
CS551 Project - Security of Databases

Security of Databases

By Christopher DiBiagio-Wood, Yves LéPouchard, Yiting Nan, Kendrick Hang, Ted Hsu


04/26/2000

University of Virginia - CS551 Project - Security of Databases


Outline

Topics:
- Database Security Overview
- Object Oriented Database Security
- SQL
- Oracle® and MS® SQL Server
- Active Databases
- Data Warehousing and Mining
- Real-time databases
- Conclusion


Overview of Database Security

The 3 primary goals of DB Security:
- Secrecy: data is not disclosed to unauthorized users
- Integrity: only authorized users can modify the data
- Availability: authorized users are only denied access to data when absolutely necessary (example: table locked for a write operation)


Models of Database Security

- Access Control Lists: all users are given lists of rights to all objects in the database (like OSes)
- Flow Control: information passage between objects is governed by data flow rules
- Bell-LaPadula Model: has two important properties; the basis of mandatory access control


Comparison of Flow vs. ACLs


Mandatory Access Control

Bell-LaPadula Model (saw this before):
1. Simple Security Property: A subject S can read an object O only if [class (O)] <= [class (S)]
2. *-Property (Confinement): A subject S can write to an object O only if [class (O)] >= [class (S)]

- Based on military security ideals, it is described in terms of objects, subjects, security classes, and clearances
- Security classes are usually ordered TS > S > C > U
- Given that objects are given security classes and subjects are given clearances, the database system enforces the security policies using the 2 rules of the above model
- The key issue is that mandatory access control is a system-wide policy, not a user-controlled access system
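The two rules checked in code, as an added example that is not part of the slides: a reference-monitor style decision over the linear TS > S > C > U order above. The subject, the table names and the SQL operation names are constructed.

```python
# Added example (not from the slides): Bell-LaPadula checks for a DBMS
# over the lattice TS > S > C > U. Subject, tables and operations below
# are constructed for illustration.
from dataclasses import dataclass

CLASSES = ["U", "C", "S", "TS"]           # ordered low to high: TS > S > C > U
RANK = {c: i for i, c in enumerate(CLASSES)}


def dominates(a: str, b: str) -> bool:
    """True if security class a is at least as high as class b."""
    return RANK[a] >= RANK[b]


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass(frozen=True)
class DBObject:
    name: str             # a table, row or column, whatever the DBMS labels
    classification: str


def can_read(s: Subject, o: DBObject) -> bool:
    """Simple security property: read only if class(O) <= class(S)."""
    return dominates(s.clearance, o.classification)


def can_write(s: Subject, o: DBObject) -> bool:
    """*-property (confinement): write only if class(O) >= class(S)."""
    return dominates(o.classification, s.clearance)


def mediate(s: Subject, o: DBObject, op: str) -> str:
    """Reference-monitor decision for one SQL operation. The policy is
    system-wide: neither the subject nor the object's owner can waive it."""
    if op == "select":
        allowed = can_read(s, o)
    elif op in ("insert", "update", "delete"):
        allowed = can_write(s, o)
    else:
        raise ValueError(f"unknown operation {op!r}")
    return "permit" if allowed else "deny"


def demo() -> dict:
    """A Secret-cleared analyst against tables classified U, S and TS (constructed)."""
    analyst = Subject("analyst", "S")
    tables = {
        "U": DBObject("public_notices", "U"),
        "S": DBObject("mission_plans", "S"),
        "TS": DBObject("source_identities", "TS"),
    }
    return {
        f"{op} {cls}": mediate(analyst, tbl, op)
        for cls, tbl in tables.items()
        for op in ("select", "update")
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:10s} -> {decision}")
```

Read-down and write-up are permitted, read-up and write-down are denied, which is exactly what stops a Secret subject from copying Secret rows into an Unclassified table.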


Discretionary Access Control

- Uses privileges that are granted and revoked between users
- Weaker than mandatory access control
- Strongly linked to SQL92. Can grant privileges like this:

  GRANT privileges ON object TO users [WITH GRANT OPTION]

- Grantable privileges include: select, insert, update, delete, and references
- Revoking a privilege can cause cascading revocations
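Cascading revocation worked through in code, as an added example that is not part of the slides. It models SQL92-style grants where only the owner or a holder of WITH GRANT OPTION may re-grant; the user names, the object account_access and the privilege names are constructed.

```python
# Added example (not from the slides): SQL92-style discretionary grants with
# WITH GRANT OPTION and cascading REVOKE. Users, object and privilege names
# are constructed for illustration.
from collections import defaultdict


class GrantGraph:
    """Tracks who granted which privilege to whom on a single object.

    Every grant is an edge (grantor, grantee, with_grant_option). A user
    holds a privilege only while a chain of grant-option edges connects the
    owner to that user's grantor; revoking an edge therefore cascades to
    every grant that no longer has such a chain behind it.
    """

    def __init__(self, owner: str, obj: str):
        self.owner = owner
        self.obj = obj
        self.edges = defaultdict(set)   # privilege -> {(grantor, grantee, wgo)}

    def _granters(self, priv: str) -> set:
        """Users who may currently re-grant priv: owner plus grant-option chain."""
        granters = {self.owner}
        changed = True
        while changed:
            changed = False
            for grantor, grantee, wgo in self.edges[priv]:
                if wgo and grantor in granters and grantee not in granters:
                    granters.add(grantee)
                    changed = True
        return granters

    def holds(self, user: str, priv: str) -> bool:
        """Does user currently hold priv, directly or through a valid chain?"""
        if user == self.owner:
            return True
        granters = self._granters(priv)
        return any(gr in granters and ge == user
                   for gr, ge, _ in self.edges[priv])

    def grant(self, grantor: str, priv: str, grantee: str,
              with_grant_option: bool = False) -> None:
        """GRANT priv ON obj TO grantee [WITH GRANT OPTION]."""
        if grantor not in self._granters(priv):
            raise PermissionError(f"{grantor} cannot grant {priv} on {self.obj}")
        self.edges[priv].add((grantor, grantee, with_grant_option))

    def revoke(self, grantor: str, priv: str, grantee: str) -> list:
        """REVOKE priv ON obj FROM grantee, cascading to dependent grants.

        Returns every edge that disappeared, so an auditor can see the cascade.
        """
        before = set(self.edges[priv])
        self.edges[priv] = {e for e in before
                            if not (e[0] == grantor and e[1] == grantee)}
        changed = True
        while changed:                  # drop grants whose grantor lost the right
            changed = False
            granters = self._granters(priv)
            for edge in list(self.edges[priv]):
                if edge[0] not in granters:
                    self.edges[priv].discard(edge)
                    changed = True
        return sorted(before - self.edges[priv])


def demo() -> tuple:
    """Cascade walk-through; dave keeps SELECT because alice also granted it directly."""
    g = GrantGraph(owner="alice", obj="account_access")
    g.grant("alice", "select", "bob", with_grant_option=True)
    g.grant("bob", "select", "carol", with_grant_option=True)
    g.grant("carol", "select", "dave")
    g.grant("alice", "select", "dave")
    revoked = g.revoke("alice", "select", "bob")
    return revoked, {u: g.holds(u, "select") for u in ("bob", "carol", "dave")}


if __name__ == "__main__":
    print(demo())
```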


Discretionary Access Example


Views/Roles

Views:
- users can pass rights for only certain columns or rows in a table (more specific access control)
- the underlying representation of the view is unknown to the recipient

Roles:
- privileges are associated with a job rather than a user, because this is often more natural
- users are assigned to roles in the system
- roles can be assigned sub-roles for nesting


Covert Channels

A Difficult Problem:
- This is an extremely hard-to-combat method of passing data through unexpected pathways (not new)
- For instance, use differential commit transactions to pass ‘1’ or ‘0’ from a higher level DB user to a lower level one
- Stopping this kind of attack often requires limiting the database to one op at a time
- You can also formally prove that a covert attack is not possible (extremely difficult to do)


Inference

Inference attacks produce protected information from databases by logical deduction (usually statistical). Examples:
- Salary of the company president is protected, but not the MAX of salaries in the database, which is a statistical query
- The number of top rated people is protected, but not the average rating of the top n, n+1, . . . until the average drops
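An inference controller that refuses both queries above while still answering disjoint statistical queries, as an added example that is not part of the slides. The employee rows and the thresholds k and max_overlap are constructed.

```python
# Added example (not from the slides): an inference controller for
# statistical queries. It refuses extreme-value aggregates, query sets that
# are tiny or near-complete, and query sets that overlap an earlier answer
# too much (the "top n, n+1, ..." trick). Rows are constructed sample data.

EMPLOYEES = [  # constructed: name, rating, salary
    {"name": "ada", "rating": 98, "salary": 250_000},  # company president
    {"name": "bo", "rating": 91, "salary": 120_000},
    {"name": "cy", "rating": 90, "salary": 110_000},
    {"name": "di", "rating": 88, "salary": 105_000},
    {"name": "ed", "rating": 85, "salary": 99_000},
    {"name": "fi", "rating": 80, "salary": 95_000},
    {"name": "gu", "rating": 77, "salary": 90_000},
    {"name": "ho", "rating": 70, "salary": 85_000},
]


class InferenceController:
    """Mediates aggregate queries over a table of individual records."""

    SAFE_AGGREGATES = ("count", "sum", "avg")

    def __init__(self, rows, k=2, max_overlap=2):
        self.rows = rows
        self.k = k                      # query-set-size bound: k <= |C| <= N-k
        self.max_overlap = max_overlap  # records two answered sets may share
        self.answered = []              # query sets already released

    def query(self, agg, column, predicate):
        """Return ("ok", value) or ("refused", reason)."""
        if agg not in self.SAFE_AGGREGATES:
            # MAX/MIN of a column is one individual's value (the president's salary)
            return ("refused", "extreme-value aggregate")
        qset = frozenset(i for i, r in enumerate(self.rows) if predicate(r))
        n = len(self.rows)
        if not (self.k <= len(qset) <= n - self.k):
            # too small identifies someone; too large lets a complement query do it
            return ("refused", "query-set-size")
        for prev in self.answered:
            if prev != qset and len(qset & prev) > self.max_overlap:
                # differencing two nearly identical sets isolates the rows that differ
                return ("refused", "query-set-overlap")
        self.answered.append(qset)
        values = [self.rows[i][column] for i in qset]
        if agg == "count":
            return ("ok", len(values))
        if agg == "sum":
            return ("ok", sum(values))
        return ("ok", sum(values) / len(values))


def demo():
    """Replays the two attacks from the slide, then a legitimate query that still passes."""
    ic = InferenceController(EMPLOYEES)
    return [
        ic.query("max", "salary", lambda r: True),                 # president's salary
        ic.query("avg", "salary", lambda r: r["name"] == "ada"),   # single-row query
        ic.query("avg", "rating", lambda r: r["rating"] >= 88),    # top 4: answered
        ic.query("avg", "rating", lambda r: r["rating"] >= 85),    # top 5: overlaps top 4
        ic.query("avg", "salary", lambda r: r["rating"] < 88),     # disjoint set: answered
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```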


Auditing

- Similar to OS auditing
- A retroactive technique to check whether improper access to database information has been obtained
- This allows corrective action to be taken (sometimes automated as part of the audit system)
- It can also notify the DBA of potential security breakdowns or corrupted data and set other processes in motion


Encryption

- Information can be stored as ciphertext within the database
- This keeps those who steal the data from being able to decrypt it, because they do not know the keys
- This step serves as a good second layer of defense for a data fortress


Object-Oriented Databases

= database containing OO data
- Data encapsulated in Objects
- Objects = instances of classes
- Objects have attributes / variables
- Objects have methods (functions)
- Objects communicate via messages
- Inheritance hierarchy
- Definition of Object-Oriented is controversial


Orion (1)

= discretionary security model for OODB
- Role-based (Role Lattice)
- Classes (AOS) and instances (AOL)
- Access modes (AAM & ATL): Write, Read, Generate, Write any, Read Definition
- Authorizations: explicit / implicit, positive / negative, strong / weak


Orion (2)


Orion (3)

- Propagation of access modes is restricted: A.up (WA, RD) / A.down (W, R) / A.nil (G)
- 6 formal rules describe this propagation, e.g. authorizations with access mode belonging to A.down are propagated for subjects at higher levels, and for objects at lower levels, as described in the corresponding lattices


Message filter (1)

= mandatory security model based on Bell-LaPadula rules
- The message filter mediates every message exchanged between objects
- Subjects and objects are considered as objects in the BLP meaning
- An object has an immutable security level
- Alterations to an object (like its creation) consist of a message which is sent by the object to itself


Message filter (2)

Two basic rules:
- the level of an instance object must dominate the level of the class of which the object is an instance
- the level of a subclass must dominate the level of its super class(es)

Three decisions of the message filter: block, let flow or enforce restriction
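The three decisions worked in code, as an added example that is not part of the slides. It assumes the Jajodia and Kogan message-filter semantics (deliver but hide the reply for a write up, deliver in restricted mode for a read down, block incomparable levels) and uses a constructed lattice with compartments so that incomparable levels actually occur; object names and state are constructed.

```python
# Added example (not from the slides): a message filter in the style of the
# Jajodia-Kogan model, mediating get/set messages between objects whose
# security levels never change. The (rank, compartments) lattice, object
# names and state are constructed for illustration.
from dataclasses import dataclass, field

# A level is (rank, compartments); TS > S > C > U is rank 3 > 2 > 1 > 0.
# Compartments make some pairs of levels incomparable, which is where the
# "block" decision matters.
U = (0, frozenset())
S_CRYPTO = (2, frozenset({"crypto"}))
S_NUKE = (2, frozenset({"nuke"}))


def dominates(a, b) -> bool:
    """a dominates b if its rank is at least b's and it holds all of b's compartments."""
    return a[0] >= b[0] and a[1] >= b[1]


@dataclass
class Obj:
    name: str
    level: tuple                 # immutable: the filter never rewrites it
    state: dict = field(default_factory=dict)


class MessageFilter:
    """Every message goes through decide(); objects never talk directly."""

    def __init__(self):
        self.log = []            # (sender, receiver, method, decision)

    def decide(self, sender: Obj, receiver: Obj) -> str:
        if sender is receiver or sender.level == receiver.level:
            return "flow"        # same level (or a self-message): unrestricted
        if dominates(receiver.level, sender.level):
            return "flow-nil"    # write up: deliver, but hide the reply from the low sender
        if dominates(sender.level, receiver.level):
            return "restricted"  # read down: deliver, but the low receiver may not update
        return "block"           # incomparable levels: nothing flows

    def send(self, sender: Obj, receiver: Obj, method: str, *args):
        decision = self.decide(sender, receiver)
        self.log.append((sender.name, receiver.name, method, decision))
        if decision == "block":
            return None
        if method == "get":
            result = receiver.state.get(args[0])
        elif method == "set":
            if decision == "restricted":
                result = "update-suppressed"   # would be a write-down into the receiver
            else:
                receiver.state[args[0]] = args[1]
                result = "updated"
        else:
            raise ValueError(f"unknown method {method!r}")
        return None if decision == "flow-nil" else result


def demo() -> dict:
    f = MessageFilter()
    notices = Obj("notices", U, {"headline": "open day"})
    plans = Obj("plans", S_CRYPTO, {"key_owner": "ada"})
    logistics = Obj("logistics", S_NUKE)
    return {
        "read_down": f.send(plans, notices, "get", "headline"),
        "write_down": f.send(plans, notices, "set", "headline", "leak"),
        "write_up": f.send(notices, plans, "set", "note", "hello"),
        "read_up": f.send(notices, plans, "get", "key_owner"),
        "incomparable": f.send(plans, logistics, "get", "anything"),
        "self_update": f.send(plans, plans, "set", "key_owner", "bo"),
        "notices_state": dict(notices.state),
        "plans_state": dict(plans.state),
        "decisions": [entry[3] for entry in f.log],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```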


How SQL handles security

View: A view is a virtual table. For example:

  Create or replace view RESTRICTED_NAMES as
    Select * from NAME
    Where Name = User;

Authority: SQL99 is based on the Role model.


Authority

Advantages of the Role-based model:
- Permits enforcement of least privilege
- Permits enforcement of the separation of duties principle
- Simplifies the authorization management task
- Allows for more powerful administrative policies


Example - Oracle 8

A role can be granted two kinds of database privileges: system privileges and object privileges.

  CREATE ROLE clerk;
  CREATE ROLE manager;
  GRANT SELECT ON account_access TO clerk;
  GRANT clerk TO manager;
  REVOKE SELECT ON account_access FROM clerk;
  DROP ROLE clerk;

A role can also be authorized by the operating system or network. The SQL statement is like:

  CREATE ROLE account_access IDENTIFIED EXTERNALLY;


Relational Databases

- SQL is the standard relational database language
- Two widely used commercial relational databases:
  - SQL Server 7 by Microsoft
  - Oracle 8/8i by Oracle


Relational Databases

Microsoft SQL Server Security

Claim: “SQL Server 7.0 makes far-reaching enhancements in data security by completely integrating Microsoft Windows NT security into the SQL Server core”


Relational Databases

Microsoft SQL Server Security Features:
- Security Modes
- Roles
- Permissions
- Networking Protocols

Version 7 is the first to provide these features


Relational Databases

Oracle 8/8i Security Features:
- Authentication Modes: Oracle, Host OS, Third-Party
- Privileges: 2 types, system and object
- Stored Procedures: call procedures instead of modifying data


Relational Databases

Oracle 8/8i Security Features:
- Virtual Private Database: fine grained control at DB level instead of app level for client interfaces
- Roles
- Auditing
- Database Encryption: choose from full, partial, or off-line


Relational Databases

- SQL Server and Oracle 8i are widely used on the Internet
- What mechanisms do we have when we operate on the Internet?
  - Still dependent on the operating system
  - New features include secure networking and secure services


Active Databases

What is an active database?
- Automatically executes actions
- Reactive behavior

Benefits:
- Reactive behavior moved to DBMS
- DBMS can react to & monitor specific events
- Centralized & timely


Need for Rules System

- Most active database definitions are informal
- Need a formal definition
- Helps define clear & maintainable policy


Active database model

- Knowledge Model: describes rules
  - Event
  - Condition
  - Action
  - ECA (Event-condition-action)
- Execution Model: describes behaviors associated with a rule


Termination Problem

- Event conditions can call other events
- Possibility of infinite loop
- Solutions:
  - Static analysis of the rule set
  - Limit the number of rules evaluated in sequence
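Both solutions from the slide, as an added example that is not part of the slides: a static cycle check on the rule triggering graph and a runtime cap on chained rule evaluations. The rules (audit logging, raise flagging, and a deliberately cyclic salary/bonus pair), their events and the row contents are constructed.

```python
# Added example (not from the slides): static cycle detection over an ECA
# rule set's triggering graph, plus a runtime bound on how many rules may
# fire in sequence. The rules below are constructed for illustration.
from collections import namedtuple

# name: rule id; event: what triggers it; condition/action: callables on the row;
# raises: events the action may raise, declared so the static check can see them
Rule = namedtuple("Rule", "name event condition action raises")


def triggering_graph(rules):
    """Edge r -> s whenever r's action may raise the event that triggers s."""
    return {r.name: [s.name for s in rules if s.event in r.raises] for r in rules}


def find_cycles(graph):
    """Names of rules on a cycle of the triggering graph (possible non-termination)."""
    colour, on_cycle = {}, set()

    def dfs(u, stack):
        colour[u] = "grey"
        stack.append(u)
        for v in graph[u]:
            if colour.get(v) == "grey":      # back edge: v..u is a cycle
                on_cycle.update(stack[stack.index(v):])
            elif v not in colour:
                dfs(v, stack)
        stack.pop()
        colour[u] = "black"

    for u in graph:
        if u not in colour:
            dfs(u, [])
    return sorted(on_cycle)


def run(rules, row, initial_event, max_chain=10):
    """Fire rules breadth-first; abort once max_chain rules ran in one transaction."""
    by_event = {}
    for r in rules:
        by_event.setdefault(r.event, []).append(r)
    queue, fired = [initial_event], []
    while queue:
        ev = queue.pop(0)
        for r in by_event.get(ev, []):
            if r.condition(row):
                if len(fired) >= max_chain:
                    raise RuntimeError(f"rule chain exceeded {max_chain}: {fired}")
                fired.append(r.name)
                queue.extend(r.action(row))
    return fired


def _log(row):
    row.setdefault("audit", []).append(("salary", row["salary"]))
    return ["insert:audit"]

def _flag(row):
    row["flag"] = True
    return ["update:flag"]

def _bonus(row):
    row["bonus"] = row["salary"] * 0.1
    return ["update:bonus"]

def _salary(row):
    row["salary"] = row["bonus"] * 10
    return ["update:salary"]


SAFE_RULES = [
    Rule("log_salary_change", "update:salary", lambda r: True, _log, ("insert:audit",)),
    Rule("flag_big_raise", "update:salary", lambda r: r["salary"] > 2 * r["old_salary"],
         _flag, ("update:flag",)),
    Rule("notify_dba", "update:flag", lambda r: True, lambda r: [], ()),
]
# sync_bonus and sync_salary trigger each other: the static check reports both
CYCLIC_RULES = SAFE_RULES + [
    Rule("sync_bonus", "update:salary", lambda r: True, _bonus, ("update:bonus",)),
    Rule("sync_salary", "update:bonus", lambda r: True, _salary, ("update:salary",)),
]
```

The static check catches the cycle before deployment; the chain limit is the safety net for cycles that only appear at runtime through conditions the static analysis cannot evaluate.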


Granularity

- Event granularity
- Transition granularity
- Net effect
  - Multiple event-rule pairs triggered
- Starburst
  - Check with transition table
  - Option to delay with later net effects


Need for Monitors

Needed to enforce policy. Monitors:
- Event Detector
- Condition Monitor
- Scheduler
- Query evaluator


Data Warehousing and Mining

- Data warehousing: a technique to integrate an organization’s distributed, autonomous, and heterogeneous data for use in analysis.
- Data mining: a technology that converts data in a data warehouse into useful information. It can give a complete picture of the data.


Security in Data Warehousing

Characteristics:
- Subject-oriented
- Integrated
- Time-variant
- Low volatility

Issues: security architectures, integrating multiple security policies for the warehouse, the inference problem, administering and auditing the warehouse.


Data Mining and Security

- As a technique to handle security problems, such as intrusion detection and database auditing, which find abnormal patterns in audit data.
- Security in data mining itself: the main problem is the inference problem. It is a dual-edged sword.


Data Mining - Challenges

- Same problem as statistical databases have: we do not know what it is we are trying to protect. This is the opposite of the problem raised by statistical/summary queries, where the value to be protected is the individual values of data instances.
- Model imprecise database inference
- Establish the granularity of inference and evaluate the potential of inference compromise
- Materialization of latent facts and rules (inference channels)
- Representation method to express common sense knowledge


Mining - Current Approaches

- Before-hand: adding an inference controller between data mining tools and the data warehouse.
- After-hand: use data mining tools to see whether sensitive information can be deduced.


Real-time Database Definition

A real-time database is a database in which each transaction has a deadline.

Implies: Real-time database correctness is based on both logical correctness and the timeliness of its actions.


Real-time DB Motivation

- Many RTDBS applications arise in safety-critical areas where enforcing security is crucial (aerospace, stock exchanges)
- A secure RTDBS has to simultaneously satisfy two conflicting requirements: guarantee data security and minimize the number of missed transaction deadlines.


Real-time Database Issues

- New architectural and transaction processing model
- New approaches to supporting transaction scheduling and concurrency control
- New specification language
- New metrics for evaluation


Real-time DB Proposals (1)

Assumption: Timeliness is more essential than security, and hence security can be traded for timeliness.

Solution: Define the notion of partial security. Classify transactions into three categories:
- class 1: Critical and periodic transactions
- class 2: Critical and aperiodic transactions
- class 3: Non-critical transactions


Real-time DB Proposals (2)

Assumption: Security is of utmost importance (i.e. it is a correctness criterion) whereas timeliness is a performance issue.

Solution: Simultaneously use different concurrency control protocols in order to guarantee security and improve real-time performance.


Conclusion

- Database security is a complex topic
- There are many different database paradigms and hence many different security models
- Commercial systems only implement part of the solutions to date
- More standardization is needed
- More research is needed


Our Web Page

Go here to learn more: www.cs.virginia.edu/~kjh7r