Download security of database systems - Computer Science and Engineering

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
Document related concepts

Extensible Storage Engine wikipedia , lookup

Relational algebra wikipedia , lookup

Database wikipedia , lookup

Functional Database Model wikipedia , lookup

Microsoft Jet Database Engine wikipedia , lookup

Clusterpoint wikipedia , lookup

Database model wikipedia , lookup

Relational model wikipedia , lookup

Transcript 
SECURITY OF DATABASE SYSTEMS
Dr. Awad Khalil
Computer Science Department
AUC
Content





Database Security
Threats
Countermeasures – Computer Based Controls
Countermeasures – Non Computer Based Controls
Database Security on the Web
Database Security


Database security is the protection of the Database against intentional or
unintentional threats using computer-based or non-computer-based controls.
A database represents an essential corporate resource that should be properly
secured using appropriate controls. We consider database security in relation
to the following situations:
1. Theft and fraud.
2. Loss of confidentiality (secrecy).
3. Loss of privacy.
4. Loss of integrity.
5. Loss of availability.

Database security aims to minimize losses caused by anticipated events in a
cost-effective manner without unduly constraining the users.
Threats
 A threat is any situation or event, whether intentional or unintentional, involving a
person, action, or circumstance, that will adversely affect a system and consequently
an organization.
Potential threats to computer systems
Countermeasures
Computer-Based Controls
1. Authorization & Access
Controls.
2. Views.
3. Backup and recovery.
4. Integrity.
5. Encryption.
6. RAID Technology.
Authorization & Access Controls (Privileges)



Authorization is the granting of a right or privilege, which enables a subject to have
legitimate access to a system’s object
Authorization controls can be built into the software, and govern not only what system
or object a specified user can have access to, but also what the user may do with it.
The process of authorization involves authentication of subjects requesting access to
objects.
Authentication
 A mechanism that determines whether a user is, who he or she claims to be.
Privileges: Privileges may include the right to access or create certain database objects
such as relations, views, and indexes, or to run various DBMS utilities.
Select(0001) Update(0010) Insert(0100) Delete(1000) All(1111)
Views
 A view is a dynamic result of one or more relational operations operating on the base
relations, to produce another relation. A view is a virtual relation that does not actually
exist in the database, but is produced upon request by a particular user, at the time of
request.
Backup and Recovery
 The process of periodically taking a copy of the database and log file (and possibly
programs) onto offline storage media.
JOURNALING
 The process of keeping and maintaining a log file (or journal) of all changes made to
the database to enable recovery to be undertaken effectively in the event of failure.
CHECKPOINTING
 The Point of synchronization between the database and the transaction log file. All
buffers are force-written to secondary storage.
Integrity
 Integrity controls (entity integrity and referential integrity constraints) contribute to
maintaining a secure database system by preventing data from becoming invalid, and
hence giving misleading or incorrect results.
Encryption

Encryption is the encoding of the data by a special algorithm that renders the data
unreadable by any program without the decryption key.
CRYPTOSYSTEM
 To transmit data securely over insecure networks requires the use of cryptos ystem,
which includes:
1. Encryption key to encrypt the data (plain text).
2. Encryption algorithm that, with the encryption key, transforms the plain text into
ciphertext.
3. Decryption key to decrypt the cyphertext.
4. Decryption algorithm that, with the decryption key, transforms the cyphertext
back into plain text.
Symmetric Cryptosystem
 This technique uses the same key for both encryption and decryption and relies on safe
communication lines for exchanging the key.
 One scheme used for s ymmetric encryption is the Data Encryption Standard (DES),
developed by IBM. This scheme uses one key for both encryption and decryption,
which must be kept secret, although the algorithm need not be.
 The algorithm transforms each 64-bit block of plaintext using a 56-bit key.
 The DES is not universally regarded as being very secure.
 A scheme called PGP (Pretty Good Privacy) uses a 128-bit symmetric algorithm for
bulk encryption of data it sends.
 Keys with 64 bits are now probabl y breakable b y major governments with special
hardware, albeit at substantial cost.
 While. keys with 80 bits will also become breakable in the future, keys with 128 bits
will remain unbreakable for the foreseeable future.
Asymmetric Cryptosystem
 This cryptos ystem uses two different keys for encryption and decryption.
 One example is public key cryptosystems, which uses two keys, one of which is public
and the other private.





The encryption algorithm may also be public, so that anyone wishing to send a user
message can use the user's publicly known key in conjunction with the algorithm to
encrypt it. Only the owner of the private key can then decipher the message.
Public key cryptosystems can also be used to send a 'digital signature' with a message
and prove that the message came from the person who claimed to have sent it.
The most well known asymmetric encryption is RSA.
Generally, symmetric algorithms are much faster to execute on a computer than those
that are asymmetric.
However, in practice, they are often used together, so that a public key algorithm is
used to encrypt a randomly generated encryption key, and the random key is used to
encrypt the actual message using a symmetric algorithm.
Using Encryption
Security
 Is ensured if the sender uses the recipient’s public key to encrypt and the recipient uses
his/her private key to decrypt.
Authentication
 Is achieved if the sender uses his/her private key to encrypt and the recipient uses the
public to decrypt.
RAID Technology
RAID (Redundant Array of Independent Disks)











The Hardware that the DBMS is running on must be fault-tolerant, meaning that the
DBMS should continue to operate even if one of the hardware components fails.
This suggests having redundant components that can de seamlessly integrated into the
working system whenever there is one or more component failures.
The main hardware components that should be fault-tolerant include disk drives, disk
controllers, CPU, power supplies, and cooling fans.
Disk drives are the most vulnerable components with the shortest times between
failure of any of the hardware components.
One solution is the use of RAID technology. RAID works on having a large array
comprising an arrangement of several independent disks that are organized to improve
reliability and at the same time increase performance.
Performance is increased through data stripping; the data is segmented into equal-size
portions (the stripping unit) which are transparently distributed across multiple disks.
This gives the appearance of a single large, fast disk where in actual fact the data is
distributed across several smaller disks.
Stripping improves overall I/O performance by allowing multiple I/Os to be serviced
in parallel.
At the same time, data stripping also balances the load among disks.
Reliability is improved through storing redundant information across the disks using a
parity scheme or an error-correcting scheme, such as Reed-Solomon codes.
There are a number of different disk configurations with RAID, termed RAID levels:
1. RAID 0 - Nonredundant: This level maintains no redundant data and so has the best
write performance since updates do not have to be replicated. Data stripping is
performed at the level of blocks.
2. RAID 1 - Mirrored: This level maintains (mirrors) two identical copies of the data
across different disks. To maintain consistency in the presence of disk failure, writes
may not performed simultaneously. This is the most expensive storage solution.
3. RAID 0+1 - Nonredundant and Mirrored: This level combines stripping and
mirroring.
4. RAID 2 - Memory-style Error-Correcting Codes: With this level, the stripping unit is
a single bit and Hamming codes are used as the redundancy scheme.
5. RAID 3 - Bit-Interleaved Parity: This level provides redundancy by storing parity
information on a single disk in the array.
6. RAID 4 - Block-Interleaved Parity: With this level, the stripping unit is a disk block a parity block is maintained on a separate disk for corresponding blocks from a
number of other disks.
7. RAID 5 - Block-Interleaved Distributed Parity: This level uses parity data for
redundancy in a similar way to RAID 3 but stripes the parity data across all the disks,
similar to the way in which the source data is stripped.
8. RAID P+Q: This level is similar to RAID 5 but additional redundant data is
maintained to protect against multiple disk failures.

Oracle, for example, recommends use of RAID 1 for the redo log files. For the
database files, Oracle, recommends either RAID 5, provided the write overhead
is acceptable, otherwise Oracle recommends either RAID 1 or RAID 0+1.
Countermeasures
Non-Computer-Based Controls
1. Security policy and contingency plan.
2. Personnel control.
3. Secure positioning of equipment.
4. Escrow agreements.
5. Maintenance agreements.
6. Physical access control.
Web Security







Proxy servers.
Firewalls.
Digital signatures.
Message digest and digital signatures.
Digital certificates.
Kerberos.
Secure Sockets Layer (SSL) and Secure HTTP (SHTTP).
Proxy Servers



In a Web environment, a proxy server is a computer that sits between a Web browser
and a Web server.
It intercepts all requests to the Web server to determine if it can fulfill the requests
itself. If not, it forwards the requests to the Web server.
Proxy servers have two main purposes: to improve performance and filter requests.

Improve Performance: Since a proxy server saves the results of all requests for a
certain amount of time, it can significantly improve performance for group of users.

Filter requests: Proxy servers can also be used to filter requests. For example, an
organization might use a proxy server to prevent its employees from accessing a
specific set of Web sites.
Firewalls



A firewall is a system designed to prevent unauthorized access to or from a private
network (Intranet).
Firewalls can be implemented in both hardware and software, or a combination of
both.
All messages entering or leaving the Intranet pass through the firewall, which
examines each message and blocks those that do not meet the specified security
criteria. There are several types of firewall techniques:
 Packet filter: which looks at each packet entering or leaving the network and
accepts or rejects it based on user-defined rules.
 Application gateway: which applies securit y mechanisms to specific applications,
such as FTP and Telnet servers.
 Circuit-level gateway: which applies security mechanisms when a TCP or UDP
(User Datagram Protocol) connection is established. Once the connection has been
made, packets can flow between the hosts without further checks.
 Proxy server, which intercepts all messages entering and leaving the network. The
proxy server in effect hides the true network addresses.
Message Digest Algorithms and Digital Signature






A message digest algorithm, or one-way hash function, takes an arbitrary-sized string
(the message) and generates a fixed-length string (the digest or hash).
A digest has the following characteristics:
 It should be computationally infeasible to find another message that will generate
the same digest.
 The digest doesn’t reveal anything about the message.
A digital signature consists of two pieces of information: a string of bits that is
computed from the data that is being ‘signed’, along with the private key of the
individual or organization wishing the signature.
The signature can be used to verify that the data comes from this individual or
organization.
Like a handwritten signature, a digital signature has many useful properties:
 Its authenticity can be verified, using a computation based on the corresponding
public key.
 It cannot be forged (assuming the private key is kept secret).
 It is a function of the data signed and cannot be claimed to be the signature for an y
other data.
 The signed data cannot be changed, otherwise the signature will no longer verify
the data as being authentic
Some digital signature algorithms use message digest algorithms for parts of their
computations; others for efficiency, compute the digest of a message and digitally sign
the digest rather than signing the message itself.
Digital Certificates





A digital certificate is an attachment to an electronic message used for security
purposes, most commonly to verify that a user sending a message is who he or she
claims to be, and to provide the receiver with the means to encode a reply.
An individual wishing to send an encrypted message applies for a digital certificate
from a Certificate Authority (CA).
The CA issues an encrypted digital certificate containing the applicant’s public key
and a variety of other identification information.
The recipient of an encrypted message uses the CA’s public key to decode the digital
certificate attached to the message, verifies it as issued by the CA, and then obtains the
sender’s public key and identification information held within the certificate.
With this information, the recipient can send an encrypted reply.
Kerberos
 Kerberos is a server of secured user names and passwords (named after the three-
headed monster in Greek mythology that guarded the gate of hell).
 The importance of Kerberos is that it provides one centralized security server for all
data and resources on the network.
 Kerberos has a similar function to that of a Certificate server to identify and validate a
user.
 Security companies are currently investigating a merger of Kerberos and Certificate
servers to provide a network-wide secure system
Secure Sockets Layer and Secure HTTP




SSL is an encryption protocol developed by Netscape for transmitting private
documents over the Internet.
SSL works by using private key to encrypt data that is transferred over the SSL
connection.
The protocol, layered between application-level protocols such as HTTP and the
TCP/IP transport-level protocol, is designed to prevent eavesdropping tampering, and
message forgery.
Through the use of cryptographic techniques such as encryption, and digital
signatures, these protocols:
 Allow Web browsers and servers to authenticate each other.
 Permit Web site owners to control access to particular servers, directories, files, or
services.
 Allow sensitive information (for example, credit card numbers) to be shared
between browser and server, yet remain inaccessible to third parties.
 Ensure that data exchanged between browser and server is reliable (that is , cannot
be corrupted either accidentally or deliberately, without detection).
DATABASE SECURITY and AUTHORIZATION




A DBMS typically includes a database security and authorization subsystem that
is responsible for ensuring the security portions of a database against unauthorized
access.
The DBA is the central authority for managing a database system.
The DBA has a privileged account in the DBMS, is sometimes called a system
account, which provides powerful capabilities that are not made available to regular
database accounts and users.
DBA privileged commands include commands for granting and revoking privileges
to individual accounts, users, or user groups and for performing the following types of
actions:
DBA Privileged Commands
1. Account creation: This action creates a new account and password for a user or a
group of users to enable them to access the DBMS.
2. Privilege granting: This action permits the DBA to grant certain privileges to certain
accounts.
3. Privilege revocation: This action permits the DBA to revoke (cancel) certain
privileges that were previously given to certain accounts.
4. Security level assignment: This action consists of assigning user accounts to the
appropriate security classification level.
Access Control Based on Privileges
 There are two levels for which assigning privileges to use the database system:
1.The Account level:: At this level, the DBA specifies the particular privileges that each
account holds independently of relations in the database.
2.The Relation level:: At this level, we can control the privilege to access each
individual relation or view in the database.
The Account Level Privileges
 The CRE ATE SCHEMA or CRE ATE TABLE privilege to create schema or base
relation.
 The CRE ATE VIEW privilege to create views.
 The ALTER privilege to add or remove attributes from relations.
 The DROP privilege to delete relations or views.
 The MODIFY privilege to insert, delete, or update tuples.
 The SELECT privilege to retrieve information from the database using a SELECT
query.
The Relation Level Privileges
 Privileges at the relation level specify for each user the individual relations on which
each type of command can be applied.
 Some privileges also refer to individual attributes of relations.
 To control the granting and revoking of relation privileges, each relation R in a
database is assigned an owner account.
 The owner of a relation is given all privileges on that relation.
 The owner account holder can pass privileges on any of the owned relations to other
users by granting privileges to their accounts.
 In SQL, the following types of privileges can be granted on each individual relation
R:
 SELECT (retrieval) privilege.
 MODIFY privileges on R: This gives the account the capability to modify tuples of R.
In SQL this privilege is further divided into UPDATE, DELETE, and INSERT
privileges to apply the corresponding SQL command to R. In addition, both the
INSERT and UPDATE privileges can specify that only certain attributes of R can be
updated by the account.
 REFERENCES privilege on R: This gives the account the capability to reference the
relation R when specifying integrity constraints. This privilege can also be restricted to
specific attributes of R.
Specifying Authorization by Using Views
 To create a view, the account must have SELECT privileges on all relations
involved in the view definition
 The mechanism of views is an important access mechanism in its own right.
 For example, if the owner A of a relation R wants another account B to be able to
retrieve only some fields of R, then A can create a view V of R that includes only
those attributes and then grant SELECT on V to B.
Revoking Privileges
 In some cases it is desirable to grant some privilege to a user temporarily.
 A mechanism for revoking (canceling) privileges is needed.
 In SQL, a REVOKE command is included for the purpose of canceling privileges.
Propagation of Privileges and the GRANT OPTION
 Whenever the owner A of relation R grants a privilege on R to another account B, the
privilege can be given to B with or without the GRANT OPTION.
 If the GRANT OPTION is given, this means that B can also grant that privilege on R
to other accounts.
 If the owner account A revokes the privilege granted to B, all the privileges that B
propagated based on that privilege should automatically be revoked by the system.
 Techniques to limit the propagation of privileges have been developed, although they
have not yet been implemented in most DBMSs.
 Limiting horizontal propagation to an integer number i means that an account B
given the GRANT OPTION can grant the privilege to at most i other accounts.

Vertical propagation limits the depth of the granting of the privileges. Granting a
privilege with vertical propagation of zero is equivalent to granting the privilege
with no GRANT OPTION. If account A grants a privilege to account B with
vertical propagation set to an integer number j>0, this means that account B has the
GRANT OPTION on that privilege, but B can grant the privilege to other accounts
with a vertical propagation less than j.
An Example
 Suppose that the DBA creates four accounts - A1, A2, A3, and A4 - and wants only
A1 to be able to create base relations, then the DBA must issue a CREATE
SCHEMA command as follows:
CREATE SCHEMA NWDB AUTHORIZATION A1;


Suppose that A1 creates the two base relations EMPLOYEE and DEPARTMENT.
Suppose that A1 wants to grant to account A2 the privilege to insert and delete tuples
in both of these relations. A1 does not want A2 to be able to propagate these privileges
to additional accounts. Then, A1 can issue the following command:
GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;

Suppose that A1 wants to allow account A3 to retrieve information from either of the
two tables and also be able to propagate the SELECT privilege to other accounts.
Then A1 can issue the following command:
GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT
OPTION;

A3 can grant the SELECT privilege on the EMPLOYEE relation to A4 by issuing the
following command:
GRANT SELECT ON EMPLOYEE TO A4;

Suppose that A1 decides to revoke the SELECT privilege on the EMPLOYEE
relation from A3; then A1 can issue the following command:
REVOKE SELECT ON EMPLOYEE FROM A3;

Suppose that A1 wants to give back to A3 a limited capability to SELECT from the
EMPLOYEE relation and wants to allow A3 to propagate the privilege. The limitation
is to retrieve only the NAME, BDATE, and ADDRESS attributes and only the tuples
with DNO = 5. Then A1 can create the following view:
CREATE VIEW A3EMPLOYEE AS
SELECT NAME, BDATE, ADDRESS
FROM EMPLOYEE
WHERE DNO = 5;
 After the view is created , A1 can grant SELECT on the view A3EMPLOYEE to A3
as follows:

GRANT SELECT ON A3EMPLOYEE TO A3
WITH GRANT OPTION;
Suppose that A1 wants to allow A4 to update only the SALARY attribute of
EMPLOYEE:
GRANT UPDATE ON EMPLOYEE(SALARY) TO A4;
Mandatory Access Control for Multilevel Security
 In many government, military, and intelligence applications, a particular security
policy is needed that classifies data and users based on security classes.
 The typical security classes used are top secret (TS), secret (S), confidential (C), and
unclassified (U), where TS>S>C>U.
Bell LaPadula Multilevel Security Model

The commonly used model for multilevel security, known as the Bell-LaPadula
model, classifies each subject (user, account, program) and object (relation, tuple,
column, view, operation) into one of the security classifications TS, S, C, and U. We
refer to the classification of a subject S as class(S) and the classification of an object
O as class(O).

Two restrictions are enforced on data access:
A subject S is not allowed read access to an object O unless class(S)class(O).
A subject S is not allowed write access to an object O unless class(O)class(S).
The first restriction enforces the obvious rule that no subject can read an object whose
security classification is higher than the subject’s security clearance.
The second restriction prohibits a subject from writing an object that has lower
security classification than the subject’s security clearance.




Multilevel Security Implementation in The Relational Model
 To incorporate multilevel security notions into the relational model, it is common
to consider attribute values and tuples as data objects.
 Each attribute A is associated with a classification attribute C in the schema, and
each attribute value in a tuple is associated with a corresponding security
classification.
 A tuple classification attribute TC is added to the relation attributes to provide a
classification for each tuple as a whole.
 A multilevel relation schema R with n attributes would be represented as:
R(A1, C1, A2, C2, …, An, Cn, TC)
A multilevel relation will appear to contain different data to subjects (users) with
different classification levels.
 It is possible to store a single tuple in the relation at a higher classification level and
produce the corresponding tuples at a lower level classification through a process
known as filtering..
 In other cases, it is necessary to store two or more tuples at different classification
levels with the same value for the apparent key (primary key). This leads to the
concept of polyinstantiation..

A multilevel relation: Employee
Name
Salary
JobPerformance
TC
____________________________________________
Smith U 40000 C
Fair
S
S
Brown C 80000 S
Good C
S
-----------------------------------------------------------------------------Appearance of Employee after filtering for classification C users
Name
Salary
JobPerformance
TC
_____________________________________________
Smith U 40000 C
Null
C
C
Brown C Null
C
Good C
C
A multilevel relation: Employee
Name
Salary
JobPerformance
TC
____________________________________________
Smith U 40000 C
Fair
S
S
Brown C 80000 S
Good C
S
----------------------------------------------------------------------------------------------Appearance of Employee after filtering for classification U users
Name
Salary
JobPerformance
TC
_____________________________________________
Smith U Null U
Null
U
U
A multilevel relation: Employee
Name
Salary
JobPerformance
TC
____________________________________________
Smith U 40000 C
Fair
S
S
Brown C 80000 S
Good C
S
------------------------------------------------------------------------------------Polyinstantiation of the Smith tuple
Name
Salary
JobPerformance
TC
____________________________________________
Smith U 40000 C
Fair
S
S
Smith U 40000 C
Excellent C
C
Brown C 80000 S
Good
C
S
Thank you
Related documents
Database Account/Privileges Request Form
Database Account/Privileges Request Form
CSCI 3140 Module 3 – Logical Database
CSCI 3140 Module 3 – Logical Database
Harnessing the Most to find the Least
Harnessing the Most to find the Least
Unit -3 - Ajay Ardeshana
Unit -3 - Ajay Ardeshana
End-of-Program Review 2011-12
End-of-Program Review 2011-12
INSIGHTS FROM NEW ZEALAND ON THE `GIG` ECONOMY
INSIGHTS FROM NEW ZEALAND ON THE `GIG` ECONOMY
recommendations/approval - SHCS Reference System
recommendations/approval - SHCS Reference System
Chapter Notes
Chapter Notes
eCommerce&Security
eCommerce&Security
Crash Recovery
Crash Recovery