Access Control - PowerPoint PPT Presentation

Slides: 40
Provided by: jqu1
1
Access Control
  • Ensures that all direct accesses to objects are
    authorized
  • Protects against accidental and malicious threats
    by regulating the reading, writing and execution of
    data and programs

2
Access Control
  • Needs
  • - Proper user identification
  • - Information specifying the access rights is
    protected from modification

3
Access Control
  • Access control components
  • - Access control policy: specifies the
    authorized accesses of a system
  • - Access control mechanism: implements
    and enforces the policy

4
Access Control Policies
  • Discretionary Access Control (DAC)
  • - concerned with defining, modeling, and enforcing
    access to information
  • Mandatory Access Control (MAC)
  • - requires that data items and users are assigned
    to certain security labels
  • Role-Based Access Control (RBAC)
  • - approach to restricting system access to
    authorized users

5
Access Control
  • Subject: active entity that requests access to an
    object
  • - e.g., user or program
  • Object: passive entity accessed by a subject
  • - e.g., record, relation, file
  • Access right (privilege): how a subject is
    allowed to access an object
  • - e.g., subject s can read object o

6
Discretionary Access Control (DAC)
  • Typical method to enforce DAC in a DBMS is
    user-based grant / revoke of privileges
  • For each subject, the access rights to the objects
    are defined.
  • Problems
  • - Propagation of access rights
  • - Revocation of propagated access rights

7
DAC
  • Access Matrix Model
  • - Represents two main entities: objects and
    subjects
  • - Columns represent objects
  • - Rows represent subjects
  • - Objects: tables, views, procedures, database
    objects
  • - Subjects: users, roles, privileges, modules
  • - Authorization: a cell of the matrix

8
DAC
  [Figure: access matrix with subjects as rows and objects as columns]
  • Access Matrix Model (Harrison-Ruzzo-Ullman)
  • Authorized state Q = (S, O, A)
  • Conditions (dependent on)
  • - Data
  • - Time
  • - Context
  • - History

9
DAC
  • Access Modes Model
  • - Based on the Take-Grant Model.
  • - Uses both the subject and object entities as the
    main security entities
  • - Access modes indicate the tasks that a subject is
    allowed to perform on an object.
  • Static Modes
  • - Use (level 1): allows the subject to use the object
    without modifying the object
  • - Read (level 2): allows the subject to read the
    contents of the object
  • - Update (level 3): allows the subject to modify the
    contents of the object
  • - Create (level 4): allows the subject to add
    instances to the object
  • - Delete (level 5): allows the subject to remove
    instances of the object

10
DAC
  • Access Modes Model (2)
  • Dynamic Modes
  • - GRANT (level 1): allows the subject to grant any
    static access mode to any other subject
  • - REVOKE (level 1): allows the subject to revoke a
    granted static access mode from a subject
  • - DELEGATE (level 2): allows the subject to pass the
    grant privilege on to other subjects
  • - ABROGATE (level 2): allows the subject to grant
    the revoke privilege to other subjects

11
DAC by Views
  • Employee relation
  • CREATE VIEW camping_dept AS SELECT Name, Salary,
    Manager FROM Employee WHERE Dept = 'Camping'
  • camping_dept view
  [Figure: the Employee relation and the camping_dept view derived from it]
12
DAC by Grant and Revoke
  [Figure: grant graph among the subjects Brown (owner), Black, Red and White]
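The grant graph of slide 12 and the two DAC problems of slide 6 (propagation of rights, and revocation of propagated rights), as an added example that is not part of the original slides; the grant sequence in demo() is constructed for illustration and the cascading-revoke rule follows SQL's REVOKE ... CASCADE rather than any algorithm the slides name.

```python
# Added example (not from the slides): a grant graph for one object modelling
# the GRANT, REVOKE and DELEGATE modes of slide 10 and the two DAC problems of
# slide 6 (propagation, and revocation of propagated rights). Subjects follow
# slide 12 (Brown owns the object); the grant sequence in demo() is constructed.

class GrantGraph:
    """Each recorded grant is (grantor, grantee, right, with_grant_option)."""
    def __init__(self, obj, owner):
        self.obj, self.owner, self.grants = obj, owner, []

    def holds(self, subject, right, need_grant_option=False):
        """The owner holds every right; others only through a recorded grant."""
        if subject == self.owner:
            return True
        return any(gtee == subject and r == right and (wg or not need_grant_option)
                   for _, gtee, r, wg in self.grants)

    def grant(self, grantor, grantee, right, with_grant_option=False):
        # Propagation rule: a subject may pass on only a right it owns or
        # holds with the grant option (DELEGATE on slide 10).
        if not self.holds(grantor, right, need_grant_option=True):
            raise PermissionError(f"{grantor} may not grant {right} on {self.obj}")
        self.grants.append((grantor, grantee, right, with_grant_option))

    def revoke(self, grantor, grantee, right):
        """Cascading revoke: drop the grant, then repeatedly drop every grant
        whose grantor no longer holds the right with the grant option (what
        SQL's REVOKE ... CASCADE does). Caveat: mutual grants between two
        non-owners would sustain each other; timestamped grants fix that."""
        self.grants = [g for g in self.grants if g[:3] != (grantor, grantee, right)]
        changed = True
        while changed:
            changed = False
            for g in list(self.grants):
                if not self.holds(g[0], g[2], need_grant_option=True):
                    self.grants.remove(g)
                    changed = True

def demo():
    """Chain Brown -> Black -> Red -> White, plus a direct Brown -> Red grant."""
    emp = GrantGraph("Employee", owner="Brown")
    emp.grant("Brown", "Black", "read", with_grant_option=True)
    emp.grant("Black", "Red", "read", with_grant_option=True)
    emp.grant("Red", "White", "read")
    emp.grant("Brown", "Red", "read")
    readers = lambda: [s for s in ("Black", "Red", "White") if emp.holds(s, "read")]
    before = readers()
    emp.revoke("Brown", "Black", "read")  # Black and White lose read; Red keeps it
    return before, readers()
```

Red survives the cascade only because of the independent grant from the owner; White's right came solely through the revoked chain and disappears with it.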
13
DAC and Trojan Horse (1)
  [Figure: access matrix. Brown: read, write on Employee;
   Black and Brown: read, write on Black's Employee]
14
DAC and Trojan Horse (2)
  [Figure: same matrix as slide 13; Brown uses a shared program
   (Word Processor) that operates on Employee and Black's Employee]
15
Mandatory Access Control
  • Elements
  • - Objects, with classifications: class(o)
  • - Subjects, with clearances: clear(s)
  • Levels: Top Secret, Secret, Confidential, Unclassified
16
MAC (2)
  • Security labels
  • - Top-Secret, Secret, Confidential, Unclassified
  • Objects: security classification
  • - File 1 is Secret, File 2 is Public
  • Subjects: security clearances
  • - Brown is cleared to Secret, Black is cleared to
    Public
  • Dominance (≥)
  • - Top-Secret > Secret > Confidential >
    Unclassified

17
MAC(3)
  • Access rights defined by comparing the security
    classification of the requested objects with the
    security clearance of the subject
  • If access control rules are satisfied, access is
    permitted
  • Otherwise access is rejected
  • Granularity of access rights!

18
MAC(4)- Bell-LaPadula (BLP) Model
  • Rules
  • - Simple Property: subject s is allowed to read
    data item d if clear(s) ≥ class(d)
  • - *-Property: subject s is allowed to write data
    item d if clear(s) ≤ class(d)
  • Simple Property protects information from
    unauthorized access
  • *-Property protects data from contamination or
    unauthorized modification

No direct flow of information from high security
objects to low security objects!
19
BLP and Trojan Horse
  [Figure: Employee (Secret, contents "24 hour monitoring of Red's
   activities") and Black's Employee (Public). Brown (Secret) uses the
   shared Word Processor program, which tries to copy Employee to
   Black's Employee; Black is cleared to Public]
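The BLP rules of slide 18 applied to the Trojan horse of slides 14 and 19, as an added example that is not part of the original slides; it models the slides' "Public" level as Unclassified and assumes the shared program runs at the clearance of Brown's session.

```python
# Added example (not from the slides): the two BLP rules of slide 18 over the
# levels of slides 15 and 16, next to the DAC matrix of slides 13 and 14, to
# show why the Trojan horse succeeds under DAC and is stopped under BLP.
# "Public" in the slides' examples is taken to be the Unclassified level.
LEVELS = {"Unclassified": 0, "Public": 0, "Confidential": 1,
          "Secret": 2, "Top-Secret": 3}

def dominates(a, b):
    """Dominance of slide 16: a >= b in Top-Secret > Secret > Confidential > Unclassified."""
    return LEVELS[a] >= LEVELS[b]

def blp_allows(mode, clear_s, class_d):
    """Simple property: read needs clear(s) >= class(d) (no read up).
    *-property: write needs clear(s) <= class(d) (no write down).
    Together they stop any flow from a high object to a low one."""
    if mode == "read":
        return dominates(clear_s, class_d)
    if mode == "write":
        return dominates(class_d, clear_s)
    raise ValueError(f"unknown access mode {mode!r}")

# DAC access matrix of slide 14: (subject, object) -> set of rights.
DAC_MATRIX = {
    ("Brown", "Employee"): {"read", "write"},
    ("Brown", "Black's Employee"): {"read", "write"},
    ("Black", "Black's Employee"): {"read", "write"},
}

def dac_allows(subject, obj, mode):
    """DAC decides purely from the matrix cell; it knows nothing about labels."""
    return mode in DAC_MATRIX.get((subject, obj), set())

def trojan_horse():
    """Brown runs the shared word processor, which secretly tries to copy
    Employee into Black's Employee so that Black can read it (slides 14, 19).
    The program acts with Brown's identity under DAC and, under BLP, at the
    Secret level of Brown's session."""
    dac = (dac_allows("Brown", "Employee", "read")
           and dac_allows("Brown", "Black's Employee", "write"))
    # Labels from slide 19: Employee is Secret, Black's Employee is Public.
    blp = (blp_allows("read", "Secret", "Secret")
           and blp_allows("write", "Secret", "Public"))
    return {"copy succeeds under DAC": dac, "copy succeeds under BLP": blp}
```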
20
RBAC Motivation
  • Express organizational policies
  • - Separation of duties
  • - Delegation of authority
  • Permissions are associated with roles, and users
    are assigned to appropriate roles
  • Flexible: easy to modify to meet new security
    requirements
  • Ensures that only authorized users are given
    access to certain data or resources
  • Supports
  • - Least-privilege
  • - Separation of duties
  • - Data abstraction

21
RBAC0
  [Figure: U (Users) --user assignment-- R (Roles)
   --permission assignment-- P (Permissions); S (Sessions)]
22
Secure databases
  • Traditional database security topics and issues
  • Users, Passwords
  • - Default users/passwords
  • - sys, system accounts: privileged, with default
    passwords
  • - scott account: well-known account and password,
    part of public group
  • - General password policies (length, domain,
    changing, protection)
  • - e.g. public can access the all_users table
  • Privileges, Roles, Grant/Revoke
  • - Privileges: system (actions) and object (data)
  • - Roles: collections of system privileges
  • - Grant / Revoke: giving (removing) privileges or
    roles to (from) users

23
Secure DBMS
  • Possible Holes in DBMS
  • - http://technet.oracle.com/deploy/security/alerts.htm
    (50 listed)
  • - Buffer overflow problems in DBMS code
  • - Miscellaneous attacks (Denial of Service, source
    code disclosure of JSPs, others)
  • - UTL_FILE package in PL/SQL: allows read/write
    access to files in the directory specified by the
    utl_file_dir parameter in init.ora; possible access
    through symbolic links
  • Need for continual patching of DBMS
  • - Encourage awareness of issues, continuous
    vigilance
  • - Cost of not patching: SQL Slammer Worm

24
Secure Application Development
  • Access to Oracle Database or Environment Through
    Applications
  • Example: SQL Injection Attack through a Web
    Application
  • - Application tracks its own usernames and passwords
    in the database
  • - Client accepts username and password, passes them
    as parameters
  • - Application Java code contains the SQL statement
      String query = "SELECT * FROM users_table " +
          " WHERE username = '" + username + "'" +
          " AND password = '" + password + "'";
  • - Expecting one row to be returned on success, no
    rows on failure
  • - Attacker enters any username, and a password of
      Aa' OR ''='
  • - Query becomes
      SELECT * FROM users_table WHERE
      username = 'anyname' AND password = 'Aa' OR '' = ''
      // F or T => T
  • - All user rows returned to application
  • - If application is checking for 0 vs. more than 0
    rows, attacker is in

25
Secure Application Development
  • Application Security in the Enterprise
    Environment
  • J2EE
  • .NET
  • Use of Proxies
  • Security Patterns

26
DBMSs and Web Security
  • Internet communication relies on TCP/IP as the
    underlying protocol.
  • However, TCP/IP and HTTP were not designed with
    security in mind. Without special software, all
    Internet traffic travels in the clear and
    anyone who monitors traffic can read it.

27
DBMSs and Web Security
  • Must ensure, while transmitting information over
    the Internet, that:
  • - it is inaccessible to anyone but sender and
    receiver (privacy)
  • - it is not changed during transmission (integrity)
  • - receiver can be sure it came from sender
    (authenticity)
  • - sender can be sure receiver is genuine
    (non-fabrication)
  • - sender cannot deny he or she sent it
    (non-repudiation).
  • Must also protect information once it has reached
    the Web server.

28
DBMSs and Web Security
  • Downloads may have executable content, which can
    perform the following malicious actions
  • - Corrupt data or execution state of programs.
  • - Reformat complete disks.
  • - Perform a total system shutdown.
  • - Collect and download confidential data.
  • - Usurp identity and impersonate user.
  • - Lock up resources.
  • - Cause non-fatal but unwelcome effects.

29
DBMSs and Web Security
  • Measures include
  • Proxy servers
  • Firewalls
  • Message digest algorithms and digital signatures
  • Digital certificates
  • Kerberos
  • Secure sockets layer (SSL) and Secure HTTP
    (S-HTTP)
  • Secure Electronic Transactions (SET) and Secure
    Transaction Technology (SST)
  • Java security
  • ActiveX security.

30
Securing DB Applications
  • "75 percent of hacks happen at the application
    level" (Gartner, Security at the Application Level).
  • The main battlefield between hackers and
    security professionals has moved from the
    network layer to the web applications

31
SQL Injection
  • Web Application where
  • 1) User inputs text into a textbox
  • 2) Text is used to build an SQL query dynamically
  • 3) Malicious input changes the nature of the
    query
  • Example: user inputs names into the textbox
  • - Name = Benjamin Franklin' OR 1=1
  • - SqlStr = "SELECT * FROM EMPLOYEE
      WHERE EMPLOYEE.Name = '" + userInput + "'"
  • - SqlStr = SELECT * FROM EMPLOYEE
      WHERE EMPLOYEE.Name =
      'Benjamin Franklin' OR 1=1
  • Result: every row of the EMPLOYEE table will be
    returned

32
SQL Injection - Solution
  • Similar to buffer overflow:
    validate user input.
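The login query of slide 24 and the EMPLOYEE lookup of slide 31 rebuilt on an in-memory SQLite database, each beside a version using bind parameters (the usual robust form of slide 32's advice), as an added example that is not part of the original slides; the tables, rows and the quote-balanced variant of slide 31's input are constructed here.

```python
import sqlite3

# Added example (not from the slides): the concatenated queries of slides 24
# and 31 next to parameterised versions. Tables and rows are constructed.

def make_db():
    """Constructed in-memory database with the two tables the slides mention."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users_table VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    db.execute("CREATE TABLE EMPLOYEE (Name TEXT, Salary INTEGER)")
    db.executemany("INSERT INTO EMPLOYEE VALUES (?, ?)",
                   [("Benjamin Franklin", 100), ("Ada Lovelace", 120)])
    return db

def login_concat(db, username, password):
    """Slide 24: input spliced into the SQL text, so a quote in the password
    ends the literal and the remainder is parsed as SQL. Returns row count."""
    query = ("SELECT * FROM users_table"
             " WHERE username = '" + username + "'"
             " AND password = '" + password + "'")
    return len(db.execute(query).fetchall())

def login_param(db, username, password):
    """Same query with bind parameters: the input is only ever a value,
    never part of the statement's structure."""
    query = "SELECT * FROM users_table WHERE username = ? AND password = ?"
    return len(db.execute(query, (username, password)).fetchall())

def employees_concat(db, user_input):
    """Slide 31: SqlStr built from the textbox contents."""
    sql = "SELECT * FROM EMPLOYEE WHERE EMPLOYEE.Name = '" + user_input + "'"
    return len(db.execute(sql).fetchall())

def employees_param(db, user_input):
    """Parameterised form of the slide 31 query."""
    sql = "SELECT * FROM EMPLOYEE WHERE EMPLOYEE.Name = ?"
    return len(db.execute(sql, (user_input,)).fetchall())
```

With the slide 24 password the concatenated login returns every user row while the parameterised one returns none; the same input that dumps the whole EMPLOYEE table through employees_concat matches no row through employees_param.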

33
Secure Operating System
  • Interaction of Oracle and OS
  • Restrict access to data files and directory.
  • Windows
  • Secure administrative accounts
  • Control registry access
  • Implement good account policies
  • Linux/Unix
  • Choose different account names than standard
    suggestions
  • Restrict use of the account that owns Oracle
    software
  • Secure temporary directory

34
Secure Web Server
  • Interaction of Oracle and Web Server
  • Apache is now provided within Oracle as its
    application server, started by default
  • Apache issues
  • Standard configuration has some potential
    problems
  • See Oracle Security Handbook for more discussion
  • Use MaxClients to limit possible connections
  • Other Web Servers typically less secure

35
Secure Network
  • Interaction of Oracle and Network
  • Oracle Advanced Security (OAS) product
  • Features for
  • Authentication
  • Integrity
  • Encryption use of SSL
  • Oracle server generally behind firewall
  • Good to separate DB and web servers
  • Connections initiated at 1521, but then
    dynamically selected
  • Other Issues to consider
  • Possibility of hijacking a sys/sysmgr connection
  • Various sniffing and spoofing issues

36
Triggers and Stored Procedures
  • Implementation of Triggers and Stored Procedures
    that enforce the matrix.
  • Implementation of Triggers and Stored Procedures
    that perform Database Auditing
  • Triggers: Before, After, Instead Of

37
Auditing
  • Check logs to see if all access that has occurred
    corresponds to accessibility matrix

38
Literature
  • Sam Afyouni, Database Security and Auditing:
    Protecting Data Integrity and Accessibility.
    Course Technology, 2005. ISBN 0-619-21559-3.
  • David C. Knox, Effective Oracle Database 10g
    Security by Design. McGraw Hill, 2004.
    ISBN 0-07-223130-0.

39
Oracle DB Security Innovations
  [Figure: timeline of Oracle database security features, from a
   government customer in 1977 to 2007, listing:]
  • Oracle Audit Vault
  • Oracle Database Vault
  • DB Security Evaluation 19
  • Transparent Data Encryption
  • EM Configuration Scanning
  • Fine Grained Auditing (9i)
  • Secure application roles
  • Client Identifier / Identity propagation
  • Oracle Label Security
  • Proxy authentication
  • Enterprise User Security
  • Global roles
  • Virtual Private Database (8i)
  • Database Encryption API
  • Strong authentication (PKI, Kerberos, RADIUS)
  • Native Network Encryption (Oracle7)
  • Database Auditing