Introduction to Database Systems (CSE 444), Lecture 13: Security, May 2, 2008
TRANSCRIPT

Slide 1
Introduction to Database Systems, CSE 444
Lecture 13: Security
May 2, 2008

Slide 2
Outline
SQL Security – 8.7
Two famous attacks
Two new trends
(Optional material; may not have time to cover in class)

Slide 3
Discretionary Access Control in SQL
GRANT privileges ON object TO users [WITH GRANT OPTION]
privileges = SELECT | INSERT(column-name) | UPDATE(column-name) | DELETE | REFERENCES(column-name)
object = table | attribute

Slide 4
Examples
GRANT INSERT, DELETE ON Customers TO Yuppy WITH GRANT OPTION
Queries allowed to Yuppy:
INSERT INTO Customers(cid, name, address) VALUES(32940, 'Joe Blow', 'Seattle')
DELETE FROM Customers WHERE LastPurchaseDate < 1995
Queries denied to Yuppy:
SELECT Customers.address FROM Customers WHERE name = 'Joe Blow'

Slide 5
Examples
GRANT SELECT ON Customers TO Michael
Now Michael can SELECT, but not INSERT or DELETE

Slide 6
Examples
GRANT SELECT ON Customers TO Michael WITH GRANT OPTION
Michael can say this: GRANT SELECT ON Customers TO Yuppy
Now Yuppy can SELECT on Customers

Slide 7
Examples
GRANT UPDATE (price) ON Product TO Leah
Leah can update Product.price, but not Product.name

Slide 8
Examples
Customer(cid, name, address, balance)
Orders(oid, cid, amount)        -- Orders.cid is a foreign key referencing Customer.cid
Bill has INSERT/UPDATE rights on Orders, BUT HE CAN'T INSERT! (why? inserting into Orders checks the foreign key against Customer.cid, which needs the REFERENCES privilege on that column)
GRANT REFERENCES (cid) ON Customer TO Bill
Now Bill can INSERT tuples into Orders

Slide 9
Views and Security
David owns Customers:
Name  Address   Balance
Mary  Huston    450.99
Sue   Seattle   -240
Joan  Seattle   333.25
Ann   Portland  -520
David says:
CREATE VIEW PublicCustomers AS SELECT Name, Address FROM Customers
GRANT SELECT ON PublicCustomers TO Fred
Fred is not allowed to see the Balance column

Slide 10
Views and Security
David owns Customers:
Name  Address   Balance
Mary  Huston    450.99
Sue   Seattle   -240
Joan  Seattle   333.25
Ann   Portland  -520
David says:
CREATE VIEW BadCreditCustomers AS SELECT * FROM Customers WHERE Balance < 0
GRANT SELECT ON BadCreditCustomers TO John
John is allowed to see only the rows with Balance < 0

Slide 11
Views and Security
• Each customer should see only her/his record
Customers:
Name  Address   Balance
Mary  Huston    450.99
Sue   Seattle   -240
Joan  Seattle   333.25
Ann   Portland  -520
David says:
CREATE VIEW CustomerMary AS SELECT * FROM Customers WHERE name = 'Mary'
GRANT SELECT ON CustomerMary TO Mary
CREATE VIEW CustomerSue AS SELECT * FROM Customers WHERE name = 'Sue'
GRANT SELECT ON CustomerSue TO Sue
. . .
Doesn't scale.
Need row-level access control!

Slide 12
Revocation
REVOKE [GRANT OPTION FOR] privileges ON object FROM users { RESTRICT | CASCADE }
Administrator says:
REVOKE SELECT ON Customers FROM David CASCADE
John loses SELECT privileges on BadCreditCustomers

Slide 13
Revocation
Joe: GRANT [….] TO Art …
Art: GRANT [….] TO Bob …
Bob: GRANT [….] TO Art …
Joe: GRANT [….] TO Cal …
Cal: GRANT [….] TO Bob …
Joe: REVOKE [….] FROM Art CASCADE
(Same privilege, same object, all WITH GRANT OPTION)
What happens??

Slide 14
Revocation
Grant graph, edges numbered in the order the grants were made:
0: Admin -> Joe
1: Joe -> Art      (the grant being revoked)
2: Art -> Bob
3: Bob -> Art
4: Joe -> Cal
5: Cal -> Bob
According to SQL everyone keeps the privilege
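The slide's answer can be checked mechanically. The following is an added example, not from the lecture: it models the grant graph above and applies the rule behind REVOKE ... CASCADE, namely that a user holds the privilege only while there is a path of surviving grants from the object owner (Admin) to that user, and a grant made by someone who has lost the privilege is abandoned. It also goes one step beyond the slide by removing Cal's chain, which shows when the Art/Bob cycle does get cut off.

```python
"""Grant graph and REVOKE ... CASCADE, modelled in Python (added example)."""
from collections import defaultdict

# Each grant is (grantor, grantee). Following the slide, every grant is for the same
# privilege on the same object and carries WITH GRANT OPTION, so any grantee may pass
# it on. Edge numbers are the ones in the slide's figure; edge 0 (Admin -> Joe) is the
# root that makes Joe a holder in the first place.
SLIDE_GRANTS = [
    ("Admin", "Joe"),   # 0
    ("Joe", "Art"),     # 1  the grant Joe revokes
    ("Art", "Bob"),     # 2
    ("Bob", "Art"),     # 3
    ("Joe", "Cal"),     # 4
    ("Cal", "Bob"),     # 5
]


def holders(grants, owner="Admin"):
    """Users who hold the privilege: the owner plus everyone reachable from the
    owner along surviving grant edges. A grant that is not backed by such a
    path is 'abandoned' in SQL terms and confers nothing."""
    out = defaultdict(list)
    for grantor, grantee in grants:
        out[grantor].append(grantee)
    seen, stack = {owner}, [owner]
    while stack:
        for nxt in out[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def revoke_cascade(grants, grantor, grantee, owner="Admin"):
    """Delete the grantor->grantee grant, then drop every grant whose grantor no
    longer holds the privilege (that is the CASCADE). Returns surviving grants."""
    remaining = [g for g in grants if g != (grantor, grantee)]
    live = holders(remaining, owner)
    return [g for g in remaining if g[0] in live]


def who_keeps(grants, grantor, grantee, owner="Admin"):
    """Sorted list of users still holding the privilege after the revoke."""
    return sorted(holders(revoke_cascade(grants, grantor, grantee, owner), owner))


if __name__ == "__main__":
    # Slide's graph: Art is still reachable via Joe -> Cal -> Bob -> Art.
    print("slide graph:", who_keeps(SLIDE_GRANTS, "Joe", "Art"))
    # Same graph without Cal: the Art <-> Bob cycle has no path back to Admin.
    no_cal = [g for g in SLIDE_GRANTS if "Cal" not in g]
    print("without Cal:", who_keeps(no_cal, "Joe", "Art"))
```

With the slide's graph every user keeps the privilege, because Art is still reachable through Cal and Bob. Without edges 4 and 5, Art and Bob keep only each other's grants, neither of which is backed by a path from Admin, so both lose the privilege.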

Slide 15
Summary of SQL Security
Access control = great success story of the DB community...
... or spectacular failure:
• Only 30% assign privileges to users/roles
  – And then to protect entire tables, not columns
Limitations:
• No row level access control
• Table creator owns the data: that's unfair!

Slide 16
Summary (cont)
• Most policies in middleware: slow, error prone:
  – SAP has 10**4 tables
  – GTE over 10**5 attributes
  – A brokerage house has 80,000 applications
  – A US government entity thinks that it has 350K
• Today the database is not at the center of the policy administration universe
[Rosenthal&Winslett'2004]

Slide 17
Two Famous Attacks
• SQL injection
• Sweeney's example

Slide 18
SQL Injection
Your health insurance company lets you see the claims online:
First login:
  User: fred
  Password: ********
Now search through the claims:
  Search claims by: Dr. Lee
SELECT … FROM … WHERE doctor='Dr. Lee' and patientID='fred'
[Chris Anley, Advanced SQL Injection In SQL]

Slide 19
SQL Injection
Now try this:
Search claims by: Dr. Lee' OR patientID = 'suciu'; --
….. WHERE doctor='Dr. Lee' OR patientID='suciu'; --' and patientID='fred'
Better:
Search claims by: Dr. Lee' OR 1 = 1; --

Slide 20
SQL Injection
When you're done, do this:
Search claims by: Dr. Lee'; DROP TABLE Patients; --

Slide 21
SQL Injection
• The DBMS works perfectly. So why is SQL injection possible so often?
• Quick answer:
  – Poor programming: use stored procedures!
• Deeper answer:
  – Move policy implementation from apps to DB
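The "poor programming" of the quick answer is the query being assembled from strings. The following added example (mine, not the lecture's) rebuilds the claim search from slides 18 and 19 on an in-memory sqlite3 database with a constructed Claims table, once by concatenation and once with bound parameters, which is the application-side equivalent of the stored procedures the slide recommends. The crafted inputs are the slide's own, without the trailing semicolon because Python's sqlite3 executes one statement per call.

```python
"""The claim-search query built two ways: string concatenation (the slide's bug)
and bound parameters (the fix). Added example on an in-memory sqlite3 database."""
import sqlite3


def make_db():
    """Constructed claims table standing in for the insurer's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Claims(claimID INTEGER, doctor TEXT, patientID TEXT, amount REAL)")
    conn.executemany("INSERT INTO Claims VALUES (?, ?, ?, ?)", [
        (1, "Dr. Lee", "fred", 120.0),
        (2, "Dr. Lee", "suciu", 300.0),
        (3, "Dr. Kim", "fred", 80.0),
        (4, "Dr. Kim", "alice", 45.0),
    ])
    return conn


def search_vulnerable(conn, doctor, patient_id):
    """The slide's query assembled from strings: whatever the user types
    becomes part of the SQL, quotes and comment markers included."""
    sql = ("SELECT claimID, doctor, patientID FROM Claims WHERE doctor='" + doctor
           + "' AND patientID='" + patient_id + "' ORDER BY claimID")
    return conn.execute(sql).fetchall()


def search_safe(conn, doctor, patient_id):
    """Same query with bound parameters: the DBMS receives the SQL text and the
    values separately, so the input is only ever compared, never parsed."""
    sql = ("SELECT claimID, doctor, patientID FROM Claims "
           "WHERE doctor=? AND patientID=? ORDER BY claimID")
    return conn.execute(sql, (doctor, patient_id)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    honest = "Dr. Lee"
    crafted = "Dr. Lee' OR 1 = 1 --"   # slide 19's second input, minus the ';'
    for label, fn in (("vulnerable", search_vulnerable), ("parameterized", search_safe)):
        print(label, "honest: ", fn(conn, honest, "fred"))
        print(label, "crafted:", fn(conn, crafted, "fred"))
```

Logged in as fred, the honest search returns claim 1 in both versions. With the crafted input the concatenated query's WHERE clause collapses to `doctor='Dr. Lee' OR 1 = 1` with the patientID check commented out, so fred sees all four claims; the parameterized query looks for a doctor literally named `Dr. Lee' OR 1 = 1 --` and returns nothing.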

Slide 22
Latanya Sweeney's Finding
• In Massachusetts, the Group Insurance Commission (GIC) is responsible for purchasing health insurance for state employees
• GIC has to publish the data:
GIC(zip, dob, sex, diagnosis, procedure, ...)

Slide 23
Latanya Sweeney's Finding
• Sweeney paid $20 and bought the voter registration list for Cambridge, Massachusetts:
GIC(zip, dob, sex, diagnosis, procedure, ...)
VOTER(name, party, ..., zip, dob, sex)

Slide 24
Latanya Sweeney's Finding
• William Weld (former governor) lives in Cambridge, hence is in VOTER
• 6 people in VOTER share his dob
• only 3 of them were men (same sex)
• Weld was the only one in that zip
• Sweeney learned Weld's medical records!
(The two tables were linked on the shared attributes zip, dob, sex)

Slide 25
Latanya Sweeney's Finding
• All systems worked as specified, yet important data has leaked
• How do we protect against that?
Some of today's research in data security addresses breaches that happen even if all systems work correctly

Slide 26
Summary on Attacks
SQL injection:
• A correctness problem:
  – Security policy implemented poorly in the application
Sweeney's finding:
• Beyond correctness:
  – Leakage occurred when all systems work as specified

Slide 27
Two Novel Techniques
• K-anonymity, information leakage
• Row-level access control

Slide 28
Information Leakage: k-Anonymity
Original table:
First     Last    Age  Race    Disease
Harry     Stone   34   Afr-Am  Flu
John      Reyser  36   Cauc    Measles
Beatrice  Stone   47   Afr-Am  Pain
John      Ramos   22   Hisp    Fever

Anonymized table:
First  Last   Age    Race    Disease
*      Stone  30-50  Afr-Am  Flu
John   R*     20-40  *       Measles
*      Stone  30-50  Afr-Am  Pain
John   R*     20-40  *       Fever

Definition: each tuple is equal to at least k-1 others
Anonymizing: through suppression and generalization
Hard: NP-complete for suppression only. Approximations exist, but work poorly in practice
[Samarati&Sweeney'98, Meyerson&Williams'04]
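The definition above and Sweeney's linkage (slide 24) are two sides of one measurement: the size of the group of records that agree with a given record on the quasi-identifiers. An added example, mine rather than the lecture's, follows. It counts those group sizes for a constructed copy of the slide's table (every row is a group of one, i.e. uniquely re-identifiable, exactly the situation Weld's record was in), checks the slide's anonymized table for k = 2, and then searches for the cheapest full-domain generalization that reaches k = 2 using generalization hierarchies of my own choosing. That last result is deliberately worse than the slide's table: generalizing every row the same way (global recoding) suppresses far more than the slide's per-group recoding, which is one reason the problem is hard in practice.

```python
"""k-anonymity: checking it, and finding a minimal full-domain generalization
(added example, not from the lecture)."""
from collections import Counter
from itertools import product

# Constructed copy of the slide's table. Disease is the sensitive attribute and is
# never generalized; the other four columns are the quasi-identifiers.
ORIGINAL = [
    {"First": "Harry",    "Last": "Stone",  "Age": 34, "Race": "Afr-Am", "Disease": "Flu"},
    {"First": "John",     "Last": "Reyser", "Age": 36, "Race": "Cauc",   "Disease": "Measles"},
    {"First": "Beatrice", "Last": "Stone",  "Age": 47, "Race": "Afr-Am", "Disease": "Pain"},
    {"First": "John",     "Last": "Ramos",  "Age": 22, "Race": "Hisp",   "Disease": "Fever"},
]
QUASI_IDS = ("First", "Last", "Age", "Race")

# The slide's own anonymized table (local recoding: each group generalized differently).
SLIDE_ANONYMIZED = [
    {"First": "*",    "Last": "Stone", "Age": "30-50", "Race": "Afr-Am", "Disease": "Flu"},
    {"First": "John", "Last": "R*",    "Age": "20-40", "Race": "*",      "Disease": "Measles"},
    {"First": "*",    "Last": "Stone", "Age": "30-50", "Race": "Afr-Am", "Disease": "Pain"},
    {"First": "John", "Last": "R*",    "Age": "20-40", "Race": "*",      "Disease": "Fever"},
]


def age_bucket(width):
    """Generalize an exact age to a bucket of the given width, e.g. 34 -> '30-39'."""
    return lambda v: f"{v // width * width}-{v // width * width + width - 1}"


# Generalization hierarchy per quasi-identifier (my choice for this demo): level 0 is
# the exact value, the last level is full suppression ('*').
HIERARCHY = {
    "First": [lambda v: v, lambda v: "*"],
    "Last":  [lambda v: v, lambda v: v[0] + "*", lambda v: "*"],
    "Age":   [lambda v: v, age_bucket(10), age_bucket(20), lambda v: "*"],
    "Race":  [lambda v: v, lambda v: "*"],
}


def group_sizes(rows, quasi_ids=QUASI_IDS):
    """For each row, the size of its equivalence class on the quasi-identifiers.
    A class of size 1 is a record that a linkage attack can single out."""
    def key(r):
        return tuple(r[q] for q in quasi_ids)
    counts = Counter(key(r) for r in rows)
    return [counts[key(r)] for r in rows]


def is_k_anonymous(rows, k, quasi_ids=QUASI_IDS):
    """Every tuple is equal, on the quasi-identifiers, to at least k-1 others."""
    return all(n >= k for n in group_sizes(rows, quasi_ids))


def generalize(rows, levels):
    """Full-domain generalization: apply the chosen level of every hierarchy to every row."""
    return [{**r, **{q: HIERARCHY[q][levels[q]](r[q]) for q in HIERARCHY}} for r in rows]


def minimal_generalization(rows, k):
    """Search the whole (small) lattice of level assignments for the cheapest one that
    makes the table k-anonymous; cost = total levels of generalization applied.
    Exhaustive search is fine for four short hierarchies; in general this is NP-hard."""
    names = list(HIERARCHY)
    best = None
    for combo in product(*(range(len(HIERARCHY[q])) for q in names)):
        levels = dict(zip(names, combo))
        if is_k_anonymous(generalize(rows, levels), k):
            cost = sum(combo)
            if best is None or cost < best[0]:
                best = (cost, levels)
    return best


if __name__ == "__main__":
    print("group sizes in the original:", group_sizes(ORIGINAL))
    print("slide's table 2-anonymous:", is_k_anonymous(SLIDE_ANONYMIZED, 2))
    cost, levels = minimal_generalization(ORIGINAL, 2)
    print("cheapest global recoding:", levels, "cost", cost)
    for row in generalize(ORIGINAL, levels):
        print(row)
```

The cheapest global recoding for k = 2 suppresses first name, age and race and keeps only the initial of the last name, whereas the slide's table keeps the Stones' race and the Johns' first name and age ranges.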

Slide 29
Information Leakage: Query-view Security
Have data: TABLE Employee(name, dept, phone)

Secret Query               Views                            Disclosure?
S(name)                    V(name, phone)                   total
S(name, phone)             V1(name, dept), V2(dept, phone)  big
S(name)                    V(dept)                          tiny
S(name) where dept='HR'    V(name) where dept='RD'          none
[Miklau&S'04, Miklau&Dalvi&S'05, Yang&Li'04]

Slide 30
Fine-grained Access Control
Control access at the tuple level.
• Policy specification languages
• Implementation

Slide 31
Policy Specification Language
No standard, but usually based on parameterized views.
CREATE AUTHORIZATION VIEW PatientsForDoctors AS
  SELECT Patient.*
  FROM Patient, Doctor
  WHERE Patient.doctorID = Doctor.ID and Doctor.login = %currentUser
(%currentUser is a context parameter)

Slide 32
Implementation
The user's query:
SELECT Patient.name, Patient.age
FROM Patient
WHERE Patient.disease = 'flu'
is rewritten by the DBMS (e.g. Oracle) into:
SELECT Patient.name, Patient.age
FROM Patient, Doctor
WHERE Patient.disease = 'flu' and Patient.doctorID = Doctor.ID and Doctor.login = %currentUser

Slide 33
Two Semantics
• The Truman Model = filter semantics
  – transform reality
  – ACCEPT all queries
  – REWRITE queries
  – Sometimes misleading results
• The non-Truman model = deny semantics
  – reject queries
  – ACCEPT or REJECT queries
  – Execute query UNCHANGED
  – May define multiple security views for a user
[Rizvi'04]
Example query:
SELECT count(*) FROM Patient WHERE disease='flu'

Slide 34
Summary on Information Disclosure
• The theoretical research:
  – Exciting new connections between databases and information theory, probability theory, cryptography
• The applications:
  – many years away
[Abadi&Warinschi'05]

Slide 35
Summary of Fine Grained Access Control
• Trend in industry: label-based security
• Killer app: application hosting
  – Independent franchises share a single table at headquarters (e.g., Holiday Inn)
  – Application runs under requester's label, cannot see other labels
  – Headquarters runs Read queries over them
• Oracle's Virtual Private Database
[Rosenthal&Winslett'2004]