csce 253/2501 fundamentals of database systems
Post on 21-Dec-2021
11 Views
Preview:
TRANSCRIPT
1
CSCE 253/2501 Fundamentals of Database Systems Dr. Khalil
SECURITY OF
DATABASE SYSTEMS
DATABASE SECURITY
Database security is the protection of the Database against intentional or unintentional threats
using computer-based or non-computer-based controls.
A database represents an essential corporate resource that should be properly secured using
appropriate controls. We consider database security in relation to the following situations:
1. Theft and fraud.
2. Loss of confidentiality (secrecy).
3. Loss of privacy.
4. Loss of integrity.
5. Loss of availability.
Database security aims to minimize losses caused by anticipated events in a cost-effective manner
without unduly constraining the users.
THREATS A threat is any situation or event, whether intentional or unintentional, involving a person, action,
or circumstance, that will adversely affect a system and consequently an organization.
2
Examples of threats
Summary of potential threats to computer systems
COUNTER MEASURES A - Computer-Based Controls
1. Authorization & Access Controls
2. Firewalls
3. Views
4. Backup and Recovery
5. Integrity.
6. Encryption
7. RAID Technology
Representation of a typical multi-user computer environment
3
AUTHORIZATION
Authorization is the granting of a right or privilege, which enables a subject to have legitimate
access to a system’s object
Authorization controls can be built into the software, and govern not only what system or object a
specified user can have access to, but also what the user may do with it.
The process of authorization involves authentication of subjects requesting access to objects.
AUTHENTICATION
A mechanism that determines whether a user is, who he or she claims to be.
PRIVILEGES
OWNERSHIP & PRIVILEGES
User and group identifiers
Access control matrix
VIEWS
A view is a dynamic result of one or more relational operations operating on the base relations, to
produce another relation. A view is a virtual relation that does not actually exist in the database,
but is produced upon request by a particular user, at the time of request.
BACKUP and RECOVERY
The process of periodically taking a copy of the database and log file (and possibly programs) onto
offline storage media.
JOURNALING
The process of keeping and maintaining a log file (or journal) of all changes made to the database
to enable recovery to be undertaken effectively in the event of failure.
4
CHECKPOINTING
The Point of synchronization between the database and the transaction log file. All buffers are
force-written to secondary storage.
INTEGRITY
Integrity controls (entity integrity and referential integrity constraints) contribute to maintaining
a secure database system by preventing data from becoming invalid, and hence giving misleading
or incorrect results.
ENCRYPTION
Encryption is the encoding of the data by a special algorithm that renders the data unreadable by
any program without the decryption key.
CRYPTOSYSTEM
To transmit data securely over insecure networks requires the use of cryptosystem, which
includes:
1. Encryption key to encrypt the data (plain text).
2. Encryption algorithm that, with the encryption key, transforms the plain text into
ciphertext.
3. Decryption key to decrypt the cyphertext.
4. Decryption algorithm that, with the decryption key, transforms the cyphertext back into
plain text.
(a) Symmetric Encryption
This technique uses the same key for both encryption and decryption and relies on safe
communication lines for exchanging the key.
One scheme used for symmetric encryption is the Data Encryption Standard (DES), developed by
IBM. This scheme uses one key for both encryption and decryption, which must be kept secret,
although the algorithm need not be.
The algorithm transforms each 64-bit block of plaintext using a 56-bit key.
The DES is not universally regarded as being very secure.
A scheme called PGP (Pretty Good Privacy) uses a 128-bit symmetric algorithm for bulk
encryption of data it sends.
Keys with 64 bits are now probably breakable by major governments with special hardware,
albeit at substantial cost.
While. keys with 80 bits will also become breakable in the future, keys with 128 bits will remain
unbreakable for the foreseeable future.
(b) Asymmetric Encryption
This cryptosystem uses two different keys for encryption and decryption.
One example is public key cryptosystems, which uses two keys, one of which is public and the
other private.
The encryption algorithm may also be public, so that anyone wishing to send a user message can
use the user's publicly known key in conjunction with the algorithm to encrypt it. Only the owner
of the private key can then decipher the message.
Public key cryptosystems can also be used to send a 'digital signature' with a message and prove
that the message came from the person who claimed to have sent it.
The most well known asymmetric encryption is RSA.
5
Generally, symmetric algorithms are much faster to execute on a computer than those that are
asymmetric.
However, in practice, they are often used together, so that a public key algorithm is used to
encrypt a randomly generated encryption key, and the random key is used to encrypt the actual
message using a symmetric algorithm.
Using Encryption
1. Security Is ensured if the sender uses the recipient’s public key to encrypt and the recipient uses his/her
private key to decrypt.
2. Authentication Is achieved if the sender uses his/her private key to encrypt and the recipient uses the public to
decrypt.
RAID (Redundant Array of Independent Disks) The Hardware that the DBMS is running on must be fault-tolerant, meaning that the DBMS
should continue to operate even if one of the hardware components fails.
This suggests having redundant components that can de seamlessly integrated into the working
system whenever there is one or more component failures.
The main hardware components that should be fault-tolerant include disk drives, disk controllers,
CPU, power supplies, and cooling fans.
Disk drives are the most vulnerable components with the shortest times between failure of any of
the hardware components.
One solution is the use of RAID technology. RAID works on having a large array comprising an
arrangement of several independent disks that are organized to improve reliability and at the
same time increase performance.
Performance is increased through data stripping; the data is segmented into equal-size portions
(the stripping unit) which are transparently distributed across multiple disks.
This gives the appearance of a single large, fast disk where in actual fact the data is distributed
across several smaller disks.
Stripping improves overall I/O performance by allowing multiple I/Os to be serviced in parallel.
At the same time, data stripping also balances the load among disks.
Reliability is improved through storing redundant information across the disks using a parity
scheme or an error-correcting scheme, such as Reed-Solomon codes.
There are a number of different disk configurations with RAID, termed RAID levels:
1. RAID 0 - Nonredundant: This level maintains no redundant data and so has the best write
performance since updates do not have to be replicated. Data stripping is performed at the
level of blocks.
2. RAID 1 - Mirrored: This level maintains (mirrors) two identical copies of the data across
different disks. To maintain consistency in the presence of disk failure, writes may not
performed simultaneously. This is the most expensive storage solution.
3. RAID 0+1 - Nonredundant and Mirrored: This level combines stripping and mirroring.
4. RAID 2 - Memory-style Error-Correcting Codes: With this level, the stripping unit is a
single bit and Hamming codes are used as the redundancy scheme.
5. RAID 3 - Bit-Interleaved Parity: This level provides redundancy by storing parity
information on a single disk in the array.
6. RAID 4 - Block-Interleaved Parity: With this level, the stripping unit is a disk block - a
parity block is maintained on a separate disk for corresponding blocks from a number of other
disks.
6
7. RAID 5 - Block-Interleaved Distributed Parity: This level uses parity data for redundancy
in a similar way to RAID 3 but stripes the parity data across all the disks, similar to the way in
which the source data is stripped.
8. RAID P+Q: This level is similar to RAID 5 but additional redundant data is maintained to
protect against multiple disk failures.
Oracle, for example, recommends use of RAID 1 for the redo log files. For the database files,
Oracle, recommends either RAID 5, provided the write overhead is acceptable, otherwise Oracle
recommends either RAID 1 or RAID 0+1.
COUNTER MEASURES B- Non-Computer-Based Controls
1. Security policy and contingency plan.
2. Personnel control.
3. Secure positioning of equipment.
4. Escrow agreements.
5. Maintenance agreements.
6. Physical access control.
SECURITY POLICY & CONTINGENCY PLAN
Security Policy: Should address:
The area of business it covers.
Responsibilities and obligations of employees.
The disciplinary action that will result from breaches of the policy.
Procedures that must be followed.
Contingency Plan: Should include:
Who the key personnel are and how they can be contacted.
Who decides that a contingency exists and how that is decided.
The technical requirements of transferring operations elsewhere, which may include:
The location of the alternate site;
The additional equipment needed;
Whether any communication lines are required.
The operational requirements of transferring operations elsewhere in terms of staffing
requirements.
Any outside contacts who may help, for example, equipment suppliers.
Whether any insurance exists to cover the situation.
7
DBMSs and WEB Security
Proxy servers.
Firewalls.
Digital signatures.
Message digest and digital signatures.
Digital certificate
Kerberos.
Secure Sockets Layer (SSL) and Secure HTTP (HTTPS).
Proxy servers In a Web environment, a proxy server is a computer that sits between a Web browser and a Web server.
It intercepts all requests to the Web server to determine if it can fulfill the requests itself. If not, it
forwards the requests to the Web server.
Proxy servers have two main purposes: to improve performance and filter requests.
Improve Performance: Since a proxy server saves the results of all requests for a certain amount of time,
it can significantly improve performance for group of users.
Filter requests: Proxy servers can also be used to filter requests. For example, an organization might use
a proxy server to prevent its employees from accessing a specific set of Web sites.
Firewalls A firewall is a system designed to prevent unauthorized access to or from a private network (Intranet).
Firewalls can be implemented in both hardware and software, or a combination of both.
All messages entering or leaving the Intranet pass through the firewall, which examines each message
and blocks those that do not meet the specified security criteria. There are several types of firewall
techniques:
Packet filter: which looks at each packet entering or leaving the network and accepts or rejects it based
on user-defined rules.
Application gateway: which applies security mechanisms to specific applications, such as FTP and
Telnet servers.
Circuit-level gateway: which applies security mechanisms when a TCP or UDP (User Datagram
Protocol) connection is established. Once the connection has been made, packets can flow between the
hosts without further checks.
Proxy server, which intercepts all messages entering and leaving the network. The proxy server in effect
hides the true network addresses.
Message Digest Algorithms and Digital Signature A message digest algorithm, or one-way hash function, takes an arbitrary-sized string (the message) and
generates a fixed-length string (the digest or hash).
A digest has the following characteristics:
It should be computationally infeasible to find another message that will generate the same digest.
The digest doesn’t reveal anything about the message.
A digital signature consists of two pieces of information: a string of bits that is computed from the data
that is being ‘signed’, along with the private key of the individual or organization wishing the signature.
The signature can be used to verify that the data comes from this individual or organization.
Like a handwritten signature, a digital signature has many useful properties:
Its authenticity can be verified, using a computation based on the corresponding public key.
It cannot be forged (assuming the private key is kept secret).
It is a function of the data signed and cannot be claimed to be the signature for any other data.
The signed data cannot be changed, otherwise the signature will no longer verify the data as being
authentic
8
Some digital signature algorithms use message digest algorithms for parts of their computations; others
for efficiency, compute the digest of a message and digitally sign the digest rather than signing the
message itself.
Digital Certificates A digital certificate is an attachment to an electronic message used for security purposes, most
commonly to verify that a user sending a message is who he or she claims to be, and to provide the
receiver with the means to encode a reply.
An individual wishing to send an encrypted message applies for a digital certificate from a Certificate
Authority (CA).
The CA issues an encrypted digital certificate containing the applicant’s public key and a variety of other
identification information.
The recipient of an encrypted message uses the CA’s public key to decode the digital certificate attached
to the message, verifies it as issued by the CA, and then obtains the sender’s public key and
identification information held within the certificate.
With this information, the recipient can send an encrypted reply.
Kerberos The importance of Kerberos is that it provides one centralized security server for all data and resources
on the network.
Kerberos has a similar function to that of a Certificate server to identify and validate a user.
Security companies are currently investigating a merger of Kerberos and Certificate servers to provide a
network-wide secure system
Kerberos is a server of secured user names and passwords (named after the three-headed monster in
Greek mythology that guarded the gate of hell).
Secure Sockets Layer and Secure HTTP SSL is an encryption protocol developed by Netscape for transmitting private documents over the
Internet.
SSL works by using private key to encrypt data that is transferred over the SSL connection.
The protocol, layered between application-level protocols such as HTTP and the TCP/IP transport-level
protocol, is designed to prevent eavesdropping tampering, and message forgery.
Through the use of cryptographic techniques such as encryption, and digital signatures, these protocols:
Allow Web browsers and servers to authenticate each other.
Permit Web site owners to control access to particular servers, directories, files, or services.
Allow sensitive information (for example, credit card numbers) to be shared between browser and
server, yet remain inaccessible to third parties.
Ensure that data exchanged between browser and server is reliable (that is , cannot be corrupted either
accidentally or deliberately, without detection).
9
DATABASE SECURITY
AND
AUTHORIZATION
A DBMS typically includes a database security and authorization subsystem that is responsible for
ensuring the security portions of a database against unauthorized access.
DBA and Database Security
The DBA is the central authority for managing a database system.
The DBA has a privileged account in the DBMS, is sometimes called a system account, which
provides powerful capabilities that are not made available to regular database accounts and users.
DBA privileged commands include commands for granting and revoking privileges to individual
accounts, users, or user groups and for performing the following types of actions:
1. Account creation: This action creates a new account and password for a user or a group of users to
enable them to access the DBMS.
2. Privilege granting: This action permits the DBA to grant certain privileges to certain accounts.
3. Privilege revocation: This action permits the DBA to revoke (cancel) certain privileges that were
previously given to certain accounts.
4. Security level assignment: This action consists of assigning user accounts to the appropriate security
classification level.
Database Audits
The DBMS must keep track of all operations on the database that are applied by certain user throughout
each log-in session, so that, if a the database is tampered with, the DBA can find out which user did
the tampering.
The system log entries can be expanded so that they also include the account number of the user and
the on-line terminal id that applied each operation recorded in the log.
If any tampering with the database is suspected, a database audit is performed, which consists of
reviewing the log to examine all accesses and operations applied to the database during a certain time
period.
A database log that is used mainly for security purposes is sometimes called an audit trail.
Access Control Based on Privileges
Types of Privileges There are two levels for which assigning privileges to use the database system:
1. The Account level: At this level, the DBA specifies the particular privileges that each account holds
independently of relations in the database.
10
2. The relation level: At this level, we can control the privilege to access each individual relation or view
in the database.
The Account Level Privileges
The Privileges at the account level apply to the capabilities provided to the account itself and can
include:
The CREATE SCHEMA or CREATE TABLE privilege to create schema or base relation.
The CREATE VIEW privilege to create views.
The ALTER privilege to add or remove attributes from relations.
The DROP privilege to delete relations or views.
The MODIFY privilege to insert, delete, or update tuples.
The SELECT privilege to retrieve information from the database using a SELECT query.
The Relation Level Privileges
Privileges at the relation level specify for each user the individual relations on which each type of
command can be applied.
Some privileges also refer to individual attributes of relations.
The granting and revoking of privileges generally follows an authorization model for discretionary
privileges known as the access matrix model, where the rows of a matrix M represent subjects (users,
accounts, programs) and the columns represent objects (relations, records, columns, views, operations).
Each position M(i,j) in the matrix represents the types of privileges (read, write, update) that subject i
holds on object j.
To control the granting and revoking of relation privileges, each relation R in a database is assigned an
owner account.
The owner of a relation is given all privileges on that relation.
The owner account holder can pass privileges on any of the owned relations to other users by granting
privileges to their accounts.
In SQL, the following types of privileges can be granted on each individual relation R:
SELECT (retrieval) privilege.
MODIFY privileges on R: This gives the account the capability to modify tuples of R. In SQL this
privilege is further divided into UPDATE, DELETE, and INSERT privileges to apply the
corresponding SQL command to R. In addition, both the INSERT and UPDATE privileges can specify
that only certain attributes of R can be updated by the account.
REFERENCES privilege on R: This gives the account the capability to reference the relation R
when specifying integrity constraints. This privilege can also be restricted to specific attributes of R.
Notice that to create a view, the account must have SELECT privileges on all relations involved in the
view definition.
11
Specifying Authorization by Using Views
The mechanism of views is an important access mechanism in its own right.
For example, if the owner A of a relation R wants another account B to be able to retrieve only some
fields of R, then A can create a view V of R that includes only those attributes and then grant SELECT
on V to B.
Revoking Privileges
In some cases it is desirable to grant some privilege to a user temporarily.
A mechanism for revoking (canceling) privileges is needed.
In SQL, a REVOKE command is included for the purpose of canceling privileges.
Propagation of Privileges
and the
GRANT OPTION
Whenever the owner A of relation R grants a privilege on R to another account B, the privilege can be
given to B with or without the GRANT OPTION.
If the GRANT OPTION is given, this means that B can also grant that privilege on R to other accounts.
If the owner account A revokes the privilege granted to B, all the privileges that B propagated based on
that privilege should automatically be revoked by the system.
Techniques to limit the propagation of privileges have been developed, although they have not yet been
implemented in most DBMSs.
Limiting horizontal propagation to an integer number i means that an account B given the GRANT
OPTION can grant the privilege to at most i other accounts.
Vertical propagation limits the depth of the granting of the privileges. Granting a privilege with
vertical propagation of zero is equivalent to granting the privilege with no GRANT OPTION. If account
A grants a privilege to account B with vertical propagation set to an integer number j>0, this means that
account B has the GRANT OPTION on that privilege, but B can grant the privilege to other accounts
with a vertical propagation less than j.
An Example
Suppose that the DBA creates four accounts - A1, A2, A3, and A4 - and wants only A1 to be
able to create base relations, then the DBA must issue the following GRANT command in SQL:
GRANT CREATETAB TO A1;
In SQL2, the same effect can be accomplished by having the DBA issue a CREATE SCHEMA
command as follows:
CREATE SCHEMA NWDB AUTHORIZATION A1;
Suppose that A1 creates the two base relations EMPLOYEE and DEPARTMENT.
Suppose that A1 wants to grant to account A2 the privilege to insert and delete tuples in both
of these relations. A1 does not want A2 to be able to propagate these privileges to additional
accounts. Then, A1 can issue the following command:
12
GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;
Suppose that A1 wants to allow account A3 to retrieve information from either of the two
tables and also be able to propagate the SELECT privilege to other accounts. Then A1 can issue
the following command:
GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION;
A3 can grant the SELECT privilege on the EMPLOYEE relation to A4 by issuing the
following command:
GRANT SELECT ON EMPLOYEE TO A4;
Suppose that A1 decides to revoke the SELECT privilege on the EMPLOYEE relation from
A3; then A1 can issue the following command:
REVOKE SELECT ON EMPLOYEE FROM A3;
Suppose that A1 wants to give back to A3 a limited capability to SELECT from the
EMPLOYEE relation and wants to allow A3 to propagate the privilege. The limitation is to
retrieve only the NAME, BDATE, and ADDRESS attributes and only the tuples with DNO = 5.
Then A1 can create the following view:
CREATE VIEW A3EMPLOYEE AS
SELECT NAME, BDATE, ADDRESS
FROM EMPLOYEE
WHERE DNO = 5;
After the view is created , A1 can grant SELECT on the view A3EMPLOYEE to A3 as follows:
GRANT SELECT ON A3EMPLOYEE TO A3
WITH GRANT OPTION;
Suppose that A1 wants to allow A4 to update only the SALARY attribute of EMPLOYEE:
GRANT UPDATE ON EMPLOYEE(SALARY) TO A4;
Assignment
Consider the COMPANY database. Suppose that all the relations were created by (and hence owned by)
user X, who wants to grant the following privileges to user accounts A, B, C, D, and E. Write SQL
statements to grant these privileges. Use views where appropriate.
1. Account A can retrieve or modify any relation except DEPENDENT and can grant any of these
privileges to other users.
2. Account B can retrieve all the attributes of EMPLOYEE and DEPARTMENT except for SALARY,
MGRSSN, and MGRSTARTDATE.
3. Account C retrieve or modify WORKS_ON but can only retrieve the FNAME, MINIT, LNAME, SSN
attributes of EMPLOYEE and the PNAME, PNUMBER attributes of PROJECT.
4. Account D can retrieve any attribute of EMPLOYEE or DEPENDENT and can modify DEPENDENT.
5. Account E can retrieve any attribute of EMPLOYEE but only for EMPLOYEE tuples that have DNO = 3.
top related