Title: Chapter 6 Database Security
1. Chapter 6 Database Security
- Integrity for databases: record integrity, data correctness, update integrity
- Security for databases: access control, inference, and aggregation
- Multilevel secure databases: partitioned, cryptographically sealed, filtered
2. Introduction to Databases
- Database: a collection of data plus a set of rules that organize the data by specifying certain relationships among the data
- Database administrator (DBA): the person who defines the rules that organize the data and controls who has access to which parts of it
- Database management system (DBMS): the database manager, the front end through which users access the data
3. Introduction to Databases
- Records: a related group of data items
- Fields (elements): the elementary data items within a record
- Schema: the logical structure of the whole database
- Subschema: a view into the database, the part a particular user is allowed to see
4. Introduction to Databases
- Relational: tables (relations) of rows (tuples) and columns (attributes); e.g. DB2, Oracle, Access
- Hierarchical: e.g. IMS
- Object-oriented
5. Introduction to Databases
- Queries
- Select: retrieve the records that satisfy a condition
  - SELECT NAME = 'ADAMS'
  - SELECT (ZIP = '43210') ∧ (NAME = 'ADAMS')
- Project: return only the named attributes of the selected records
  - SHOW FIRST WHERE (ZIP = '43210') ∧ (NAME = 'ADAMS')
- Join: combine records from two relations that share a common attribute
  - SHOW NAME, AIRPORT WHERE NAME.ZIP = AIRPORT.ZIP
6. Advantages of Using Databases
- Shared access
- Minimal redundancy
- Data consistency
- Data integrity
- Controlled access
7. Security Requirements
- Physical database integrity
- Logical database integrity
- Element integrity
- Auditability
- Access control
- User authentication
- Availability
8. Integrity of the Database
- Users must be able to trust the accuracy of the data values
- Updates are performed only by authorized individuals
- Integrity is the shared responsibility of the DBMS, the OS, and the computing system manager
- It must be possible to reconstruct the database to its state at the point of a failure
9. Element Integrity
- Correctness or accuracy of individual elements
- Field checks: test that an entered value has the right type and lies within the allowed range
- Access control: only authorized users may change an element
- Maintain a change log: a list of every change made to the database, so that a bad change can be traced and undone
10. Auditability / Access Control
- Desirable to generate an audit record of all access to the database (reads and writes)
- Pass-through problem: a query can access a record or element (for example, to evaluate a condition) without transferring that data to the user, so a log that records only reads and writes misses the access
- Access control: databases are separated logically by user access privileges
11. Other Security Requirements
- User Authentication
- Confidentiality
- Availability
12. Reliability and Integrity
- Database integrity
- Element integrity
- Element accuracy
- Some protection comes from the OS: file access control and data integrity checks on the underlying files
13. Two-Phase Update
- Problem: failure of the computing system in the middle of modifying data leaves the database partly updated
- Intent phase: gather the resources needed for the update; the last action of this phase is to write a commit flag to the database
- Update phase: make the permanent changes; if the system fails before the commit flag is written the update is discarded, if it fails after, the update is completed on restart
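The two phases, the commit flag and both failure cases are easiest to see in running code. The following is an added example, not code from the original slides: it models the database as a dict and the intent record as a small on-disk log, and the account records, field names and the "crash" hooks are constructed for illustration.

```python
"""Two-phase update with a commit flag, a crash between the phases, and
recovery on restart. Added example, not from the slides: the record store
(a dict), the on-disk intent log and the account records are constructed
for illustration."""
import json
import os
import tempfile


class TwoPhaseStore:
    def __init__(self, log_path):
        self.data = {}            # record id -> dict of fields (the "database")
        self.log_path = log_path  # intent log on disk: survives a crash

    # Phase 1: intent. Gather what the update needs, record it, and finish by
    # writing the commit flag. self.data is not touched.
    def intent(self, changes, crash_before_flag=False):
        for rid in changes:
            if rid not in self.data:
                raise KeyError(f"record {rid} does not exist")  # resource check
        entry = {"changes": changes, "committed": False}
        self._write_log(entry)
        if crash_before_flag:  # test hook: failure before the flag is written
            raise RuntimeError("power failure during intent phase")
        entry["committed"] = True  # the commit flag is the last act of phase 1
        self._write_log(entry)

    # Phase 2: update. Apply the logged changes to the database.
    def update(self, crash_after=None):
        entry = self._read_log()
        if entry is None or not entry["committed"]:
            return
        for n, (rid, fields) in enumerate(sorted(entry["changes"].items())):
            if n == crash_after:  # test hook: failure part-way through phase 2
                raise RuntimeError("power failure during update phase")
            self.data[rid].update(fields)
        os.remove(self.log_path)  # every change is durable: log no longer needed

    # Recovery at restart. Committed log: redo it (safe to repeat, since each
    # change sets fields to absolute values). Uncommitted log: discard it.
    def recover(self):
        entry = self._read_log()
        if entry is None:
            return "clean"
        if entry["committed"]:
            self.update()
            return "redone"
        os.remove(self.log_path)
        return "discarded"

    def _write_log(self, entry):
        tmp = self.log_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(entry, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.log_path)  # atomic rename: log is never half-written

    def _read_log(self):
        if not os.path.exists(self.log_path):
            return None
        with open(self.log_path) as f:
            return json.load(f)


def fresh_store():
    """Constructed sample data: two account records."""
    store = TwoPhaseStore(os.path.join(tempfile.mkdtemp(), "intent.log"))
    store.data = {"A": {"balance": 500}, "B": {"balance": 200}}
    return store


def transfer_with_crash(crash_after=1):
    """Move 100 from A to B, crash after `crash_after` records are written in
    phase 2, then recover. Returns (recovery action, balance A, balance B)."""
    store = fresh_store()
    store.intent({"A": {"balance": 400}, "B": {"balance": 300}})
    try:
        store.update(crash_after=crash_after)
    except RuntimeError:
        pass  # A may already be 400 while B is still 200: inconsistent
    return (store.recover(), store.data["A"]["balance"], store.data["B"]["balance"])


def transfer_crash_before_flag():
    """Crash in phase 1 before the commit flag: recovery must discard the work."""
    store = fresh_store()
    try:
        store.intent({"A": {"balance": 400}, "B": {"balance": 300}}, crash_before_flag=True)
    except RuntimeError:
        pass
    return (store.recover(), store.data["A"]["balance"], store.data["B"]["balance"])


if __name__ == "__main__":
    print(transfer_with_crash())         # ('redone', 400, 300)
    print(transfer_crash_before_flag())  # ('discarded', 500, 200)
```

The commit flag is the only thing recovery looks at: a log without it is thrown away, a log with it is replayed. The replay is safe to repeat only because each logged change stores the new absolute value rather than a delta, which is the property a real two-phase implementation has to guarantee as well.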
14. Redundancy / Internal Consistency
- Error detection / correction codes (parity bits, Hamming codes, CRCs)
- Shadow fields: duplicate copies of attributes or of whole records
- Log of user accesses and changes, so that the database can be recovered after a failure
15. Concurrency / Consistency
- Access by two users sharing the same database must be constrained (locking), so that one user's update is not lost or read half-written by another
- Monitors check entered values to ensure consistency with the rest of the DB
- Range comparisons: is the value within acceptable bounds?
- State constraints: describe a condition the whole database must satisfy (e.g. every employee ID is unique)
- Transition constraints: conditions that must hold before a change is applied to the DB
16. Sensitive Data
- Data that should not be made public
- What if some, but not all, of the elements of a DB are sensitive? Reasons an element may be sensitive:
- Inherently sensitive
- From a sensitive source
- Declared sensitive
- Part of a sensitive attribute or record
- Sensitive in relation to previously disclosed information
17. Access Decisions
- Need an access policy (programmed into the DBMS)
- Availability of data: an update in progress blocks other access to the elements involved; such blocking must not become permanent
- Acceptability of access: only users authorized for sensitive data may see it
- Assurance of authenticity: the DBMS may also weigh external characteristics of the request (e.g. time of day, frequency of requests)
18. Types of Disclosures
- Exact Data
- Bounds
- Negative Results
- Existence of Data
- Probable Values
19. Security vs. Precision
- Aim to protect all sensitive data while revealing as much nonsensitive data as possible
- The goal is perfect confidentiality with maximum precision
20. Inference
- Inference: deriving sensitive data from nonsensitive data
- Direct attack: a query whose result set is so small that it identifies individuals
  - List NAME where SEX = M ∧ DRUGS = 1
- The attack is often disguised by padding the query with clauses that match nothing or match a large harmless set:
  - List NAME where (SEX = M ∧ DRUGS = 1) ∨ (SEX ≠ M ∧ SEX ≠ F) ∨ (DORM = AYRES)
21. Indirect Attack
- Sum: an aggregate over a set with a single member reveals that member's value
  - Show SUM of STUDENT-AID where SEX = F ∧ DORM = Grey
- Count: combine a count with a sum; if the count is 1, the sum is one individual's value
  - Show COUNT and SUM of STUDENT-AID where SEX = M ∧ DORM = Holmes
  - List NAME where SEX = M ∧ DORM = Holmes
- Median: the medians of two overlapping sets can pin down a single individual's value
- Tracker attacks: use additional queries, each with an acceptable result size, whose combination produces a small result
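The attacks on these two slides, and the reason a simple result-size limit (the limited response suppression of the next slide) does not stop the tracker, can be run end to end. The following is an added example, not code from the slides: the STUDENT table, its twelve rows and the threshold K are constructed for illustration, and the tracker uses the set difference C = (C ∨ T) \ (T ∧ ¬C) to obtain a forbidden sum from two permitted ones.

```python
"""Inference attacks on a statistical database, using SQLite. Added example,
not from the slides: the STUDENT table, its rows and the threshold K used by
the limited response suppression check are constructed for illustration."""
import sqlite3

ROWS = [  # constructed sample data: name, sex, dorm, drugs, aid
    ("Adams", "M", "Holmes", 1, 5000),
    ("Bailey", "M", "Grey", 0, 0),
    ("Chin", "F", "West", 0, 3000),
    ("Dewitt", "M", "Grey", 0, 1000),
    ("Earhart", "F", "Holmes", 1, 2000),
    ("Fein", "M", "West", 0, 1000),
    ("Groff", "M", "Grey", 0, 4000),
    ("Hill", "F", "Grey", 0, 5000),     # the only woman in Grey
    ("Koch", "F", "West", 1, 0),
    ("Liu", "M", "West", 0, 3000),
    ("Majors", "M", "Holmes", 0, 0),
    ("Ng", "F", "Holmes", 0, 4000),
]
K = 3  # limited response suppression: refuse sets smaller than K or larger than N - K


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student(name TEXT, sex TEXT, dorm TEXT, drugs INTEGER, aid INTEGER)")
    conn.executemany("INSERT INTO student VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def count(conn, where):
    return conn.execute(f"SELECT COUNT(*) FROM student WHERE {where}").fetchone()[0]


def raw_sum(conn, where):
    """Unprotected statistical query: SUM(aid) over the rows matching `where`."""
    return conn.execute(f"SELECT COALESCE(SUM(aid), 0) FROM student WHERE {where}").fetchone()[0]


def guarded_sum(conn, where):
    """Limited response suppression: answer only if the selected set is neither
    very small nor nearly the whole table (then its complement would be small)."""
    n, total = count(conn, where), count(conn, "1 = 1")
    if n < K or n > total - K:
        return None  # suppressed
    return raw_sum(conn, where)


def direct_attack(conn):
    """NAME alone is not sensitive, but a selective predicate singles one person out."""
    return [row[0] for row in conn.execute("SELECT name FROM student WHERE sex = 'M' AND drugs = 1")]


def sum_attack(conn):
    """Only one woman lives in Grey, so this 'aggregate' is her aid figure."""
    return raw_sum(conn, "sex = 'F' AND dorm = 'Grey'")


def count_attack(conn):
    """COUNT tells the attacker the SUM covers exactly one person; a NAME query names her."""
    where = "sex = 'F' AND dorm = 'Grey'"
    names = [row[0] for row in conn.execute(f"SELECT name FROM student WHERE {where}")]
    return count(conn, where), raw_sum(conn, where), names


def tracker_attack(conn):
    """The guard refuses C (the one woman in Grey). Tracker T = dorm = 'West' is
    an allowed mid-sized set, and so are (C OR T) and (T AND NOT C); because
    C = (C OR T) minus (T AND NOT C), sum(C) = sum(C OR T) - sum(T AND NOT C)
    is recovered from two answers the guard considers safe."""
    c, t = "(sex = 'F' AND dorm = 'Grey')", "(dorm = 'West')"
    direct = guarded_sum(conn, c)
    via_tracker = guarded_sum(conn, f"{c} OR {t}") - guarded_sum(conn, f"{t} AND NOT {c}")
    return direct, via_tracker


if __name__ == "__main__":
    db = open_db()
    print(direct_attack(db), sum_attack(db), count_attack(db), tracker_attack(db))
```

The size check in guarded_sum is exactly what the tracker is designed to pass: each of its two queries selects four or five of the twelve rows, yet their difference is the single suppressed record. Stopping it requires the query analysis of slide 23, which looks at what the combination of answers reveals rather than at each answer on its own.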
22. Controls
- Suppression: don't provide the sensitive data at all
- Concealing: don't provide the actual value, but one close to it
- Limited response suppression: refuse to answer a query whose result set, or its complement, is very small
- n-item k-percent rule: eliminates low-frequency elements from being displayed (a cell in which n items account for k percent or more of the total is suppressed); once a cell is suppressed, additional rows or columns may also have to be suppressed so that the hidden value cannot be recovered from the published totals
23. Controls
- Combined results
- Sums
- Ranges
- Rounding
- Random sample
- Random data perturbation
- Query analysis: decide whether the result should be provided, taking into account what earlier queries have already revealed
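The n-item k-percent rule from the previous slide, the follow-on suppression it forces, and the rounding control from this slide can be shown on one small table. This is an added example, not code from the slides: the cell data (dorm by class year, holding the aid amounts of the students in each cell), the dominance form of the rule used here (the n largest contributors reaching k percent of the cell), and the parameters N_ITEMS, K_PERCENT and ROUND_TO are all constructed for illustration.

```python
"""Output controls for a published statistical table: the n-item k-percent
rule, complementary suppression so that withheld cells cannot be recovered
from the published row and column totals, and rounding. Added example, not
from the slides; the cell data (dorm x class year -> student-aid amounts of
the students in that cell) and the parameters N_ITEMS, K_PERCENT and ROUND_TO
are constructed for illustration."""

N_ITEMS, K_PERCENT, ROUND_TO = 1, 60, 500

# constructed contributors per cell (dorm, year); row and column totals are published
CELLS = {
    ("Grey", "Fr"): [5000],               # a single student: the cell IS her aid figure
    ("Grey", "So"): [1000, 1200, 1500],
    ("Grey", "Jr"): [2000, 2200, 1800],
    ("Grey", "Sr"): [3000, 2500, 2000],
    ("Holmes", "Fr"): [1000, 1500, 1200],
    ("Holmes", "So"): [0, 4000, 500],     # one student supplies 89% of the total
    ("Holmes", "Jr"): [2500, 2000, 1500],
    ("Holmes", "Sr"): [1800, 2200],
    ("West", "Fr"): [2000, 2500, 1000],
    ("West", "So"): [1500, 1500, 1000],
    ("West", "Jr"): [3000, 2800, 2000],
    ("West", "Sr"): [2000, 1000, 1500],
}


def dominated(values):
    """n-item k-percent rule: the n largest contributors make up k% or more of the cell."""
    total = sum(values)
    if total == 0:
        return False
    top = sum(sorted(values, reverse=True)[:N_ITEMS])
    return 100 * top >= K_PERCENT * total


def primary_suppression(cells):
    return {key for key, values in cells.items() if dominated(values)}


def complementary_suppression(cells, suppressed):
    """A row or column with exactly one suppressed cell leaks it (published
    total minus the published cells), so also suppress the smallest other cell
    in that line, and repeat until every line has zero or at least two gaps."""
    suppressed = set(suppressed)
    changed = True
    while changed:
        changed = False
        for axis in (0, 1):  # 0: rows (dorm), 1: columns (year)
            for label in sorted({key[axis] for key in cells}):
                line = [key for key in cells if key[axis] == label]
                gaps = [key for key in line if key in suppressed]
                if len(gaps) == 1:
                    rest = [key for key in line if key not in suppressed]
                    suppressed.add(min(rest, key=lambda key: sum(cells[key])))
                    changed = True
    return suppressed


def rounded(value):
    """Rounding control: publish aggregates only to the nearest ROUND_TO."""
    return ROUND_TO * round(value / ROUND_TO)


def publish(cells):
    """The table as released: None for suppressed cells, rounded sums otherwise."""
    suppressed = complementary_suppression(cells, primary_suppression(cells))
    return {key: None if key in suppressed else rounded(sum(values))
            for key, values in cells.items()}


if __name__ == "__main__":
    for key, value in publish(CELLS).items():
        print(key, "suppressed" if value is None else value)
```

Two cells trip the primary rule, but four end up withheld: each of the two affected rows would otherwise have a single gap that the row total gives away, which is the "may need to suppress additional rows/columns" point on the slide. Rounding is applied only to what is published; it does nothing for a cell that is itself a single person's value.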
24. Conclusion on the Inference Problem
- Suppress obviously sensitive information
- Track what the user knows
- Disguise the data
25. Aggregation
- Building sensitive results from less sensitive inputs
- Data mining: the process of sifting through multiple databases and correlating multiple data elements to find useful information
26. Multilevel Databases
- Differentiated security
- The security of a single element may differ from the security of other elements
- Two levels, sensitive and nonsensitive, are inadequate to represent some security situations
- The security of an aggregate (sum, count, ...) may differ from the security of the individual elements
- Granularity: security may have to be applied per element rather than per record or per database
27. Security Issues
- Integrity
- *-property for access control: either a process cleared at a high level cannot write to a lower level, or the process must be a trusted process
- Confidentiality
- Different users at different levels may get different query results
- Polyinstantiation: a record can appear more than once, with different levels of confidentiality
28. Proposals for Multilevel Security
- Separation
- Partitioning: divide the DB into separate DBs, each with its own level of sensitivity
- Encryption: encrypt the data of each level (time-consuming)
- Integrity lock: each data item carries a sensitivity label and a checksum
- The sensitivity label must be unforgeable, unique, and concealed
- The checksum must be unique: computed over the data, its label and the item's position, so that a checksum cannot be copied onto another item
- Sensitivity lock: the combination of label and checksum
29. Design of Multilevel Secure Databases
- Integrity lock: not efficient (space and time overhead of a label and checksum on every element)
- Trusted front-end (guard): does authentication and filtering between the user and an untrusted DBMS
- Commutative filters: screen the user's request and reformat it so that only appropriate data is returned; "commutative" because the filter yields the same result whether applied to the query before the DBMS or to the results after it
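The integrity lock from slide 28, polyinstantiation from slide 27 and the trusted front-end from this slide fit together in one small model. The following is an added example, not code from the slides or from any real MLS product: the level lattice, the HMAC-based checksum over (item id, label, value), the key held only by the guard, the "highest visible instance wins" rule for polyinstantiated rows, and the flight records are all constructed for illustration.

```python
"""Multilevel rows with an integrity lock and a trusted front-end filter.
Added example, not from the slides. Each stored item carries a sensitivity
label and an HMAC checksum over (item id, label, value); the labels, the
clearance lattice, the key and the sample rows are constructed for
illustration. Polyinstantiation is shown by storing two versions of one
logical record at different levels."""
import hmac
import hashlib

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}
KEY = b"constructed-demo-key-held-only-by-the-guard"  # never stored beside the data


def lock(item_id, label, value, key=KEY):
    """Integrity lock checksum. Binding the value to its label and its record
    position means neither can be swapped or replayed onto another item."""
    msg = f"{item_id}|{label}|{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def store(rows):
    """The untrusted DBMS side: (id, label, value, checksum) tuples, no key."""
    return [(rid, label, value, lock(rid, label, value)) for rid, label, value in rows]


class TrustedFrontEnd:
    """Guard between user and DBMS: takes the user's clearance as already
    authenticated, narrows the fetch to rows at or below that clearance
    (a commutative filter), and verifies every lock before releasing data."""

    def __init__(self, table):
        self.table = table

    def filter_query(self, clearance):
        allowed = {name for name, lvl in LEVELS.items() if lvl <= LEVELS[clearance]}
        return [row for row in self.table if row[1] in allowed]

    def query(self, clearance):
        out = {}
        for rid, label, value, checksum in self.filter_query(clearance):
            if not hmac.compare_digest(checksum, lock(rid, label, value)):
                raise ValueError(f"integrity lock failed on item {rid}")
            # Polyinstantiation: of the versions of rid the user may see,
            # release the one at the highest level (assumed rule).
            if rid not in out or LEVELS[label] > LEVELS[out[rid][0]]:
                out[rid] = (label, value)
        return {rid: value for rid, (label, value) in out.items()}


# constructed rows: (logical record id, label, value)
ROWS = [
    ("flight-101", "unclassified", "destination=Frankfurt"),
    ("flight-101", "secret", "destination=Baghdad"),  # polyinstantiated cover story
    ("flight-102", "confidential", "destination=Oslo"),
]


def demo_levels():
    """What an unclassified user and a secret user each receive."""
    fe = TrustedFrontEnd(store(ROWS))
    return fe.query("unclassified"), fe.query("secret")


def demo_tamper():
    """Downgrade the secret row's label to unclassified without the key: the
    lock no longer verifies, so the guard refuses to release anything."""
    table = store(ROWS)
    rid, label, value, checksum = table[1]
    table[1] = (rid, "unclassified", value, checksum)
    try:
        TrustedFrontEnd(table).query("unclassified")
        return "released"
    except ValueError:
        return "refused"


if __name__ == "__main__":
    print(demo_levels())
    print(demo_tamper())  # refused
```

The checksum here makes the label unforgeable; it does not make it concealed, since the label sits in the clear beside the data, which is one of the reasons the slide lists the integrity lock as space- and time-inefficient once the label also has to be protected. The filter is commutative in the sense the slide describes: applying it to the fetched rows after the DBMS would return the same set as narrowing the query before it.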
30. Design of Multilevel Secure Databases
- Distributed (federated) database
- A trusted front-end controls access to two DBMSs, one for high-sensitivity data and one for low-sensitivity data
- Very complex
- Window / view
- A subset of the database containing exactly the information that the user is entitled to access