Chapter 2

Database Security
Introduction
Data is a valuable resource that must be strictly controlled and managed. Database
security is the mechanisms that protect the database against intentional or
accidental threats. A threat means any situation or event whether intentional or
accidental that may adversely affect the organization.

Database Security Issues

Database security is a broad area that addresses many issues, such as
 Legal and ethical issues regarding the right to access certain information
For example, some information may be deemed to be private and cannot be accessed
legally by unauthorized organizations or persons.
 Policy issues at the governmental, institutional, or corporate level makes sure what
kinds of information should not be made publicly available and what to be made
available
For example, personal medical records, bank account statement etc..
 System-related issues such as the system levels at which various security functions
should be enforced
For example, whether a security function should be handled at the physical hardware
level, the operating system level, or the DBMS level.
 Identify multiple security levels and to categorize the data and users based on these
classifications
For example, top secret, secret, confidential, and unclassified. The security policy of
the organization with respect to permitting access to various classifications of data
must be enforced.

Threats to Databases
Threats to databases can result in the loss or degradation of some or all of the following
commonly accepted security goals: integrity, availability and confidentiality.
 Loss of integrity. Database integrity refers to the requirement that information be
protected from improper modification. Integrity is lost if unauthorized changes are
made to the data by either intentional or accidental acts. If the loss of system or data
integrity is not corrected, continued use of the contaminated system or corrupted data
could result in inaccuracy, fraud, or erroneous decisions.
 Loss of availability. Database availability refers to making objects available to a
human user or a program to which they have a legitimate right.
 Loss of confidentiality. Database confidentiality refers to the protection of data
from unauthorized disclosure. Unauthorized, unanticipated, or unintentional
disclosure could result in loss of public confidence, embarrassment, or legal action
against the organization.

Database Security & Authorization Subsystem

A DBMS typically includes a database security and authorization subsystem that is
responsible for ensuring the security of portions of a database (especially in a multiuser
database system) against unauthorized access. Two types of database security
mechanisms:
 Discretionary security mechanisms. These are used to grant privileges to users,
including the capability to access specific data files, records, or fields in a specified
mode (such as read, insert, delete, or update).
 Mandatory security mechanisms. These are used to enforce multilevel security
by classifying the data and users into various security classes (or levels) and then
implementing the appropriate security policy of the organization. For example, a

Page 1
 typical security policy is to permit users at a certain classification (or clearance) level
to see only the data items classified at the user’s own (or lower) classification level.
An extension of this is role-based security, which enforces policies and privileges
based on the concept of organizational roles.
Control Measures
To protect databases against these types of threats, it is common to implement four kinds
of control measures:
1. Access control
2. Inference control
3. Flow control
4. Encryption.

1. Access control
A security problem common to computer systems is that of preventing
unauthorized persons from accessing the system itself, either to obtain information or
to make malicious changes in a portion of the database. The security mechanism of a
DBMS must include provisions for restricting access to the database system as a
whole. This function, called access control, is handled by creating user accounts and
passwords to control the login process by the DBMS.

2. Inference Control
The security problem associated with databases is that of controlling the access to
a statistical database, which is used to provide statistical information or summaries of
values based on various criteria. The countermeasure to statistical database security
problem is called inference control measures.

3. Flow Control
Another security is that of flow control, which prevents information from flowing
in such a way that it reaches unauthorized users. Channels that are pathways for
information to flow implicitly in ways that violate the security policy of an
organization are called covert channels.

4. Data Encryption
A final security issue is data encryption, which is used to protect sensitive data
(such as credit card numbers) that is being transmitted via some type communication
network. The data is encoded using some encoding algorithm.
An unauthorized user who access encoded data will have difficulty deciphering it,
but authorized users are given decoding or decrypting algorithms (or keys) to
decipher data.

Database Security and the DBA

The database administrator (DBA) is the central authority for managing a database
system. The DBA has a DBA account in the DBMS, sometimes called a system or
superuser account, which provides powerful capabilities that are not made available to
regular database accounts and users. DBA-privileged commands include commands
for performing the following types of actions:
– Action 1: Account creation. This action creates a new account and password for
a user or a group of users to enable access to the DBMS.
– Action 2: Privilege granting. This action permits the DBA to grant certain
privileges to certain accounts.
– Action 3: Privilege revocation. This action permits the DBA to revoke (cancel)
certain privileges that were previously given to certain accounts.
– Action 4: Security level assignment. This action consists of assigning user
accounts to the appropriate security clearance level.

Page 2
The DBA is responsible for the overall security of the database system. Action 1 in the
preceding list is used to control access to the DBMS as a whole, whereas actions 2 and 3
are used to control discretionary database authorization, and action 4 is used to control
mandatory authorization.
User Accounts:
 Whenever a person or a group of persons needs to access a database system, the
individual or group must first apply for a user account.
 The DBA will then create a new account number and password for the user if
there is a legitimate need to access the database.
 Database users and their accounts and passwords are kept by creating an
encrypted table or file by the DBMS. Whenever a new account is created, a new
record is inserted into the table. When an account is cancelled, the corresponding
record must be deleted from the table.
 The user must log in to the DBMS by entering the account number and password
whenever database access is needed.
 The DBMS checks that the account number and password are valid; if they are,
the user is permitted to use the DBMS and to access the database.
 The database system keep track of all operations on the database that are applied
by a certain user throughout each login session, which consists of the sequence of
database interactions that a user performs from the time of logging into the time
of logging off in system log.
 System log also include the account number of the user and the online computer
or device ID that applied each operation recorded in the log.
 If any tampering with the database is suspected, a database audit is performed,
which consists of reviewing the log to examine all accesses and operations
applied to the database during a certain time period.
 Database audits are particularly important for sensitive databases that are updated
by many transactions and users, such as a banking database that is updated by
many bank tellers.

Database Audits: Reviewing the system log to examine all accesses and operations
applied to the database during a certain time period. When an illegal or unauthorized
operation is found, the DBA can determine the account number used to perform the
operation. Database audits are particularly important for sensitive databases that are
updated by many transactions and users, such as a banking database which is updated by
many bank tellers.
A database log that is used mainly for security purposes is sometimes called an audit
trail.

Data Administration &Database Administration

Data Administration: The management of the data resource, which includes database
planning, development and maintenance of standards, policies and procedures and
conceptual and logical database design.

Database Administration: The management of the physical realization of a database

system, which includes physical database design and implementation, setting security and

Page 3
integrity controls, monitoring system performance and reorganizing the database, as
necessary.
DATA ADMINISTRATION DATABASE ADMINISTRATION
Involved in strategic IS planning Evaluate new DBMS
Determine long term goals. Executes plan to achieve goals.
Enforce standards, policies and procedures Enforce standards, policies and procedures
Determines data requirements. Implement data requirements.
Develops conceptual & logical database Develops logical and physical database
design design
Develops and maintains data model Implements physical database design
Coordinates system development Monitors and controls database
Managerial orientation Technical orientation
DBMS-independent DBMS-dependent
Authorization Subsystem
 3 different authorization subsystems.
– Discretionary Access Control
– Mandatory Access Control
– Role Based Access Control

Discretionary Access Control Based on Granting and Revoking Privileges

Based on the granting and revoking of privileges. The main idea is to include statements
in the query language that allow the DBA and selected users to grant and revoke
privileges.

Types of Discretionary Privileges

The DBMS must provide selective access to each relation in the database based on
specific accounts. Operations may also be controlled; thus, having an account does not
necessarily entitle the account holder to all the functionality provided by the DBMS.

Informally, there are two levels for assigning privileges to use the database system:
 The account level - At this level, the DBA specifies the particular privileges that
each account holds independently of the relations in the database.
 The relation (or table) level- At this level, the DBA can control the privilege to
access each individual relation or view in the database.
 The privileges at the account level apply to the capabilities provided to the account
itself and can include the CREATE SCHEMA or CREATE TABLE privilege, to
create a schema or base relation; the CREATE VIEW privilege; the ALTER
privilege, to apply schema changes such as adding or removing attributes from
relations; the DROP privilege, to delete relations or views; the MODIFY privilege, to
insert, delete, or update tuples; and the SELECT privilege, to retrieve information
from the database by using a SELECT query. Notice that these account privileges
apply to the account in general.
 The second level of privileges applies to the relation level, whether they are base
relations or virtual (view) relations. Privileges at the relation level specify for each
user the individual relations on which each type of command can be applied. Some
privileges also refer to individual columns (attributes) of relations.
 The granting and revoking of privileges generally follow an authorization model for
discretionary privileges known as the access matrix model, where the rows of a
matrix M represent subjects (users, accounts, programs) and the columns represent
objects (relations, records, columns, views, operations). Each position M(i, j) in the
matrix represents the types of privileges (read, write, update) that subject i holds on
object j.
 The owner of a relation is given all privileges on that relation.

Page 4
 The owner account holder can pass privileges on any of the owned relations to other
users by granting privileges to their accounts. In SQL a GRANT command is
included for the purpose of granting privileges.
 The mechanism of views is an important discretionary authorization mechanism in
its own right. For example, if the owner A of a relation R wants another account B to
be able to retrieve only some fields of R, then A can create a view V of R that includes
only those attributes and then grant SELECT on V to B.
 In some cases it is desirable to grant a privilege to a user temporarily. For example,
the owner of a relation may want to grant the SELECT privilege to a user for a
specific task and then revoke that privilege once the task is completed. In SQL a
REVOKE command is included for the purpose of cancelling privileges.
 Whenever the owner A of a relation R grants a privilege on R to another account B,
the privilege can be given to B with or without the GRANT OPTION. If the GRANT
OPTION is given, this means that B can also grant that privilege on R to other
accounts. In this way, privileges on R can propagate to other accounts without the
knowledge of the owner of R. If the owner account A now revokes the privilege
granted to B, all the privileges that B propagated based on that privilege should
automatically be revoked by the system.
 The UPDATE and INSERT privileges can specify particular attributes that may be
updated or inserted in a relation. Other privileges (SELECT, DELETE) are not
attribute specific, because this specificity can easily be controlled by creating the
appropriate views that include only the desired attributes and granting the
corresponding privileges on the views. However, because updating views is not
always possible the UPDATE and INSERT privileges are given the option to specify
the particular attributes of a base relation that may be updated.

Example:
Assume DBA creates four user accounts: A1, A2, A3, A4.

1. DBA allow A1 to create table /relations.

GRANT Create Table To A1; (Account Privilege)
Assume A1 creates Employee and Department table and hence has all the
privileges on each of them.

2. Account A1 wants to grant to account A2 the privilege to insert and delete tuples
in both of these relations. However, A1 does not want A2 to be able to propagate
these privileges to additional accounts.
GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;

3. A1 wants to allow account A3 to retrieve information from either of the two tables
and also to be able to propagate the SELECT privilege to other accounts.
GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3
WITH GRANT OPTION;

4. A3 want to grant the SELECT privilege on the EMPLOYEE relation to A4.

GRANT SELECT ON EMPLOYEE TO A4;
Here A4 cannot propagate the SELECT privilege to other accounts.

5. A1 want to revoke the SELECT privilege on the EMPLOYEE relation from A3;
REVOKE SELECT ON EMPLOYEE FROM A3;
Here DBMS now revoke the SELECT privilege on EMPLOYEE from A3, and it
also automatically revokes the SELECT privilege on EMPLOYEE from A4.

6. Suppose that A1 wants to give to A3 a limited capability to SELECT only the

Name, Bdate, and Address attributes and only for the tuples with Dno = 5 from

Page 5
 the EMPLOYEE relation and wants to allow A3 to be able to propagate the
privilege. Concept of view also can be used.
A1 then can create the following view:
CREATE VIEW A3EMPLOYEE AS
SELECT Name, Bdate, Address
FROM EMPLOYEE
WHERE Dno = 5;
After the view is created, A1 can grant SELECT on the view A3EMPLOYEE
to A3 as follows:
GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT OPTION;

7. A1 wants to allow A4 to update only the Salary attribute of EMPLOYEE;

GRANT UPDATE ON EMPLOYEE (Salary) TO A4;

Page 6
Mandatory Access Control and Role-Based Access Control for Multilevel
Security

An additional security policy is used that classifies data and users based on security
classes. This approach, known as mandatory access control (MAC), would typically be
combined with the discretionary access control mechanisms. Some DBMS vendors—for
example, Oracle—have released special versions of their RDBMSs that incorporate
mandatory access control for government use.

Typical security classes are top secret (TS), secret (S), confidential (C), and unclassified
(U), where TS is the highest level and U the lowest. For simplicity, we will use the
system with four security classification levels, where TS ≥ S ≥ C ≥ U, to illustrate our
discussion.

Bell-LaPadula model, model for multilevel security, classifies each subject (user,
account, program) and object (relation, tuple, column, view, operation) into one of the
security classifications TS, S, C, or U. Clearance (classification) of a subject S is referred
to as class(S) and the classification of an object O as class(O).

Two restrictions are enforced on data access based on the subject/object classifications:
 A subject S is not allowed read access to an object O unless class(S) ≥class(O). This is
known as the simple security property.
 A subject S is not allowed to write an object O unless class(S) ≤ class(O). This is
known as the star property (or *-property).

To incorporate multilevel security notions into the relational database model, it is

common to consider attribute values and tuples as data objects. Hence, each attribute A is
associated with a classification attribute C in the schema, and each attribute value in a
tuple is associated with a corresponding security classification. A multilevel relation
schema R with n attributes would be represented as: R(A1, C1, A2, C2, ..., An, Cn, TC)
where each Ci represents the classification attribute associated with attribute Ai.

The apparent key of a multilevel relation is the set of attributes that would have formed
the primary key in a regular (single-level) relation.

 A multilevel relation will appear to contain different data to subjects (users) with
different clearance levels.
 In some cases, it is possible to store a single tuple in the relation at a higher
classification level and produce the corresponding tuples at a lower-level
classification through a process known as filtering.
 In other cases, it is necessary
to store two or more tuples at
different classification levels
with the same value for the
apparent key.

Illustraion :
In the Figure the classification
attribute values are displayed next to
each attribute’s value. Assume that
the Name attribute is the apparent
key, and consider the query
SELECT * FROM EMPLOYEE.
A user with security clearance S
would see

Page 7
the same relation shown in fig(a) since all tuple classifications are less than or equal to S.
A user with security clearance C would not be allowed to see the values for Salary of
‘Brown’ and Job_performance of ‘Smith’, since they have higher classification. The
tuples would be filtered to appear as shown in Figure (b) with Salary and
Job_performance appearing as null.
For a user with security clearance U, the filtering allows only the Name attribute of
‘Smith’ to appear, with all the other attributes appearing as null Thus, filtering introduces
null values for attribute values whose security classification is higher than the user’s
security clearance.

 In general, the entity integrity rule for multilevel relations states that all attributes
that are members of the apparent key must not be null and must have the same
security classification within each individual tuple.
 In addition, all other attribute values in the tuple must have a security classification
greater than or equal to that of the apparent key.
o This constraint ensures that a user can see the key if the user is permitted to see any
part of the tuple at all.
Role-Based Access Control
Its basic notion is that privileges and other permissions are associated with organizational
roles, rather than individual users. Individual users are then assigned to appropriate roles.
Roles can be created using the CREATE ROLE and DROP ROLE commands. The
GRANT and REVOKE commands can then be used to assign and revoke privileges from
roles, as well as for individual users when needed. For example, a company may have
roles such as sales account manager, purchasing agent, mailroom clerk, department
manager, and so on. Multiple individuals can be assigned to each role. Security privileges
that are common to a role are granted to the role name, and any individual assigned to
this role would automatically have those privileges granted. RBAC can be used with
traditional discretionary and mandatory access controls; it ensures that only authorized
users in their specified roles are given access to certain data or resources.

Role: is a named group of related privileges that can be granted to the user. This method
makes it easier to revoke and maintain privileges. A user can have access to several roles,
and several users can be assigned the same role. Roles are typically created for a database
application.
Creating and assigning Role:
First the DBA must create the role. Then the DBA can assign privileges and assign the
role to users.
Syntax : CREATE ROLE
Example:
To create a role: CREATE ROLE manager;
Grant privileges to role : GRANT CREATE TABLE, CREATE VIEW TO MANAGER;
Grant role to users : GRANT MANAGER TO TOM (if TOM is a user)

Inference control

Statistical databases are used mainly to produce statistics about various populations. (A
population is a set of tuples of a relation (table) that satisfy some selection condition.)
Statistical users are not allowed to retrieve individual data, such as the income of a
specific person. Users are permitted to retrieve statistical information about the
populations, such as averages, sums, counts, maximums, minimums, and standard
deviations.

Consider the following relation ‘PERSON’.

Page 8
An SQL query with the condition Sex = ‘M’ specifies the male population; the condition
((Sex = ‘F’) AND (Last_degree = ‘M.S.’ OR Last_degree = ‘Ph.D.’)) specifies the female
population that has an M.S. or Ph.D.degree as their highest degree; and the condition City
= ‘Arbaminch’ specifies the population that lives in Arbaminch.

Statistical queries involve applying statistical functions to a population of tuples. In some

cases it is possible to infer the values of individual tuples from a sequence of statistical
queries. This is particularly true when the conditions result in a population
consisting of a small number of tuples.
As an illustration, consider the following statistical queries:
Q1: SELECT COUNT (*) FROM PERSON WHERE <condition>;
Q2: SELECT AVG (Income) FROM PERSONWHERE <condition>;

To find the Salary of ‘Netsanet’, and we know that she has a Ph.D. degree and that she
lives in the city of Arbaminch. We issue the statistical query Q1 with the following
condition: (Last_degree=‘Ph.D.’ AND Sex=‘F’ AND City=‘Arbaminch’). If we get a
result of 1 for this query, we can issue Q2 with the same condition and find the Salary of
Netsanet.
Even if the result of Q1 on the preceding condition is not 1 but is a small number—say 2
or 3—we can issue statistical queries using the functions MAX, MIN and AVERAGE to
identify the possible range of values for the Salary of ‘Netsanet’.

Statistical database security techniques

1. Must prohibit the retrieval of individual data if no statistical queries are permitted
whenever the number of tuples in the population specified by the selection
condition falls below some threshold.
2. Must prohibit queries that retrieve attribute values and allow queries that involve
statistical aggregate functions.
3. Must prohibit sequences of queries that refer repeatedly to the same population of
tuples.
4. Must introduce slight inaccuracies or noise into the results of statistical queries
deliberately, to make it difficult to deduce individual information from the results.

Flow Control

Flow control regulates the distribution or flow of information among accessible objects.
A flow between object X and object Y occurs when a program reads values from X and
writes values into Y. Flow controls check that information contained in some objects
does not flow explicitly or implicitly into less protected objects. Thus, a user cannot get
indirectly in Y what he or she cannot get directly in X. Most flow controls employ some
concept of security class; the transfer of information from a sender to a receiver is
allowed only if the receiver’s security class is at least as privileged as the sender’s.

 A flow policy specifies the channels along which information is allowed to move.
o The simplest flow policy specifies just two classes of information:
 confidential (C) and nonconfidential (N)
o and allows all flows except those from class C to class N.

Access control mechanisms are responsible for checking users’ authorizations for
resource access: Only granted operations are executed. Flow controls can be enforced by
an extended access control mechanism, which involves assigning a security class (usually

Page 9
called the clearance) to each running program. The program is allowed to read a
particular memory segment only if its security class is as high as that of the segment. It is
allowed to write in a segment only if its class is as low as that of the segment. This
automatically ensures that no information transmitted by the person can move from a
higher to a lower class. For example, a military program with a secret clearance can only
read from objects that are unclassified and confidential and can only write into objects
that are secret or top secret. In general, flow control mechanisms implement the controls
by assigning a label to each object and by specifying the security class of the object.
Labels are then used to verify the flow relations defined in the model.

Encryption
 Encryption is a means of maintaining secure data in an insecure environment.
 Encryption consists of applying an encryption algorithm to data using some pre-
specified encryption key.
 The resulting data has to be decrypted using a decryption key to recover the
original data.

Encryption is the conversion of data into a form, called a ciphertext, which cannot be
easily understood by unauthorized persons. It enhances security and privacy when access
controls are bypassed, because in cases of data loss or theft, encrypted data cannot be
easily understood by unauthorized persons.

Terminology
 Ciphertext: Encrypted (enciphered) data.
 Plaintext (or cleartext): Intelligible data that has meaning and can be read or acted
upon without the application of decryption.
 Encryption: The process of transforming plaintext into ciphertext.
 Decryption: The process of transforming ciphertext back into plaintext.

 The Data Encryption Standard (DES) is a system developed by the U.S. government
for use by the general public. DES can provide end-to-end encryption on the channel
between the sender A and receiver B.
o Symmetric Key Algorithms: A symmetric key is one key that is used for
both encryption and decryption. By using a symmetric key, fast encryption
and decryption is possible for routine use with sensitive data in the
database. A message encrypted with a secret key can be decrypted only
with the same secret key.
 In 1976, Diffie and Hellman proposed a new kind of cryptosystem, which they called
public key encryption. Public key algorithms are based on mathematical functions
rather than operations on bit patterns. In public key systems, two keys are used for
encryption/decryption. The public key can be transmitted in a non-secure way,
whereas the private key is not transmitted at all. These algorithms—which use two
related keys, a public key and a private key, to perform complementary operations
(encryption and decryption)—are known as asymmetric key encryption algorithms.
Public key encryption scheme, or infrastructure, has six ingredients:
o Plaintext. This is the data or readable message that is fed into the algorithm as
input.
o Encryption algorithm. This algorithm performs various transformations on the
plaintext.
o Public and private keys. These are a pair of keys that have been selected so that
if one is used for encryption, the other is used for decryption. The exact
transformations performed by the encryption algorithm depend on the public or
private key that is provided as input. For example, if a message is encrypted using
the public key, it can only be decrypted using the private key.

Page 10
 o Cipher text. This is the scrambled message produced as output. It depends on the
plaintext and the key. For a given message, two different keys will produce two
different cipher texts.
o Decryption algorithm. This algorithm accepts the cipher text and the matching
key and produces the original plaintext.
o The RSA Public Key Encryption algorithm, one of the first public key schemes
was introduced in 1978 by Ron Rivest (R), Adi Shamir (S), and Len Adleman (A)
at MIT and is named after them.
o The RSA algorithm also operates with modular arithmetic – mod n, where n is
the product of two large prime numbers.

 Digital Signatures: A digital signature is an example of using encryption

techniques to provide authentication services in electronic commerce
applications. Like a handwritten signature, a digital signature is a means of
associating a mark unique to an individual with a body of text.

Current Challenge-Database Survivability

Database systems need to operate and continue their functions, even with reduced
capabilities, despite disruptive events such as information warfare attacks. A DBMS, in
addition to making every effort to prevent an attack and detecting one in the event of
occurrence, should be able to do the following:
 Confinement. Take immediate action to eliminate the attacker’s access to the
system and to isolate or contain the problem to prevent further spread.
 Damage assessment. Determine the extent of the problem, including failed
functions and corrupted data.
 Reconfiguration. Reconfigure to allow operation to continue in a degraded mode
while recovery proceeds.
 Repair. Recover corrupted or lost data and repair or reinstall failed system
functions to re-establish a normal level of operation.
 Fault treatment. To the extent possible, identify the weaknesses exploited in the
attack and take steps to prevent a recurrence.

Page 11