
Chapter 7 Database Security

SCSR 3413 Computer Security

Protecting data is a primary concern of secure systems; users count on the DataBase Management System (DBMS) to manage the protection.
Databases are important to businesses, governments and organizations. Why? Their organization and content are valuable assets.
Two major security problems:
- Integrity
- Secrecy

Introduction to Databases
Concept of a database:
- A database is a collection of data and rules.
- The DataBase Administrator (DBA) is the person responsible for defining the rules that organize the data and for configuring access.
- The DBMS is the program that interfaces between the user and the database (aka database manager or front end).

Components of a database
- Record: one related group of data.
- Field or element: a piece of data from a record.
- Schema: the logical structure of the database.
- Subschema: part of a database schema, used to restrict a user to only the portion of the database they need.
- Attribute: the name of each column.
- Relation: a set of columns.

Example relation:

NAME      ADDRESS         CITY      STATE  ZIP
ADAMS     212 Market St.  Columbus  OH     43210
BENCHLY   501 Union St.   Chicago   IL     60603
CARTER    411 Elm St.     Columbus  OH

Example relation with one record per family member:

NAME    FIRST     ADDRESS         CITY      STATE  ZIP    AIRPORT
ADAMS   Charles   212 Market St.  Columbus  OH     43210  CMH
ADAMS   Edward    212 Market St.  Columbus  OH     43210  CMH
CARTER  Marlene   411 Elm St.     Columbus  OH     43210  CMH
CARTER  Beth      411 Elm St.     Columbus  OH     43210  CMH
CARTER  Ben       411 Elm St.     Columbus  OH     43210  CMH
CARTER  Lisabeth  411 Elm St.     Columbus  OH     43210  CMH
CARTER  Mary      411 Elm St.     Columbus  OH     43210  CMH

Queries
- Interact with the DBMS to retrieve, modify, add or delete fields and records of the database.
- Most query languages are English-like, and many are based on the Sequential Query Language (SQL) developed by IBM.
Advantages of using databases:
- Shared access
- Minimal redundancy
- Data consistency
- Data integrity
- Controlled access
A DBMS is designed to provide these advantages efficiently.

Security Requirements
Some problems are the same as in all other areas; basic problems we have looked at thus far:
- Access control
- Exclusion of spurious data
- Authentication of users
- Reliability
Database security requirements:
- Physical database integrity: data are not lost in a power failure; if destroyed, the database can be reconstructed.
- Logical database integrity: the structure is preserved and not easily disrupted by changes in fields.

- Element integrity: the data in each element are accurate.
- Auditability: it is possible to track access and modification (who, what).
- Access control: only to authorized data, and only in the authorized mode (r/w).
- User authentication: all users are positively identified.
- Availability

Security Requirements: explained
Database integrity
- Must be able to trust the accuracy of the data values.
- The DBMS, the OS and the computing system manager are responsible for the integrity of the database.
- Backing up the database is one way of protecting it.
- Being able to reconstruct the database at the point of failure (DBMS transaction logging).

Element integrity
- Correctness or accuracy of the database elements.
- Ultimately the user is responsible for correct data, but the DBMS can help error-check.
- Three ways the DBMS can take corrective action:
  - Field checks: appropriate values, data type, ranges, ...
  - Access control, so that redundant data are not input. But who owns the data? Who has authority to change it? Change one copy? Change all? (Read Sidebar 6-2, Pfleeger pg 317.)
  - Change log, which contains all changes made, with original and modified values; lets you know when an error occurred.

Auditability
- Ideally generate a record of all reads and writes.
- Granularity problem: record, field or element level?
- Pass-through problem: accessing data without transferring the data to the user, e.g. performing a query that returns a result of one.

Access control
- Databases can be separated logically by user access privileges.
- The DB Admin specifies who gets access to what, at what level.
- The DBMS enforces the policy.
- All fields, records and elements are related, hence inference can prove to be a problem.

User authentication
- May use passwords.
- Time-of-day checks.
- Plus authentication by the OS.
Availability
- Both a program and a system.
- When the system is not available, users notice just as if the OS or network were down.
- Arbitration: when 2 users access the same data.
- Withhold unprotected data to avoid revealing protected data.

Reliability and Integrity
Software is reliable if it runs a long time without failing.
Reliability and integrity are important security issues in databases; it works two ways:
- Reliable: data we can count on.
- Integrity: our data are safe and not meddled with.
While measures can be taken, there is no way to prevent an authorized user from entering acceptable but incorrect data: humans are fallible.

Three dimensions of reliability and integrity
- Database integrity: the database as a whole is protected (backups, recovery, hardware failures, etc.).
- Element integrity: values are changed only by authorized users, and proper controls protect the database from being corrupted by unauthorized users.
- Element accuracy: only correct values are entered, through the use of constraint conditions and rules.

Reliability and Integrity (cont.)
Protection features from the OS:
- Periodic backups
- File protection
- Standard access control
- Integrity checks for all data I/O
These are the basic security practices; a database manager must enhance them.

Two-Phase Update
What if a failure happens in the middle of the data modification process?
Two-phase update (protects from failure during an update):
- Intent phase: gather provisions, be ready.
- Commit phase: permanent stage.
Analogy: getting married.
- Intent: like asking for her hand.
- Commit: she says yes, vows are spoken, permanent situation.

First phase is the intent phase:
- The DBMS gathers the resources required to perform the update.
- Does everything short of changing the database.
- Can be restarted many times without adverse effect.
- Ready to commit: requires the commit flag to be set; past the point of no return.
Second phase makes the changes permanent:
- No actions from the 1st phase can be repeated.
- The 2nd phase can be restarted if needed.
- If the system fails during the second phase, the database is incomplete, but restarting the 2nd phase corrects it.
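The two phases above, as an added example (not code from the slides): the account table, the intent log, the commit flag and the injected crash are all constructed here. The intent phase computes every write without touching the database, so it can be rerun freely; the commit phase applies absolute values, so replaying it after a crash leaves the database complete.

```python
"""Two-phase update with a restartable commit phase.

Added example, not code from the slides: the account table, the intent log,
the commit flag and the injected crash are all constructed here."""


class TwoPhaseUpdater:
    def __init__(self, db):
        self.db = db              # the "database": record name -> dict of fields
        self.intent = None        # resources gathered in phase 1 (staged writes)
        self.commit_flag = False  # set when phase 1 completes: point of no return

    def intent_phase(self, transfers):
        """Phase 1: validate and compute every write, touching nothing in db.

        transfers: list of (src, dst, amount). Rerunning this method simply
        rebuilds the staged writes, so a crash here has no adverse effect."""
        balances = {name: rec["balance"] for name, rec in self.db.items()}
        for src, dst, amount in transfers:
            if src not in balances or dst not in balances:
                raise KeyError(f"unknown account in transfer {src}->{dst}")
            if balances[src] < amount:
                raise ValueError(f"insufficient funds in {src}")
            balances[src] -= amount
            balances[dst] += amount
        # Staged writes are absolute values, so replaying them is idempotent.
        self.intent = [(name, "balance", value) for name, value in balances.items()]
        self.commit_flag = True
        return len(self.intent)

    def commit_phase(self, crash_after=None):
        """Phase 2: apply the staged writes. `crash_after` (a test hook) raises
        after that many writes, simulating a failure mid-commit."""
        if not self.commit_flag:
            raise RuntimeError("commit flag not set; run the intent phase first")
        for done, (name, field, value) in enumerate(self.intent):
            if crash_after is not None and done == crash_after:
                raise RuntimeError("simulated failure in the middle of the commit phase")
            self.db[name][field] = value
        self.commit_flag = False  # every write applied; nothing left to replay
        self.intent = None


def run_with_crash_and_restart():
    """Drive the protocol: crash during commit, then restart only phase 2.
    Returns (balances after the crash, balances after the restart)."""
    db = {"acct1": {"balance": 100}, "acct2": {"balance": 50}}
    updater = TwoPhaseUpdater(db)
    updater.intent_phase([("acct1", "acct2", 30)])
    try:
        updater.commit_phase(crash_after=1)   # first write lands, then crash
    except RuntimeError:
        pass
    after_crash = {k: v["balance"] for k, v in db.items()}
    assert updater.commit_flag                 # flag still set: phase 2 must be redone
    updater.commit_phase()                     # restart phase 2; replaying is harmless
    after_restart = {k: v["balance"] for k, v in db.items()}
    return after_crash, after_restart


if __name__ == "__main__":
    print(run_with_crash_and_restart())
```

After the simulated crash the database is inconsistent (30 has left acct1 but not yet arrived in acct2); because the commit flag is still set, the restarted second phase simply reapplies the staged values and the transfer completes.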

Redundancy/Internal Consistency
- To detect internal inconsistencies.
- Some forms of redundancy:
  - Error detection and correction codes (i.e. parity bits, Hamming codes and cyclic redundancy checks): for every data item a check is computed and stored; each time the data are retrieved, the same check is run and compared.
  - Shadow fields: attributes or the entire database can be duplicated; the 2nd copy is always at hand, but takes a lot of storage space.

Recovery
- An audit or transaction log is maintained.
- If the system aborts, the database can be recovered from backup, then brought up to date using the audit/transaction log.
Concurrency/Consistency
- Problem (e.g. with 2 users):
  - Both read: no problem.
  - Both modify: problem.
  - One reads, the other modifies: problem.
- Control used: lock files; the read-modify cycle as a single atomic operation.

Monitors
Responsible for the structural integrity of the database; a monitor checks values input to ensure they match previously defined constraints (consistency and constraints).
Forms of monitors:
- Range comparisons
  - Ensure data input are within an acceptable range; otherwise they are rejected.
  - Ensure internal consistency.
  - Can be used to verify database corruption.

- State constraints
  - Describe the condition of the entire database.
  - If the constraints are not met, some value in the database is in error; the commit flag is a type of state constraint.
  - Uniqueness constraint: deters duplication of states.
- Transition constraints
  - Conditions necessary before changes can be applied to the database.
  - E.g. slot 4474 = vacant; add employee (ali44); now slot 4474 = ali44: ok.
  - E.g. slot 4474 = bob32; add employee (ali44); now slot 4474 = ali44: can't happen.
Small, simple checks and constraints can be within the DBMS; otherwise they are invoked by the DBMS each time checking is needed.
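The three kinds of monitor (range comparison, state/uniqueness constraint, transition constraint) expressed inside a DBMS, as an added example that is not from the slides. It uses Python's built-in sqlite3 module; the `slot` table, the 1000-9999 range and the employee names are constructed, with the slot numbers taken from the slide's own example. The transition constraint is enforced as a single atomic compare-and-set update rather than a read followed by a write.

```python
"""Monitor-style constraints enforced in the DBMS: a range comparison, a
uniqueness (state) constraint and a transition constraint.

Added example, not from the slides. The `slot` table, the 1000-9999 range
and the employees ali44/bob32 are constructed here."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE slot (
               slot_no  INTEGER PRIMARY KEY
                        CHECK (slot_no BETWEEN 1000 AND 9999),  -- range comparison
               occupant TEXT UNIQUE)                             -- state: one slot per employee
        """
    )
    conn.executemany("INSERT INTO slot VALUES (?, ?)",
                     [(4474, None), (4475, "bob32")])
    conn.commit()
    return conn


def add_employee(conn, slot_no, emp):
    """Transition constraint: the change is applied only if the slot is
    vacant at the moment of the update (one atomic compare-and-set).
    Returns True when the transition was allowed."""
    try:
        cur = conn.execute(
            "UPDATE slot SET occupant = ? WHERE slot_no = ? AND occupant IS NULL",
            (emp, slot_no))
        conn.commit()
        return cur.rowcount == 1
    except sqlite3.IntegrityError:     # e.g. emp already holds another slot
        conn.rollback()
        return False


def create_slot(conn, slot_no):
    """Range comparison: out-of-range slot numbers are rejected by the DBMS."""
    try:
        conn.execute("INSERT INTO slot VALUES (?, NULL)", (slot_no,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def occupant(conn, slot_no):
    row = conn.execute("SELECT occupant FROM slot WHERE slot_no = ?",
                       (slot_no,)).fetchone()
    return row[0] if row else None


def state_ok(conn):
    """State constraint over the whole table, usable as a corruption check:
    no duplicate occupants and no slot outside the declared range."""
    dup = conn.execute("""SELECT COUNT(*) FROM (SELECT occupant FROM slot
                          WHERE occupant IS NOT NULL
                          GROUP BY occupant HAVING COUNT(*) > 1)""").fetchone()[0]
    bad = conn.execute(
        "SELECT COUNT(*) FROM slot WHERE slot_no NOT BETWEEN 1000 AND 9999"
    ).fetchone()[0]
    return dup == 0 and bad == 0


if __name__ == "__main__":
    c = make_db()
    print(add_employee(c, 4474, "ali44"))   # vacant slot: ok
    print(add_employee(c, 4475, "carol"))   # occupied by bob32: can't happen
    print(create_slot(c, 12))               # out of range: rejected
    print(state_ok(c))
```

The `WHERE ... AND occupant IS NULL` clause is what makes this a transition constraint rather than a state check: a zero row count tells the caller that the precondition did not hold when the write was attempted, with no window in which another session could slip in between a read and a write.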

Sensitive Data

Sensitive Data
Sensitive data should not be made public. The easiest cases to handle are when nothing is sensitive or everything is sensitive. Unfortunately there are varying degrees of sensitivity, and even differences between elements of a record. The challenge is to give access only to those authorized.

Sensitive Data (cont.)
Several factors can make data sensitive:
- Inherently sensitive
- From a sensitive source
- Declared sensitive
- Part of a sensitive attribute or a sensitive record
- Sensitive in relationship to previously disclosed information

Access decisions
The DBA [person] decides what data are in the database and who has access; decisions are based on the access policy. The DBMS [program] executes these decisions while considering several factors:
- Availability of the data: other users are blocked from data during update operations.
- Acceptability of the access: no releasing of sensitive data.
- Authenticity of the user: are you permitted to request this? At this time?

Availability of data: one or more required items may be unavailable because of updating (if the updating user aborts the transaction while the update is in progress, permanent denial of service may result).
Acceptability of access: a DBMS should not release sensitive data to an unauthorized user.
Assurance of authenticity: certain characteristics of the user external to the database may be considered.

Types of disclosures
Disclosures include:
- Exact data: the exact value.
- Bounds: the number of MI5 agents is between 25 and 40.
- Negative result: never been jailed = 0.
- Existence: a 'related to' field (why should it be there?).
- Probable value: gives a possibility/chance of an answer by probable logic.
  How many people in FIN are male? 9
  How many people in FIN are male AND have NO in the drug_test value? 8
A successful security strategy must protect from both direct and indirect disclosure.

Security vs. Precision
Security usually means hiding anything remotely related to sensitive data. Precision tries to protect all sensitive data while allowing access to as much nonsensitive data as possible. The ideal combination of security and precision allows us to maintain perfect confidentiality with maximum precision: we disclose all and only the non-sensitive data.

Inference
Inference is a way to infer or derive sensitive data from non-sensitive data. It can be done directly or indirectly.
Direct attack:
- Very obvious: List NAME where SEX=M & DRUGS=YES
- Less obvious (to the DBMS): List NAME where (SEX=M & DRUGS=YES) / (SEX!=M & SEX!=F) / DORM=ABDULLAH

Indirect attack
- To protect data, only statistical information may be released.
- Statistics such as sum, count, mean, median and mode can be valuable tools to infer information.
  - Sum: infer a value from a reported sum.
  - Count.
  - Median: requires finding selections having exactly one point of intersection in the middle.

Indirect attack (continued)
- Tracker attacks fool the database manager into locating desired data by using additional queries that produce small results; records from different queries cancel each other out.
- Linear system vulnerability: use logic, algebra and luck to determine the distribution by looking at several queries.

Controls for statistical inference attacks
Controls include suppression and concealing:
- Suppression provides nothing.
- Concealing provides information, but not exactly the actual value.
These two controls reflect the contrast between security and precision: suppression is very precise (nothing may be provided, for security reasons); concealing data is not as precise, but you get more responses.

Control Examples
- Limited response suppression: when only a limited amount of data is returned, even deleting the data item may not be enough; totals may reveal the missing data. Changing the values of other cells in the small sample would keep the value from being inferred.
- Combined results: ranging the result (i.e. instead of the actual count use 1-2, 3-4, etc.).
- Random sample: use a sample set from the database instead of the entire database.

- Random data perturbation: instead of a random sample, change the values slightly.
- Query analysis: maintain a query history to evaluate whether there is a combination of data that could reveal sensitive data.
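Three of the controls above (suppression of small query sets, combined/ranged results and query analysis over a history), applied to the two FIN counts from the "probable value" disclosure on slide 29. This is an added example, not code from the slides: the `staff` table is constructed to reproduce that situation (9 males in FIN, 8 of them with drug_test = 'NO'), and the threshold k=3, the range width of 2 and the "symmetric difference smaller than k" history rule are assumed parameters of the guard, not something the slides prescribe.

```python
"""Controls for statistical inference: query-set-size suppression, ranged
(combined) counts and a query-history overlap check.

Added example, not from the slides. The `staff` table, k=3, the range width
and the overlap rule are constructed/assumed here."""
import sqlite3

ALLOWED_COLUMNS = {"dept", "sex", "drug_test"}   # predicates are built only from these

# Constructed sample data: 12 FIN staff (9 M, 3 F) and 2 in another department.
STAFF = ([("FIN", "M", "NO")] * 8 + [("FIN", "M", "YES")]
         + [("FIN", "F", "NO")] * 3 + [("OPS", "F", "NO"), ("OPS", "M", "NO")])


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (dept TEXT, sex TEXT, drug_test TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", STAFF)
    conn.commit()
    return conn


def ranged(count, width=2):
    """Combined results: report 1-2, 3-4, ... instead of the exact count."""
    if count == 0:
        return "0"
    lo = ((count - 1) // width) * width + 1
    return f"{lo}-{lo + width - 1}"


class StatisticalGuard:
    def __init__(self, conn, k=3):
        self.conn = conn
        self.k = k                      # minimum query-set size
        self.total = conn.execute("SELECT COUNT(*) FROM staff").fetchone()[0]
        self.history = []               # query sets already answered (query analysis)

    def _query_set(self, predicate):
        """Rows selected by `predicate` (column -> value, ANDed). Columns are
        checked against a whitelist and values are bound as parameters."""
        cols = [c for c in predicate if c in ALLOWED_COLUMNS]
        if not cols or len(cols) != len(predicate):
            raise ValueError("predicate must use only allowed columns")
        where = " AND ".join(f"{c} = ?" for c in cols)
        rows = self.conn.execute(f"SELECT rowid FROM staff WHERE {where}",
                                 [predicate[c] for c in cols]).fetchall()
        return frozenset(r[0] for r in rows)

    def count(self, predicate):
        """Return (released, value, reason)."""
        qs = self._query_set(predicate)
        n = len(qs)
        # Suppression: tiny sets, and sets so large that the total reveals
        # the few rows left out (the "totals reveal the missing data" case).
        if n < self.k or n > self.total - self.k:
            return (False, None, "query set too small or too close to the total")
        # Query analysis: refuse a set that differs from an earlier answered
        # set by fewer than k records; the two answers would isolate individuals.
        for earlier in self.history:
            if 0 < len(qs ^ earlier) < self.k:
                return (False, None, "overlaps an earlier query set too closely")
        self.history.append(qs)
        return (True, ranged(n), "ok")


if __name__ == "__main__":
    g = StatisticalGuard(make_db())
    print(g.count({"dept": "FIN", "sex": "M"}))
    print(g.count({"dept": "FIN", "sex": "M", "drug_test": "NO"}))
    print(g.count({"dept": "FIN", "drug_test": "YES"}))
```

The first FIN count is released as the range 9-10; the second, which differs from it by a single record, is refused by the history check, and a direct count of the one remaining record is refused by the size rule. A repeated identical query is still answered (its symmetric difference is empty), which is consistent rather than informative.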

Conclusion of the inference problem
There is no perfect solution. Approaches include:
- Suppress obviously sensitive data.
- Track what the user knows (costly, though).
- Disguise data (but this may result in incorrect and inconsistent results).
An effective control is just knowing the problem exists, then taking appropriate measures.

Aggregation
Building sensitive results from less sensitive inputs.
- Difficult to address because it is hard to track what each user has already received.
- Data mining: sifting through multiple databases and correlating the data.

Multilevel databases

Case for Differentiated Security
- Some parts of the data are not sensitive where others are:
  - The total average salary in FSKSM is not sensitive; an individual salary is.
  - The PM's private line is sensitive, but the reception line is not.
  (Check out tables 6-15 and 6-16 of Pfleeger.)
Three characteristics of database security:
- One element in the same row/column may have different security needs than others; this implies that security should be implemented for each individual element.
- Sensitive and non-sensitive labels are not enough; perhaps an approach like the military model could be better.
- Sometimes an aggregate of elements is more revealing than the individual elements, and should be monitored.

Granularity and security
What do you keep safe? Data? Element? Combination of elements? Each might have a different level of sensitivity:
- Manhattan = not sensitive (it's a place).
- Project = a word, not sensitive.
- Manhattan project = sensitive (because it's a government project to eradicate the drug lords in Manhattan).
Every element and every combination may have a distinct sensitivity value/level. So we need an access control policy for data, which helps with determining access limitations, and we must have a way to guarantee that this policy will not be changed by an unauthorized person.

Security issues of multilevel databases
- Integrity
  - Hard to achieve: a high-level process cannot write to a lower level. But how about updates, backups, scanning?
  - If need be, the process must be a 'trusted process', something like a process with security clearance.
- Confidentiality
  - Enforcing it could lead to:
    - Precision sacrificed, as with concealing.
    - Redundancy: 2 records for the same person.
    - Polyinstantiation: 1 record appears many times with different levels of confidentiality. Sometimes polyinstantiation is legitimate.

Example:

NAME      SENSITIVITY  ASSIGNMENT       LOCATION
Hill.Bob  C            Program Manager  London
Hill.Bob  TS           Secret Agent     Italy

NAME      SENSITIVITY  ASSIGNMENT       LOCATION
Hill.Bob  C            Pensioner        London
Hill.Bob  C            By Contract      London

Some multilevel security proposals
Separation is necessary to limit access:
- Partitioning
  - The database is divided into separate databases, each with its own level of sensitivity: separate files, separate databases.
  - Disadvantage: hinders the task of a database.
- Encryption
  - Encrypt sensitive data so they can't be accidentally opened.
  - But it is open to attacks on the encryption (chosen plaintext attack), and encryption and decryption take time.

- Integrity lock
  - Provides integrity and limited access.
  - Has 3 parts per data item:
    - The actual data.
    - The sensitivity level: should be unforgeable, unique and concealed.
    - A checksum made of the data and the sensitivity level, to ensure no unauthorized modification.
- Sensitivity lock
  - A combination of a unique identifier and the sensitivity level.
  - Each lock relates to one particular record.
  - With encryption the lock contents are concealed.
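The three-part integrity lock (data, sensitivity label, checksum over both) as an added example that is not from the slides. The checksum is a keyed HMAC-SHA256, so an attacker without the key cannot recompute it after relabelling or editing an item; the level ordering U < C < S < TS, the record identifiers and the sample records are constructed. The slide's concealment of the lock contents by encryption is not shown here, only the unforgeability of the binding.

```python
"""Integrity lock: every stored item carries its data, a sensitivity label and
a checksum bound to both, so neither can be altered or swapped unnoticed.

Added example, not from the slides. The keyed checksum (HMAC-SHA256), the
level ordering and the sample records are constructed."""
import hashlib
import hmac
import json

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


def _checksum(key, record_id, data, sensitivity):
    # Bind id, data and label together; the key keeps the checksum unforgeable.
    msg = json.dumps([record_id, data, sensitivity], sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal(key, record_id, data, sensitivity):
    """Build the three-part item the slide describes."""
    if sensitivity not in LEVELS:
        raise ValueError("unknown sensitivity level")
    return {"id": record_id, "data": data, "sensitivity": sensitivity,
            "checksum": _checksum(key, record_id, data, sensitivity)}


def verify(key, item):
    """True only if data, label and id are exactly as sealed."""
    expected = _checksum(key, item["id"], item["data"], item["sensitivity"])
    return hmac.compare_digest(expected, item["checksum"])


def read(key, item, clearance):
    """Trusted access controller: release data only if the lock is intact and
    the reader's clearance dominates the item's label; otherwise None."""
    if not verify(key, item):
        return None
    if LEVELS[clearance] < LEVELS[item["sensitivity"]]:
        return None
    return item["data"]


def tamper_demo(key):
    """Show that downgrading an item's label is detected. Returns
    (verified before tampering, verified after tampering)."""
    item = seal(key, 17, {"assignment": "Secret Agent", "location": "Italy"}, "TS")
    ok_before = verify(key, item)
    item["sensitivity"] = "C"      # label rewritten without the key
    return ok_before, verify(key, item)


if __name__ == "__main__":
    k = b"constructed-demo-key"
    print(tamper_demo(k))
```

Because the identifier is part of the checksummed message, a valid lock cannot be copied from a low-sensitivity record onto a high-sensitivity one either; the trusted access controller should hold the key, and the untrusted database manager only stores the sealed items.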

Designs of multilevel secure databases
These are some different designs for multilevel secure databases; they show the trade-offs among efficiency, flexibility, simplicity and trustworthiness:
- Integrity lock
- Trusted front end
- Commutative filters
- Distributed databases
- Window/View

Integrity lock
- As before, but has efficiency drawbacks: needs more storage space and time.
- An untrusted database manager may be prone to attacks.
[Figure labels: Users; Untrusted (Commercial) Database Manager; Trusted Access Controller; Sensitive Database; Security Perimeter]

Trusted front end
- Uses enhanced existing systems, as users are used to them.
- Works much like a reference monitor.
[Figure labels: Users; Trusted Front End; Untrusted Database Manager; Trusted Access Controller; Sensitive Database; Security Perimeter]

Interaction between a user, a trusted front end (TFE) and a DBMS:
- The user identifies himself to the TFE, and the TFE authenticates the user's identity.
- The user issues a query to the TFE.
- The TFE verifies the user's authorization, then issues the query to the database manager.
- The database manager performs the access and returns the result to the TFE.
- The TFE analyzes the sensitivity level of the result and ensures it is consistent with the user's clearance.
- The result goes to the user.
A one-way filter that screens out results the user shouldn't get, but an inefficient scheme.

Commutative filters
- A process that forms an interface between the user and the DBMS.
- Much like a TFE, but this tries to overcome the inefficiency.
- 2-way filter:
  - It reforms the user's query to ensure sensitive information is never extracted from the database.
  - It restricts results before passing them to the user, ensuring he gets only those within his sensitivity level.
- Advantage: allows query selection, some optimization and sub-query handling to be done by the DBMS, hence keeps the filter small, reduces redundancy and improves overall efficiency.

Distributed databases
- A trusted front end controls access to 2 unmodified commercial databases: one for all low-sensitivity data, one for all high-sensitivity data.
- The TFE accepts a query and submits it to the appropriate database(s) according to the user's clearance.
- If results are received from both databases, they are joined before being handed to the user.
- The TFE is complex and costly; not a very popular scheme.

Window/View
- Users only see what they need and are allowed to see.
- Any attributes in a column or a row are withheld unless the user is authorized to access at least 1 element in them.
- Say a user is allowed access to column A, but only element 3 (out of 15 elements); all the others will be replaced with UNDEFINED.
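The six-step TFE interaction from slide 49 and the element-level UNDEFINED masking of the window/view approach, combined in one added example that is not code from the slides. The users, their passwords, the polyinstantiated Hill.Bob rows (modelled on the table on slide 43) and the per-element labels are constructed; a plain list scan stands in for the untrusted database manager, which returns rows regardless of their labels so that the TFE's result check is the only thing standing between the DBMS and the user.

```python
"""Trusted front end (TFE) in front of an untrusted DBMS, plus element-level
window/view masking.

Added example, not from the slides. Users, passwords, rows and per-element
labels are constructed; the DBMS is a list scan."""
import hashlib
import hmac

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


def _pw_hash(pw):
    # Constructed credential store for the demo: salted SHA-256.
    return hashlib.sha256(b"demo-salt" + pw.encode()).hexdigest()


USERS = {  # name -> (password hash, clearance)
    "alice": (_pw_hash("alice-pass"), "C"),
    "bob":   (_pw_hash("bob-pass"), "TS"),
}

# Each row carries a row label plus optional per-element labels ("_elem").
ROWS = [
    {"name": "Hill.Bob", "sensitivity": "C",  "assignment": "Program Manager",
     "location": "London", "_elem": {}},
    {"name": "Hill.Bob", "sensitivity": "TS", "assignment": "Secret Agent",
     "location": "Italy", "_elem": {}},
    {"name": "Lee.Ann",  "sensitivity": "C",  "assignment": "Analyst",
     "location": "Paris", "_elem": {"location": "S"}},
]


def dbms_query(name):
    """Untrusted DBMS: returns every matching row, ignoring labels."""
    return [dict(r) for r in ROWS if r["name"] == name]


class TrustedFrontEnd:
    def authenticate(self, user, password):
        """Step 1: identify the user; returns the clearance or None."""
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(rec[0], _pw_hash(password)):
            return None
        return rec[1]

    def query(self, user, password, name):
        """Steps 2-6: accept the query, pass it on, screen the result."""
        clearance = self.authenticate(user, password)
        if clearance is None:
            return None                     # unauthenticated: nothing leaves
        raw = dbms_query(name)              # steps 3-4: DBMS performs the access
        out = []
        for row in raw:                     # step 5: compare result labels
            if LEVELS[row["sensitivity"]] > LEVELS[clearance]:
                continue                    # whole row withheld
            out.append(self._view(row, clearance))
        return out                          # step 6: result to the user

    @staticmethod
    def _view(row, clearance):
        """Window/view: elements labelled above the clearance become UNDEFINED."""
        labels = row.pop("_elem")
        for col, lvl in labels.items():
            if LEVELS[lvl] > LEVELS[clearance]:
                row[col] = "UNDEFINED"
        return row


if __name__ == "__main__":
    tfe = TrustedFrontEnd()
    print(tfe.query("alice", "alice-pass", "Hill.Bob"))   # only the C instance
    print(tfe.query("bob", "bob-pass", "Hill.Bob"))       # both instances
    print(tfe.query("alice", "alice-pass", "Lee.Ann"))    # location masked
```

A C-cleared user asking about Hill.Bob sees only the Program Manager row and never learns that a TS instance exists, which is exactly the point of polyinstantiation; the same user sees Lee.Ann's row with the S-labelled location replaced by UNDEFINED, while a TS-cleared user sees everything. The inefficiency the slide mentions is visible too: the DBMS does the full retrieval and the TFE discards part of it afterwards.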

End note
Most users do not want to sacrifice ease of use and efficiency, but they still want security. The best practice for any organization is to look at the value of its assets and evaluate it against time (expiration), efficiency and security.