Data Security GK Gupta
Uploaded by
Pammi Jasani
11 Database Security

OBJECTIVES
- Discuss why database security is a serious concern.
- Describe the main database security violations.
- Explain how a database may be protected from security threats using identification, authentication and authorization.
- Discuss a number of techniques for identification and authentication.
- Describe the discretionary access control for authorization.
- Describe SQL support for discretionary access control authorization.
- Discuss mandatory control for authorization.
- Discuss special security concerns for statistical databases.
- Describe the role of the audit policy.
- Explain the basics of security of Internet applications and encryption.
- Introduce the topic of security of outsourced databases.

KEYWORDS
Security, database security, identification, verification, cards, password, name, authentication, biometrics, discretionary access control, privileges, REVOKE, SQL, subjects, mandatory access control, statistical databases, inference, Internet security, encryption, decryption, symmetrical and asymmetrical encryption, outsourced databases, audit policy.

"My grandfather once told me that there were two kinds of people: those who do the work and those who take the credit. He told me to try to be in the first group; there was much less competition there."
Indira Gandhi

11.1 INTRODUCTION

We noted earlier that a database is a valuable resource of an enterprise and it is essential that its consistency be maintained at all times. Also, database systems often include valuable enterprise information and employees' personal information that must be protected from unauthorized retrieval. The importance of database and computer security may be highlighted by what has been discovered by a number of research teams in the UK, Canada and the USA during 2008-10. These researchers found that many computers, perhaps several thousand, were compromised by hackers that were based in China.
The researchers in Toronto learned what kinds of material had been stolen, including classified assessments about security in several Indian states, and confidential embassy documents about India's relationships in West Africa, Russia and the Middle East. The intruders breached the systems of independent analysts, taking reports on several Indian missile systems. They also obtained a year's worth of the Dalai Lama's personal e-mail messages. The reports describing this research are "Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation", prepared by the US-China Economic and Security Review Commission and dated October 9, 2009 (the URL for the full 88-page report is http://www.usce.gov/index.php), and "Shadows in the Cloud: Investigating Cyber Espionage 2.0" from the University of Toronto (the full report can be downloaded from http://deibert.citizenlab.org/2010/04/new-iwm-report-shadows-in-the-cloud/). A New York Times article dated 6 April 2010 is available at http://www.nytimes.com/2010/04/06/science/06cyber.

Maintaining database consistency requires many techniques. Some of these have already been discussed in Chapters 9 and 10. For example, in Chapter 9 on concurrency, we discussed techniques for maintaining consistency when a number of transactions are being carried out concurrently. In Chapter 10 on recovery, we discussed how consistency could be maintained in spite of an accidental failure or damage to the database. We now discuss two further problem areas and solutions to deal with them. These are database security and database integrity. Security is discussed in this chapter and integrity is discussed in Chapter 12. A database may become inconsistent as a result of deliberate sabotage of the database system. In addition, the database needs to be protected against deliberate unauthorized retrieval, corruption or update of data in the database by unauthorized persons.
The protection of a database in this context is called database security. A database may also become inconsistent as a result of errors and mistakes on the part of authorized users. A DBMS should protect the database from such errors and mistakes. The protection of a database in this context is called maintaining database integrity. In this chapter, we discuss database security measures that need to be taken to protect the confidentiality, integrity and availability of the database against intervention by unauthorized persons. Chapter 12 is devoted to techniques for maintaining database integrity.

We first define database security violation and database security.

Definition—Database Security Violation
A database security violation takes place when someone carries out an unauthorized retrieval, modification or destruction of information in a database.

Database security involves allowing or disallowing user actions on the database and the objects within it. It is defined as follows.

Definition—Database Security
Database security is the system, processes and procedures that protect a database from unintended activity including loss of confidentiality, loss of privacy, loss of database integrity or loss of database availability to the users.

Security violations include a number of activities that are listed in the next section. Security is sometimes confused with privacy, a related concept. Privacy, called information privacy in the context of databases, deals with the right of individuals to control the flow of information about them. Privacy protection measures will not be discussed here, but we note that privacy protection does require that adequate security measures be in place.

This chapter is organized as follows. Security violations and sources of violations in a database system are discussed next.
This is followed by a discussion of the various components of database security. Section 11.3 deals with identification and authentication, while Section 11.4 deals with authorization, which includes a discussion on discretionary access control and on nondiscretionary or mandatory control techniques. Security of statistical databases is discussed in Section 11.5. Database audit policy is discussed briefly in Section 11.6, followed by brief discussions on security of Internet applications and the use of encryption. Finally, a brief discussion on outsourced databases is presented.

11.2 SECURITY VIOLATIONS

As noted earlier, an enterprise database infrastructure is subject to a range of threats. There are a number of ways of classifying database security threats. In our approach, security violations are classified into the more detailed classes presented in Fig. 11.1. We now present an example of each.

1. Unauthorized disclosure of data: For example, in a university student database, a student looking at the assessment records of other students compromises the database security. A lecturer looking at assessment records of students that he/she is not authorized to access also compromises security. A similar violation would occur if, in a police database, an officer of the department accesses police information about a person merely to find the address of the person. Also, it has been found that many large organizations assign lower priority to the protection of customer and employee data, and a vast majority of security breaches involved confidential customer and employee information.

2. Destruction of data or database: A person breaks into a computer system and destroys database files on the computer system.

3. Trojan horse: This refers to a transaction that is hidden in another transaction. The hidden transaction becomes active and may breach security when the main transaction is executed. For example, consider a program called who that is commonly used by Unix users.
A user could put a modified version of who in the home directory of another user so that whenever who was executed, it not only did what it was supposed to but also copied some of the files into the other user's directory.

4. Corruption or modification of data: In a bank database, an employee updates the information in some accounts with a view to embezzling funds. In an interesting example of unauthorized modification of data, an employee of Qantas airlines many years ago managed to regularly modify passenger lists of some flights after the flight had landed. He added his name to these flights and collected millions of frequent flyer points. He was eventually arrested.

5. Deliberate interruption of service: A major computer installation is destroyed by a deliberate fire or a bomb, thereby destroying a valuable database. As an example, students at a Canadian university in the 1970s destroyed the central computers, interrupting the computer services of the university.

6. Inference: A person is able to derive confidential or sensitive information about an individual by accessing information about other individuals or groups from a census database.

These security violations usually lead to either loss of confidentiality, loss of privacy, loss of database integrity or loss of database availability to the users. They can also lead to an enterprise suffering considerable damage. The motivations behind a deliberate security violation of a computer system are varied. For example, the violator might hope to benefit financially, or to cause damage to the enterprise that owns the database, perhaps because of hostility towards the enterprise, or might just wish to prove that it is possible to penetrate the system. Whatever the motivation, books and articles on computer crime provide sufficient evidence to support the view that computer security problems are real and extremely important.
Computer crime studies highlight the vulnerability of some organizations, for whom the loss of their database may result in the end of the organization itself.

Sources of Security Threats

A number of different studies have investigated the sources of security threats. These studies have shown that in most systems the primary threats to database security, in order of importance, are those given in Fig. 11.2.

Figure 11.2 Threats to database security
- Fire
- Disgruntled employees
- Water
- Strangers

Insiders remain a significant risk. A majority of organizations have been found to be ineffective in managing the insider threat, and therefore most database fraud or crime is perpetrated by employees of the organization, employees who use their access to the system to commit a crime. One possible solution to insider misuse is careful auditing of databases that hold sensitive information. Auditing is discussed in Section 11.6. A few years ago, a police employee during the night tried accessing information about some person in a sensitive database that held information about drug traffic suspects. This database was audited and the employee was caught when someone looked at the auditing data several days later.
Searching for problems that the FBI has with its own employees, I found the following security incidents (for more details, refer to http://www.copwatch.org/TechTV%20%20Top%2010%20List%4200f%20Polices 20Database*%420 buses%20htm|.htm):
- Cop Suspected of Using Database to Plan Murder of Ex-wife
- Australian Rookie Cop Checks on 'Potential Girlfriends': 6,900 Database searches in only two months
- FBI Files Sold to mob and international criminals by Nevada Attorney General's Office employee and former FBI agent
- Indiana Police Department banned from FBI database due to misuse
- Prosecutor's office uses database to smear prosecutor's political opponent
- Police Lieutenant charged with abusing database to influence elections

Therefore every organization that runs a database has to be very careful in monitoring the security of the database, including monitoring of insiders if the information is sensitive. In addition to database auditing, intrusion detection that uses user profiling and data profiling may be used. In practice, only a small number of incidents involve the remaining security problems, such as unauthorized access from outside or wilful damage to a database system. In spite of the small numbers, the security of a database must be taken seriously.

Computer security concerns can be divided into two broad classes: internal security and external security. Internal security deals with the operations of the computer system itself and with, for example, access to the system, access to the files, access to networks and inference control. External security, on the other hand, deals with operations outside the computer system. These include, for example, physical security of the computer server room, the computers that access the database and the rooms in which the computers are placed, security clearance of the personnel accessing the database, security of the network lines, procedures to protect passwords, and audit trails.
External security problems are beyond the scope of this book. It should however be made clear at the outset that absolute security is an unrealistic goal. Just as the best protected banks are sometimes robbed, an adversary with sufficient motivation, resources and ingenuity can compromise the most sophisticated database security safeguards. Also, a disaster of sufficient severity would result in destruction of the database irrespective of the security precautions. An optimum security policy is one in which the cost of implementing protective mechanisms has been balanced against the reduction in risk achieved. The process of achieving a tolerable level of risk at the lowest possible cost is referred to as risk management. Furthermore, a DBMS exists to provide flexible and efficient facilities for retrieval and manipulation of stored data. Security and integrity controls should be such that an authorized user does not encounter unnecessary problems in accessing the system. This places demands on the system that are often inconsistent with the demands of enforcing security measures.

Although security measures can be costly, experience shows that adequate security is inexpensive compared with the consequences of failing to provide adequate protection. Usually an enterprise needs to identify the security threats that it might be subjected to and develop a security plan based on those threats. Threats should not be ignored if the likely damage due to them is very large. The security concerns of different database systems are likely to be different; for example, a bank database and a university database are likely to have different security concerns and policies. Each security policy has a number of components. Some of the components are listed in Fig. 11.3.

Figure 11.3 Components of database security
- Identification and authentication
- Authorization policy
- Statistical inference policy for statistical databases
- Encryption
- Database audit policy

Each of the components is now discussed.
11.3 IDENTIFICATION AND AUTHENTICATION

Every database must provide a mechanism that makes sure that the system only allows access to authorized users and that each user is allowed to run only those transactions that he/she is authorized to carry out. Therefore a database system must have a comprehensive identification, authentication and authorization mechanism.

Definition—Identification and Authentication
Identification involves a user indicating to the computer system who he/she is, while authentication involves the computer system obtaining further information from the user to verify that the user is the person he/she claims to be.

Identification and authentication are standard means of establishing a user's identity. They are standard operating system problems and operating system texts provide a discussion of the relevant issues. The methods for establishing the identity of an individual can be classified into four classes.

1. Knowledge: Identification and authentication based on something the user knows is the most common form of authentication. In username/password authentication the username may be based on the user's name, and passwords are frequently chosen from easily remembered information (for example, a name, the name of the street the user lives on, or the name of a relative). When a list of first names, last names, city names, street names and words from a moderate-size dictionary was collected, it was found that some 86 percent of all passwords on the systems that were checked were on this list. Password authentication can be improved by some simple precautions. For example, it is possible to check the password a user chooses against a dictionary of names and words and not allow common names or words to be used. Some sites now insist on an eight-character password containing some numeric or special characters to improve the security of passwords.
Username/password authentication continues to be used widely because it is simple and easy to implement.

2. Objects: Identification and authentication can be based on objects in the possession of the individual, for example, a card. Each card has a unique identifier stored on it to establish the user's identity. Unfortunately this approach only confirms the identity of the object, not of the user. Objects can be lost, stolen and forged, allowing a person with someone else's object to gain access. The scheme is considerably improved if the object is combined with some knowledge (e.g., a PIN or password). This is the approach followed by banks in using a card and a PIN to allow customers to access ATMs. Even then there have been problems, as some people write down their PIN on the card or on a piece of paper. Most ATM cards use a four-digit PIN, but many banks now allow the use of longer PINs to improve security.

3. Actions: It is possible to base authentication on users' actions. For example, handwritten signatures have been used for hundreds of years and the approach has worked quite well. A user may be required to sign on an electronic tablet and the signature may then be compared with the one (or more) stored in the machine. It is also possible to use patterns of computer-use behaviour once the user is logged on to authenticate the person's identity by comparing the behaviour with the user's profile. These techniques may involve keystroke dynamics (for example, in a 1990 study reliable results were obtained by looking at keystroke latencies when users typed their username and password) and other human-computer interactions.

4. Physiology: The most reliable authentication techniques are based on physiology. These are also called biometric techniques and include fingerprints, retinal pattern, face recognition and voice pattern. After the 9/11 terrorist attacks, the use of biometrics is becoming more common.
The usual approach in biometric techniques is to obtain from the user a sample of the characteristic that is being used and to measure this characteristic when the user presents himself/herself for authentication. If the match is close enough then the user is authenticated. Some of the biometric techniques, for example face recognition, are not particularly reliable. Also, biometrics often requires expensive equipment and is not always suitable for a user wanting to access a database system using a desktop PC.

Most computer systems restrict identification and authentication to the first two categories because of the ease of implementation of the techniques they are based on. Generally, computer systems require a user to identify himself/herself either by typing a login name or by inserting a machine-readable card in the client machine. This is then followed by an authentication phase that usually involves the user providing a password which is supposed to be known only to the user. Other authentication schemes are of course possible. For particular security needs, a system may use special terminals that are locked or kept in a secure room, together with a machine-readable card like a plastic credit card as well as a password. Handwritten signature verification is another area in which considerable research has been going on for the last twenty years or so. One bank in Australia is using another approach. For transfers of large amounts of money or for transferring money to a new person, the bank will seek confirmation by sending an SMS to the account holder's registered mobile phone, requesting him/her to type the code sent via SMS into the user's computer banking session.

A number of other precautions may also be considered. For example, if appropriate, the system should lock out a user who has failed login on, say, three successive attempts in a short period of time. Passwords may be changed after a period of, say, three or six months. When a password is changed it may be appropriate to ensure that one of the old passwords is not reused.
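As an added illustration of the password precautions just described (this is not code from the book): a check of a new password against a dictionary of common names and words, the eight-character minimum with mixed case, digits and punctuation, refusal of recently used passwords, and lockout after three failed attempts within a short period. The word list, the 300-second failure window and the five-password history depth are assumptions made for the example.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field

# Constructed stand-in for the dictionary of first names, last names, city and
# street names and common words that the chapter recommends checking against.
COMMON_WORDS = {"password", "welcome", "cricket", "delhi", "mumbai", "gupta", "sachin"}

MIN_LENGTH = 8          # chapter: passwords must have at least eight characters
MAX_FAILURES = 3        # chapter: lock the account after three failed attempts
FAILURE_WINDOW = 300    # assumption: "a short period of time" taken as 300 seconds
HISTORY_SIZE = 5        # assumption: number of old passwords that may not be reused
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so that a stolen password table cannot simply be read."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""
    history: list = field(default_factory=list)   # hashes of previous passwords
    failures: list = field(default_factory=list)  # times of recent failed logins
    locked: bool = False


def check_password_policy(password: str, account=None) -> list:
    """Return the policy rules the password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation mark")
    # Dictionary check on the whole password and on its letters alone, so that a
    # common word dressed up with a digit and a symbol (e.g. "Cricket1!") is still caught.
    letters = "".join(c for c in password if c.isalpha()).lower()
    if password.lower() in COMMON_WORDS or letters in COMMON_WORDS:
        problems.append("based on a common word or name")
    if account is not None:
        candidate = hash_password(password, account.salt)
        previous = account.history + ([account.pw_hash] if account.pw_hash else [])
        if any(hmac.compare_digest(candidate, old) for old in previous):
            problems.append("reuses one of the last %d passwords" % HISTORY_SIZE)
    return problems


def set_password(account: Account, password: str) -> list:
    """Apply the policy; on success store the new hash and remember the old one."""
    problems = check_password_policy(password, account)
    if problems:
        return problems
    if account.pw_hash:
        account.history = (account.history + [account.pw_hash])[-HISTORY_SIZE:]
    account.pw_hash = hash_password(password, account.salt)
    return []


def authenticate(account: Account, password: str, now: float) -> bool:
    """Verify the password; MAX_FAILURES failures inside the window lock the account."""
    if account.locked:
        return False  # a locked account rejects even the correct password
    if account.pw_hash and hmac.compare_digest(hash_password(password, account.salt), account.pw_hash):
        account.failures.clear()  # a successful login resets the failure count
        return True
    account.failures = [t for t in account.failures if now - t < FAILURE_WINDOW] + [now]
    if len(account.failures) >= MAX_FAILURES:
        account.locked = True
    return False
```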
Finally, it should be noted that most computer systems, including database systems, come with a number of default accounts which can lead to security breaches. These default passwords should be changed to other passwords immediately after the system has been installed.

To conclude the discussion on identification and authentication, the following simple rules should be noted.
(a) To protect an enterprise database, strong identification and authentication must be used. In most systems usernames like guest, client and visitor are often available. All such usernames should be removed from the system. Authentication must use strong passwords with a minimum of eight characters. In addition, users should be encouraged to use lower and upper case characters, as well as numbers and punctuation marks, in their password. Passwords should be changed regularly and each new password should be checked.
(b) System privileges should be allowed only to employees that need to have such privileges.
(c) An account should be locked out after three failed attempts to log in to the system.
(d) Unused accounts should be locked or simply deleted after some reasonable amount of time.

11.4 AUTHORIZATION OR ACCESS CONTROL

In addition to identification and authentication, authorization deals with controlling the type of access that a user is allowed. It may be that we only wish to allow a user by the name X to access some parts of the database, or a user at level Y some predefined level of access. Beyond access itself, authorization may also control what a user may do with the access. In the discussion below the users are referred to as subjects and the database contents (e.g., tables, views, indexes) are referred to as objects.

2. Object profiles: In this scheme the DBMS maintains information about each data object. This information, called the object profile, is then used to decide whether a user is allowed access to the objects that he/she wishes to access.
The simplest example of object profiles is the file protection mechanism that is provided by most operating systems. For example, in UNIX file management, a file may be readable, writable or executable either by the person whose directory the file is in, or by a group of users specified to the system by the user, or by everyone (public). This is not particularly satisfactory as this type of file protection mechanism is very simplistic. In regard to the database, the protection provides only four options as far as the data is concerned:
- Cannot read or write data
- Can read but not write data
- Can read and write data
- Cannot read but can write data

File protections apply to a file as a whole and therefore different protections for parts of a file are not possible. In the database environment, one may wish to allow selective access not only to parts of the database but also to parts of individual tables, to a user or a group of users. A technique other than the file protection mechanism described above is then needed.

The database security problem can be compared with a university campus security problem. The database consists of many tables just as a campus consists of many buildings. A simplistic example of security on campus may be something like:
1. People are allowed to enter the campus or not (similar to being allowed to log in to a database system).
2. People who are allowed to enter the campus are either allowed to enter a building (in which case they can enter all rooms in that building) or not allowed to enter the building at all (similar to being able to access a table).

Such simple mechanisms are clearly inadequate in practice and we would like to make finer decisions regarding a person's entry to buildings (probably based on each office). Similarly, we would like to make fine-grained decisions on access to a database among different classes of users.
In the campus example, students may be allowed to enter the labs and lecture theatres in a building but can enter staff offices only with the permission of the staff member concerned. Locks on each of the offices as well as on the buildings help implement this regulation. Decisions on access to buildings involve things like:
- What day and time of day it is
- Whether an office has a staff member in it
- Whether the office is locked, and so on

Similar considerations exist regarding database access. For example, a database may distinguish different classes of users on a similar basis.

There are two techniques that enable fine-grained authorization. These are called Discretionary Access Control and Nondiscretionary (or Mandatory) Access Control. Most commercial products currently provide only discretionary access control, since discretionary access control (DAC) provides simple and flexible access control. However, increasingly, perhaps due to the 9/11 terrorist attack in the USA and the requirements of the US Department of Defense, database vendors are exploring the possibility of providing mandatory control as well in their products.

11.4.1 Discretionary Access Control (DAC)—Access Matrix Model

A discretionary policy involves providing access to users based on their need-to-access, where the need is determined by someone authorized to determine each user's need. The need may be determined by the user's supervisor or some higher authority in the enterprise that is charged with the responsibility of determining the need and granting and revoking privileges to access and/or update the database as necessary. The database administrator often implements it. In practice, in SQL, a user who owns an object (often the database administrator) has the discretion to give permission to others based on their need. The concept of an authorization or access matrix in a discretionary access control model was proposed by Conway, Maxwell and Morgan in 1972.
Definition—Discretionary Access Control
A discretionary policy involves providing access to users based on their need-to-access, where the need is determined by someone authorized to determine each user's need.

The authorization essentially is a set of triples (s, o, a) where s is the user, o is the object and a is the action s is authorized to carry out. The (s, o, a) triples are usually represented by a two-dimensional matrix presenting the sets of users, objects and actions (S, O, A) as shown in Fig. 11.5, with the columns corresponding to data objects O (not necessarily disjoint) and the rows corresponding to subjects S. The matrix may be used to specify access rights A. Each cell in the matrix specifies the access rights a user has on a data item. Access rights represent operations that may be carried out by users on data items and may include retrieve, insert, delete and update on a table, a row or an attribute. Data items may also be defined using views. Access rights might also include predicates describing a condition on the data. Discretionary access control therefore is flexible, although its security controls are not fine-grained, and it allows one person to manage the controls on the objects he/she owns. The symbols r, w and x correspond to the privileges read, write and execute; the object name is given at the top of each column.

Figure 11.5 Access matrix with subjects Anilkumar, Saraswati and Inderjit as rows and the objects Player, Match, Batting and Bowling as columns (the individual r, w and x cell entries are not legible in the source).

This is similar to the use of the symbols r, w and x in the UNIX file protection system. This matrix, with a large number of objects and a large number of users, is often sparse, since every user would normally deal with only a small number of objects. Therefore, storing the matrix as a two-dimensional array is not viable. The matrix may be stored as a table with only the non-empty entries, or it may be stored either by columns or by rows.
A system that stores by columns is commonly known as an access control list (ACL); for example, the UNIX file system is such a system, in which each file is accompanied by a list containing subjects and their rights to that file. An implementation that stores by rows is commonly known as a capability list, in which each subject maintains a list of their rights to objects. The underlying philosophy in discretionary access control is that subjects owning database objects can determine who has access to their database objects, e.g., tables. Since the authorization matrix can be large, DAC typically supports user groups and object groups which may be hierarchically organized. Once groups are used, it may be necessary to define exceptions. Unfortunately the discretionary access control method can only deal with a coarse granularity of database objects. Also, DAC only deals with users and not processes. A process essentially is given the privileges that are available to the user who started the process. The process may then execute some malicious program, violating the database security.

Using the SQL GRANT Mechanism

SQL provides facilities for discretionary access control. The owner of a table is automatically granted all privileges on the table. The owner may then grant privileges to other users, who in turn may grant privileges to others. Once a user has been granted some privilege by the database system, normally the system would allow that user to grant the same privilege to some other user, and the privileges may then be propagated. Of course, if the first user revokes the privilege of the second user, the system should revoke all the privileges that the second user has propagated. The system therefore must not only maintain a table of who has what privilege but also of who has granted what privilege, and check these every time some privilege is revoked.
It is worth noting that privileges should be granted only when absolutely necessary and should be revoked as soon as the need for a privilege is over. The granting of privileges may be represented by a graph like the one in Fig. 11.6 below. To simplify the graph, we deal only with all the privileges on the four tables A, B, C and D. Brahma has all privileges on tables A and B, Vishnu on tables B and C, while Shiva has all privileges on C and D. Saraswati has been granted privileges on A by Brahma, on B by Vishnu and on C by Shiva. Lakshmi has been granted privileges on C by Vishnu, and Parvati has been granted privileges on tables B and C by Vishnu. Figure 11.6 also shows that the user Hanuman has been granted privileges on table D by user Shiva. Krishna has been granted privileges by three other users: on A and C by Saraswati, on C by Lakshmi and on B by Parvati. Now consider what happens if the privileges of Parvati were revoked. She now has no ...

Figure 11.6 Example of an authorization graph

The granularity of many systems is quite coarse, as access can be controlled only on the basis of tables. The newer systems are however able to control access as finely as each cell. One may nonetheless wish to have additional security features, including value-dependent controls. A typical SQL GRANT command looks like the one shown in Fig. 11.7. It grants Ganesh and Vishnu the privilege to use the SELECT operation on the tables named Player and Match.

    GRANT SELECT ON Player, Match
    TO Ganesh, Vishnu

Figure 11.7 An example of the GRANT command

A component of the DBMS called the Security Manager deals with authorizations that are issued and also stores them. It then enforces security based on the rules given by the DBA. It is assumed that the user granting a privilege holds that privilege on the object.
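To tie the access matrix of Section 11.4.1 (an ACL is one column, a capability list one row) to the GRANT graph of Fig. 11.6, here is an added example in Python that is not code from the book: a toy Security Manager that records who granted what to whom, refuses a GRANT from a subject that does not hold the privilege, and cascades a REVOKE so that a privilege survives only while a chain of grants links it back to a holder who needs no grant. The subjects and tables are the chapter's; the handling of a cycle of grants with no link back to such a holder goes beyond the chapter's example.

```python
class SecurityManager:
    """Toy version of the DBMS component the chapter calls the Security Manager."""

    def __init__(self):
        self.roots = {}      # table -> subjects holding it without any grant (owners)
        self.grants = set()  # (grantor, grantee, table): who granted what to whom

    def make_owner(self, subject, table):
        self.roots.setdefault(table, set()).add(subject)

    def holders(self, table):
        """Subjects currently holding `table`: the root holders plus everyone reachable
        from them through grants. A grant whose grantor is unreachable counts for nothing."""
        held = set(self.roots.get(table, ()))
        frontier = list(held)
        while frontier:
            grantor = frontier.pop()
            for g, grantee, t in self.grants:
                if g == grantor and t == table and grantee not in held:
                    held.add(grantee)
                    frontier.append(grantee)
        return held

    def grant(self, grantor, grantee, table):
        """GRANT: the Security Manager checks that the grantor really holds the privilege."""
        if grantor not in self.holders(table):
            raise PermissionError(f"{grantor} does not hold privileges on {table}")
        self.grants.add((grantor, grantee, table))

    def revoke(self, grantor, grantee, table):
        """REVOKE with cascade: drop the grant, then every grant on the table whose grantor
        is no longer linked to a root holder (this also clears mutually supporting cycles)."""
        self.grants.discard((grantor, grantee, table))
        alive = self.holders(table)
        self.grants = {(g, s, t) for (g, s, t) in self.grants if t != table or g in alive}

    def acl(self, table):
        """One column of the access matrix (access control list): who holds the table."""
        return sorted(self.holders(table))

    def capabilities(self, subject):
        """One row of the access matrix (capability list): which tables the subject holds."""
        return sorted(t for t in self.roots if subject in self.holders(t))


def figure_11_6():
    """Build the authorization graph of the chapter's Fig. 11.6."""
    sm = SecurityManager()
    for subject, tables in (("Brahma", "AB"), ("Vishnu", "BC"), ("Shiva", "CD")):
        for t in tables:
            sm.make_owner(subject, t)
    sm.grant("Brahma", "Saraswati", "A")
    sm.grant("Vishnu", "Saraswati", "B")
    sm.grant("Shiva", "Saraswati", "C")
    sm.grant("Vishnu", "Lakshmi", "C")
    sm.grant("Vishnu", "Parvati", "B")
    sm.grant("Vishnu", "Parvati", "C")
    sm.grant("Shiva", "Hanuman", "D")
    sm.grant("Saraswati", "Krishna", "A")
    sm.grant("Saraswati", "Krishna", "C")
    sm.grant("Lakshmi", "Krishna", "C")
    sm.grant("Parvati", "Krishna", "B")
    return sm


def revoke_parvati(sm):
    """The chapter's question: what happens when Vishnu revokes Parvati's privileges?"""
    sm.revoke("Vishnu", "Parvati", "B")
    sm.revoke("Vishnu", "Parvati", "C")
    return sm


if __name__ == "__main__":
    sm = figure_11_6()
    print("Krishna before:", sm.capabilities("Krishna"))  # ['A', 'B', 'C']
    revoke_parvati(sm)
    # B is lost because Krishna's only grant on B came from Parvati; C survives
    # because Saraswati and Lakshmi still hold it.
    print("Krishna after: ", sm.capabilities("Krishna"))  # ['A', 'C']
```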
SQL allows privileges to be granted for SELECT as well as other operations, for example:

SELECT—this provides rights to read any part of the given table.
INSERT—this provides rights to the user specified to insert [illegible]

Some simple examples of GRANT and REVOKE are given below in Fig. 11.8. It is also possible to GRANT ALL PRIVILEGES. SQL does not allow privileges to be granted to CREATE, ALTER and DROP a table since these privileges are retained by the owner of the table. They can only be granted by the system administrator. Privileges may be REVOKED as shown in Fig. 11.9. As noted earlier, a REVOKE command may result in withdrawal of privileges from other users who have been granted privileges by these two users Vishnu and Ganesh, unless those users have been granted similar privileges by some other users as well. This is illustrated in Fig. 11.6.

GRANT SELECT ON Player TO Shiva
GRANT INSERT ON Match TO Krishna
GRANT DELETE ON Batting TO Parvati
GRANT UPDATE ON Bowling TO Lakshmi
REVOKE SELECT ON Match FROM Natrajan

Figure 11.8 Examples of GRANT and REVOKE commands

REVOKE ALL PRIVILEGES ON Player
FROM Ganesh, Vishnu

Figure 11.9 Another example of the REVOKE command

A major weakness of discretionary access control is that it relies on each user to understand the security issues when they pass on privileges to other users. A clever user may persuade another user who has authorizations for a more sensitive part of the database to pass on his authorization to him/her, thereby gaining access to information that he/she was not supposed to have. Nondiscretionary access control overcomes this weakness by not allowing discretion to any person in the enterprise to grant privileges to others.

11.4.2 Using the SQL View Mechanism

Another useful DAC security mechanism is to provide each user with a tailor-made view (or views) of the database and restrict his/her access to the database through these views. Although the view mechanism allows data to be hidden (including data based on values), we still require control on who is allowed to write into the database through their view. This can be done by using GRANT and REVOKE commands. Consider the following two views that may be appropriate for some users.

Figure 11.10 is a view about Indian players. Figure 11.11 presents another view; this is about batting information of Indian players.

DEFINE VIEW IPlayers AS
SELECT PID, FName, LName
FROM Player
WHERE [illegible]

Figure 11.10 A view of Indian players

DEFINE VIEW IBatting AS
SELECT PID, MID, NRuns
FROM Batting
WHERE PID IN
  (SELECT PID
   FROM Player
   WHERE C[illegible])

Figure 11.11 A view of batting information of Indian players

Privileges may now be granted on these views as shown in Fig. 11.12.

GRANT ALL PRIVILEGES ON IPlayers TO Durga
GRANT SELECT ON IBatting TO Bali

Figure 11.12 Granting privileges on views

The first view is about players from India; the information is made available to users that need it. The second view allows users to access batting information for the Indian players. Users granted privileges on any views must hold privileges on the tables used in the views.

The view approach is flexible and allows access control to be defined at a level of description close to the [illegible]. Views allow enforcement of data-dependent policies. It is easy to control read access through [illegible] the granularity of a table. A view is a program and it is possible to control its invocation. Write controls are complicated and slow.

We now discuss a very different approach to authorization, the nondiscretionary mandatory control.

11.4.3 Nondiscretionary Control—Mandatory Control Model

In contrast to the need-to-access basis of the discretionary policy, in which the owner of a table or the database administrator is able to grant access permissions to others, the nondiscretionary or mandatory access control (MAC) policy involves system-wide policies based on regulations of an enterprise's central authority that do not allow any discretion to any user, including table owners and supervisors. The most commonly used MAC is the multilevel MAC policy, discussed in more detail later.

It is based on classifications of both users (called the subjects) and objects in the database system. Each subject is then authorized to access all objects that have a classification that is lower than or equal to his/her classification. Briefly, mandatory control involves assigning each database object a security classification and each user or subject a security clearance. The classifications may be like those used in the military, as shown in Fig. 11.13. They may range from unclassified (anyone can see them), through confidential to secret and finally top secret. Each subject is [illegible]. Given a set of rules decided by the enterprise, the system automatically decides what a subject might or might not access.

Figure 11.13 A typical classification of database objects

The multilevel model is commonly called the Bell-LaPadula model, since David Bell and Len LaPadula created the model in 1973 in response to the US Air Force's concerns over the security of time sharing computer systems. It is possible to combine the discretionary access control technique with the mandatory control to enforce additional restrictions, but all users must still follow the basic rules of the mandatory control policies.

Multilevel Bell-LaPadula Model

The multilevel Bell-LaPadula model is an example of the mandatory control policy, and the model is similar to what is commonly used in security organizations and some industrial organizations. As noted above, basic to such a mandatory security model is a set of access classes or security levels that represent the classifications associated with the objects in the database, as shown in Fig. 11.13, and a set of clearances associated with the subjects of the database. Every data object in the database is assigned an access class and each user is assigned a clearance. These clearance classes could be unclassified, confidential, secret and top secret as shown in Fig. 11.13, or they could be denoted as class 1, 2, ..., 10, where class 1 is the lowest and 10 the highest. For example, class 10 could be top secret in military terms and clearance 10 could be the top secret security clearance. Bell and LaPadula (BLP) gave a formal model of multilevel security. This model enforces the policy that information cannot leak to subjects who are not cleared for the information.

The access classes associated with the data items have a partial ordering associated with them. Let the classes be Ci, i = 1, 2, ..., n, where if for any two classes Ci > Cj, then class Ci is said to dominate Cj. To access data in the database, the subject's clearance must dominate the access class of the object. For example, if a subject has a clearance S and a data object has class O, then the subject may access the data object as long as S ≥ O. The Bell-LaPadula model imposes the following two conditions:

+ No Read Up—A subject S may read object O only if level(O) ≤ level(S). As noted above, subjects are not allowed to read up.
+ No Write Down—A subject S may write object O only if level(S) ≤ level(O). In other words, a subject may not write down.

The second condition may appear counter-intuitive, but the rationale is to ensure that a subject with higher level security information does not write information into a lower level security object. For example, consider two subjects S and R, with S having a lower level clearance. If R reads an object O which S is not allowed to read and then writes it as object P at a lower level which S is able to read, sensitive information may leak through P. A subject must never be able to learn information about some highly-labeled object O by reading another low-labeled object P.

A direct implementation of such a system allows the author of a top secret report to retrieve information entered by subjects operating at secret or confidential and merge it with top secret information.

According to the Oxford Dictionary, a Trojan horse is "something intended to [illegible]".

Figure 11.14 Illustrating BLP model rules (levels shown: Secret, Confidential; subject clearance = confidential)

For example, consider what would happen if an attacker inserts a macro function with a Trojan horse capability into a word processing file. The attacker has stored the macro function in a confidential file and has told a top secret subject to examine the file. When the subject opens the confidential file, the macro function starts running and copies files from the top secret subject's directory into confidential files belonging to the attacker.

We now discuss weaknesses of the mandatory control model. First, researchers and system developers have found it to be extremely difficult, and perhaps impossible, to completely prevent information flow between different security levels in the MAC system. Furthermore, it has been reported that the end user community has found a number of cases where the BLP model did not entirely satisfy their operational and security needs. A second serious problem is the virus threat, because the MAC system does not prevent a virus introduced at a lower clearance level from propagating into higher clearance levels.

Furthermore, the rules of the Bell-LaPadula model allow 'blind writes'. Subjects can 'write up' and not be able to 'read back' what they have written. Therefore, a subject unsuitable for reading an object is permitted to make changes to that object. One solution to this problem is to insist that writes be restricted to the same level as the subject, allowing a subject to write and read what he/she has written. However, this approach is not satisfactory since it does not allow [illegible]. [illegible] it may be necessary to either treat each attribute as a data object with its [illegible] as a data object. The latter would of course result in fairly high [illegible] cardinality.
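The two BLP conditions, the same-level write restriction suggested for blind writes, and the macro scenario above, as an added example that is not code from the textbook. The level ordering follows Fig. 11.13; the file names, the subject name and the reference-monitor class are the example's own.

```python
"""Bell-LaPadula reference monitor (added example, not from the textbook).

Levels are totally ordered as in Fig. 11.13. read() enforces No Read Up and
write() enforces No Write Down; with strict_writes=True a subject may write
only at its own level, the tightening the text proposes for 'blind writes'.
trojan_horse() replays the macro scenario: the macro runs with the top
secret subject's clearance, so its attempt to copy into a confidential file
is refused by the write check.
"""
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class ReferenceMonitor:
    def __init__(self, strict_writes=False):
        self.strict_writes = strict_writes   # write only at own level
        self.objects = {}                    # name -> (level, contents)
        self.log = []                        # (subject, op, object, decision)

    def create(self, name, level, contents=""):
        self.objects[name] = (level, contents)

    def _decide(self, subject, op, name, allowed):
        self.log.append((subject, op, name, "ALLOW" if allowed else "DENY"))
        return allowed

    def read(self, subject, clearance, name):
        level, contents = self.objects[name]
        # No Read Up: level(O) <= level(S)
        if not self._decide(subject, "read", name, level <= clearance):
            raise PermissionError(f"{subject} may not read up into {name}")
        return contents

    def write(self, subject, clearance, name, data):
        level, _ = self.objects[name]
        # No Write Down: level(S) <= level(O); strict variant: equal levels only
        ok = clearance == level if self.strict_writes else clearance <= level
        if not self._decide(subject, "write", name, ok):
            raise PermissionError(f"{subject} may not write down into {name}")
        self.objects[name] = (level, data)


def trojan_horse(strict=False):
    """A macro hidden in a confidential file runs as the top secret subject
    and tries to copy a top secret report into the attacker's confidential
    file. Returns (leaked, decision log)."""
    rm = ReferenceMonitor(strict_writes=strict)
    rm.create("report.doc", Level.TOP_SECRET, "TS: constructed contents")
    rm.create("memo.doc", Level.CONFIDENTIAL, "memo carrying the macro")
    rm.create("drop.doc", Level.CONFIDENTIAL, "")
    subj, clr = "analyst", Level.TOP_SECRET
    rm.read(subj, clr, "memo.doc")              # opening the memo is allowed
    secret = rm.read(subj, clr, "report.doc")   # reading own-level data too
    try:
        rm.write(subj, clr, "drop.doc", secret)  # refused: write down
        leaked = True
    except PermissionError:
        leaked = False
    return leaked, rm.log


def blind_write(strict=False):
    """A confidential subject writing up into a secret object: allowed by
    plain BLP (a blind write), refused when writes are kept at own level."""
    rm = ReferenceMonitor(strict_writes=strict)
    rm.create("plan.doc", Level.SECRET, "original")
    try:
        rm.write("clerk", Level.CONFIDENTIAL, "plan.doc", "overwritten")
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(trojan_horse()[0], blind_write(), blind_write(strict=True))
```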
Nevertheless, a table may contain data of different [illegible] to specify that a subject who does not have high enough clearance for [illegible] should have access to only part of the table. It may be possible to use a mechanism similar to that defining a different view for different classes of users.

In summary, mandatory access control mechanisms allow less flexible security controls than discretionary access control, but there is less need for an administrator in charge of the database to manage the controls on a day-to-day basis. A security system must be robust enough to resist determined attacks yet sufficiently economical so that it does not degrade the system performance. If a security system is too expensive (for example in terms of computer time) it will not be used except where the need justifies the cost.

11.4.4 Controlling Database Access in Oracle

Database security in Oracle is based on discretionary access control. A system of privileges is used, where a privilege is a permission to access some part of the database to a defined level.

Oracle uses a variety of authentication mechanisms for user authentication. These include authentication by the operating system, by a network service, and by the database system. Techniques are used to control the use of passwords; for example, an account is locked if the user fails to login to the system within a specified number of attempts. The database administrator is allowed to specify a lifetime for passwords, after which passwords expire. Password history is maintained so a user may not reuse a password for a specified amount of time. Passwords are checked for complexity; for example, it is required that a password include an alphabetic character, one numeric character, one punctuation mark, and differ from the previous password in at least three characters.

In Oracle, a privilege is a right to execute a particular type of SQL statement or to access another user's object.
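The password controls just listed (complexity, distance from the previous password, reuse history, lifetime and lockout), as an added example that is not Oracle's code or the textbook's. The thresholds, the reading of "differ in at least three characters" as a positional count, and the plaintext storage (a real system stores a salted hash) are this example's assumptions.

```python
"""Password controls of the kind the text attributes to Oracle (added
example, not Oracle's own code). Thresholds are assumed values; passwords
are kept in the clear only so the policy logic stays visible, a real system
stores a salted hash and compares hashes."""
import string
from datetime import datetime, timedelta

MAX_FAILED_LOGINS = 3                     # assumed lockout threshold
PASSWORD_LIFETIME = timedelta(days=90)    # assumed lifetime
HISTORY_SIZE = 5                          # assumed number of old passwords kept


def char_difference(old, new):
    """Positions at which the two passwords differ, plus the length
    difference. 'Differ by at least three characters' is assumed to mean
    this simple positional count."""
    common = min(len(old), len(new))
    diff = sum(1 for i in range(common) if old[i] != new[i])
    return diff + abs(len(old) - len(new))


def check_complexity(pw, previous=None):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if not any(c.isalpha() for c in pw):
        problems.append("needs an alphabetic character")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a numeric character")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a punctuation mark")
    if previous is not None and char_difference(previous, pw) < 3:
        problems.append("must differ from previous password in 3 characters")
    return problems


class Account:
    def __init__(self, name, password, now):
        self.name = name
        self.password = password
        self.history = [password]   # most recent passwords, oldest first
        self.set_at = now
        self.failed = 0
        self.locked = False

    def change_password(self, new, now):
        if new in self.history:
            return ["password was used recently"]
        problems = check_complexity(new, previous=self.password)
        if problems:
            return problems
        self.password = new
        self.history = (self.history + [new])[-HISTORY_SIZE:]
        self.set_at = now
        return []

    def login(self, attempt, now):
        """Return 'ok', 'expired', 'locked' or 'bad password'."""
        if self.locked:
            return "locked"
        if attempt != self.password:
            self.failed += 1
            if self.failed >= MAX_FAILED_LOGINS:
                self.locked = True          # lock after repeated failures
            return "bad password"
        self.failed = 0
        if now - self.set_at > PASSWORD_LIFETIME:
            return "expired"
        return "ok"


def demo():
    """Constructed scenario: a reuse attempt, a valid change, three failed
    logins leading to lockout, and an expired password on another account."""
    now = datetime(2024, 1, 1)
    a = Account("ganesh", "Old1!pass", now)
    out = {"reuse": a.change_password("Old1!pass", now),
           "change": a.change_password("New7#word", now)}
    out["attempts"] = [a.login("wrong", now) for _ in range(3)]
    out["after_lock"] = a.login("New7#word", now)
    b = Account("shiva", "Abc1!xyz", now)
    out["stale"] = b.login("Abc1!xyz", now + timedelta(days=91))
    return out


if __name__ == "__main__":
    print(demo())
```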
The privileges include the right to retrieve information from another person's table or to execute another person's procedure. A user may grant privileges to other users. Privileges may include system privileges, which can only be granted by users that have been granted ADMIN OPTION. There are over 60 system privileges, which include privileges such as that to delete a specified row from a specified table in the database. Oracle also has a concept of role, in which a group of privileges may be granted to another user. This is often useful in reducing the security administration work involved in granting similar privileges to many users.

11.5 SECURITY OF STATISTICAL DATABASES

The primary reason for creating statistical databases is to supply statistical or aggregate information about groups of individuals to users without revealing confidential information about any individual. [illegible] a census database maintained by the Bureau of Statistics is designed [illegible] various [illegible]. Such a database normally would have stripped all the personal information [illegible] expected to allow any personally identifiable information [illegible]. [illegible] user, there is little need to worry about the security of such information. We will now show that it may be easy to derive personal information from summaries of statistical information.

[illegible] the confidentiality of personal information in a statistical database, statistical inference controls [illegible]. A compromise of a statistical database must be defined in relative terms. It is generally accepted that an estimate of the salary of an individual that is in error by more than, say, 50% will probably not be considered a compromise. For example, an estimate of Rs. 15,000 for a salary of Rs. 30,000 could not really be considered a compromise, while an estimate of Rs. 85,000 for a salary of Rs. 100,000 might be. If a statistical database allows arbitrary queries, then it is possible that if we know sufficient information about an individual, we will be able to pose one or more queries that will retrieve information about that person.

Positively Compromised and Negatively Compromised

A database is said to be positively compromised if someone is able to derive a value of a particular data item. It is negatively compromised if someone is able to find that a data item does not have a particular value.

Positive Compromise

For example, consider a query given in Fig. 11.15 that finds the number of people in New Delhi earning more than Rupees one crore and the average tax that they pay. We assume the census data is available in a table Census.

SELECT COUNT(*), AVG(Tax)
FROM Census
WHERE Income > 1,00,00,000
AND City = 'New Delhi'

Figure 11.15 A query leading to positive compromise

Let us assume that the query results in 1 and 750,000, that is, there is only one person in New Delhi with such a high income, and the person paid tax of Rs. 750,000. We have therefore learned the tax paid by the only person that qualified. The security of the database and the privacy of that person (whose name is not revealed) therefore have been compromised.

Negative Compromise

The query in Fig. 11.16 illustrates that a query may lead to a negative compromise if the result of the query is zero.

SELECT COUNT(*), AVG(Tax)
FROM Census
WHERE Income > 1,00,00,000
AND [illegible]

Figure 11.16 A query leading to negative compromise

Let us assume that the query returns a null result. It is now [illegible] earning more than one crore rupees did not [illegible] more than ten lakhs in tax. It does not tell us a lot [illegible] of people earning that amount.

To show that restricting the number of people retrieved by a query does not work, let us assume that we believe that only one person in New Delhi has an income of more than one crore. We will now pose two queries that retrieve information about more than one individual and infer the tax paid by the person earning more than one crore. We first obtain the number of people in New Delhi and the average tax paid by them if they had an income of more than ninety lakhs, as shown in Fig. 11.17.

SELECT COUNT(*), AVG(Tax)
FROM Census
WHERE Income > 90,00,000
AND City = 'New Delhi'

Figure 11.17 First query to illustrate that restricting the number of rows does not work

Suppose we find that the result is 51 and 500,000. That is, there are 51 people with an income of more than 90 lakhs, and they pay on average a tax of five lakhs. We know that 50 of the 51 individuals are earning below one crore, since we suspect only one person has an income of more than one crore.

Suppose we now pose a query to find the number of people and their average tax if their income is more than 90 lakhs and less than one crore. This query is presented in Fig. 11.18.

SELECT COUNT(*), AVG(Tax)
FROM Census
WHERE Income > 90,00,000
AND Income < 1,00,00,000
AND City = 'New Delhi'

Figure 11.18 Second query to illustrate that restricting the number of rows does not work

Let us assume that we now find that the result of the query in Fig. 11.18 is 50 and 500,000. That is, there are 50 people with an income greater than 90 lakhs and less than one crore. For convenience we have assumed both average tax figures to be five lakhs, which means the person earning more than one crore also paid tax of only five lakhs. If the two values of average tax were 5,00,000 and 5,00,100, then we can deduce the tax paid by the one person with an income of one crore or more. The total tax of the 51 people works out to be 51 × 5,00,000 = 2,55,00,000; subtracting from it the total tax paid by the 50 people retrieved by the query in Fig. 11.18, which is 50 × 5,00,100 = 2,50,05,000, we obtain the figure Rs. 4,95,000.

One may of course suggest other restrictions on the queries, for example, no query should retrieve information about less than w rows or more than n − w rows, since it is desirable to exclude queries on a large number of individuals close to the size of the database as well. We assume n is the total number of individuals. We now define the concept of suitable queries.

Definition—Suitable Queries

Queries whose set size falls between (w, n − w) are sometimes called suitable queries.

Suitable queries also do not prevent compromise, as illustrated ahead. We first define what is meant by a characteristic formula. [The definition is not legible in the scan.] Another term which is used in this context is query set. It can be defined as follows.

Definition—Query Set

The set of records that satisfy a characteristic formula is called a query set.

Tracker

A tracker is now defined as a set of auxiliary attributes which are added to the original query. These attributes enable the user to pad the query set so that a query can be formulated to return a set larger than that which the original query would have returned; the query may then be suitable, and therefore answerable. The effect of the auxiliary characteristics can then be subtracted and the answer to the original query may be obtained. We now define the term individual tracker.

Individual Tracker

Usually, if a condition p identifies a single individual in a statistical database and p can be written as p1 and p2, then p1 and not(p2) is called a tracker, since it lets us track down information on the person we are interested in. For example, Income > 1,00,00,000 and NOT(City = 'Mumbai') is called an individual tracker.

Another Example of Tracking

The idea is to find two queries such that one retrieves information about p individuals and another about [illegible]. Let us assume that an attacker knows that there is a person who has the following attributes:

1. Gender = Male
2. Age < 40
3. Marital status = Married
4. Income > 1,00,00,000

Taking the third condition as p2 and the remaining conditions [illegible] results in identifying only one [illegible].

SELECT COUNT(*), AVG(Tax)
FROM Census
WHERE Sex = 'M'
AND Age < 40
AND Status = 'Married'
AND Income > 1,00,00,000

Figure 11.19 An example of an individual tracker

SELECT COUNT(*), AVG(Tax)
FROM Census
WHERE Sex = 'M'
AND City <> 'Mumbai'
AND Age < 40
AND Status = 'Married'
AND Income > 1,00,00,000

Figure 11.20 An example of an individual tracker

We will not discuss compromise in statistical databases any further. A reader interested in further study on this topic may refer to the bibliography at the end of the chapter.
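The query-set-size control and the two-query deduction of Figs. 11.17 and 11.18, as an added example that is not code from the textbook: a small statistical query interface that refuses unsuitable queries, run against a constructed Census table whose figures reproduce the text's 51/50 case, so a DBA can see that the size control alone does not stop this deduction. The Census rows, w, and the class and function names are constructed for the example.

```python
"""Statistical database with a query-set-size control (added example, not
from the textbook). StatDB answers COUNT/AVG over a constructed Census
table but refuses queries whose query set has fewer than w or more than
n - w rows, the 'suitable query' rule. two_query_deduction() replays the
pair of queries from Figs. 11.17 and 11.18 to show that this control alone
does not prevent a positive compromise.
"""
from dataclasses import dataclass


@dataclass
class Person:
    name: str
    city: str
    income: int   # rupees
    tax: int      # rupees


class StatDB:
    def __init__(self, rows, w):
        self.rows = rows
        self.w = w   # a query set must have more than w and fewer than n - w rows

    def query(self, pred):
        """Return (count, average tax), or None if the query is not suitable."""
        qs = [r for r in self.rows if pred(r)]
        n = len(self.rows)
        if not (self.w < len(qs) < n - self.w):
            return None
        return len(qs), sum(r.tax for r in qs) / len(qs)


def constructed_census():
    """Constructed data: 50 New Delhi residents earning between 90 lakhs and
    one crore (tax 5,00,100 each), one New Delhi resident earning above a
    crore (tax 4,95,000), and 100 others elsewhere. The averages come out
    exactly as in the text: 5,00,000 over 51 people, 5,00,100 over 50."""
    rows = [Person(f"d{i}", "New Delhi", 95_00_000, 5_00_100) for i in range(50)]
    rows.append(Person("target", "New Delhi", 1_20_00_000, 4_95_000))
    rows += [Person(f"m{i}", "Mumbai", 8_00_000, 50_000) for i in range(100)]
    return rows


def two_query_deduction(db):
    """Two suitable queries whose query sets differ by exactly one person.
    Returns the tax of that person, or None if the control blocked a query
    or the sets do not differ by one."""
    crore = 1_00_00_000
    q1 = db.query(lambda r: r.city == "New Delhi" and r.income > 90_00_000)
    q2 = db.query(lambda r: r.city == "New Delhi"
                  and 90_00_000 < r.income < crore)
    if q1 is None or q2 is None:
        return None
    (n1, avg1), (n2, avg2) = q1, q2
    if n1 - n2 != 1:
        return None
    # total tax of the larger set minus total tax of the smaller set
    return round(n1 * avg1 - n2 * avg2)


if __name__ == "__main__":
    db = StatDB(constructed_census(), w=5)
    print(db.query(lambda r: r.income > 1_00_00_000))   # None: query set of size 1
    print(two_query_deduction(db))                       # 495000
```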
11.6 AUDIT POLICY

An effective tool in database security is the maintenance of an audit trail. An audit trail is a record of every transaction that has been executed in a database system. An audit trail usually includes the transaction, the access operations carried out by the transaction and the identification of the user who executed the transaction. Automated recording of at least all sensitive and/or unusual database transactions should be part of any database deployment. A weak database audit policy represents a serious organizational security risk. In case of suspicion or detection of a database security violation, the audit trail may be analyzed to find the identity of the violator. The knowledge that an audit trail is maintained often deters violators from breaching a system's security. The data generated by an audit trail is very large and effective management of such data is necessary. The large amount of data generated by a busy database system often makes it expensive to analyze the audit trail, and this suggests that some method of selective auditing or selective recording should be considered. We do not discuss these problems any further.

Auditing is generally used for the following:

+ Future accountability of current actions on the database.
+ Investigations of suspicious activity (for example, some years ago a person working on police computer systems in New Zealand tried to access drug-related records of a friend. He was discovered when a routine audit of the police database activities was carried out).
+ Gathering statistics about database activity which can be used for tuning the database.
+ Auditing one single user, all the users or a group of users.

Audit records include a variety of information, normally including the following:

(a) Login, logoff to the database—The username, date and time of the day, client IP from where the connection is originating. Failed logins also need to be logged and monitored.
(b) During database usage—Which application is being used, what information was [illegible], what was updated? If data was updated, old and new values may need to be saved.
(c) Data definition usage—What tables were created and what were dropped, if any? What other DDL statements, if any, were executed?
(d) What errors, if any, occurred during the time the user was logged in?
(e) Were some integrity constraints changed? Were some security settings changed?
(f) Confidential data—Was some sensitive data accessed? What database objects were accessed?

When database auditing is enabled, an audit record including items like those listed above is [illegible] the execution phase of each statement execution. Often a database audit mechanism [illegible] will consume a large amount of CPU and disk resources. The performance decline [illegible] when audit is enabled may force an enterprise to scale back or altogether eliminate auditing.

[illegible] introduced the concepts of database auditing. A reader interested in further information should [illegible].

11.7 SECURITY OF INTERNET APPLICATIONS AND ENCRYPTION

Further challenges must be faced when a database is being accessed via the Internet. The Internet is a public network, and security risks can expose passwords, accounts, and personal information to unauthorized individuals. In the age of electronic commerce and electronic banking much confidential information, for example credit card numbers, is communicated via the Internet. Security of such communications is obviously important. Encryption of the data is often used to ensure security. We first define encryption.
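The audit record fields listed above and two uses of the trail the text names (investigating suspicious activity, and selective recording to limit volume), as an added example that is not code from the textbook. The audit lines, the set of sensitive objects and the failed-login threshold are constructed for the example.

```python
"""Audit trail records and a first-pass review (added example, not from the
textbook). Each record carries user, time, client IP, the statement class,
the object touched and old/new values, the items listed in (a) to (f).
review() flags failed logins repeated from one client, DDL on any table,
changes to security settings and access to objects marked sensitive;
select_for_retention() keeps only the records worth storing long-term, the
selective recording the text suggests. All audit lines are constructed."""
from collections import Counter

SENSITIVE_OBJECTS = {"Census", "Salary"}    # assumed list of sensitive tables
FAILED_LOGIN_LIMIT = 3                      # assumed threshold

# constructed audit records: (user, time, client_ip, event, object, old, new)
AUDIT_TRAIL = [
    ("ganesh", "09:00:01", "10.0.0.5", "LOGIN_FAIL", None, None, None),
    ("ganesh", "09:00:09", "10.0.0.5", "LOGIN_FAIL", None, None, None),
    ("ganesh", "09:00:15", "10.0.0.5", "LOGIN_FAIL", None, None, None),
    ("ganesh", "09:00:30", "10.0.0.5", "LOGIN", None, None, None),
    ("ganesh", "09:01:00", "10.0.0.5", "SELECT", "Player", None, None),
    ("ganesh", "09:02:10", "10.0.0.5", "SELECT", "Census", None, None),
    ("shiva",  "09:05:00", "10.0.0.9", "LOGIN", None, None, None),
    ("shiva",  "09:05:40", "10.0.0.9", "UPDATE", "Player", "Dhoni", "Dhoni M"),
    ("shiva",  "09:06:02", "10.0.0.9", "DROP TABLE", "Bowling", None, None),
    ("shiva",  "09:07:00", "10.0.0.9", "GRANT", "Census", None, "SELECT->bali"),
    ("shiva",  "09:08:00", "10.0.0.9", "LOGOFF", None, None, None),
]

DDL = {"CREATE TABLE", "ALTER TABLE", "DROP TABLE"}
SECURITY = {"GRANT", "REVOKE", "ALTER USER"}


def review(trail):
    """Return a list of (kind, user, detail) findings for an investigator."""
    findings = []
    fails = Counter((u, ip) for u, _, ip, ev, *_ in trail if ev == "LOGIN_FAIL")
    for (u, ip), k in fails.items():
        if k >= FAILED_LOGIN_LIMIT:
            findings.append(("repeated_failed_logins", u, f"{k} from {ip}"))
    for u, t, ip, ev, obj, old, new in trail:
        if ev in DDL:
            findings.append(("ddl", u, f"{ev} {obj} at {t}"))
        elif ev in SECURITY:
            findings.append(("security_setting_changed", u, f"{ev} {obj} {new}"))
        elif obj in SENSITIVE_OBJECTS:
            findings.append(("sensitive_access", u, f"{ev} {obj} at {t}"))
    return findings


def select_for_retention(trail):
    """Keep logins, logoffs and failures, DDL, security changes, updates
    (which carry old and new values) and anything touching a sensitive
    object; drop routine reads of ordinary tables."""
    keep = []
    for rec in trail:
        u, t, ip, ev, obj, old, new = rec
        if (ev.startswith("LOG") or ev in DDL or ev in SECURITY
                or old is not None or obj in SENSITIVE_OBJECTS):
            keep.append(rec)
    return keep


if __name__ == "__main__":
    for f in review(AUDIT_TRAIL):
        print(f)
    print(len(AUDIT_TRAIL), "records,", len(select_for_retention(AUDIT_TRAIL)), "kept")
```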
Definition—Encryption

Encryption is the process of transforming information using a key and a mathematical algorithm so that the coded information is unintelligible to an unauthorized reader.

An encryption algorithm is a mathematical algorithm that helps in maintaining secure data in an insecure environment like the Internet. The encryption approach involves scrambling a message using an encryption algorithm and a key value, so that the only person (or device) that can read the message is the one having the corresponding key. Therefore, it cannot be read by an unauthorized person.

Encryption transforms given data (called clear text) into a new, unrecognizable encrypted data set using an encryption key, which may be created randomly or transformed from a password. The original data [illegible] from the encrypted data without the knowledge of a corresponding [illegible]