ics 2415 adbs sess05 06 dbase security integrity and recovery

Kyang’anda S. ICS 2415 – Advanced Dbase Systems Database Security, Integrity and Recovery

Upload: wellwisher

Post on 12-Sep-2015

TRANSCRIPT

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Security, Integrity

    and Recovery

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Security

    and Integrity

    Definitions

    Threats to security

    Threats to integrity

    Resolution of Problems

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Security

    SECURITY: Protecting the database from unauthorised users

    Ensures that users are allowed to do the things they are trying to do

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Security

    INTEGRITY: Protecting the database from authorised users

    Ensures that what users are trying to do is correct

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Security

    TYPES OF SYSTEM FAILURES

    1. HARDWARE: disk, CPU, network

    2. SOFTWARE: system, database, program

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Security

    Important security features include:

    Views

    Authorisation & controls

    User defined procedures

    Encryption procedures

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Authorisation Rules

    An example: a person who can supply a particular password may be authorised to read any record, but cannot modify any of those records.

    Authorisation Table for subjects i.e. Salesperson

              Customer Records   Order Records
    Read      Y                  Y
    Insert    Y                  Y
    Modify    Y                  N
    Delete    N                  N

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Authorisation Rules

    Authorisation Table for Objects i.e. Order Records

              Salesperson   Order Entry   Accounting
    Password  (Batman)      (Joker)       (Julie)
    Read      Y             Y             Y
    Insert    N             Y             N
    Modify    N             Y             Y
    Delete    N             N             Y

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Integrity

    CONSTRAINTS

    Can be classed in 3 different ways:

    1. Business constraints

    2. Entity constraints

    3. Referential constraints

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Integrity

    BUSINESS CONSTRAINTS

    A value in one column may be constrained by the value of another or by some calculation or formulae.

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Integrity

    ENTITY CONSTRAINTS

    Individual columns of a table may be constrained, e.g. not null

    REFERENTIAL CONSTRAINTS

    Sometimes referred to as key constraints, e.g. Table 2 depends on Table 1

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Integrity

    create table account_dets(
        acc_id char(6) primary key,
        acc_custid char(6) references customer(cust_id),
        acc_odraft number(4) check (acc_odraft

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Integrity

    BENEFITS OF USING CONSTRAINTS

    Guaranteed integrity and consistency

    Defined as part of table definition

    Applies across all applications

    Cannot be circumvented

    Application development productivity

    Requires no special programming

    Easy to specify and maintain(reduced coding)

    Defined once only

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Integrity

    CONCURRENCY CONTROL: WHAT IS IT?

    The co-ordination of simultaneous requests, for the same data, from multiple users

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Integrity

    CONCURRENCY CONTROL: WHY IS IT IMPORTANT?

    Simultaneous execution of transactions over a shared database may create several data integrity and consistency problems

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Integrity

    Janet                            Time   John
    1. Read balance (1000)            |
                                      |     1. Read balance (1000)
    2. Withdraw 200 (800)             |
                                      |     2. Withdraw 300 (700)
    3. Write balance: Balance 800     |
                                      v     3. Write balance: Balance 700

    ERROR

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Integrity

    The three main integrity problems are:

    Lost updates

    Uncommitted data

    Inconsistent retrievals

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Integrity

    LOCKING

    Two kinds of Locks:

    1. Shared Locks (allows read only access)

    2. Exclusive Locks (prevents reading of a record)

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Integrity

    Time   User 1                  User 2
     |     1. Lock record X        1. Lock record Y
     |     2. Request record Y     2. Request record X
     v     (Wait for Y)            (Wait for X)

    DEADLOCK
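
    The lost update between Janet and John and the User 1 / User 2 deadlock above, replayed as an added example that is not part of the lecture. LockManager and the schedule functions are hypothetical names; the lock manager is a toy that records waits instead of blocking.

```python
SHARED, EXCLUSIVE = "S", "X"


class LockManager:
    """Toy record-lock table with the two lock kinds from the slide."""

    def __init__(self):
        self.locks = {}      # record -> {"mode": "S" or "X", "owners": set()}
        self.waits_for = {}  # blocked owner -> owners it is waiting on

    def acquire(self, owner, record, mode):
        """Grant the lock and return True, or note the wait and return False."""
        held = self.locks.get(record)
        if held is None or held["owners"] == {owner}:
            # Record is free, or the owner re-locks / upgrades its own lock.
            keep_x = held is not None and held["mode"] == EXCLUSIVE
            new_mode = EXCLUSIVE if (mode == EXCLUSIVE or keep_x) else SHARED
            self.locks[record] = {"mode": new_mode, "owners": {owner}}
            self.waits_for.pop(owner, None)
            return True
        if mode == SHARED and held["mode"] == SHARED:
            held["owners"].add(owner)  # shared locks are compatible
            self.waits_for.pop(owner, None)
            return True
        self.waits_for[owner] = set(held["owners"]) - {owner}
        return False

    def release_all(self, owner):
        for record in list(self.locks):
            self.locks[record]["owners"].discard(owner)
            if not self.locks[record]["owners"]:
                del self.locks[record]
        self.waits_for.pop(owner, None)

    def deadlocked(self):
        """Owners that sit on a cycle of the waits-for graph."""
        def reaches(start, target, seen):
            for nxt in self.waits_for.get(start, ()):
                if nxt == target:
                    return True
                if nxt not in seen and reaches(nxt, target, seen | {nxt}):
                    return True
            return False
        return {o for o in self.waits_for if reaches(o, o, {o})}


def unlocked_schedule():
    """The slide's interleaving: both users read 1000 before either writes."""
    balance = 1000
    janet = balance      # 1. Janet reads 1000
    john = balance       # 1. John reads 1000
    janet -= 200         # 2. Janet withdraws 200 -> 800
    john -= 300          # 2. John withdraws 300 -> 700
    balance = janet      # 3. Janet writes 800
    balance = john       # 3. John writes 700: Janet's update is lost
    return balance


def locked_schedule():
    """Same requests, but each read-modify-write runs under an exclusive lock."""
    lm, db = LockManager(), {"account": 1000}
    lm.acquire("Janet", "account", EXCLUSIVE)
    john_granted_early = lm.acquire("John", "account", EXCLUSIVE)  # must wait
    db["account"] -= 200
    lm.release_all("Janet")
    lm.acquire("John", "account", EXCLUSIVE)   # granted now, reads 800
    db["account"] -= 300
    lm.release_all("John")
    return john_granted_early, db["account"]


def deadlock_schedule():
    """User 1 holds X and wants Y; User 2 holds Y and wants X."""
    lm = LockManager()
    lm.acquire("User1", "X", EXCLUSIVE)
    lm.acquire("User2", "Y", EXCLUSIVE)
    lm.acquire("User1", "Y", EXCLUSIVE)   # waits for User2
    lm.acquire("User2", "X", EXCLUSIVE)   # waits for User1: cycle
    stuck = lm.deadlocked()
    lm.release_all("User2")               # abort one transaction as the victim
    return stuck, lm.acquire("User1", "Y", EXCLUSIVE)


if __name__ == "__main__":
    print("no locking, final balance:", unlocked_schedule())
    print("with exclusive locks:", locked_schedule())
    print("deadlock detected among:", deadlock_schedule())
```

    Without locks the final balance ignores Janet's withdrawal; with exclusive locks John's request waits and both withdrawals are applied. The deadlock is broken only by aborting one of the two transactions.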

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Recovery

    The process of restoring the database to a correct state in the event of a failure, e.g.

    System Crashes

    Media Failures

    Application Software Errors

    Natural Physical Disasters

    Carelessness

    Sabotage

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Basic Recovery Facilities

    Backup Facilities

    Journaling Facilities

    Checkpoint facilities

    Recovery Facilities

    Database Recovery

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Transactions

    Basic unit of recovery

    Properties of Transaction (ACID)

    Atomicity, Consistency, Isolation, Durability

    Purpose of recovery manager is to enforce Atomicity and Durability

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Staff Salary Update Example

    Read Operations:

    1. Find address of the disk block that contains record with primary key x

    2. Transfer block into a DB buffer in main memory

    3. Copy salary data from DB buffer into variable salary

    Write Operations:

    As steps 1 & 2 above

    Copy salary data from variable salary into the DB buffer

    Write DB buffer back to disk

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Storing Data

    [Figure: database buffer in main memory and the database on secondary storage. Buffer contents are flushed to secondary storage (made permanent) on commit or when the buffer is full.]

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Update Procedures

    [Figure labels: Database (State 1), Update Trans1, Database (State 2), Update Trans2, Database (State 3), Update Trans3, Database (State 4); Database (State 2), Database Backup.]

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    DBMS provides a mechanism for taking backup copies of the database and log file at regular intervals.

    A dump or copy or backup file contains all or part of the database

    backups taken without having to stop the system

    Back-up Facilities

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    REDO LOGS

    This is the main logging file. The file contains two different types of logging records:

    AFTER IMAGES

    BEFORE IMAGES

    Journal Facilities

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    REDO LOGS - AFTER IMAGES

    After any column of any row on any table in the database is changed, the new values are written not only to the database but also to the redo log. The complete row is written to the log. If a row is deleted then notification is also put on to the redo log. After images are used in roll forward recovery.

    Journal Facilities

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    REDO LOGS - BEFORE IMAGES

    Before a row is updated the data is copied to the redo log. It is not a simple copy from the database because a separate area of the database maintains the immediate pre-update version of each row updated in the database. The extra area is called the ROLLBACK SEGMENT. The redo log takes before image copies from the rollback segment in the database.

    Journal Facilities

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Sample Log File

    Tid  Time   Operation   Object         Before image  After image  pPtr  nPtr
    T1   10:12  START                                                 0     2
    T1   10:13  UPDATE      TENANT NO21    (old value)   (new value)  1     8
    T2   10:14  START                                                 0     4
    T2   10:16  INSERT      TENANT NO37                  (new value)  3     5
    T2   10:17  DELETE      TENANT NO9     (old value)                4     6
    T2   10:17  UPDATE      PROPERTY PG16  (old value)   (new value)  5     9
    T1   10:18  COMMIT                                                2     0
         10:19  CHECKPOINT  T2

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Duplicate Databases

    Rollback Recovery

    Rollforward Recovery

    Reprocessing Transactions

    Types of Recovery

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Requires 2 copies of the database

    Advantages

    Fast Recovery (seconds)

    Good for disk failures

    Disadvantages

    No protection against power failure

    Expensive

    Duplicate Databases

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Changes made to the database are undone (Backward Recovery)

    Rollback enables the updating to be undone to a predetermined point in the database processing that provides a consistent database state.

    Rollback Recovery

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Update Procedures

    [Figure labels: Database (State 1), Update Trans1, Database (State 2), Update Trans2, Database (State 3), Update Trans3, Database (State 4); Database (State 2), Database Backup.]

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Rollback Recovery

    [Figure: ROLLBACK applies Before Images to the Database (with changes) to give the Database (without changes).]

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    This recovery technique updates an out-of-date database up to the current processing position.

    If the data is inconsistent then the database may need to rollback to the previous consistent state.

    Roll Forward Recovery

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Update Procedures

    [Figure labels: Database (State 1), Update Trans1, Database (State 2), Update Trans2, Database (State 3), Update Trans3, Database (State 4); Database (State 2), Database Backup.]

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Roll Forward Recovery

    [Figure: ROLL FORWARD applies After Images to the Database (without changes) to give the Database (with changes).]
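
    Rollback with before images and roll forward with after images, run over a log shaped like the Sample Log File slide. This is an added example, not code from the lecture; the concrete row values, the disk state at the crash and the backup contents are constructed, and the function names are hypothetical.

```python
# Constructed log modelled on the "Sample Log File" slide. The before/after
# values stand in for the slide's "(old value)" / "(new value)".
LOG = [
    # (tid, operation, object, before image, after image)
    ("T1", "START", None, None, None),
    ("T1", "UPDATE", "TENANT NO21", "rent=400", "rent=450"),
    ("T2", "START", None, None, None),
    ("T2", "INSERT", "TENANT NO37", None, "rent=500"),
    ("T2", "DELETE", "TENANT NO9", "rent=350", None),
    ("T2", "UPDATE", "PROPERTY PG16", "rooms=3", "rooms=4"),
    ("T1", "COMMIT", None, None, None),
    # 10:19 CHECKPOINT with T2 still active; the failure is assumed to follow.
]
CHANGES = {"INSERT", "UPDATE", "DELETE"}


def committed(log):
    """Transaction ids that reached COMMIT before the failure."""
    return {tid for tid, op, *_ in log if op == "COMMIT"}


def install(db, obj, image):
    """Write an image into the database; no image means the row does not exist."""
    if image is None:
        db.pop(obj, None)
    else:
        db[obj] = image


def roll_back(db, log):
    """Backward recovery: restore before images of uncommitted work, newest first."""
    done = committed(log)
    for tid, op, obj, before, _after in reversed(log):
        if op in CHANGES and tid not in done:
            install(db, obj, before)
    return db


def roll_forward(db, log):
    """Forward recovery: reapply after images of committed work in log order."""
    done = committed(log)
    for tid, op, obj, _before, after in log:
        if op in CHANGES and tid in done:
            install(db, obj, after)
    return db


def recover_after_crash(disk, log):
    """System failure: undo T2 (never committed), then redo T1 (committed)."""
    return roll_forward(roll_back(dict(disk), log), log)


def recover_from_backup(backup, log):
    """Media failure: start from the backup copy and roll forward."""
    return roll_forward(dict(backup), log)


# Constructed disk state at the crash: T2's insert and delete had been flushed,
# while T1's committed update was still only in the buffer.
DISK_AT_CRASH = {"TENANT NO21": "rent=400", "TENANT NO37": "rent=500",
                 "PROPERTY PG16": "rooms=3"}
# Constructed backup taken before T1 started.
BACKUP = {"TENANT NO21": "rent=400", "TENANT NO9": "rent=350",
          "PROPERTY PG16": "rooms=3"}

if __name__ == "__main__":
    print(recover_after_crash(DISK_AT_CRASH, LOG))
    print(recover_from_backup(BACKUP, LOG))
```

    Both paths end in the same consistent state: T1's committed update is present and none of T2's uncommitted changes survive.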

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Similar to Forward Recovery

    Uses update transactions instead of after images

    ADVANTAGES: Simple

    DISADVANTAGES: Slow

    Reprocessing Transactions

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Update Procedures

    [Figure labels: Database (State 1), Update Trans1, Database (State 2), Update Trans2, Database (State 3), Update Trans3, Database (State 4); Database (State 2), Database Backup.]

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Database Recovery Procedures

    Problem: Storage medium destruction
    Recovery procedure:
      *Duplicate database
      Forward recovery
      Reprocess transactions

    Problem: Transaction error or system failure
    Recovery procedure:
      *Backward recovery
      Forward recovery or reprocess transactions - bring forward to just before termination

    Problem: Incorrect data
    Recovery procedure:
      *Backward recovery
      Reprocess transactions (excluding those from the update that created incorrect data)

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Summary

    This lecture has looked at security and recovery procedures

    Ensuring that these two are administered correctly cuts out the majority of problems with database administration

  • Kyanganda S. ICS 2415 Advanced Dbase Systems

    Further Reading

    Security: Connolly & Begg, chapter 19

    Concurrency Control: Connolly & Begg, chapter 20?

    Integrity and Recovery: Connolly & Begg, chapters 18 and 19?

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 44

    Advanced Database Security

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 45

    Contents

    Definitions

    Countermeasures

    Security Controls

    Data Protection and Privacy

    Statistical Databases

    Web Database Security Issues and Solutions

    SQL Injection

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 46

    Database Security Definition

    Definition (revisited): The protection of the database against intentional or unintentional threats using computer-based or non-computer-based controls

    Areas in which to reduce risk:

    theft and fraud

    loss of confidentiality

    loss of privacy

    loss of integrity

    loss of availability

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 47

    Countermeasures

    Ways to reduce risk

    Include:

    Computer Based Controls

    Non-computer Based Controls

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 48

    Computer Based Controls

    Security of a DBMS is only as good as the OS

    Computer based security controls available:

    authorization and authentication

    views

    backup and recovery

    Integrity

    Encryption within database and data transport

    RAID for fault tolerance

    associated procedures e.g. backup, auditing, testing, upgrading, virus checking

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 49

    Non-computer based Controls

    Include:

    Security policy and contingency plan

    personnel controls

    secure positioning of equipment

    escrow agreements

    maintenance agreements

    physical access controls, both internal and external

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 50

    Data Security

    Two (original) broad approaches to data security:

    Discretionary access control

      a given user has different access rights (privileges) on different objects

      flexible, but limited to which rights users can have on an object

      privileges can be passed on at the user's discretion

    Mandatory access control

      each data object is labelled with a certain classification level

      each user is given a certain clearance level

      rigid, hierarchic

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 51

    Role Based Access Control

    A specific function within an organisation

    Authorizations are granted to the roles instead of users

    Users are made members of roles

    Privileges cannot be passed on to other users

    Simplifies authorization management

    Supported in SQL

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 52

    System R Authorization Model

    One of the first authorization models for RDBMS, as part of the System R RDBMS

    Based on concept of Protection Objects: tables and views

    Access modes:

    SELECT

    INSERT

    DELETE

    UPDATE

    Not all applicable for views

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 53

    System R Authorization Model

    Users can give access to other users through use of GRANT and REVOKE

    Removing REVOKE is recursive

    System R has a closed world policy: if no authorization then access is denied

    However authorization can be granted later

    Negative authorization: denials are expressed, denials take precedence

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 54

    SQL Facilities

    SQL supports discretionary access control using the view mechanism and the authorization system

    e.g.

    CREATE VIEW S_NINE_TO_FIVE AS
    SELECT S.S#, S.SNAME, S.STATUS, S.CITY
    FROM S
    WHERE to_char(SYSDATE, 'HH24:MI:SS') >= '09:00:00'
    AND to_char(SYSDATE, 'HH24:MI:SS')

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 55

    Oracle Virtual Private Databases

    Fine-grained access control based on tuple-level access

    Uses dynamic query modification

    Users are given a specific policy

    The policy returns a specific WHERE clause in the query depending on the policy

    SELECT * FROM prop_for_rent

    Becomes

    SELECT * FROM prop_for_rent WHERE prop_type = 'F'

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 56

    Data Protection and Privacy

    Privacy: concerns the right of an individual not to have personal information collected, stored and disclosed either willfully or indiscriminately

    Data Protection Act: the protection of personal data from unlawful acquisition, storage and disclosure, and the provision of the necessary safeguards to avoid the destruction or corruption of the legitimate data held

    New Freedom of Information Act

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 57

    Statistical Databases

    A database that permits queries that derive aggregated information (e.g. sums, averages) but not queries that derive individual information

    Tracking: it is possible to make inferences from legal queries to deduce answers to illegal ones

    SELECT COUNT(*) FROM STATS X WHERE X.SEX = 'M' AND X.OCCUPATION = 'Programmer'

    SELECT SUM(X.SALARY) FROM STATS X WHERE X.SEX = 'M' AND X.OCCUPATION = 'Programmer'

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 58

    Statistical Databases

    Various strategies can be used to minimize problems:

    prevent queries from operating on only a few database entries

    swap attribute values among tuples

    randomly add in additional entries

    use only a random sample

    maintain history of query results and reject queries that use a high number of records identical to previous queries
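
    The two STATS queries from the previous slide and the first strategy listed above (refusing small query sets), as an added example that is not part of the lecture. The rows are constructed, and MIN_QUERY_SET and the function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for the STATS table queried on the slide.
ROWS = [
    ("Alf", "M", "Programmer", 50000),
    ("Bea", "F", "Programmer", 62000),
    ("Cal", "M", "Lawyer", 70000),
    ("Dee", "F", "Lawyer", 71000),
    ("Eve", "F", "Programmer", 58000),
    ("Flo", "F", "Lawyer", 66000),
]
MIN_QUERY_SET = 2  # assumed threshold: smallest query set the guard answers
AGGREGATES = {"COUNT": "COUNT(*)", "SUM": "SUM(SALARY)"}
COLUMNS = {"SEX", "OCCUPATION"}
MALE_PROGRAMMER = {"SEX": "M", "OCCUPATION": "Programmer"}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE STATS "
                 "(NAME TEXT, SEX TEXT, OCCUPATION TEXT, SALARY INTEGER)")
    conn.executemany("INSERT INTO STATS VALUES (?, ?, ?, ?)", ROWS)
    return conn


def query(conn, agg, conditions, guarded=True):
    """Answer an aggregate over rows matching {column: value} conditions."""
    if agg not in AGGREGATES or not set(conditions) <= COLUMNS:
        raise ValueError("unsupported aggregate or column")
    # Column names come from the allowlist above; values are bound parameters.
    where = " AND ".join(f"{col} = ?" for col in conditions) or "1 = 1"
    params = list(conditions.values())
    if guarded:
        size = conn.execute(
            f"SELECT COUNT(*) FROM STATS WHERE {where}", params).fetchone()[0]
        if size < MIN_QUERY_SET:
            raise PermissionError(f"query set of {size} row(s) is too small")
    return conn.execute(
        f"SELECT {AGGREGATES[agg]} FROM STATS WHERE {where}", params
    ).fetchone()[0]


def unguarded_disclosure(conn):
    """The slide's two queries: COUNT is 1, so SUM is one person's salary."""
    return (query(conn, "COUNT", MALE_PROGRAMMER, guarded=False),
            query(conn, "SUM", MALE_PROGRAMMER, guarded=False))


def guarded_disclosure(conn):
    """With the size guard, the same SUM is refused."""
    try:
        query(conn, "SUM", MALE_PROGRAMMER)
    except PermissionError:
        return "refused"
    return "answered"


def difference_of_allowed_queries(conn):
    """Two answers the size guard permits still differ by that one salary."""
    all_programmers = query(conn, "SUM", {"OCCUPATION": "Programmer"})
    female_programmers = query(
        conn, "SUM", {"SEX": "F", "OCCUPATION": "Programmer"})
    return all_programmers - female_programmers


if __name__ == "__main__":
    db = make_db()
    print("unguarded COUNT, SUM:", unguarded_disclosure(db))
    print("guarded SUM:", guarded_disclosure(db))
    print("difference of two allowed SUMs:", difference_of_allowed_queries(db))
```

    The size guard stops the direct query but not the difference of two permitted ones, which is why the slide also lists perturbation, sampling and query-history checks.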

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 59

    Web Database Security Issues

    Internet is an open network: traffic can easily be monitored, e.g. credit card numbers

    Challenge is to ensure that information conforms to: privacy, integrity, authenticity, non-fabrication, non-repudiation

    Information also needs to be protected on the web server

    Also need to protect from executable content

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 60

    Web Database Security Solutions

    Various methods can be used:

    proxy servers

      improve performance and filter requests

    firewalls

      prevent unauthorised access to/from a private network

    digital certificates

      electronic message attachments to verify that user is authentic

    Kerberos

      centralised security server for all data and resources on network

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 61

    Web Database Security Solutions

    Secure Sockets Layer and Secure HTTP

      SSL - secure connection between client and server

      S-HTTP - individual messages transmitted securely

    Secure Electronic Transactions

      certificates which split transactions so that only relevant information is provided to each user

    Java - Java Virtual Machine (JVM)

      class loader - checks applications do not violate system integrity by checking class hierarchies

      bytecode verifier - verifies that code will not crash or violate system integrity

    Active-X

      uses digital signatures, user is responsible for security

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 62

    SQL Injection

    A technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database [1]

    Can chain SQL commands

    Embed SQL commands in a string

    Ability to execute arbitrary SQL queries

    [1] http://imperva.com/application_defense_center/glossary/sql_injection.html

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 63

    SQL Injection: Example 1

    Form asking for username and password

    Original Query:

    SQLQuery = "SELECT count(*) FROM users WHERE username = '" + $username + "' AND password = '" + $password + "';"

    Specify username and password = ' OR '1' = '1

    SELECT count(*) FROM users WHERE username = '' OR '1' = '1' AND password = '' OR '1' = '1';

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 64

    SQL Injection : Example 2

    SQLQuery = "SELECT * FROM staff WHERE staff_no = " + $name + ";"

    Enter staff_no: 100 OR 1 = 1

    Will give the query:

    SELECT * FROM staff WHERE staff_no = 100 OR 1 = 1;

    Even worse:

    Enter staff_no: 100; DROP TABLE staff; SELECT * FROM sys.user_tables

    Enter staff_no: 100 UNION SELECT Username, Password FROM Users

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 65

    SQL Injection : Remedies

    Can include:

    Strip quotation marks and other spurious characters from strings

    Use stored procedures

    Limit field lengths or even don't allow text entries

    Restrict UNION
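
    Example 1's concatenated login query beside a version that binds the inputs as parameters, plus a digits-only, length-limited staff_no lookup in the spirit of the field-length remedy above. This is an added example, not code from the lecture: bound parameters are not among the remedies the slide lists, and the tables, rows and function names are constructed for the illustration.

```python
import sqlite3


def make_db():
    """Constructed tables mirroring the slides' users and staff examples."""
    conn = sqlite3.connect(":memory:")
    # Plaintext passwords only mirror the slide's query; store hashes in practice.
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret-A"), ("bob", "s3cret-B")])
    conn.execute("CREATE TABLE staff (staff_no INTEGER, name TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?)",
                     [(100, "Ann"), (101, "Ben"), (102, "Cho")])
    return conn


def login_concat(conn, username, password):
    """Vulnerable 'before' form: Example 1's query built by concatenation."""
    sql = ("SELECT count(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "';")
    return conn.execute(sql).fetchone()[0] > 0


def login_bound(conn, username, password):
    """Hardened form: the inputs are bound as data and never parsed as SQL."""
    sql = "SELECT count(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def staff_lookup(conn, staff_no_text):
    """Example 2 hardened: digits only, limited length, then a bound value."""
    ok = (staff_no_text.isascii() and staff_no_text.isdigit()
          and len(staff_no_text) <= 6)
    if not ok:
        raise ValueError("staff_no must be 1 to 6 digits")
    return conn.execute(
        "SELECT staff_no, name FROM staff WHERE staff_no = ?",
        (int(staff_no_text),)).fetchall()


# The always-true input from Example 1.
TAUTOLOGY = "' OR '1' = '1"

if __name__ == "__main__":
    db = make_db()
    print("concatenated query accepts it:", login_concat(db, TAUTOLOGY, TAUTOLOGY))
    print("bound query accepts it:", login_bound(db, TAUTOLOGY, TAUTOLOGY))
    print("valid login still works:", login_bound(db, "alice", "s3cret-A"))
    print("staff 100:", staff_lookup(db, "100"))
    try:
        staff_lookup(db, "100 OR 1 = 1")
    except ValueError as exc:
        print("rejected:", exc)
```

    Binding fixes the query itself, so it does not depend on guessing which characters to strip; the input check on staff_no is a second layer, not a substitute.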

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 66

    Summary

    Have looked at a number of issues and solutions for database security

    e.g. access controls, SQL features, etc.

    Web security is an important problem

    Need to consider security of data transmission, the data server and the clients

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 67

    Further Reading

    Connolly and Begg, chapter 19

    Date (7th edition), chapter 17

    both Connolly and Date have general introductions to security concepts, with mention of some advanced features

    Bertino and Sandhu: Database Security Concepts, Approaches and Challenges, IEEE Transactions on Dependable and Secure Computing, Vol. 2, No. 1, 2005

    Oracle 8i Virtual Private Database White Paper: http://www.oracle.com/technology/deploy/security/oracle8i/pdf/vpd_wp6.pdf

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 68

    Client/Server, Distributed and

    Internet Databases

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 69

    Client/Server Databases

    Web Databases

    Distributed Databases

    Contents

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 70

    In a file server client architecture each client must run a copy of the DBMS

    A better solution is to have a central database server which performs all database commands sent to it from client PCs.

    Application programs on each client PC can then concentrate on user interface functions.

    Database recovery, security and concurrency control are managed centrally on the server.

    Client/Server

    Architecture

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 71

    DATABASE SERVER

    The SERVER portion of the client/server database system which provides processing and shared access functions.

    Client/Server

    Architecture

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 72

    CLIENT

    Manages the user interface (controls the PC screen, interprets data sent to it by the server and displays the results of database queries)

    The client forms queries in a specified language (usually SQL) to retrieve data from the database. This query process is usually transparent to the user.

    Client/Server

    Architecture

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 73

    CLIENT/SERVER ADVANTAGES

    Allows companies to harness the benefits of microcomputer technology such as low cost.

    Processing can be performed close to the source of the data - more speed.

    Allows the use of GUI interfaces that are commonly available on PCs and workstations.

    Paves the way for truly open systems.

    Client/Server

    Architecture

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 74

    CLIENT/SERVER DESIGN ISSUES

    The server must be upgradeable to allow for the growth in clients.

    Gateway software is normally required for accessing databases held on a mainframe.

    The server must have capabilities for backup, recovery, security and UPS.

    Client/Server

    Architecture

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 75

    CLIENT/SERVER DESIGN ISSUES

    Can be complex and so require specialised and expensive tools such as database servers and APIs.

    A lack of comprehensive standards.

    Front-end GUI software often requires expensive client workstations.

    Client/Server

    Architecture

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 76

    Traditional Client-Server Architecture

    Traditional Database Systems are based on a two-tier client-server architecture

    [Figure: two-tier architecture. Client (fat client): user interface, main business and data processing logic. Database server: server-side validation, database access.]

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 77

    Web Architecture

    Need for enterprise scalability causes problems which can be solved by a three-tier architecture

    [Figure: three-tier architecture. Client (thin client): user interface. Application server: business logic, data processing logic. Database server: server-side validation, database access.]

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 78

    Web as a Database

    Platform Advantages

    DBMS advantages

    E.g. transactions, concurrency, synchronisation, security, integrity

    Simplicity

    HTML is a simple markup language, however with new scripting languages this simplicity is being lost

    Platform independence

    Web clients are mostly platform independent

    Graphical User Interface

    Users prefer a GUI to a text based application

    Standardization

    HTML is a de facto standard

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 79

    Advantages (cont).

    Cross-platform support: Users on all types of computer can access a machine with a web browser

    Transparent network access: Access solely by URL

    Scalable deployment: Applications upgraded on server only

    Innovation: Organisations can provide new services and reach new customers

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 80

    Web as a Database

    Platform Disadvantages

    Reliability: Internet is a slow and unreliable communication medium. No guarantee of delivery

    Security: Data accessible on web. User authentication and secure data transmissions are critical

    Cost: A report from Forrester Research claims that maintaining a commercial web site costs $200 to $3.4 million

    Scalability: Unreliable and potentially very large peak loads. Needs highly scalable server architectures

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 81

    Disadvantages (cont.)

    Limited HTML Functionality: Need to extend HTML with scripting languages. Adds a performance overhead

    Statelessness: No concept of a database connection

    Bandwidth: Internet is slow! 1.5mbps compared to 10-100mbps

    Performance: Many scripting languages are interpreted languages

    Immaturity of development tools: This is improving!

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 82

    Web Database

    Approaches

    Traditional web pages are normally static

    To run queries, need to be able to produce dynamic HTML pages

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 83

    Client Side vs.

    Server Side

    To access database and process information from the database, need executable content

    Acts as a gateway between the Web and the database Server

    This can run at either of two locations:

    Client Side

    Server Side

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 84

    Web Database

    Approaches

    Approaches include:

    CGI - Common Gateway Interface

    HTTP Cookies - allows machine to store information, e.g. user authentication

    JavaScript - code which runs on client machine

    PHP - Hypertext Preprocessor

    Active Server Pages - MS Access dynamic forms

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 85

    Database Connectivity

    Client Side, 2 approaches:

    Extend the browser using scripts, or add-ons or applets, e.g. plug-ins, JavaScript, ActiveX, Java applets

    Link browser to other (external) applications, e.g. legacy systems

    Server Side, 2 approaches:

    Embed scripts within web page source, e.g. PHP, Java servlets

    Create programs which are executed when accessed by client, e.g. CGI

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 86

    Client Side

    Advantages

    Distribution of processing

    Feedback speed

    Web-page functionality

    Disadvantages

    Platform/environment dependent

    Security and integrity

    Download time

    Programming limitations

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 87

    Server Side

    Advantages

    Platform/browser independent

    Security and integrity

    Download time

    Programming limitations direct access to database

    Disadvantages

    Lack of debugging tools

    Lack of direct control over user interface

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 88

    DECENTRALIZED DATABASE

    stored on computers at multiple locations.

    computers are not interconnected by a network.

    users at the various sites cannot share data.

    DISTRIBUTED DATABASE

    Spread physically across computers in multiple locations that are connected by a data communications link.

    Distributed Databases

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 89

    Geographical Distribution: Several databases run under the control of different CPU's at a variety of different locations.

    Platform Distribution: Databases exist on diverse hardware platforms, and are 'brought together' by the distributed database manager.

    Architectural Distribution: Different database architectures exist together, e.g. an object-oriented database communicating with a relational database

    Distribution Types

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 90

    Distributed Database Requirements:

    For a distributed database to be as such, a fundamental principle must be adhered to:

    To the user, a distributed database should look exactly like a non-distributed system

    Local Autonomy:

    All operational controls and data maintenance are controlled only by that site.

    Date's Rules

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 91

    No Reliance On A Central Site:

    This follows on from the first objective and is self-explanatory

    Continuous Operation:

    A distributed approach leads to greater reliability and availability. The database should still be able to function, even if one of its sites is unavailable.

    Date's Rules

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 92

    Distributed Transaction Management:

    Transaction processing is the key to the successful usage of distributed databases.

    Must cater for two core aspects of transaction management i.e. recovery control and concurrency.

    Location Independence:

    Otherwise known as Transparency.

    Date's Rules

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 93

    Fragmentation Independence:

    Horizontal Partitioning: different rows from the same table are stored at different sites.

    Vertical Partitioning: different columns from the same table are maintained at different sites.

    Replication Independence:

    Replication occurs when a stored relation can be represented by many distinct copies (replicas), stored at many sites. As with fragmentation, users must not be aware that the data is replicated.

    Date's Rules

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 94

    Distributed Query Processing:

    Queries may retrieve information from several sites. Therefore distributed queries must be optimised.

    Date's Rules

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 95

    Hardware Independence:

    Presenting a 'single-image' system to the end user regardless of platform.

    Operating System Independence:

    Same as above, but based upon software.

    Network Independence:

    Support for a disparate variety of communication networks.

    DBMS Independence:

    Achieving heterogeneity between different database management systems via a common interface, i.e. the SQL language.

    Date's Rules

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 96

    ADVANTAGES

    Increased reliability and availability

    Encourages local ownership of data

    Modular growth

    Lower communication costs

    Faster response

    Distributed Databases

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 97

    DISADVANTAGES

    Software complexity and cost

    Processing overhead

    Data integrity

    Slow response

    Distributed Databases

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 98

    HOW SHOULD A DATABASE BE DISTRIBUTED ?

    Four basic strategies:

    1. Data replication

    2. Horizontal partitioning

    3. Vertical partitioning

    4. Combinations of the above

    Distributed Databases

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 99

    Separate copy of the database stored at the different sites.

    Preferred for systems where:

    Most transactions are read only

    Data is relatively static, for example timetables or catalogues.

    Data Replication

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 100

    Data Replication: Advantages

    Reliability - If one site fails another copy of the data can be found at a second site.

    Fast response - Each site has a full copy of the data therefore queries can be processed locally.

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 101

    Horizontal Partitioning: The base table is split horizontally into several different tables at different sites.

    Selected rows from a table are put into tables at different sites.

    Distributed databases

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 102

    Advantages

    Efficiency - Data items are stored where they are most often used away from other applications.

    Optimisation - Data optimised for local use

    Security - Only relevant data is available

    Distributed databases

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 103

    Disadvantages

    Inconsistent access speed - When data from several different partitions are required, access speed can vary significantly.

    Backup vulnerability

    Distributed databases

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 104

    Vertical PARTITIONING

    Some of the columns in a table are projected into a table at one of the sites and other columns are projected into a table at another site. The same advantages and disadvantages of horizontal partitioning apply.

    Distributed databases

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 105

    Combinations

    To complicate matters even further it is possible to have a strategy which is a combination of all the above. Some data stored centrally, some distributed both horizontally and vertically. It could be a real challenge (or a nightmare).

    Distributed databases

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 106

    DISTRIBUTED DBMS

    Determine the location from which data is to be retrieved.

    Translate requests from different nodes.

    Provide functions such as security, recovery, concurrency and optimisation.

    Distributed databases

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 107

    DISTRIBUTED DBMS

    IT SHOULD ALSO OFFER:

    Location transparency

    Replication transparency

    Failure transparency

    Concurrency transparency

    Commit protocol

    Distributed databases

  • Kyanganda S. ICS 2415 Advanced Dbase Systems 108

    Further Reading

    Distributed Databases: Connolly and Begg, chapter 22

    Web Databases: Connolly and Begg, chapter 29, Sections 29.1 to 29.3