding whether it is safe to reveal the data:
– Data availability: if a user is updating a field, then this field becomes inaccessible and other users should not be able to view this data (concurrency control).
– Access acceptability: data should only be revealed to authorized users. Be careful: data can reveal information.
– Authenticity assurance: before granting access, certain external characteristics about the user may also be considered (for example, working hours).
The system may track previous queries to ensure that a combination of queries does not reveal sensitive data.
Control measures
• System log
– Recovery purposes
• Transaction id
• Start / commit of transactions
• Read / write operations
• Old / new values of data
– Audit purposes
• User id
• Log in / log out time
• Computer / device id
Control measures
• Sensitivity of data is a measure of the importance assigned to the data by its owner for the purpose of denoting its need for protection.
• Sensitive data:
– Inherently sensitive: a person's salary, or that a patient has HIV/AIDS.
– From a sensitive source: an informer whose identity must be kept secret.
– Declared sensitive.
– A sensitive attribute or sensitive record: the salary attribute of an employee.
– Sensitive in relation to previously disclosed data: the exact latitude and longitude information for a location where some previously recorded event happened that was later deemed sensitive.
Control measures
• Access control:
– Prevent unauthorized persons from accessing the system itself, either to obtain information or to make malicious changes.
– User accounts and passwords to control the login process.
The DBA has a DBA account (a superuser account), which provides powerful capabilities that are not made available to regular database accounts and users, including commands for granting and revoking privileges to individual accounts, users, or user groups. Actions: account creation, privilege granting, privilege revocation, security level assignment.
Control measures
• Discretionary Access Control: based on the granting and revoking of privileges.
• Levels:
– Account level: the DBA specifies the particular privileges that each account holds. • Create schema; create table/view; alter table/view; drop table/view; modify (tuples); select (query).
– Relation level: the DBA can control the privilege to access each individual relation or view in the database. • Access matrix model, where the rows of a matrix M represent subjects (users, programs) and the columns represent objects (relations, records, columns, views, operations); each position M(i, j) in the matrix represents the types of privileges (read, write, update) that subject i holds on object j.
It is possible to use VIEWS in order to specify finer-grained privileges (for example, on selected columns or rows)!
The example
Considering four accounts: A1, A2, A3 and A4.
GRANT CREATETAB TO A1; % A1 is able to create base relations
CREATE SCHEMA EXAMPLE AUTHORIZATION A1; % the same effect
A1 creates the relations EMPLOYEE and DEPARTMENT. A1 is their owner.
The example
A1 …
GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;
% A2 was given the privilege to insert and delete tuples in both of these relations.
% A1 does not want A2 to be able to propagate these privileges to additional accounts, so no GRANT OPTION is given.
GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION;
% A1 wants to allow account A3 to retrieve information from either of the two tables and also to be able to propagate the SELECT privilege to other accounts.
The example
A3 …
GRANT SELECT ON EMPLOYEE TO A4;
A1 …
REVOKE SELECT ON EMPLOYEE FROM A3;
The DBMS must now revoke the SELECT privilege on EMPLOYEE from A3, and it must also automatically revoke the SELECT privilege on EMPLOYEE from A4, because A4 obtained it from A3.
The example
A1 …
CREATE VIEW A3EMPLOYEE AS SELECT Name, Bdate, Address FROM EMPLOYEE WHERE Dno = 5;
GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT OPTION;
% A3 can read only the Name, Bdate and Address of employees in department 5, and may pass this privilege on.
GRANT UPDATE ON EMPLOYEE (Salary) TO A4;
% A4 can update only the Salary column of EMPLOYEE.
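As an added illustration (not code from the slides or from any DBMS), the following small model replays the grant chain above: each grant records who gave it and whether it carried the grant option, so revoking SELECT from A3 cascades to the grant A3 made to A4. The PrivilegeGraph class, its method names and the account names are assumptions made for this example.

```python
# Added illustration, not code from the slides or from any DBMS:
# a small model of grant propagation and cascading revocation for the
# A1..A4 example. Class and method names are chosen for this example.

class PrivilegeGraph:
    def __init__(self, owner, relation):
        self.owner = owner            # the creator holds every privilege
        self.relation = relation
        # (grantee, privilege) -> list of (grantor, with_grant_option)
        self.grants = {}

    def holds(self, account, privilege):
        return account == self.owner or bool(self.grants.get((account, privilege)))

    def can_grant(self, account, privilege):
        # Only the owner, or an account given WITH GRANT OPTION, may pass it on.
        if account == self.owner:
            return True
        return any(opt for _, opt in self.grants.get((account, privilege), []))

    def grant(self, grantor, privilege, grantee, with_grant_option=False):
        if not self.can_grant(grantor, privilege):
            raise PermissionError(f"{grantor} cannot grant {privilege} on {self.relation}")
        self.grants.setdefault((grantee, privilege), []).append((grantor, with_grant_option))

    def revoke(self, grantor, privilege, grantee):
        entries = self.grants.get((grantee, privilege), [])
        self.grants[(grantee, privilege)] = [e for e in entries if e[0] != grantor]
        # Cascade: once the grantee can no longer pass the privilege on,
        # every grant it made of that privilege is revoked as well.
        if not self.can_grant(grantee, privilege):
            for (acct, priv), lst in list(self.grants.items()):
                if priv == privilege and any(g == grantee for g, _ in lst):
                    self.revoke(grantee, privilege, acct)

def run_example():
    """Replays the slides' sequence; returns (A3, A4) SELECT status before/after."""
    g = PrivilegeGraph(owner="A1", relation="EMPLOYEE")
    g.grant("A1", "SELECT", "A3", with_grant_option=True)
    g.grant("A3", "SELECT", "A4")            # allowed: A3 holds the grant option
    before = (g.holds("A3", "SELECT"), g.holds("A4", "SELECT"))
    g.revoke("A1", "SELECT", "A3")           # cascades to A4
    after = (g.holds("A3", "SELECT"), g.holds("A4", "SELECT"))
    return before, after
```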
Control measures
• Role-Based Access Control
– Privileges and other permissions are associated with organizational roles, rather than with individual users.
– Individual users are then assigned to appropriate roles.
GRANT ROLE full_time TO employee_type1;
GRANT ROLE intern TO employee_type2;
Control measures
• Statistical Database Security
Statistical databases are used mainly to produce statistics about various populations. The database may contain confidential data about individuals, which should be protected from user access. However, users are permitted to retrieve statistical information about the populations, such as averages, sums, counts, maximums, minimums, and standard deviations.
Control measures
• Statistical Database Security
– We may want to retrieve the number of individuals in a population or the average income in the population.
– Statistical users are not allowed to retrieve individual data, such as the income of a specific person.
Statistical queries: queries that involve statistical aggregate functions such as COUNT, SUM, MIN, MAX, AVERAGE, and STANDARD DEVIATION.
An inference
• Statistical Database Security
– It is possible to infer the values of individual tuples from a sequence of statistical queries.
– Consider the following statistical queries
An inference
• Suppose the following condition for Q1:
Last_degree='Ph.D.' AND Sex='F' AND City='Bellaire' AND State='Texas'
• If we get a result of 1 for this query, we can issue Q2 with the same condition and find the Salary of Jane Smith.
• Even if the result of Q1 on the preceding condition is not 1 but a small number (say, 2 or 3), we can issue statistical queries using the functions MAX, MIN, and AVERAGE to identify the possible range of values for the Salary of Jane Smith.
Control measures
• Statistical Database Security
– This is why …
• no statistical queries are permitted whenever the number of tuples in the population specified by the selection condition falls below some threshold;
• sequences of queries that refer repeatedly to the same population of tuples are prohibited;
• it is recommended to deliberately introduce slight inaccuracies or noise into the results of statistical queries, to make it difficult to deduce individual information from the results.
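As an added illustration (not code from the slides), the following guard sits in front of the statistical interface of a constructed PERSON table and enforces the threshold rule above: when the selection condition matches fewer than `threshold` tuples, neither the aggregate nor the count is answered, so the Q1/Q2 sequence described on the inference slides gets no result. The table, its rows, the column allowlist and the function names are assumptions made for this example.

```python
import sqlite3

# Added illustration, not code from the slides: a guard in front of the
# statistical interface of a constructed PERSON table. It enforces the
# threshold rule: no aggregate is answered when the selection condition
# matches fewer than `threshold` tuples. Table, rows and names are
# constructed for this example.

ROWS = [  # constructed sample population (Name, Last_degree, Sex, City, State, Salary)
    ("Jane Smith", "Ph.D.", "F", "Bellaire", "Texas", 98000),
    ("Bob Jones", "M.Sc.", "M", "Bellaire", "Texas", 61000),
    ("Ana Lima", "Ph.D.", "F", "Houston", "Texas", 87000),
    ("Eve Chen", "B.Sc.", "F", "Bellaire", "Texas", 54000),
    ("Raj Patel", "Ph.D.", "M", "Bellaire", "Texas", 90000),
    ("Tom Reed", "M.Sc.", "M", "Austin", "Texas", 70000),
]
COLUMNS = ("Name", "Last_degree", "Sex", "City", "State", "Salary")
ALLOWED_FUNCS = ("COUNT", "SUM", "MIN", "MAX", "AVG")

def make_person_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PERSON(%s)" % ", ".join(COLUMNS))
    conn.executemany("INSERT INTO PERSON VALUES (?,?,?,?,?,?)", ROWS)
    return conn

def statistical_query(conn, func, column, selection, threshold=5):
    """Answer func(column) over the tuples matching `selection` (column -> value),
    or return None when that population is smaller than the threshold."""
    func = func.upper()
    if func not in ALLOWED_FUNCS or column not in COLUMNS:
        raise ValueError("only aggregate functions over known columns are allowed")
    if any(k not in COLUMNS for k in selection):
        raise ValueError("unknown column in selection condition")
    # Column names come from the allowlist; values are bound as parameters.
    where = " AND ".join(f"{k} = ?" for k in selection) or "1 = 1"
    params = tuple(selection.values())
    n = conn.execute(f"SELECT COUNT(*) FROM PERSON WHERE {where}", params).fetchone()[0]
    if n < threshold:
        return None    # refuse: answering would single out individuals
    return conn.execute(f"SELECT {func}({column}) FROM PERSON WHERE {where}", params).fetchone()[0]

# The Q1/Q2 condition from the slides, expressed as a selection dictionary.
JANE = {"Last_degree": "Ph.D.", "Sex": "F", "City": "Bellaire", "State": "Texas"}
```

With `threshold=1` the guard is effectively off and the two-query inference succeeds; at the default threshold both queries return None.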
SQL Injection
• Types
– SQL Manipulation
– Code Injection
– Function Call Injection
In an SQL Injection attack, the attacker injects a string input through the application, which changes or manipulates the SQL statement to the attacker's advantage.
SQL Injection
When the statement is parameterized, the SQL engine checks each parameter to ensure that it is correct for its column; parameters are treated literally, and not as part of the SQL to be executed.
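As an added illustration (not code from the slides), the following shows the same lookup written with string concatenation and with a bound parameter, against a constructed EMPLOYEE table: the bound value is treated as a literal for its column and never as SQL text, and it also copes with legitimate data that contains an apostrophe. The table, rows, function names and the crafted input are assumptions made for this example.

```python
import sqlite3

# Added illustration, not code from the slides: the same lookup written with
# string concatenation (SQL manipulation possible) and with a bound
# parameter, against a constructed EMPLOYEE table.

def make_employee_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EMPLOYEE(Name TEXT, Dno INTEGER, Salary INTEGER)")
    conn.executemany("INSERT INTO EMPLOYEE VALUES (?, ?, ?)",
                     [("Jane Smith", 5, 98000), ("Bob Jones", 4, 61000),
                      ("Ana Lima", 5, 87000)])          # constructed rows
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable: the input becomes part of the statement text.
    sql = "SELECT Name, Salary FROM EMPLOYEE WHERE Name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Hardened: the statement is parsed first; the value is bound afterwards
    # and can only ever match the Name column literally.
    return conn.execute("SELECT Name, Salary FROM EMPLOYEE WHERE Name = ?", (name,)).fetchall()

def unsafe_query_fails(conn, name):
    """True when concatenation produced a statement the engine rejects."""
    try:
        lookup_unsafe(conn, name)
        return False
    except sqlite3.Error:
        return True

# Constructed input that closes the quoted literal and appends a tautology,
# the textbook SQL manipulation the slides describe.
CRAFTED = "x' OR '1'='1"
```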
SQL Injection
• Code Injection: the attacker can inject or introduce code into a computer program to change the course of execution.
• Function Call Injection: in this kind of attack, a database function or operating system function call is inserted into a vulnerable SQL statement.