Database Security by Muhammad Waheed Aslam SIS Project Leader ITC/KFUPM.


Database Security
"I know that's a secret, for it's whispered everywhere" (William Congreve)

Security
- Introduction to Database Security
- Discretionary Access Control
- Mandatory Access Control
- Additional Issues Related to Security

Introduction To DB Security
Three main objectives:
- Secrecy
- Integrity
- Availability

Secrecy
- Information should not be disclosed to unauthorized users.
  - For example, a student should not be allowed to examine other students' grades.

Integrity
- Only authorized users should be allowed to modify data.
  - For example, students may be allowed to see their grades, yet not allowed to modify them.

Availability
- Authorized users should not be denied access.
  - For example, an instructor who wishes to change a grade should be allowed to do so.

Introduction To DB Security
- A security policy describes the security measures enforced.
- Security mechanisms of the underlying DBMS must be utilized to enforce the policy.

Introduction To DB Security
- Security measures must be taken at several levels.
- Security leaks in the operating system or network connections can circumvent database security mechanisms.

Introduction To DB Security
Views provide a valuable tool in enforcing security policies.
- A view is a table whose rows are not explicitly stored in the database but are computed as needed from a view definition.

Introduction To DB Security
- We can define views that give a group of users access to just the information they are allowed to see.
- For example, we can define a view that allows students to see other students' name and age but not their grade, and allow all students to access this view, but not the underlying Students table.

Introduction To DB Security
- Views are valuable in the context of security.
  - Create a "window" on a collection of data
  - Limit access to sensitive data

Access Control
- An access control mechanism is a way to control the data that is accessible to a given user.

Discretionary Access Control
- Discretionary access control:
  - Based on the concept of privileges, and mechanisms for giving users such privileges.

Privilege
- A privilege allows a user to access some data object in a certain manner (e.g., to read or to modify).
- SQL-92 supports discretionary access control through the GRANT and REVOKE commands.

Mandatory Access Control
- Mandatory access control is based on systemwide policies that cannot be changed by individual users.
- Each database object is assigned a security class; each user is assigned clearance for a security class, and rules are imposed on reading and writing of database objects by users.

Mandatory Access Control
- The SQL-92 standard does not include any support for mandatory access control.

An example will be used later for interpreting the details of access control.
- Schemas used in the example:
  - Sailors(sid:integer, sname:string, rating:integer, age:real)
  - Boats(bid:integer, bname:string, color:string)
  - Reserves(sname:string, bid:integer, day:dates)

Discretionary Access Control

Discretionary access control
- It is based on the concept of access rights, or privileges, and mechanisms for giving users such privileges.
- A privilege allows a user to access some database object in a certain manner.
- SQL-92 supports discretionary access control through the GRANT and REVOKE commands.

- Advantage: effective
- Disadvantage: a devious unauthorized user can trick an authorized user into disclosing sensitive data

- GRANT command: gives users privileges to base tables and views.
    GRANT privileges ON object TO users [WITH GRANT OPTION]
- REVOKE command: intended to achieve the reverse, to withdraw the granted privilege from the user.
    REVOKE [GRANT OPTION FOR] privileges ON object FROM users {RESTRICT | CASCADE}

Several privileges:
- SELECT: access all columns
- INSERT (column-name): insert rows with values in the named column
- DELETE: delete rows from the table
- REFERENCES (column-name): define foreign keys (in other tables) that refer to the specified column

Suppose user Joe has created the tables Boats, Reserves, and Sailors:
    GRANT INSERT, DELETE ON Reserves TO Bob WITH GRANT OPTION
Bob can insert or delete Reserves rows and can authorize other people to do the same.
    GRANT SELECT ON Reserves TO Michael
    GRANT SELECT ON Sailors TO Michael WITH GRANT OPTION

With the SELECT privilege, Michael can:
    CREATE VIEW ActiveSailors (name, age, day) AS
        SELECT S.sname, S.age, R.day
        FROM Sailors S, Reserves R
        WHERE S.sname = R.sname AND S.rating > 6
But he cannot grant SELECT on ActiveSailors to others, because he holds SELECT on Reserves without the grant option.

How about this one:
    CREATE VIEW YoungSailors (sid, age, rating) AS
        SELECT S.sid, S.age, S.rating
        FROM Sailors S
        WHERE S.age < 18
Here he can pass on the SELECT privilege on YoungSailors to others, since the view is defined only on Sailors, on which he holds SELECT with the grant option. E.g.:
    GRANT SELECT ON YoungSailors TO Eric

    GRANT UPDATE (rating) ON Sailors TO Rose
Rose can update only the rating column of Sailors rows. For example, she can execute the following command, which sets all ratings to 8:
    UPDATE Sailors S SET S.rating = 8
However, she is not allowed to execute SET S.age = 25, because she is not allowed to update the age field.

    UPDATE Sailors S SET S.rating = S.rating - 1
Can she execute this command? NO! Because it requires the SELECT privilege on the S.rating column and Rose does not have this privilege!

    GRANT REFERENCES (bid) ON Boats TO Bill
Bill can refer to the bid column of Boats as a foreign key in another table. For example, Bill can create the Reserves table through the following command:
    CREATE TABLE Reserves (sname CHAR(10) NOT NULL,
                           bid INTEGER,
                           day DATE,
                           PRIMARY KEY (sname),
                           UNIQUE (sname),
                           FOREIGN KEY (bid) REFERENCES Boats)
If Bill did not have the REFERENCES privilege on the bid column of Boats, he could not execute this CREATE statement, because the FOREIGN KEY clause requires this privilege.

Specifying just the INSERT privilege in a GRANT command is not the same as specifying INSERT (column-name) for each column currently in the table.
    GRANT INSERT ON Sailors TO Michael
If a column is later added to Sailors, Michael has the INSERT privilege with respect to the newly added column.
    GRANT INSERT (sid, sname, rating, age) ON Sailors TO Michael
Michael would not have the INSERT privilege on the new column.

REVOKE:
- Is a complementary command to GRANT that allows the withdrawal of privileges.
    REVOKE [GRANT OPTION FOR] privileges ON object FROM users {RESTRICT | CASCADE}

Some examples on REVOKE
Consider what happens after the following sequence of commands, where Joe is the creator of Sailors:
    GRANT SELECT ON Sailors TO Art WITH GRANT OPTION    (executed by Joe)
    GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION    (executed by Art)
    REVOKE SELECT ON Sailors FROM Art CASCADE           (executed by Joe)

CASCADE and RESTRICT
- Bob's privilege is said to be abandoned when the privilege that it was derived from is revoked.
- When the CASCADE keyword is specified, all the abandoned privileges are also revoked.
- If the RESTRICT keyword is specified in the REVOKE command, the command is rejected if revoking the privileges would result in other privileges becoming abandoned.

    GRANT SELECT ON Sailors TO Art WITH GRANT OPTION    (executed by Joe)
    GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION    (executed by Joe)
    GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION    (executed by Art)
    REVOKE SELECT ON Sailors FROM Art CASCADE           (executed by Joe)
Here Art will lose the SELECT privilege on Sailors. Bob received this privilege from Art, but he also received it independently from Joe. Thus Bob retains this privilege.

    GRANT SELECT ON Sailors TO Art WITH GRANT OPTION    (executed by Joe)
    REVOKE SELECT ON Sailors FROM Art CASCADE           (executed by Joe)
Although Joe granted the same privilege to Art several times, he can revoke it with a single REVOKE command.

    GRANT SELECT ON Sailors TO Art WITH GRANT OPTION              (executed by Joe)
    REVOKE GRANT OPTION FOR SELECT ON Sailors FROM Art CASCADE    (executed by Joe)
This command would leave Art with the SELECT privilege on Sailors, but Art won't have the grant option and can't pass it to others.

[Figure: authorization graph with nodes System, Joe, Cal, Bob, Art]
    GRANT SELECT ON Sailors TO Art WITH GRANT OPTION    (executed by Joe)
    GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION    (executed by Art)
    GRANT SELECT ON Sailors TO Art WITH GRANT OPTION    (executed by Bob)
    GRANT SELECT ON Sailors TO Cal WITH GRANT OPTION    (executed by Joe)
    GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION    (executed by Cal)
    REVOKE SELECT ON Sailors FROM Art CASCADE           (executed by Joe)
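The REVOKE examples above can be traced with an authorization graph; the following Python model is an added example, not part of the original slides. The class and function names are hypothetical, and it assumes the rule that a grant stays in force only while its grantor is reachable from a System node through arcs that carry the grant option.

```python
class AuthGraph:
    """Authorization graph for one privilege (SELECT on Sailors)."""

    def __init__(self, owner):
        # The arc System -> owner records how the creator acquired the privilege.
        self.arcs = {("System", owner, True)}  # (grantor, grantee, grant_option)

    @staticmethod
    def _justified(arcs):
        """Arcs whose grantor is reachable from System through grant-option arcs."""
        can_grant, changed = {"System"}, True
        while changed:
            changed = False
            for grantor, grantee, option in arcs:
                if option and grantor in can_grant and grantee not in can_grant:
                    can_grant.add(grantee)
                    changed = True
        return {arc for arc in arcs if arc[0] in can_grant}

    def holders(self):
        return {grantee for _, grantee, _ in self.arcs}

    def grant(self, grantor, grantee, grant_option=True):
        trial = self.arcs | {(grantor, grantee, grant_option)}
        if self._justified(trial) != trial:
            raise PermissionError(f"{grantor} cannot grant this privilege")
        self.arcs = trial

    def revoke(self, grantor, grantee, mode="CASCADE"):
        remaining = {arc for arc in self.arcs if arc[:2] != (grantor, grantee)}
        kept = self._justified(remaining)  # abandoned arcs drop out here
        if mode == "RESTRICT" and kept != remaining:
            raise PermissionError("RESTRICT: other privileges would be abandoned")
        self.arcs = kept


def scenario(grants, revoke, mode="CASCADE"):
    """Joe owns Sailors; apply (grantor, grantee) grants, then one REVOKE."""
    graph = AuthGraph("Joe")
    for grantor, grantee in grants:
        graph.grant(grantor, grantee)
    graph.revoke(*revoke, mode=mode)
    return graph.holders()


if __name__ == "__main__":
    chain = [("Joe", "Art"), ("Art", "Bob")]
    cycle = chain + [("Bob", "Art"), ("Joe", "Cal"), ("Cal", "Bob")]
    print(sorted(scenario(chain, ("Joe", "Art"))))
    print(sorted(scenario(cycle, ("Joe", "Art"))))
```

Under this rule the first sequence leaves only Joe with SELECT, while in the last sequence everyone keeps it: Art is still reachable from System through Joe, Cal and Bob, so no arc is abandoned.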

Grant and Revoke on Views and Integrity Constraints

Important points:
- A view may be dropped because a SELECT privilege is revoked from the user who created the view.
- If the creator of a view gains additional privileges on the underlying tables, he or she automatically gains additional privileges on the view.
- The distinction between the REFERENCES and SELECT privileges is important.

Mandatory Access Control

Mandatory access control
- It is based on system-wide policies that cannot be changed by individual users.
- In this approach each database object is assigned a security class, each user is assigned clearance for a security class, and rules are imposed on reading and writing of database objects by users.

- Mandatory Access Control:
  - Discretionary access control is susceptible to Trojan horse schemes whereby a devious unauthorized user can trick an authorized user into disclosing sensitive data
  - Mandatory access control aims at the loopholes in discretionary access control

Role of Database Administrator (DBA)
Responsible for the overall security of the system! Why?
- The DBA is the owner of data
- The DBA contributes to developing a security policy
- The DBA has a special account called the system account

The DBA deals with…
- Creating new accounts
  - Each new user or group of users must be assigned an authorization id and a password
  - Application programs that access the database have the same authorization id as the user executing the program
- Mandatory control issues
  - Assign security classes to each database object and assign security clearance to each authorization