Computer Security 3e - PowerPoint PPT Presentation

1 / 43
About This Presentation
Title:

Computer Security 3e

Description:

Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann – PowerPoint PPT presentation

Number of Views:152
Avg rating:3.0/5.0
Slides: 44
Provided by: bti73
Category:

less

Transcript and Presenter's Notes

Title: Computer Security 3e


1
Computer Security 3e
  • Dieter Gollmann

www.wiley.com/college/gollmann
2
Chapter 9Database Security
3
Database Security
  • Databases store data and provide information to
    their users.
  • Database Security protection of sensitive data
    and mechanisms that allow users to retrieve
    information in a controlled manner.
  • Difference to Operating System Security Database
    Security control access to information more than
    access to data.
  • Focus on principals requesting access to database.

4
Objectives
  • Analyze the security issues specific to database
    systems.
  • Show how to use views for access control in
    relational databases.
  • Protect information in statistical databases.
  • Examine interactions between security mechanisms
    in the database management system and in the
    underlying operating system.

5
Man-machine scale DBsec
specific complex focus on users
generic simple focus on data
man oriented
machine oriented
6
Agenda
  • Protection requirements
  • Relational databases
  • SQL security model
  • Access control through views
  • Statistical database security
  • Tracker attacks
  • Integrating database security and operating
    system security
  • Privacy

7
DBsec Attack Goals
  • Exact data the values stored in the database
  • Bounds lower or upper bounds on a numerical
    value like a salary can already be useful
    information
  • Negative results e.g. if a database contains
    numbers of criminal convictions, then the
    information that a particular person does not
    have zero convictions is sensitive.
  • Existence the existence of data may already be
    sensitive information
  • Probable value being able to guess some
    information from the results of other queries.

8
Design Requirements
  • Precision protect sensitive information while
    revealing as much non-sensitive information as
    possible.
  • Internal consistency the entries in the database
    obey some prescribed rules.
  • E.g., stock levels cannot fall below zero.
  • External consistency the entries in the database
    are correct.
  • E.g., stock levels given in the database match
    stock levels in the warehouse however, the
    database management system (DBMS) alone cannot
    keep the database in a consistent state.
  • This property is also called accuracy.

9
Relational Databases
  • A relational database is a database that is
    perceived by its users as a collection of tables
    (and tables only).
  • A relation R is a subset of D1 ????? Dn where D1,
    ? , Dn are the domains on n attributes.
  • The elements in the relation are n-tuples
    (v1, ? , vn) with vi ? Di the value of the i-th
    attribute has to be an element from Di.
  • Elements in a tuple are often called fields.
  • A special null value indicates that a field does
    not contain any value.

10
Types of Relations
  • Base relations (real relations) named,
    autonomous relations exist in their own right,
    are not derived from other relations, and have
    their own stored data.
  • Views named, derived relations, defined in terms
    of other named relations no stored data of their
    own.
  • Snapshots named, derived relations, defined in
    terms of other named relations have stored data
    of their own.
  • Query results may or may not have a name no
    persistent existence in the database per se.

11
Database Keys
  • Tuples in a relation must be uniquely
    identifiable.
  • A primary key K of a relation R has to fulfil the
    following conditions
  • Uniqueness at any time, no tuples of R have the
    same value for K
  • Minimality if K is composite, no component of K
    can be omitted without destroying uniqueness.
  • Every relation must have a primary key.
  • A primary key of one relation that is an
    attribute in some other relation is a foreign key
    in that relation.

12
Integrity Rules
  • Entity Integrity Rule no component of the
    primary key of a base relation is allowed to
    accept nulls.
  • Referential Integrity Rule the database must not
    contain unmatched foreign key values.
  • Application specific integrity rules
  • Field checks to prevent errors on data entry.
  • Scope checks.
  • Consistency checks.

13
SQL
  • Structured Query Language (SQL) standard
    language for describing how information in a
    relational database can be retrieved and updated.
  • SQL operations
  • SELECT retrieves data from a relation.
  • UPDATE update fields in a relation.
  • DELETE deletes tuples from a relation.
  • INSERT adds tuples to a relation.

14
SQL Security Model
  • Discretionary access control using privileges and
    views, based on
  • users authenticated during logon
  • actions include SELECT, UPDATE, DELETE, and
    INSERT
  • objects tables, views, columns (attributes) of
    tables and views
  • Users invoke actions on objects the DBMS decides
    whether to permit the requested action.
  • When an object is created, it is assigned an
    owner initially only the owner has access to the
    object other users have to be issued with a
    privilege
  • (grantor, grantee, object, action, grantable).

15
Granting Revoking Privileges
  • Privileges managed with GRANT and REVOKE.
  • GRANT SELECT, UPDATE (Day,Flight)
  • ON TABLE Diary
  • TO Art, Zoe
  • Selective revocation of privileges
  • REVOKE UPDATE
  • ON TABLE Diary
  • FROM Art
  • Right to delegate privileges given through GRANT
    option
  • GRANT SELECT
  • ON TABLE Diary
  • TO Art
  • WITH GRANT OPTION

16
Access Control through Views
  • Views derived relations, created by
  • CREATE VIEW view_name ( column , column ...
    )
  • AS subquery
  • WITH CHECK OPTION
  • Many security policies better expressed by
    privileges on views than by privileges on base
    relations.
  • Access conditions described through subquery in
    the view definition
  • CREATE VIEW business_trips AS
  • SELECT FROM Diary
  • WHERE Status business'
  • WITH CHECK OPTION

17
Advantages
  • Views are flexible and allow access control
    policies to be defined at a level of description
    that is close to the application requirements.
  • Views can enforce context-dependent and
    data-dependent security policies.
  • Views can implement controlled invocation.
  • Secure views can replace security labels.
  • Data can be easily reclassified.

18
More Examples
  • CREATE VIEW Top_of_the_Class AS
  • SELECT FROM Students WHERE Grade lt
  • (SELECT Grade FROM Students
  • WHERE Name current_user())
  • CREATE VIEW My_Journeys AS
  • SELECT FROM Diary
  • WHERE Customer current_user())

displays students whose grade average is less
than that of the person using the view
display journeys booked by the customer using the
view.
19
CHECK Option
  • INSERT and UPDATE can interfere with view-based
    access control.
  • Views may not be updatable because they do not
    contain the information that is needed to
    maintain the integrity of the corresponding base
    relation.
  • E.g., a view that does not contain the primary
    key of an underlying base relation cannot be used
    for updates.
  • Blind writes updates that overwrite an existing
    entry.
  • For views defined WITH CHECK OPTION, UPDATE and
    INSERT can only write entries to the database
    that meet the definition of the view.
  • Blind writes possible if CHECK option is omitted.

20
Disadvantages
  • Access checking may become complicated and slow.
  • View definitions have to be checked for
    correctness do they really capture the
    intended security policy?
  • Completeness and consistency are not achieved
    automatically, views may overlap or may fail to
    capture the entire database.
  • The security relevant part of the DBMS (the TCB)
    becomes very large.
  • It may be difficult to determine for individual
    data items who has access thus, views are less
    suitable in situations where it is necessary to
    protect the data items rather than controlling
    the users actions.

21
Statistical Database Security
  • Statistical database information retrieved by
    means of statistical (aggregate) queries on
    attributes (columns) of a table.
  • Aggregate functions in SQL
  • COUNT the number of values in a column,
  • SUM the sum of the values in a column,
  • AVG the average of the values in a column,
  • MAX the largest value in a column,
  • MIN the smallest value in a column.
  • Query predicate of a statistical query specifies
    the tuples used for computing the aggregate,
  • Query set tuples matching the query predicate.

22
Security Challenge
  • The database contains data that are individually
    sensitive direct access to data items is
    therefore not permitted.
  • Statistical queries to the database are
    permitted, but these queries will read individual
    data items.
  • It thus becomes possible to infer information it
    is thus no longer sufficient to police access
    requests individually.
  • In a statistical database, there must be some
    information flow from the data to their
    aggregate.
  • We can only try to reduce it to an acceptable
    level.

23
Attacks
  • Aggregation sensitivity level of an aggregate
    computed over a group of values may differ from
    the sensitivity levels of the individual
    elements e.g., an aggregate may be sensitive
    information derived from a collection of less
    sensitive business data.
  • Inference problem derivation of sensitive
    information from non-sensitive data
  • Direct Attack aggregate computed over a small
    sample so that information about individual data
    items is leaked.
  • Indirect Attack combine information relating to
    several aggregates
  • Tracker Attack a particularly effective type of
    indirect attack
  • Linear System Vulnerability use algebraic
    relations between query sets to construct
    equations which yield the desired information.

24
Example Relation
Name Sex Program Units Grade Ave.
Alma F MBA 8 63
Bill M CS 15 58
Carol F CS 16 70
Don M MIS 22 75
Errol M CS 8 66
Flora F MIS 16 81
Gala F MBA 23 68
Homer M CS 7 50
Igor M MIS 21 70
25
Direct Attack
  • Q1 SELECT COUNT()
  • FROM Students
  • WHERE Sex 'F' AND Program 'CS'
  • Q2 SELECT AVG(Grade Ave.)
  • FROM Students
  • WHERE Sex 'F' AND Program 'CS'

Returns count 1
Returns 70 average for a single student
26
Tracker Attacks
  • Individual tracker for a given tuple query
    predicate T that allows to derive information
    about that tuple.
  • General tracker predicate that can be used to
    find the answer to any inadmissible query.
  • Let T be a general tracker and let R be a
    predicate that uniquely identifies the tuple r we
    want to probe T chosen so that the query set
    and its complement are large enough for the query
    to be permitted.
  • Make two queries to the database with the
    predicates R ? T and R ? ? T the target r is the
    only tuple used by both queries.
  • Add the two results and subtract the result
    of a query over the entire database only the
    target is left.

27
Tracker Attack
  • Q3 SELECT COUNT()
  • FROM Students
  • WHERE Programme 'CS'
  • Q4 SELECT COUNT()
  • FROM Students
  • WHERE Programme 'CS' AND Sex 'M'
  • Q5 SELECT AVG(Grade Ave.)
  • FROM Students
  • WHERE Program 'CS'
  • Q6 SELECT AVG(Grade Ave.)
  • FROM Students
  • WHERE Program 'CS' AND Sex 'M'

Returns count 4
Returns count 3
Returns average 61
Returns average 68
Carols grade average 4 ? 61 3 ? 58 70
28
General Tracker
  • Q7 SELECT SUM(Units)
  • FROM Students
  • WHERE Name 'Carol' OR Program 'MIS'
  • Q8 SELECT SUM(Units)
  • FROM Students
  • WHERE Name 'Carol' OR NOT (Program
    'MIS')
  • Q9 SELECT SUM(Units)
  • FROM Students

Returns sum 75
Returns sum 77
Returns sum 136
Carol has passed (75 77) - 136 16 units
29
Countermeasures
  • Suppress obviously sensitive information.
  • Disguise the data
  • Randomly swap entries in the database so that an
    individual query will give a wrong result
    although the statistical queries still would be
    correct
  • Add small random perturbations to query result so
    that the value returned is close to the real
    value but not quite correct.
  • Drawback reduced precision and usability.
  • Better design of the database schema.
  • Track what the user knows user actions recorded
    in an audit log, a query analysis checks for
    suspicious sequences of queries.

30
Integration with Operating System
  • Like an operating system, a DBMS has to stop
    users from interfering with each other, and with
    the DBMS.
  • To avoid duplicating efforts, you could give
    these tasks to the operating system.
  • DBMS runs as a set of operating system processes
    system processes for general database management
    tasks and each database user is mapped to a
    separate operating system process.
  • Operating system can distinguish between users
    if each database object is stored in its own
    file, the operating system can do all the access
    control.
  • DBMS only translates user queries into operations
    the operating system understands.

31
Users isolated by O/S
Art
Zoe
DBMS
Art
Zoe
DB sys- tem
operating system processes
32
Integration with Operating System
  • Allocating an individual operating system process
    to every database users wastes memory resources
    and does not scale up to large user numbers.
  • Letting processes handle the database requests of
    several users saves memory but the DBMS becomes
    responsible for access control.
  • Similar considerations for storing database
    objects for small objects, having a separate
    file for each object is wasteful.
  • If the operating system does not control access
    of database users, several database objects can
    be collected in one operating system file.

33
Users isolated by DBMS
Art
Zoe
DBMS
users Art Zoe
other users
DB sys- tem
operating system processes
34
Privacy
  • Organisations that store personal data of their
    customers, e.g. name, address, age, credit card
    number, meal preference, must comply with data
    protection laws and regulations.
  • Examples
  • OECD Guidelines on the Protection of Privacy and
    Transborder Flows of Personal Data.
  • EU Data Protection Directive
  • US HIPAA (Health Insurance Portability and
    Accountability Act of 1996)

35
OECD Guidelines (1980)
  • Organisation for Economic Co-operation and
    Development.
  • OECD Guidelines on the Protection of Privacy and
    Transborder Flows of Personal Data.
  • There is a danger that disparities in national
    privacy legislations could hamper the free flow
    of personal data across frontiers.
  • Goal of guidelines help harmonising national
    privacy legislation.

36
Basic Protection Principles
  • Collection Limitation Principle
  • There should be limits to the collection of
    personal data and any such data should be
    obtained by lawful and fair means and, where
    appropriate, with the knowledge or consent of the
    data subject.
  • Data Quality Principle
  • Personal data should be relevant to the purposes
    for which they are to be used, and, to the extent
    necessary for those purposes, should be accurate,
    complete and kept up-to-date.
  • Purpose Specification Principle (9)
  • The purposes for which personal data are
    collected should be specified not later than at
    the time of data collection and the subsequent
    use limited to the fulfilment of those purposes
    or such others as are specified on each
    occasion of change of purpose.

37
Basic protection principles
  • Use Limitation Principle
  • Personal data should not be disclosed, made
    available or otherwise used for purposes other
    than those specified in accordance with 9
    except
  • with the consent of the data subject or
  • by the authority of law
  • Security Safeguards Principle
  • Personal data should be protected by reasonable
    security safeguards against such risks as loss or
    unauthorised access, destruction, use,
    modification or disclosure of data.
  • Openness Principle
  • There should be a general policy of openness
    about developments, practices and policies with
    respect to personal data. Means should be readily
    available of establishing the existence and
    nature of personal data, and the main purposes of
    their use, as well as the identity and usual
    residence of the data controller.

38
Basic Protection Principles
  • Individual Participation Principle
  • An individual should have the right
  • to obtain from a data controller, or otherwise,
    confirmation of whether or not the data
    controller has data relating to him
  • to have communicated to him, data relating to him
  • within a reasonable time
  • at a charge, if any, that is not excessive
  • in a reasonable manner and
  • in a form that is readily intelligible to him
  • to be given reasons if a request made under
    subparagraphs (a) and (b) is denied, and to be
    able to challenge such denial and
  • to challenge data relating to him and, if the
    challenge is successful to have the data erased,
    rectified, completed or amended.

39
Basic Protection Principles
  • Individual Participation Principle
  • An individual should have the right
  • to obtain from a data controller, or otherwise,
    confirmation of whether or not the data
    controller has data relating to him
  • to have communicated to him, data relating to him
  • within a reasonable time
  • at a charge, if any, that is not excessive
  • in a reasonable manner and
  • in a form that is readily intelligible to him
  • to be given reasons if a request made under
    subparagraphs (a) and (b) is denied, and to be
    able to challenge such denial and
  • to challenge data relating to him and, if the
    challenge is successful to have the data erased,
    rectified, completed or amended.
  • Accountability Principle
  • A data controller should be accountable for
    complying with measures which give effect to the
    principles stated above.

40
P3P
  • Privacy users should be in control of their
    personal data, even after the data have been
    disclosed!?
  • Can technology help to achieve this goal?
  • Platform for Privacy Preferences 1.1 (P3P1.1)
  • W3C Working Draft 27 April 2004.
  • Enables Web sites to express their
    data-collection and data-use practices in a
    standardized machine-readable XML format known as
    a P3P policy.
  • P3P user agents built into Web browsers, browser
    plug-ins, or proxy servers.

41
P3P
  • P3P enables Web users to understand what data
    will be collected by sites they visit, how that
    data will be used, and what data/uses they may
    opt-out of or opt-in to.
  • P3P user agents can automate decision-making
    based on these practices by comparing a sites
    P3P policy with the privacy preferences set by
    the user.
  • Thus users need not read the privacy policies at
    every site they visit.

42
Comments
  • P3P is a descriptive language.
  • Users have to trust web sites that they adhere
    to their stated policies data protection laws
    can stipulate that they have to.
  • Can actions by the user agent imply the users
    consent?
  • (At least in an earlier version) only policies
    about retrieving cookies could be expressed
  • Reasonable from a technical point of view but the
    Directive would refer to the setting of cookies
    (writing).
  • Little impact on the Web so far.

43
Summary
  • In database security, access control requirements
    may conflict with application-level integrity
    requirements.
  • Statistical database security shows that it may
    be insufficient to control direct access to data.
  • Similar issues have to be addressed in data
    mining.
  • Privacy laws imply access control requirements on
    personal data.
  • Putting users (data subjects) in control of their
    personal data asks them to define security
    policies this is a difficult job most users will
    try to avoid.
Write a Comment
User Comments (0)
About PowerShow.com