CIS 2005 System Security and Control - PowerPoint PPT Presentation

1
CIS 2005 System Security and Control
  • Lecture 6
  • Module 6 - Database security

2
This week's objectives
  • Identify DBMS security features
  • Prevent data corruption
  • Understand how to deal with sensitive data
  • Identify security features in multilevel databases

3
Attacks on data
  • are the ones that cause sensitive data to be
  • Disclosed to unauthorized persons (loss of
    confidentiality)
  • Altered in an unacceptable manner (loss of
    integrity)
  • Inaccessible to authorized users (loss of
    availability)

4
Traditional file processing
  • Separate files are created for a specific
    application and accessed directly from within a
    program (e.g. a data file opened by a VB program)
  • Different departments can keep their own data
    files independently of other departments

5
COBOL Example
    01 Student-Record.
       05 Student-no          PIC X(8).
       05 Student-course      PIC X(4).
       05 Student-name        PIC X(50).
       05 Student-enrol-date  PIC 9(6).
  • The record layout is located within the program
  • Procedural vs non-procedural processing
  • COPY (copybook): the layout can be pulled in from
    a copybook, which can disguise the fields from
    the reader of the program
6
Implications of file processing
  • Requires custom-developed software, which can
    lead to
  • Program bugs, lack of testing, unforeseen problems
  • Programming attacks (trapdoors, salami attacks)
  • Possible concurrency problems: affects integrity
    and/or availability
  • Files can be opened and/or modified directly,
    bypassing the program: affects confidentiality
    (and integrity)
  • Data redundancy and inconsistency: affects
    integrity

7
Next generation of data handling
  • DBMS (Database Management System)
  • software program or a set of programs designed to
    control access to the database and manage the
    data resources efficiently
  • Oracle, Ingres, Microsoft Access etc.
  • Common functions are
  • Update, delete, add, retrieve
  • Access control (authentication, access rights)
  • Concurrency management
  • Backup and recovery

8
A database is
  • a collection of data stored and maintained at
    one central location, to which many people have
    access as needed.

9
Database Security
  • Addressing THREE aspects of security for DBMS
  • Confidentiality and integrity in database
    applications
  • The inference problem for statistical databases
  • Including users and data with different
    sensitivity levels in one database

10
Advantages of using databases
  • Shared access to data
  • Minimal redundancy
  • Data consistency
  • Data integrity
  • Controlled access
  • (There are also other advantages that do not have
    security implications, such as easier reporting)

11
SECURITY REQUIREMENTS

12
Security requirements
  • Physical database integrity
  • Logical database integrity
  • Element integrity
  • Auditability
  • Access control
  • User authentication
  • Availability

13
Element integrity
  • is concerned with integrity and accuracy of
    individual pieces of data
  • Ways databases ensure element integrity
  • Field checks
  • Check digits
  • Error detection and correction methods (parity,
    cyclic redundancy checks etc.)
  • These are computed and appended to the data when
    it is stored, and checked when the data is
    retrieved
  • Access controls
  • Change log

14
Element integrity: field checks
  • Data types and constraint rules for each element
    are specified in a data dictionary

15
Element integrity: check digit
  • The value of a check digit is determined by
    applying a formula to the numbers in the primary
    key
  • Worked example: student number Q9421332, check
    digit ?
    9 + 4 + 2 + 1 + 3 + 3 + 2 = 24
    2 + 4 = 6
    so the key is stored as Q9421332 with check
    digit 6
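The check-digit slide above only shows one key. The following Python block is an added example (not code from the lecture) that implements the slide's digit-sum scheme for Q9421332, appends and verifies the digit as a DBMS would on store and retrieve, and then goes beyond the slide: it adds a weighted mod-11 check digit (the ISBN-10 construction) and counts, for both schemes, how many single-digit typing errors and adjacent-digit swaps would go unnoticed. The dash separator, the mod-11 weights and the error-counting helper are choices of this example, not of the slides.

```python
# Added example (not from the lecture slides): check digits for a primary key.
# The slide's scheme for Q9421332 adds the digits (9+4+2+1+3+3+2 = 24) and then
# the digits of that sum (2+4 = 6).  The weighted mod-11 scheme is an extension
# beyond the slide, included to show which input errors each scheme catches.


def digit_sum_check(key: str) -> int:
    """Slide scheme: add the digits, then keep adding the digits of the result
    until one digit remains.  Non-digit characters (the 'Q' prefix) are ignored."""
    total = sum(int(c) for c in key if c.isdigit())
    while total > 9:
        total = sum(int(c) for c in str(total))
    return total


def mod11_check(key: str) -> str:
    """Weighted mod-11 check digit (as used in ISBN-10): each digit is multiplied
    by a different weight (2, 3, 4, ... counting from the right), so swapping two
    digits changes the weighted sum.  'X' stands for a remainder of 10."""
    digits = [int(c) for c in key if c.isdigit()]
    weighted = sum(d * w for d, w in zip(reversed(digits), range(2, 2 + len(digits))))
    remainder = (11 - weighted % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def with_check(key: str, scheme=mod11_check) -> str:
    """Append the check digit to the key when it is stored (dash-separated)."""
    return f"{key}-{scheme(key)}"


def verify(keyed: str, scheme=mod11_check) -> bool:
    """On retrieval: True if the stored check digit matches the key it is attached to."""
    key, _, check = keyed.rpartition("-")
    return str(scheme(key)) == check


def undetected_errors(scheme, key: str) -> dict:
    """Count the single-digit substitutions and adjacent-digit transpositions of
    `key` that leave the check digit unchanged, i.e. that the scheme would accept."""
    expected = scheme(key)
    chars = list(key)
    positions = [i for i, c in enumerate(chars) if c.isdigit()]
    substitutions = transpositions = 0
    for i in positions:
        for d in "0123456789":
            if d != chars[i]:
                bad = chars[:]
                bad[i] = d
                substitutions += scheme("".join(bad)) == expected
    for i, j in zip(positions, positions[1:]):
        if chars[i] != chars[j]:
            bad = chars[:]
            bad[i], bad[j] = bad[j], bad[i]
            transpositions += scheme("".join(bad)) == expected
    return {"substitutions": substitutions, "transpositions": transpositions}


if __name__ == "__main__":
    print(with_check("Q9421332", digit_sum_check))   # Q9421332-6, as on the slide
    print(with_check("Q9421332", mod11_check))       # Q9421332-1
    for name, scheme in (("digit sum", digit_sum_check), ("mod 11", mod11_check)):
        print(name, undetected_errors(scheme, "Q9421332"))
```

Running it shows the practical caveat: the plain digit sum accepts every adjacent transposition of Q9421332 (Q4921332-6 verifies) and the 9-to-0 substitution, because the sum does not depend on digit order and a change of exactly 9 leaves the digital root alone. The weighted scheme catches all of them for this key, which is why real identifiers (ISBN, bank account numbers) use position-dependent weights.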
16
RELIABILITY AND INTEGRITY

17
Techniques for reliability and integrity
  • OS protection features
  • Two-phase updates
  • Error detection and correction codes
  • Shadow fields
  • Recovery mechanisms
  • Locking (concurrency and consistency)
  • Monitors
  • Range comparisons
  • State constraints
  • Transition constraints

18
Two-phase update: Intent phase
19
Two-phase update: Commit phase
  • (Figure, reconstructed from the slide)
  • Update data: Adams M 1 999.99
  • Database: Bailey F 3 560.00; Adams M 1 452.45;
    Majors M 2 123.50
  • Shadow field: Adams M 1 999.99 (the new value
    999.99 is being copied from the shadow field
    into the database record)
  • Flags (as read from the slide figure): DB lock
    ON, Intent OFF, Commit ON
20
Two-phase update: Complete
  • Database: Bailey F 3 560.00; Adams M 1 999.99;
    Majors M 2 123.50
  • Shadow field: empty
  • Flags: DB lock OFF, Intent OFF, Commit OFF
21
Backup and recovery
  • Some of the threats to database integrity
  • Power failure/fluctuations
  • A program being stuck in a loop while accessing a
    record
  • Accidental or malicious deletion or modification
    of data
  • To recover means to roll the database back to its
    last stable state (a backup or checkpoint) and
    then re-apply all subsequent completed
    transactions from an audit log

22
Backup and recovery (contd)
  • Audit logs (also used for audit purposes)
  • A listing of the activities that have affected
    the database
  • A before-image and an after-image of each change
  • Backup procedures
  • Two-phase update provides a way to recover
    uncompleted transactions
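To make the before/after-image idea concrete, the Python block below is an added example that is not part of the lecture. A small database keeps a backup (its last stable state) and an audit log in which every change carries the record's before-image and after-image, with explicit commit records. Recovery restores the backup and replays the after-images of committed transactions only; the before-images are what lets an auditor reverse one specific committed change, and the example also shows the check that reversal needs. The records and transactions are constructed for the demo.

```python
# Added example (not from the lecture slides): recovery from a backup plus an
# audit log holding a before-image and an after-image of every change.  The
# records and transactions are constructed for the demo.
import copy
from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class LogEntry:
    txid: int
    kind: str                    # "update" or "commit"
    key: Optional[str] = None
    before: Any = None           # value before the change (before-image)
    after: Any = None            # value after the change (after-image)


class LoggedDB:
    def __init__(self, rows):
        self.rows = dict(rows)
        self.backup = None       # last stable state
        self.log = []            # every change since that backup
        self._next_tx = 0

    def take_backup(self):
        """Checkpoint: copy the records and start a fresh log."""
        self.backup = copy.deepcopy(self.rows)
        self.log = []

    def begin(self):
        self._next_tx += 1
        return self._next_tx

    def update(self, txid, key, value):
        # The log entry is written before the record is changed, so a change can
        # never exist without its before-image.
        self.log.append(LogEntry(txid, "update", key, self.rows.get(key), value))
        self.rows[key] = value

    def commit(self, txid):
        self.log.append(LogEntry(txid, "commit"))


def recover(backup, log):
    """Roll the database to its last stable state, then re-apply the after-images
    of committed transactions in log order.  Changes of a transaction that never
    reached its commit record are not applied."""
    committed = {e.txid for e in log if e.kind == "commit"}
    rows = copy.deepcopy(backup)
    for e in log:
        if e.kind == "update" and e.txid in committed:
            rows[e.key] = e.after
    return rows


def undo_transaction(rows, log, txid):
    """Reverse one committed transaction from its before-images, newest change
    first.  Refuses if a later transaction has since changed the same record,
    because restoring the before-image would then also wipe out that change."""
    rows = dict(rows)
    entries = [e for e in log if e.kind == "update" and e.txid == txid]
    for e in reversed(entries):
        if rows.get(e.key) != e.after:
            raise ValueError(f"{e.key} was changed again after transaction {txid}")
        rows[e.key] = e.before
    return rows


def demo():
    db = LoggedDB({"Adams": 452.45, "Bailey": 560.00, "Majors": 123.50})
    db.take_backup()
    t1 = db.begin()
    db.update(t1, "Adams", 999.99)
    db.commit(t1)
    t2 = db.begin()
    db.update(t2, "Bailey", 600.00)
    db.commit(t2)
    t3 = db.begin()
    db.update(t3, "Majors", 0.00)                      # power fails before commit
    recovered = recover(db.backup, db.log)             # t1 and t2 re-applied, t3 dropped
    undone = undo_transaction(recovered, db.log, t2)   # audit later finds t2 unauthorized
    return recovered, undone


if __name__ == "__main__":
    print(demo())
```

Two details matter for security rather than just reliability: the log entry is appended before the record is touched (otherwise a crash can leave a change with no before-image to undo), and `undo_transaction` refuses to restore a before-image over a value that a later transaction wrote, which is the usual trap when an audit-driven rollback is attempted long after the fact.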

23
SENSITIVE DATA

24
Sensitive data
  • Sensitive data is data that we do not wish to
    make public!

25
Factors that make data sensitive
  • Inherently sensitive
  • From a sensitive source
  • Declared sensitive
  • Of a sensitive attribute or record
  • Sensitive in relation to previously disclosed
    information (aggregation problem)
  • Who decides ???

26
Access Decisions
  • Database administrator
  • Availability of data
  • Acceptability of access
  • Assurance of authenticity

27
Types of Disclosure
  • Exact Data
  • Bounds
  • Negative Result
  • Existence
  • Probable Value

28
Security versus Precision
  • The dilemma
  • Balancing unrestricted sharing with preserving
    secrecy

29
INFERENCE

30
The Inference problem
  • The situation in which legitimate users derive
    sensitive data from non-sensitive data without
    exceeding their access rights
  • The two types of inference are
  • Direct: a legitimate query whose result reveals
    the sensitive value itself (e.g. a query that
    matches a single record)
  • Indirect: a statistical inference attack that
    combines aggregate results, e.g. sum, count,
    median, tracker attacks, linear system
    vulnerability

31
Example of indirect query
32
Controls against statistical inferences
  • Suppression
  • Sensitive values are not shown, or
  • The query is rejected altogether without a
    response (e.g. when its result set is too small)
  • Concealing
  • The answer provided is close to but not the
    actual value (e.g. rounding or random
    perturbation)
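Slide 31's example of an indirect query did not survive in this transcript, so the Python block below is an added example (not from the lecture) that plays the attack and both controls on a constructed staff table held in an in-memory SQLite database. The statistical interface answers only COUNT and SUM(salary) over equality predicates on allow-listed columns. A direct query on the one woman in Security is suppressed because its query set has size 1; an individual tracker (SUM over all of Security minus SUM over the men in Security) still yields her exact salary, because each of those two query sets is large enough to be answered; with concealing switched on, the same tracker only lands within the noise range. The table, the k = 3 threshold and the query-keyed noise are constructed choices for this demo.

```python
# Added example (not from the lecture slides): a tracker attack against a
# statistical interface to a small staff table, with suppression and concealing
# controls.  The table, the threshold and the predicates are constructed.
import hashlib
import sqlite3

# Constructed data: the one woman in Security makes her record uniquely identifiable.
STAFF = [
    ("Alice", "Security", "F", 91000), ("Bob", "Security", "M", 72000),
    ("Carl", "Security", "M", 68000), ("Dan", "Security", "M", 75000),
    ("Ed", "Security", "M", 70000), ("Fay", "Finance", "F", 64000),
    ("Gus", "Finance", "M", 61000), ("Hal", "Finance", "M", 59000),
    ("Ivy", "Finance", "F", 66000), ("Jon", "Finance", "M", 62000),
]
COLUMNS = ("dept", "gender")      # the only attributes a query may filter on


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE staff(name TEXT, dept TEXT, gender TEXT, salary INTEGER)")
    con.executemany("INSERT INTO staff VALUES (?, ?, ?, ?)", STAFF)
    return con


class StatDB:
    """Statistical interface: only COUNT and SUM(salary) over an equality
    predicate on allow-listed columns; never individual rows."""

    def __init__(self, con, k=3, conceal=False):
        self.con, self.k, self.conceal = con, k, conceal
        self.n = con.execute("SELECT COUNT(*) FROM staff").fetchone()[0]

    def query(self, agg, conds):
        if agg not in ("COUNT", "SUM"):
            raise ValueError(agg)
        if any(c not in COLUMNS for c in conds):
            raise ValueError("filtering on this column is not allowed")
        # Column names come from the allow-list and values are bound parameters,
        # so the caller cannot inject SQL through the predicate.
        clause = " AND ".join(f"{c} = ?" for c in conds) or "1 = 1"
        params = tuple(conds.values())
        count, total = self.con.execute(
            f"SELECT COUNT(*), COALESCE(SUM(salary), 0) FROM staff WHERE {clause}", params
        ).fetchone()
        # Suppression: reject a query set that is too small, or whose complement
        # is too small (otherwise SUM(all) - SUM(all but one) isolates a record).
        if count < self.k or count > self.n - self.k:
            return None
        value = count if agg == "COUNT" else total
        if self.conceal and agg == "SUM":
            value += self._noise(clause, params)
        return value

    @staticmethod
    def _noise(clause, params):
        # Concealing: perturb the sum by up to +/-2000.  The noise is derived from
        # the query itself, so repeating the same query returns the same answer
        # and the noise cannot be averaged away.
        digest = hashlib.sha256(repr((clause, params)).encode()).digest()
        return int.from_bytes(digest[:4], "big") % 4001 - 2000


def direct_attack(sdb):
    """SUM over the target's own characteristic; the query set has size 1."""
    return sdb.query("SUM", {"dept": "Security", "gender": "F"})


def tracker_attack(sdb):
    """Individual tracker.  Target C = dept=Security AND gender=F.
    C1 = dept=Security and T = dept=Security AND gender=M are both large
    enough to be answered, and SUM(C1) - SUM(T) = SUM(C), the target's salary."""
    c1 = sdb.query("SUM", {"dept": "Security"})
    t = sdb.query("SUM", {"dept": "Security", "gender": "M"})
    return None if c1 is None or t is None else c1 - t


def demo():
    con = make_db()
    plain, concealed = StatDB(con), StatDB(con, conceal=True)
    return {
        "direct": direct_attack(plain),                   # suppressed -> None
        "tracker": tracker_attack(plain),                 # exact salary despite suppression
        "tracker_concealed": tracker_attack(concealed),   # within +/-4000 of it
    }


if __name__ == "__main__":
    print(demo())
```

The example shows why a query-set-size threshold alone is not a defence: suppression blocks the direct query but not the tracker. Query-keyed noise blunts the tracker to a bound rather than an exact value (a "bounds" disclosure in the terms of slide 27), but it is not a complete answer either, since different predicates that denote the same set of records receive different noise and can be combined, which is the linear-system vulnerability the slides list.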

33
Aggregation problem
  • Pieces of information that are not sensitive in
    isolation may become sensitive when they are put
    together

34
Approaches to controlling sensitive data
  • Default permit
  • Permit access to everything except for what is
    expressly prohibited
  • Default prohibit
  • Prohibit access to everything except for what is
    expressly permitted

35
MULTILEVEL DATABASES

36
Multilevel database security
  • Two levels sensitive and non-sensitive are
    inadequate to represent most security situations
  • Security of one element might be different from
    security level of another element
  • Security of an aggregate might be different from
    the security of an individual element

37
Multilevel database security
  • A multilevel database system stores data of
    various levels of security and serves users with
    various levels of security clearance
  • Access rights and privileges
  • Subjects: active elements such as people and
    programs acting on behalf of people
  • Objects: passive elements such as data files,
    disks and memory
  • Granularity

38
Multilevel Security Through Separation
  • Partitioning
  • Encryption
  • Integrity lock
  • Sensitivity lock

39
Multilevel Security Through Design
  • Integrity lock
  • Trusted front end
  • Commutative filters
  • Distributed databases
  • Restricted views
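Slides 38 and 39 both list the integrity lock but do not show how it works, so the Python block below is an added example, not code from the lecture. Each element is stored with its sensitivity label and a keyed checksum computed by a trusted front end over the element's position, value and label; the DBMS that stores the triple is untrusted and never holds the key. On retrieval the front end verifies the checksum before it applies the clearance check, so relabelling an element, moving another element's lock onto it, or editing the value behind the lock is detected. The use of HMAC-SHA256 as the checksum, the (table, row, column) element naming, the four clearance levels and the sample cells are assumptions of this example.

```python
# Added example (not from the lecture slides): an integrity lock on individual
# database elements.  The checksum (HMAC-SHA256), the element naming and the
# clearance levels are assumptions of this demo.  The DBMS storing the
# (value, label, lock) triple is untrusted and does not hold the key.
import hashlib
import hmac

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class IntegrityError(Exception):
    """The element, its label or its position no longer match the lock."""


class UntrustedDBMS:
    """Plain storage of (value, label, lock) per element; it can be tampered with."""

    def __init__(self):
        self.cells = {}

    def put(self, element, value, label, lock):
        self.cells[element] = [value, label, lock]

    def get(self, element):
        return tuple(self.cells[element])


class TrustedFrontEnd:
    def __init__(self, key: bytes):
        self._key = key          # never leaves the front end

    def _lock(self, element, value: str, label: str) -> bytes:
        # The lock binds value AND label AND the element's position (table, row,
        # column), so neither relabelling nor moving a lock to another element
        # goes unnoticed.  Fields are length-prefixed to keep the encoding unambiguous.
        parts = [*element, value, label]
        msg = b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def store(self, dbms, element, value: str, label: str):
        if label not in LEVELS:
            raise ValueError(label)
        dbms.put(element, value, label, self._lock(element, value, label))

    def read(self, dbms, element, clearance: str):
        value, label, lock = dbms.get(element)
        if not hmac.compare_digest(lock, self._lock(element, value, label)):
            raise IntegrityError(f"lock mismatch on {element}")
        # The label is trusted only once the lock has verified it.
        if LEVELS[label] > LEVELS[clearance]:
            return None          # the element is invisible at this clearance
        return value


def attempt(tfe, dbms, element):
    """What an unclassified user sees after the DBMS has been tampered with."""
    try:
        return tfe.read(dbms, element, "unclassified")
    except IntegrityError:
        return "rejected"


def demo():
    tfe = TrustedFrontEnd(b"front-end key, never given to the DBMS")   # constructed key
    dbms = UntrustedDBMS()
    secret = ("agents", "7", "location")       # constructed element names
    public = ("agents", "7", "cover_name")
    tfe.store(dbms, secret, "Vienna", "secret")
    tfe.store(dbms, public, "J. Smith", "unclassified")
    results = {"cleared": tfe.read(dbms, secret, "secret"),
               "not_cleared": tfe.read(dbms, secret, "confidential")}

    # Attack 1: the DBMS rewrites the label to leak the value to a low user.
    dbms.cells[secret][1] = "unclassified"
    results["downgrade"] = attempt(tfe, dbms, secret)

    # Attack 2: the DBMS copies the unclassified cell's label and lock onto the secret cell.
    tfe.store(dbms, secret, "Vienna", "secret")
    dbms.cells[secret][1:] = dbms.cells[public][1:]
    results["lock_swap"] = attempt(tfe, dbms, secret)

    # Attack 3: the value is altered while label and lock are left as they were.
    tfe.store(dbms, secret, "Vienna", "secret")
    dbms.cells[secret][0] = "Prague"
    results["tamper"] = attempt(tfe, dbms, secret)
    return results


if __name__ == "__main__":
    print(demo())
```

The lock gives integrity of the element and of its label against an untrusted DBMS; it does not hide the value from that DBMS or from anyone who can read its storage, which is why the separation slide lists encryption alongside it. Binding the element's position into the checksum is the detail that defeats the lock-swap attack; a lock over value and label alone would let the DBMS present a genuinely signed unclassified triple in place of a secret one.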

40
TOPICS COVERED
  • Confidentiality, integrity and reliability of
    DBMSs
  • Inference problems
  • Multilevel secure databases