
Afghanistan Research Journal – Social Science

Volume 4, Issue 1, pp. 1-7, June 2022 ISSN (Online): 2789-8601

Database Security Mechanisms in MySQL

Abdullah Hamidi (MSc), Database / Information Systems, Computer Science Faculty, Herat University, Herat, Afghanistan
Abdul Razzaq Hamraz (MSc), Database / Information Systems, Computer Science Faculty, Herat University, Herat, Afghanistan
Khadija Rahmani (MSc), Software Engineering, Computer Science Faculty, Herat University, Herat, Afghanistan

Abstract— MySQL security is a concept that originates from database security and mainly concerns attacks that exploit vulnerabilities of database systems. SQL injection, inference attacks, passive attacks, active attacks, and other database-side attacks are general security issues in many modern database systems. Those methods are used by hackers to retrieve, manipulate, misuse, create or delete information in organizations’ relational databases through the application layer or the backend layer. Different techniques to protect MySQL against these attacks are investigated and discussed in this article. In addition, different ways to secure a database are introduced: database backups, database and table locking, database encryption, user control, MySQL Enterprise Firewall, and the use of views. Each protection method is explained with its usage and advantages. Database designers have to be aware of these methods to increase data protection in the information management systems they design. The goals of this research are to cover all security problems that occur in the MySQL backend, to describe the security vulnerabilities, and to provide suggestions that improve MySQL security and prevent an attacker from attacking these systems.

Keywords— relational, MySQL, database, security, backup, locking, views, firewall

INTRODUCTION

In the world of information technology, data security is one of the vital subjects, because these data define the worth of organizations; so, with the growth of technology, organizations store their data in so-called databases. “Database technologies are a core component of many computing systems. They allow data to be retained and shared electronically and the amount of data contained in these systems continues to grow at a rate” [1]. So, we need to ensure the integrity, confidentiality, availability and authenticity of the data and secure the data from unintended access, which is called database security. Database security is the protection of an invaluable organizational resource against unauthorized reading, changing or erasing of the data. “Database security strives to ensure that only authenticated users perform authorized activities at authorized times” [1]. “It includes the system, processes, and procedures that protect a database from unintended activity” [14]. Database security in MySQL is one of the most important topics that have been discussed among security personnel. “The growing number of incidents proves that it’s something that should be taken care of immediately. Database security should provide controlled and protected access to the members and also should preserve the overall quality of the data” [15]. It is very important to understand the structure of the database and identify potential threats at the beginning stages. These points by Oracle (2016) should be considered when securing a database:

• Protecting data from unauthorized access.
• Preventing unauthorized disclosure.
• Recovering from hardware or software errors.

GOALS AND IMPORTANCE

Nowadays, people try to use technology according to their needs to gain the advantage of this unlimited weapon. One of the valuable components of technology is database systems, which are changing work outcomes and producing effective results. This technology has been tested in most developed and developing countries, and the expected result has been achieved, together with an understanding of its effectiveness. Nowadays, we know one of the most challenging issues is data security.


The purpose of this research is to describe the security vulnerabilities in order to improve the security of database systems in MySQL and to prevent attackers from attacking these systems, and to know where and at which level the public and private sectors use database security, and whether Herat development companies apply it.

DATABASE SECURITY

It is important to protect the data from unauthorized access, disclosure, modification or destruction if we are using DBMSs to store and maintain our data. Ensuring that users have the proper authority to view the data, insert new data, or update existing data is an important aspect of application development. Database security involves protecting a database from unauthorized access, malicious destruction, and even any accidental loss or misuse. Due to the high value of data in corporate databases, there is a strong motivation for unauthorized users to gain access to them. It may happen that competitors have strong motivation to access sensitive information about product development plans, cost-saving initiatives and customer profiles of other companies. Sometimes they may want to access information regarding unannounced financial results, business transactions and even customer e-credit card numbers. They may not only steal valuable information; in fact, if they have access to the database, they may also destroy it and great havoc may occur [2].

Fig. 1. Database security. (Oracle, database security, 2016)

Furthermore, the database environment is getting more complex, where access to data has become more open through the internet and mobile computing. Thus, you can imagine the importance of having database security.

THREATS TO A DATABASE

Any situation or event that may affect a system and organization is called a threat. This threat may be intentional or unintentional and could be caused by a situation or event that involves a person, action or circumstance which results in harm to someone or to an organization. The harm may be loss of hardware, software or data (tangible) or could be loss of credibility or client confidence and trust (intangible). “However, focusing on database security alone will not ensure a secure database. This is because all parts of the systems must be secure. This includes the buildings in which the database is stored physically, the network, the operating system, DBMS and the personnel who have authorized access to the system” [3]. In this article our focus is on data security in relational database management systems.

Fig. 2. Threats of Database (Connolly, 2005)

TYPES OF ATTACKS ON DATABASES

Databases today are facing different kinds of attacks. It is preferable to describe the attacks which can be performed on the databases. The major attacks on databases can be categorized as inference attacks, active and passive attacks, and SQL Injection Attacks (SQLIA) on relational DBMSs.

Inference: Inference is a major attack on database systems. Inference is a way to derive sensitive data from non-sensitive data. The query fired is very specific in this type of attack and matches exactly one data item, which is called a direct attack. Attacks in the inference category may also be indirect, which includes the use of statistical data to get sensitive information.

Passive Attacks on Databases: In a passive attack, the attacker only observes data present in the database.


Active Attacks on Databases: In an active attack, actual database values are modified. This is a serious kind of attack.

SQLIA (SQL Injection Attack): Today, databases serve as a backend for many applications including web applications. One of the major attacks on such applications is the SQL Injection Attack. This type of attack is called SQLIA or SIA. One of the basic reasons for SQLIA is that most web applications build SQL queries on the fly without applying proper user input validation. Attackers can make the server run malicious SQL queries and can manipulate the database. Therefore, SQLIA is considered a dangerous type of attack on databases.

DATA PROTECTION IN RDBMS

Database protection means unlawful users have no access to the database and its sensitive information, whether intentionally or accidentally. Therefore, most companies consider the possibility of threats as actions against their database systems. This article addresses threats, countermeasures, and database security approaches to relational database threats and considerations of security techniques [6].

RDBMS threats can be summarized as [7]:

o Required user privileges can be granted by the administrator. Abusing these privileges may lead to the creation of trapdoors from the program.
o The user has legal access to the database. He/she may have a malicious intention to abuse the tool.
o One of the threats is the software or operating system vulnerability. This helps the perpetrator violate sensitive information as they are back home.

Techniques of data protection in RDBMS

These range from physical controls to administrative procedures. They can be categorized into various forms of control as [8]:

1. Access Control of database or DCL
2. Backup and Restore
3. Enabling DBMS Firewall
4. Use of Views
5. Locking

SECURITY IMPLEMENTATION IN MYSQL

1. Access control using SQL Data Control Language

According to [9], the DCL (Data Control Language) commands are used for assigning the different authorizations to the user; these types of authorizations are known as privileges. Grant and Revoke commands are the DCL commands. The grant command is used for conferring the authorization to the users, whereas the revoke command is used for withdrawing the authorization. Select, insert, update and delete are some of the privileges that are included in the SQL standard. This language has commands such as grant and revoke which mainly deal with the rights, permissions and other controls of the database system.

“The MySQL privilege system ensures that all users may perform only the operations permitted to them. As a user, when you connect to a MySQL server, your identity is determined by the host from which you connect and the user’s name you specify. When you issue requests after connecting, the system grants privileges according to your identity and what you want to do” [11].

Grant

“The database administrator defines the GRANT command in SQL for giving the access or privileges to the users of the database. Three major components which are involved in the authorization are the users, privilege/s (operations) and a database object” [9]. The user is the one who triggers the execution of the application program. “Operations are the component which is embedded in an application program. The operations are performed on database objects such as relation or view name” [9].

Syntax of GRANT Command [10]

grant <privilege record>
on <relation title or view title>
to <user/role record>;

mysql> create user 'hamid1'@'localhost' IDENTIFIED BY 'ssss';
Query OK, 0 rows affected (0.00 sec)

Fig. 3. Creating user account on local host.

mysql> GRANT SELECT ON library.* TO 'hamid1'@'localhost' IDENTIFIED BY 'ssss';
Query OK, 0 rows affected (0.00 sec)

Fig. 4. Grant select privilege.
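The access-control workflow of this section, together with the parameterised query that the SQLIA passage above calls for, as an added example that is not part of the paper: it goes slightly beyond Figs. 3-5 by granting on a view instead of the base table (the paper's "Use of Views" control) and uses the separate CREATE USER + GRANT form that works on MySQL 5.7 and 8.0. The account 'reports'@'localhost', the view public_books, the books columns and the sample ISBN are assumptions.

```sql
-- Added example (not from the paper): least-privilege account for the
-- "library" schema used in Figs. 3-5, plus a server-side prepared statement.
-- Assumption: library.books has columns id, title, ISBN (constructed here).

-- 1) Create the account with a strong password; the host part limits where
--    it may connect from. CREATE USER + GRANT works on 5.7 and 8.0, whereas
--    the GRANT ... IDENTIFIED BY form of Figs. 4-5 was removed in 8.0.
CREATE USER 'reports'@'localhost' IDENTIFIED BY 'CHANGE-ME-strong-passphrase';

-- 2) Expose only the columns the account needs through a view
--    (the paper's "Use of Views" control) rather than the base table.
CREATE VIEW library.public_books AS
    SELECT id, title, ISBN FROM library.books;

-- 3) Grant SELECT on the view only: no privilege on library.books itself,
--    no INSERT/UPDATE/DELETE, and no GRANT OPTION to pass rights on.
GRANT SELECT ON library.public_books TO 'reports'@'localhost';

-- 4) Verify the effective privileges before handing the account over.
--    Expected: USAGE ON *.* plus SELECT ON `library`.`public_books` only.
SHOW GRANTS FOR 'reports'@'localhost';

-- 5) Bind user input instead of concatenating it into SQL text. Shown here
--    with a server-side prepared statement; the application driver's
--    placeholders give the same guarantee.
PREPARE find_by_isbn FROM
    'SELECT title FROM library.public_books WHERE ISBN = ?';
SET @isbn = '978-0-13-110362-7';   -- constructed sample value
EXECUTE find_by_isbn USING @isbn;  -- @isbn is data, never parsed as SQL
DEALLOCATE PREPARE find_by_isbn;

-- 6) Withdraw access when it is no longer needed (the REVOKE of Figs. 6-7).
--    REVOKE ALL strips every privilege but the login still exists, so the
--    account is dropped as well.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'reports'@'localhost';
DROP USER 'reports'@'localhost';
```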


mysql> GRANT SELECT,UPDATE,INSERT ON library.books TO 'hamis'@'localhost' IDENTIFIED BY 'ssss';
Query OK, 0 rows affected (0.00 sec)

Fig. 5. Grant multiple privileges on one table.

According to Fig. 3 and Fig. 4, we create a user and give it only the select privilege on the library database. This user can’t perform any other operation on the library database. In Fig. 5, we give multiple privileges just on the books table to the user “Hamid”, who will have privileges only on the books table.

Revoke

Another command of DCL is the revoke command. This command in SQL is defined to take away the granted privileges (authorizations) from the user of the database. The one who has the authority to withdraw the privileges is the database administrator [9].

Syntax of REVOKE Command:

revoke <privilege list>
on <relation name or view name>
from <user/role list>;

The revoke command is similar to the grant command except for the revoke keyword and ‘from’. In the given command, the operations included in the privilege are taken from the particular user or role list. Revoking becomes complex when privileges are propagated from one user to another. We can revoke the given privileges by the revoke statement.

mysql> revoke select ON library.* from 'hamid1'@'localhost';
Query OK, 0 rows affected (0.00 sec)

Fig. 6. Revoking select privilege.

mysql> REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'hamid1'@'localhost';
Query OK, 0 rows affected (0.00 sec)

Fig. 7. Revoking all privileges.

According to Fig. 6, for security purposes we can revoke a granted privilege from a specific user, and we can also revoke all granted privileges according to Fig. 7, limiting his privileges.

2. MySQL Enterprise Firewall

Database Firewalls are a type of Web Application Firewall that monitors databases to identify and protect against database-specific attacks which mostly seek to access sensitive information stored in the databases. “MySQL Enterprise Firewall is an application-level firewall that enables database administrators to permit or deny SQL statement executions based on matching against whitelists of accepted statement patterns”. This helps harden MySQL Server against attacks such as SQL injection or attempts to exploit applications by using them outside of their legitimate query workload characteristics. MySQL Enterprise Firewall has stored procedures that perform tasks such as registering MySQL accounts with the firewall, establishing their operational mode, and managing transfer of firewall data between the cache and the underlying system tables. In the firewall procedure we create the firewall tables, functions, stored procedures and install the necessary plugins. After running the script, the firewall is enabled. To test whether it is enabled or not, the following scripts could be used:

Fig. 8. MySQL firewall mode.

To test the firewall, an existing MySQL user is used, as an example hamid@localhost. The user probably doesn’t need all privileges, but for this example, everything is granted to this user according to Fig. 4. Accordingly, the library schema is selected to test the MySQL procedures and functionalities. Afterward, the firewall is set to record those queries which are granted to be executed:

Fig. 9. Call and set firewall to record allowed queries for the allowed user.

Using the following script it is possible to check whether the firewall is running and recording for our user or not:

Fig. 10. Display firewall mode.
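The record-then-protect workflow this section describes (the scripts of Figs. 8-13 are not reproduced on this page), as an added example that is not from the paper, using the paper's account hamid@localhost and the MySQL Enterprise Firewall stored procedures, tables and status variables. It assumes the firewall plugin and its procedures are already installed; the sample library queries are constructed.

```sql
-- Added example (not from the paper): MySQL Enterprise Firewall workflow
-- for the paper's account hamid@localhost. Assumes the firewall plugin and
-- its stored procedures are installed; the library queries are constructed.

-- Is the firewall plugin loaded and enabled? (expect mysql_firewall_mode = ON)
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';

-- 1) Register the account and start RECORDING: every statement the
--    application runs from now on becomes an accepted pattern (the whitelist).
CALL mysql.sp_set_firewall_mode('hamid@localhost', 'RECORDING');

-- 2) Run the legitimate workload while recording, connected AS hamid@localhost,
--    for example the queries the library application normally issues:
--    SELECT title, ISBN FROM library.books WHERE id = 7;
--    SELECT COUNT(*) FROM library.copies WHERE books_id = 7;

-- 3) Confirm the mode and inspect what was learned. Patterns are stored
--    normalised (literals replaced by ?), so the "id = 7" query above also
--    matches "id = 8" later, but a statement with extra clauses does not.
SELECT MODE FROM mysql.firewall_users     WHERE USERHOST = 'hamid@localhost';
SELECT RULE FROM mysql.firewall_whitelist WHERE USERHOST = 'hamid@localhost';

-- 4) Switch to PROTECTING: statements outside the recorded patterns are
--    rejected with an error and logged; recorded ones keep working unchanged.
CALL mysql.sp_set_firewall_mode('hamid@localhost', 'PROTECTING');

-- 5) Counters show how much traffic was allowed versus blocked
--    (Firewall_access_granted, Firewall_access_denied, Firewall_cached_entries).
SHOW GLOBAL STATUS LIKE 'Firewall%';
```

A rising Firewall_access_denied counter in protecting mode is the signal to investigate: either an application change was deployed without re-recording, or someone is sending statements the application never issued.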


It is possible to run multiple queries on library to check the recording, and then turn off the recording by turning on the protection mode:

Fig. 11. Set firewall mode to protecting.

The firewall is now protecting against non-whitelisted queries. We can execute a couple of the queries we previously ran, which should be allowed by the firewall. Now we run two new queries, which should be blocked by the firewall.

Fig. 12. Queries prevented by firewall.

Multiple queries are performed on the database in multiple modes; to see how much firewall activity you have, you may look at the status variables:

Fig. 13. Status of firewall variables.

3. View

Views are virtual tables that are created through some operations on database objects. By removing certain columns or rows and combining certain tables, such views can be used to limit the scope of objects that users can manipulate or retrieve information from.

-- COUNT(DISTINCT ...) rather than SUM(...): the two joins multiply rows, and summing ids would not give the number of copies or authors.
CREATE VIEW scrambling AS SELECT b.title, b.ISBN, COUNT(DISTINCT c.id) copies, COUNT(DISTINCT ba.id) authors FROM books b INNER JOIN copies c ON b.id = c.books_id INNER JOIN books_authors ba ON b.id = ba.books_id GROUP BY b.id;

Fig. 14. View on library schema.

4. Backup and Recovery

Backup is one of the best tools to secure our data in case of loss. Backup means taking a copy of the sample process logs plus a copy of the relational database periodically and storing it in memory for later retrieval [8]. A complete backup of your database will include all the details of your database: tables, stored procedures, functions, views, authorization information, indexes and of course the data stored in those tables. There is also just enough information from the transaction log to ensure that the database can be restored in a consistent state and to restore the database online if it fails during a recovery operation. In general, it can be assumed that by restoring a complete backup of the database, the database will return to the state it was in when the backup process began. However, it is possible that the effect of a transaction that was created when the backup was started would still be included in the backup [10].

Full backups are likely to be the only type of backup you need, depending on the data recovery need. For example, let's say that you rely solely on full backups, you take one once in the middle of the night, and the server experiences a fatal crash at 11 pm one night. In this case, you will only be able to restore the full database backup from midnight the previous day, and so you may lose 23 hours of data [10].

“A full database backup is probably the most common type of backup in the SQL Server world. This is actually a backup of the data file (s) associated with a database” [12].

Backing up a database is essentially "archiving" your database as it existed at the time of the backup operation [12]. It is useful to know exactly what is in this "archive"; a full backup includes [12]:

• A copy of the database when creating the backup
• All user objects and data
• Database system information
• User information
• License information
• Enough transaction log to bring the database back online if it fails

A full backup is a disaster recovery strategy for any database user, in the event of data corruption or the loss of a disk drive or even catastrophic hardware failure, where all the physical media of a server is lost or damaged. In such cases, the availability of a complete backup file, stored securely and separately, may be the only way to get back up and working on a new server with at least most of its data intact. If there is also a differential backup, there is a strong possibility that we will be able to restore the database to a state very close to where it was shortly before the disaster [12].

Implementation of Full Backup

The MySQL dump program can make backups. It can back up all kinds of tables.


C:\Program Files\MySQL\MySQL Server 5.5\bin>mysqldump -uroot -p library > libarary.sql
Enter password: ****

C:\Program Files\MySQL\MySQL Server 5.5\bin>

Fig. 15. Database backup.

C:\Program Files\MySQL\MySQL Server 5.5\bin>mysql -uroot -p library < libarary.sql
Enter password: ****

Fig. 16. Database recovery.

5. Locking Mechanism

One of the most important characteristics of transactions is that they are isolated. Technically, this means that executing transactions concurrently has the same effect as executing them serially, one after the other, with no overlap. These executions are called serializable executions, meaning they "have the same effect as a serial execution" [13].

The most famous mechanism used to achieve serializability is locking. The concept is simple [13]:

• Each transaction reserves access to the data it uses. The reservation is called a lock.
• There are read locks and write locks.
• A transaction sets a read lock before reading a piece of data, and sets a write lock before writing data.
• A read lock conflicts with a write lock, and a write lock conflicts with a write lock.
• A transaction can only get a lock if no other transaction has a conflicting lock on the same item. Therefore, it can obtain a read lock on x only if no other transaction holds a write lock on x. It can only get a write lock on x if no other transaction holds a read lock or a write lock on x [13].

Although the concept of a lock is simple, its effects on performance and correctness can be complex, counter-intuitive and difficult to predict. Making robust TP applications requires a complete understanding of locking [13].

Locking affects performance. When a transaction sets a lock, it delays other transactions that need to set a conflicting lock. All else being equal, the more transactions run simultaneously, the greater the likelihood of such delays. The frequency and length of such delays can also be affected by transaction design, database layout, and transaction distribution and database distribution. To understand how to minimize this impact on performance, one must understand the locking mechanisms, how they are used, and how these mechanisms and usage scenarios influence performance [13].

Locking also affects correctness. Although locking usually strikes people as obviously correct, not all uses of locks result in correct results. “For example, it seems that reserving access to data before access eliminates the possibility of interfering with each other” [13]. But for serializability it is simply not enough to lock the data before accessing it. The timing of the lock operations is also important [13].

Implementation of Transaction Locking

Although an application developer never directly confronts locks, he should know how they work for two reasons. First, locking can have a significant impact on the performance of a TP system. Most systems offer tuning mechanisms to optimize performance. To use these mechanisms, it is valuable to understand their effect on the system's internal behavior. Second, some of these optimizations can violate correctness. Understanding lock execution helps to understand when such optimizations are acceptable and what other options are possible [13].

The Lock Manager is a component that provides these operations [13]:

• Set a lock of the given lock mode on a data item on behalf of a transaction ID.
• Release the transaction ID's lock on the data item.
• Release all locks held by a transaction ID.

The locks in the lock table are a low-level data structure in main memory, like a control table in an operating system (i.e., like an SQL table). The locking and unlocking operations allow locks to be inserted into and removed from the lock table, respectively [13]. The first and foremost use of a lock is to solve synchronization problems. If scripts are running that write to the database, but the multi-step operations are not susceptible to the problems described in the last section, locks are not required. Simple scripts that insert a row, delete a row, or update a row, and do not use previous SELECT results or user-entered data as input, do not require locking [6].

Locks are special property variables. By default, each MySQL table has a lock variable. If the user sets the lock variable for a particular table, no other user can perform


specific actions on that table. The user who sets the lock variable holds the lock on the table. In practice, there are two types of locks for each table: READ LOCKs, when the user only reads a table, and WRITE LOCKs, when the user is reading and writing a table. MySQL does not allow locking only one of the two tables used in the above transaction. The following rules apply to locks [13]:

If you hold a lock, all other tables used must also be locked. Failure to do so will result in a MySQL error.

If aliases are used in queries, for example [13]:

SELECT * from customer c where c.custid=1

the alias must be locked with:

LOCK TABLES customer c READ

or:

LOCK TABLES customer c WRITE

CONCLUSION

Nowadays data security has become an important topic; a database is a repository for our data which faces different security threats such as SQL injection, inference attacks, passive attacks, and other active attacks. The most important aspects of securing database systems are the ability to bind an incoming request, to determine where and how the attacker can attack, and to find measures to protect the database from attacks. This article focuses on verifying those key aspects of a secure database system from the backend aspect. Therefore, the best ways to make a database system safer, especially against SQL injection or other backend attacks, are the MySQL Enterprise Firewall to permit or deny SQL statement execution based on matching against whitelists of accepted statement patterns, changing the port of MySQL since attackers exploit default values, removing anonymous users, taking backups, the use of views, and applying access privileges on user accounts so that every user can access only the granted databases and can perform only the granted operations on specific databases and tables.

Every organization and company in the business environment needs to collect data from their users. Users who provide their information to the companies have to trust them and be confident about their data security. Organizations should use various standard and reliable data protection methods in their databases to protect their data from unknown and unauthorized access. There are many ways to protect databases and make them more secure; we discussed some of them in this article.

References

[1] Murray, M. C. (2010). Database Security: What Students Need to Know.
[2] Database security issues. (n.d.). Retrieved December 29, 2009, from databases.about.com/od/security/database_security_issues.htm; Mannino, M. V. (2001).
[3] Oracle. (2016). Database security. Retrieved from http://www.oracle.com/technetwork/database/security/overview/index.html
[4] Hoffer, J. A., et al. (2011). Essentials of Systems Analysis and Design. Pearson.
[5] Connolly, B. (2005). Database Systems. Pearson.
[6] Madden, A. D. (2003). Data Protection. European: With financial support from the EU’s Fundamental Rights and Citizenship Programme.
[7] Derclaye, E. (2005). What is a Database? The Journal of World Intellectual Property, 4.
[8] Mustafa, A. A. (2016). Security of Database Management Systems. The Center of Judicial Expertise and Research, 2.
[9] Ji-Won Byun, N. (2009). Privacy Protection in Relational Database Systems.
[10] Laiho, M., et al. (2010). SQL Transaction. DBTech VET Teachers project.
[11] MySQL. (n.d.). Chapter 4 Access Control and Account. Retrieved April 30, 2022, from https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/access-control.html
[12] McGehee, S. (2012). SQL Server Backup and Restore. The Red Gate Guide.
[13] Bernstein, A., & Newcomer, E. (2001). Locking. Chicago.
[14] Abraham, A., Mauri, J. L., Buford, J., Suzuki, J., & Thampi, S. M. (Eds.). (2011). Advances in Computing and Communications, Part I: First International Conference, ACC 2011, Kochi, India, July 22-24, 2011. Proceedings (Vol. 190). Springer Science & Business Media.
[15] Lynch, S. (2015). Database Security. Retrieved May 15, 2022, from https://resources.infosecinstitute.com/topic/database-security/
