Security
Index
- Introduction
- Objectives
- 1.Database Security Concepts
- 1.1.Security Issues
- 1.2.Security Controls
- 1.2.1.Flow Control
- 1.2.2.Inference Control
- 1.2.3.Access Control
- 1.3.Intrusion Detection
- 2.Security Models
- 3.Statistical Databases
- 4.Security for Advanced Data Management Systems
- 4.1.Access Control for XML
- 4.2.SQL Injections
- 5.Data Protection Act
- Summary
- Activities
- Self-evaluation
- Glossary
- Bibliography
Introduction
Objectives
-
Understand the responsibilities of a database administrator from a security point of view.
-
Understand confidentiality threats and solutions available in relational DBMSs.
-
Understand the particular case of statistical databases as an example of the need for inference control.
-
Learn about some of the security issues affecting the use of new technologies.
-
Be aware of current Spanish and Catalan legislation on personal data protection.
1.Database Security Concepts
-
If we ensure that the employees of an organisation do not know the salaries of their managers, we are keeping these data confidential.
-
By preventing employees from being able to change their salary, we ensure compliance with the data integrity of the organisation.
-
When we ensure that everybody can send payment orders on time, we are guaranteeing the availability of the service.
1.1.Security Issues
1.2.Security Controls
1.2.1.Flow Control
1.2.2.Inference Control
1.2.3.Access Control
-
Access restriction: refers to how much information is accessible. We can opt for a minimum privilege criterion, which only grants authorisation for the minimum set of data that need to be known; the problem with this is that it is sometimes difficult to define the minimum set. The alternative is to use a maximum privilege criterion, which is typically used in systems that require high levels of data sharing.
-
Closed system, in which only expressly authorised accesses are allowed, or an open system where, in contrast to the former, all accesses that are not explicitly denied are allowed. The choice of one or the other usually depends on whether the system requires more access permissions or more access restrictions.
-
Management of authorisations: (who grants or revokes access rights?) if it is necessary to do this centrally, the task falls to the system security manager; if it is decentralised, it is usually the creators of the specific data who grant access rights to other users. There are also intermediate criteria: hierarchically decentralised authorisations, owner and cooperative authorisations.
-
Access control criteria: these establish how and whether the system subjects and objects should be grouped in order to share modes of access based on the set rules and authorisations. We can choose to use criteria for discretionary access control, mandatory access control criteria (in particular, multilevel security criteria) and criteria for role-based access control.
-
Password-based systems: where the user is authenticated by a secret string of characters known only to the user and the system.
-
Question/answer systems: the user is authenticated according to the answer he or she gives to the question asked by the system. The questions generated by the system are specific to each user. Examples could include: "What city where you born in?" or "What is your favourite pet?"
-
Double authentication systems (also known as handshaking): once the user is authenticated with a password, an exchange of questions begins between the system and the user based on information known only to the user (e.g. the date, time or code of the last session).
1.3.Intrusion Detection
2.Security Models
2.1.Discretionary Access Control
-- |
O1 |
O2 |
O3 |
O4 |
O5 |
-- |
Om |
---|---|---|---|---|---|---|---|
S1 |
A[S1, O1] |
A[S1, O2] |
A[S1, O3] |
A[S1, O4] |
A[S1, O5] |
-- |
A[S1, Om] |
S2 |
A[S2, O1] |
A[S2, O2] |
A[S2, O3] |
A[S2, O4] |
A[S2, O5] |
-- |
A[S2, Om] |
S3 |
A[S3, O1] |
A[S3, O2] |
A[S3, O3] |
A[S3, O4] |
A[S3, O5] |
-- |
A[S3, Om] |
-- |
-- |
-- |
-- |
-- |
-- |
-- |
-- |
Sn |
A[Sn, O1] |
A[Sn, O2] |
A[Sn, O3] |
A[Sn, O4] |
A[Sn, O5] |
-- |
A[Sn, Om] |
-
Data dependent. For example, the user can only read data on employees with salaries of <6000.
-
Time dependent. For example, the user can only read data on employees between 8 am and 5 pm.
-
Context dependent. For example, the user can read data on the names and salaries of employees but cannot do so at the same time or make the connection between the two.
-
History dependent. For example, the user can only read employees salaries if he or she has not yet read their names.
GRANT <privileges> ON <objects> TO <subjects> [WITH GRANT OPTION]; REVOKE [GRANT OPTION FOR] <privileges> FROM <subjects> [RESTRICT | CASCADE];
-
INSERT: for inserting tuples in the indicated relations.
-
UPDATE: for updating tuples in the indicated relations.
-
DELETE: for deleting tuples from the indicated relations.
-
SELECT: for querying the information on the indicated relations.
-
REFERENCES: for creating a foreign key.
-
TRIGGER: for creating a trigger in the specified table.
-
EXECUTE: for executing the specified function or procedure.
-
ALL PRIVILEGES: for granting all privileges.
-
Discretionary criteria do not impose restrictions on how the information is used once it has been obtained by the user.
-
The information disclosure is not controlled (the user who has obtained the data could pass them on to somebody else).
-
Vulnerability to trojans.
2.2.Mandatory Access Control
-
The mandatory criteria are too rigid and irrelevant in certain environments. Specifically, it is not always possible to assign clearance levels to subjects and/or security levels to objects in commercial information systems.
-
Security criteria are required, which must be both discretionary and mandatory. This allows the security system to protect itself from trojans, since it is possible to control the information flow.
2.3.Role-based Access Control
CREATE ROLE <name> [ WITH ADMIN rolename ]; DROP ROLE <name>; SET ROLE <name>;
CREATE ROLE manager; GRANT ALL PRIVILEGES ON has TO manager; GRANT manager TO Anna; SET ROLE manager; REVOKE manager FROM Anna; REVOKE ALL PRIVILEGES FROM manager; DROP ROLE manager;
3.Statistical Databases
-
On-line (the users wait for the response to the statistical queries in real-time) or off-line (the users do not know when the statistics will be processed).
-
Static (the SDB data do not vary, as in a census SDB for example) or dynamic (the data undergo changes reflecting those that occur in the real world).
-
Centralised or distributed.
-
Oriented towards a single individual application or a series of heterogeneous applications (the heterogeneity makes protection more complex).
3.1.Inference Protection Techniques
3.1.1.Conceptual Techniques
DSC table |
||||
---|---|---|---|---|
Date_of_Birth |
Gender |
Dept_code |
||
|
|
Dept1 |
Dept2 |
Dept3 |
1961-1971 |
M |
10 |
12 |
0 |
|
F |
1 |
0 |
3 |
1972-1982 |
M |
12 |
10 |
5 |
|
F |
20 |
2 |
8 |
>1982 |
M |
15 |
0 |
1 |
|
F |
20 |
10 |
0 |
Alltable |
---|
129 |
3.1.2.Perturbation or Noise-Based Techniques
3.1.3.Restriction-Based Techniques
4.Security for Advanced Data Management Systems
4.1.Access Control for XML
-
Policy administration point (PAP), the system entity that creates a policy or policy set.
-
Policy decision point (PDP), the system entity that evaluates the applicable policy and renders an authorization decision.
-
Policy enforcement point (PEP), the system entity that performs access control, by making decision requests and enforcing authorization decisions.
-
Policy information point (PIP), the system entity that acts as a source of attribute values.
-
Context handler, the system entity that converts decision requests in the native request format to the XACML canonical form and converts authorization decisions in the XACML canonical form to the native response format.
-
Environment, the set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action.
-
Resource, data, service or system component.
-
Subject, an actor whose attributes may be referenced by a predicate (a statement about attributes whose truth can be evaluated).
-
Obligation, an operation specified in a rule, policy or policy set that should be performed by the PEP in conjunction with the enforcement of an authorization decision.
-
Rule, is the most elementary unit of policy. In order to exchange rules between major actors, they must be encapsulated in a policy. A rule can be evaluated on the basis of its contents. The main components of a rule are: a target, an effect, a condition (optional), obligation expressions (optional), and advice expressions (optional). The target defines the set of requests to which the rule is intended to apply in the form of a logical expression on attributes in the request. The effect of the rule indicates the rule-writer's intended consequence of a "True" evaluation for the rule. Two values are allowed: "Permit" and "Deny". Condition represents a boolean expression that refines the applicability of the rule beyond the predicates implied by its target. When a PDP evaluates a rule containing obligation expressions, it evaluates the obligation expressions into obligations and returns certain of those obligations to the PEP in the response context. When a PDP evaluates a rule containing advice expressions, it evaluates the advice expressions into advice and returns certain of those advice to the PEP in the response context.
-
Policy: a PAP combines rules in a policy. A policy comprises five main components: a target, a rule-combining algorithm-identifier, a set of rules, obligation expressions and advice expressions. The rule-combining algorithm specifies the procedure by which the results of evaluating the component rules are combined when evaluating the policy.
-
Policy set: comprises five main components: a target, a policy-combining algorithm-identifier, a set of policies, obligation expressions, and advice expressions. The policy-combining algorithm specifies the procedure by which the results of evaluating the component policies are combined when evaluating the policy set, i.e. the Decision value placed in the response context by the PDP is the result of evaluating the policy set, as defined by the policy-combining algorithm. A policy set may have combining parameters that affect the operation of the policy-combining algorithm.
<?xml version="1.0" encoding="UTF-8"?> <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 https://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd" PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1" Version="1.0" RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides"> <Description> Medi Corp access control policy </Description> <Target/> <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1" Effect="Permit"> <Description> Any subject with an e-mail name in the med.example.com domain can perform any action on any resource. </Description> <Target> <AnyOf> <AllOf> <Match MatchId="urn:oasis:names:tc:xacml:1.0:function: rfc822Name-match"> <AttributeValue DataType="https://www.w3.org/2001/XMLSchema#string" >med.example.com</AttributeValue> <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category: access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject: subject-id" DataType="urn:oasis:names:tc:xacml:1.0:data-type: rfc822Name"/> </Match> </AllOf> </AnyOf> </Target> </Rule> </Policy>
<?xml version="1.0" encoding="UTF-8"?> <Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 >https://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd" ReturnPolicyIdList="false"> <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category: >access-subject"> <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"> <AttributeValue DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name" >bs@simpsons.com</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"> <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"> <AttributeValue DataType="https://www.w3.org/2001/XMLSchema#anyURI" >file://example/med/record/patient/BartSimpson</AttributeValue> </Attribute> </Attributes> <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"> <Attribute IncludeInResult="false" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"> <AttributeValue DataType="https://www.w3.org/2001/XMLSchema#string" >read</AttributeValue> </Attribute> </Attributes> </Request>
<?xml version="1.0" encoding="UTF-8"?> <Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 >https://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd"> <Result> <Decision>NotApplicable</Decision> </Result> </Response>
4.2.SQL Injections
Oracle Tutorial, "Defending Against SQL Injection Attacks!":
https://download.oracle.com/oll/tutorials/SQLInjection/index.htm
SQL injection, from Microsoft:
https://msdn.microsoft.com/en-us/library/ms161953.aspx
IBM, Web application security: Testing for vulnerabilities:
https://www.ibm.com/developerworks/web/library/wa-appsecurity/#resources
Imperva, SQL injection:
https://www.imperva.com/resources/glossary/sql_injection.html
How to stop SQL injection:
-
Extracting data is the most common type of SQLIA. The purpose is to extract data values from the database (information such as credit card numbers can be obtained) that could be of great value to the hacker.
-
Adding or modifying data is done to add or change data values in the database.
-
When performing database fingerprinting, the hacker attempts to discover technical information about the database, such as the type and version that a specific web application is using. Certain types of DBMS respond differently to attack queries and this information can be used to identify the DBMS. Once the hacker knows the type and version of the DBMS, he or she can organise a specific attack on the database.
-
With bypassing authentication, intruders attempt to bypass the authentication mechanisms in order to assume rights and privileges associated with other users of the application.
-
With identifying injection parameters, a web application is explored to discover which parameters and user input fields are vulnerable to SQLIA.
-
The aim of attacks that determine the database schema is to obtain all the information on the database schema (such as names of tables, names of columns and data types in columns). This information can then be used by a hacker to successfully extract data from the database.
-
With evading detection, hackers try to avoid auditing and intrusion detection mechanisms.
-
Denial of service is used to prevent others from using the service offered by the database, either by shutting down the database or by blocking or deleting tables.
-
The aim of executing remote commands is to execute arbitrary commands on the database. These commands can either be stored procedures or functions available to the users of the database. This type of attack is the most dangerous because it can allow a hacker to take control of the entire system.
-
With privilege escalation, the attack takes advantage of errors to increase the hacker's privileges.
-
Blind injection: true/false queries are used and depending on the response, the system's operation continues as normal or is altered.
-
Timing attacks: these allow a hacker to obtain information from a database by observing the delays in the database response. This technique uses an if-then statement for query injections, expressly including the WAITFOR builder, which causes the database to delay its response for a specific length of time depending on the options.
5.Data Protection Act
Summary
Activities
Self-evaluation
UPDATE Employee SET Dept= 'Dept2', Sou = '20.000' WHERE nom = 'Bernat';
-
Librarian role: insert and delete tuples in the book, author and has relations.
-
Manager role: insert, delete and update tuples in the library, book, person, author and has relations.
-
Head role: insert, delete and update tuples in the book, author and has relations.
2. a) GRANT SELECT ON book TO Joan WITH GRANT OPTION;
3.
4. a)
CREATE ROLE librarian; GRANT INSERT, DELETE ON book, author, has TO librarian; CREATE ROLE head; GRANT librarian TO head; GRANT UPDATE ON book, author, has TO head; CREATE ROLE manager; GRANT head TO manager; GRANT INSERT, DELETE, UPDATE ON library, person TO manager;
GRANT manager TO Paula; REVOKE head FROM Miquel;
Glossary
- Access control
- deals with preventing unauthorised operations on the managed data.
- Authentication
- mechanisms of ensuring that entities are who they claim to be.
- Authorisation
- the function of specifying access rights to data.
- Database auditing
- retains a secure record of database operations that can be used to verify compliance with desired security policies, to trace policy violations, or to detect anomalous patterns of access.
- Database security
- a discipline that seeks to protect data stored in a DBMS from intrusions, improper modifications, theft and unauthorised disclosures.
- Discretionary Access Control (DAC)
- provides for owner-controlled administration of access rights to objects. A DAC mechanism allows users to grant or revoke access to any of the objects under their control.
- Inference control
- a discipline that seeks to protect data so they can be published without revealing confidential information that can be linked to specific individuals among those to which the data correspond. Also known as Statistical Disclosure Control (SDC).
- Intrusion Detection (ID)
- the process of monitoring events occurring in a system and signalling responsible parties when interesting (suspicious) activity occurs.
- Mandatory Access Control (MAC)
- a kind of access control defined by the National Computer Security Center’s Trusted Computer System Evaluation Criteria (TCSEC) as a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorisation (i.e. clearance) of subjects to access information of such sensitivity. Also known as Multilevel Security.
- Role Based Access Control (RBAC)
- involves controlling access to computer resources and information by defining users, roles, and permissions, and assigning users and permissions to roles. Also known as Role Based Security.
- Rounding (or Microdata rounding)
- a family of masking methods for statistical disclosure control of numerical microdata; a similar principle can be used to protect tabular data. It replaces original values of attributes with rounded values.
- Security mechanisms
- provide the appropriate desired security functionality according to the security criteria established for the database.
- SQL-Injection Attacks (SQLIAs)
- these attacks may allow the intruder to gain access to all the data stored into the database by bypassing the security mechanisms. They therefore give him or her the power to leak, modify or delete the information stored in the database.
- Statistical Database
- a database designed to explicitly handle ‘‘macro data,’’ i.e. data computed by different forms of summarisation, including grouping and classification, as first-class objects. One of the goals is to hide the micro data (i.e. the raw data records from which the macro data are computed) from user queries.