
Ch05 Introduction CIA Triad

Chapter 5 of 'Computer Security: Principles and Practice' covers database security, focusing on relational databases, their structure, and access control mechanisms like SQL commands for managing user permissions. It discusses inference risks, statistical databases, and countermeasures to prevent unauthorized data access, including perturbation and encryption techniques. The chapter emphasizes the importance of access control and security measures to protect sensitive data within databases.

Uploaded by

ridz.ggs

Computer Security: Principles and Practice


Chapter 5 – Database Security

First Edition
by William Stallings and Lawrie Brown

Lecture slides by Lawrie Brown


Database Security
Relational Databases
• constructed from tables of data
  - each column holds a particular type of data
  - each row contains a specific value for each of these columns
  - ideally has one column where all values are unique, forming an identifier/key for that row
• have multiple tables linked by identifiers
• use a query language to access data items meeting specified criteria
Relational Database Example
Relational Database Elements
• relation / table / file
• tuple / row / record
• attribute / column / field
• primary key
  - uniquely identifies a row
• foreign key
  - links one table to attributes in another
• view / virtual table
Relational Database Elements
Structured Query Language
• Structured Query Language (SQL)
  - originally developed by IBM in the mid-1970s
  - standardized language to define, manipulate, and query data in a relational database
  - several similar versions of ANSI/ISO standard

-- Did is the primary key of department
CREATE TABLE department (
    Did INTEGER PRIMARY KEY,
    Dname CHAR (30),
    Dacctno CHAR (6) )

-- Eid is the primary key; Did is a foreign key linking each employee to a department
CREATE TABLE employee (
    Ename CHAR (30),
    Did INTEGER,
    SalaryCode INTEGER,
    Eid INTEGER PRIMARY KEY,
    Ephone CHAR (10),
    FOREIGN KEY (Did) REFERENCES department (Did) )

-- view joining the two tables on Did; it leaves out SalaryCode and Dacctno
CREATE VIEW newtable (Dname, Ename, Eid, Ephone)
AS SELECT D.Dname, E.Ename, E.Eid, E.Ephone
FROM Department D, Employee E
WHERE E.Did = D.Did
Database Access Control
• DBMS provides access control for the database
• assumes the user has been authenticated
• DBMS provides specific access rights to portions of the database
  - e.g. create, insert, delete, update, read, write
  - to entire database, tables, selected rows or columns
  - possibly dependent on contents of a table entry
• can support a range of policies:
  - centralized administration
  - ownership-based administration
  - decentralized administration
SQL Access Controls
• GRANT and REVOKE are used to manage access rights.
• The GRANT command grants one or more access rights, or can be used to assign a user to a role
• For access rights, the command can optionally specify that it applies only to a specified table
• The TO clause specifies the user or role to which the rights are granted
• A PUBLIC value indicates that any user has the specified access rights
SQL Access Controls
• GRANT SELECT ON TABLE Q.STAFF TO PUBLIC
• GRANT INSERT ON ORDER_BACKLOG TO PUBLIC WITH GRANT OPTION
• GRANT SELECT ON employee TO user1
• REVOKE SELECT ON employee FROM user1
SQL Access Controls
• two commands:
  - GRANT { privileges | role } [ON table] TO { user | role | PUBLIC } [IDENTIFIED BY password] [WITH GRANT OPTION]
    - e.g. GRANT SELECT ON ANY TABLE TO ricflair
  - REVOKE { privileges | role } [ON table] FROM { user | role | PUBLIC }
    - e.g. REVOKE SELECT ON ANY TABLE FROM ricflair
• typical access rights are:
  - SELECT, INSERT, UPDATE, DELETE, REFERENCES (foreign key)
Cascading Authorizations
Role-Based Access Control
• role-based access control works well for DBMS
  - eases admin burden, improves security
• categories of database users:
  - application owner
  - end user
  - administrator
• DB RBAC must manage roles and their users
  - cf. RBAC on Microsoft’s SQL Server
Inference
Inference
• Combination of a number of data items is more sensitive than the individual items
• Combination of data items can be used to infer data of a higher sensitivity
• The attacker may make use of non-sensitive data as well as metadata
Inference Example
Inference Countermeasures
• Inference detection at database design
  - alter database structure or access controls
• Inference detection at query time
  - by monitoring and altering or rejecting queries
• Need some inference detection algorithm
  - a difficult problem
  - employee-salary example
Statistical Databases
• provides data of a statistical nature
  - e.g. counts, averages
• two types:
  - pure statistical database
  - ordinary database with statistical access
    - some users have normal access, others statistical
• access control objective is to allow statistical use without revealing individual entries
• security problem is one of inference
Statistical Database Security
• use a characteristic formula C
  - a logical formula over the values of attributes
  - e.g. (Sex=Male) AND ((Major=CS) OR (Major=EE))
• query set X(C) of characteristic formula C is the set of records matching C
• a statistical query is a query that produces a value calculated over a query set
Statistical Database Example
e.g. only statistical functions are allowed; all specific queries will be rejected.
Student information is confidential, but statistical query functions (Avg, Sum, Count) are allowed.

Find the GP of the female EE student
A statistical query:
count(EE . Female) = 1
sum(EE . Female, GP) = 2.5

Students from the CS department
A statistical query:
count(Female . CS) = 2
sum(Female . CS, SAT) =
Protecting Against Inference
Tracker Attacks
• divide queries into parts
  - C = C1.C2
  - count(C.D) = count(C1) - count(C1 . ~C2)
• combination is called a tracker
• each part acceptable query size
• overlap is desired result
Other Query Restrictions
• query set overlap control
  - limit overlap between new & previous queries
  - has problems and overheads
• partitioning
  - cluster records into exclusive groups
  - only allow queries on entire groups
• query denial and information leakage
  - denials can leak information
  - to counter, must track queries from user history
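
Added example (not part of the original slides), covering the Tracker Attacks and query set overlap control slides: a query size restriction rejects the query set EE . Female, yet the difference count(C1) - count(C1 . ~C2) of two accepted queries yields the same statistic, and an overlap limit denies the second part. The records, K and MAX_OVERLAP are constructed assumptions, chosen so the result matches count = 1 and sum of GP = 2.5 from the example slide.

```python
# Constructed sample rows (sex, major, GP); not data from the original slides.
RECORDS = [
    ("F", "EE", 2.5), ("M", "EE", 3.1), ("M", "EE", 3.4), ("F", "CS", 3.8),
    ("F", "CS", 3.0), ("M", "CS", 2.9), ("M", "CS", 3.6), ("F", "Bio", 3.3),
]
K = 2            # assumed query size restriction: K <= |X(C)| <= N - K
MAX_OVERLAP = 1  # assumed limit on rows shared with any earlier query set


class QueryDenied(Exception):
    """A statistical query violated a restriction."""


class StatDB:
    def __init__(self, overlap_control=False):
        self.overlap_control = overlap_control
        self.history = []  # query sets (row indexes) already answered

    def query(self, formula, gp_sum=False):
        """Answer count(C), or sum(C, GP) when gp_sum is set."""
        x = {i for i, row in enumerate(RECORDS) if formula(row)}
        if not K <= len(x) <= len(RECORDS) - K:
            raise QueryDenied("query set size")
        if self.overlap_control and any(
                x != old and len(x & old) > MAX_OVERLAP for old in self.history):
            raise QueryDenied("query set overlap")
        self.history.append(x)
        return round(sum(RECORDS[i][2] for i in x), 2) if gp_sum else len(x)


def c(row):          # C = C1 . C2 = EE . Female (the protected query set)
    return row[1] == "EE" and row[0] == "F"


def c1(row):         # C1 = EE
    return row[1] == "EE"


def c1_not_c2(row):  # C1 . ~C2 = EE . ~Female
    return row[1] == "EE" and row[0] != "F"


def tracker(db):
    """Derive count(C) and sum(C, GP) from two individually permitted query sets."""
    count = db.query(c1) - db.query(c1_not_c2)
    gp = db.query(c1, gp_sum=True) - db.query(c1_not_c2, gp_sum=True)
    return count, round(gp, 2)
```

The overlap check needs the full history of answered query sets per user, which is the overhead the slide refers to.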
Perturbation
• add noise to statistics generated from data
  - will result in differences in statistics
• This can be done in one of two ways:
  1. Data Perturbation: The data in the SDB can be modified (perturbed) so as to produce statistics that cannot be used to infer values for individual records.
  2. Output Perturbation: When a statistical query is made, the system can generate statistics that are modified from those that the original database would provide, again thwarting attempts to gain knowledge of individual records.
Perturbation: Data Swapping

The transformed database D’ has the same statistics as D for one or two attributes. However, three-attribute statistics are not preserved.
Example: Count(EE * Male * 4.0) = 1 in D and 0 in D’ (statistics not preserved).
Average GPA of Biology majors (statistics preserved).
Database Encryption
• databases are typically a valuable information resource
  - protected by multiple layers of security: firewalls, authentication, O/S access control systems, DB access control systems, and database encryption
• can encrypt
  - entire database - very inflexible and inefficient
  - records (rows) or columns (attributes) - best
    - also need attribute indexes to help data retrieval
• varying trade-offs
Database Encryption
Database Encryption
• Data owner: organization that produces the sensitive data
• User: that presents requests (queries) to the system.
• Client: Front-end that transforms user queries into queries on encrypted data
• Server: that receives encrypted data from a data owner and makes them available for distribution to clients.
  - The server could in fact be owned by the data owner but, more typically, is owned and maintained by an external provider.
Database Encryption
1. The user issues an SQL query for fields from one or more records with a specific value of the primary key.
2. The query processor at the client encrypts the primary key and transmits the query to the server.
3. The server processes the query using the encrypted value of the primary key and returns the appropriate record or records.
4. The query processor decrypts the data and returns the results.
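
Added example (not part of the original slides) of the four-step exchange above, with the client, server and data owner as separate functions. Assumptions: an HMAC-SHA256 token stands in for the deterministically encrypted primary key, a standard-library keystream stands in for a real record cipher, and the sample employee rows and all function names are constructed for illustration.

```python
import hashlib
import hmac
import json
import os

INDEX_KEY, DATA_KEY = os.urandom(32), os.urandom(32)  # held by the client only
# Constructed sample rows using the employee columns from the slides.
EMPLOYEES = [{"Eid": 1001, "Ename": "Alice", "Ephone": "5550100"},
             {"Eid": 1002, "Ename": "Bob", "Ephone": "5550101"}]


def key_token(eid):
    """Deterministic stand-in for the encrypted primary key (HMAC-SHA256)."""
    return hmac.new(INDEX_KEY, str(eid).encode(), hashlib.sha256).hexdigest()


def _xor_keystream(nonce, data):
    # Illustrative cipher (HMAC-SHA256 in counter mode) with no integrity
    # protection; a real deployment would use an AEAD such as AES-GCM.
    stream = b"".join(
        hmac.new(DATA_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_record(record):
    nonce = os.urandom(16)
    return nonce + _xor_keystream(nonce, json.dumps(record).encode())


def decrypt_record(blob):
    return json.loads(_xor_keystream(blob[:16], blob[16:]))


def owner_upload(records):
    """Data owner: build the table the server stores (opaque values only)."""
    return {key_token(r["Eid"]): encrypt_record(r) for r in records}


def server_lookup(table, token):
    """Step 3: the server matches the encrypted key; it holds no keys."""
    return table.get(token)


def client_query(table, eid):
    """Steps 2 and 4: encrypt the key, then decrypt what the server returns."""
    blob = server_lookup(table, key_token(eid))
    return None if blob is None else decrypt_record(blob)
```

The deterministic token supports exact-match lookups on the primary key only, and it reveals to the server when two queries ask for the same key; searches on other attributes need the attribute indexes mentioned earlier.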
Summary
• introduced databases and DBMS
• relational databases
• database access control issues
  - SQL, role-based
• inference
• statistical database security issues
• database encryption
