Security and Authorization. Introduction to DB Security Secrecy: Users shouldn’t be able to see things they are not supposed to. –E.g., A student can’t.

Slides:



Advertisements
Similar presentations
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Advertisements

Database Management Systems, R. Ramakrishnan and J. Gehrke1 The Relational Model Chapter 3.
Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke1 Security and Authorization Chapter 21.
Introduction to Database Systems 1 SQL: The Query Language Relation Model : Topic 4.
Security and Authorization. Introduction to DB Security Secrecy: Users shouldn’t be able to see things they are not supposed to. –E.g., A student can’t.
Database Query Security
SQL Constraints and Triggers
Database Security by Muhammad Waheed Aslam SIS Project Leader ITC/KFUPM.
Database Management System
ICS 421 Spring 2010 Security & Authorization Asst. Prof. Lipyeow Lim Information & Computer Science Department University of Hawaii at Manoa 4/20/20101Lipyeow.
SPRING 2004CENG 3521 The Relational Model Chapter 3.
Security Fall 2006McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
1 Relational Model. 2 Relational Database: Definitions  Relational database: a set of relations  Relation: made up of 2 parts: – Instance : a table,
The Relational Model Lecture 3 Book Chapter 3 Relational Data Model Relational Query Language (DDL + DML) Integrity Constraints (IC) From ER to Relational.
1 Views. 2 Views A view is a "virtual table" defined using a query You can use a view as if it were a table, even though it doesn't contain data The view.
Security and Authorization. Introduction to DB Security Secrecy: Users shouldn’t be able to see things they are not supposed to. –E.g., A student can’t.
CSCI 5707: Database Security Pusheng Zhang University of Minnesota March 2, 2004.
1 Views. 2 What are views good for? (1) Simplifying complex queries: We saw one example. Here is another that allows the user to "pretend" that there.
A Guide to MySQL 7. 2 Objectives Understand, define, and drop views Recognize the benefits of using views Use a view to update data Grant and revoke users’
A Guide to SQL, Seventh Edition. Objectives Understand, create, and drop views Recognize the benefits of using views Grant and revoke user’s database.
View n A single table derived from other tables which can be a base table or previously defined views n Virtual table: doesn’t exist physically n Limitation.
CMPT 354, Simon Fraser University, Fall 2008, Martin Ester 157 Database Systems I SQL Constraints and Triggers.
Database Constraints. Database constraints are restrictions on the contents of the database or on database operations Database constraints provide a way.
CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.
Chapter 6: Integrity and Security Thomas Nikl 19 October, 2004 CS157B.
The Relational Model These slides are based on the slides of your text book.
The Relational Model. Review Why use a DBMS? OS provides RAM and disk.
© G. Dhillon, IS Department Virginia Commonwealth University Principles of IS Security Formal Models.
Switch off your Mobiles Phones or Change Profile to Silent Mode.
Data Modeling and Database Design
Lecture 7 Integrity & Veracity UFCE8K-15-M: Data Management.
1 Database Administration. 2 Objectives  Understand, create, and drop views  Grant and revoke users’ privileges  Understand and obtain information.
Chapter 6 Database Administration
Chapter 11 Database Security: An Introduction Copyright © 2004 Pearson Education, Inc.
FALL 2004CENG 351 File Structures and Data Management1 Relational Model Chapter 3.
DATABASE SECURITY MODULE 5.
1 Chapter 6 Database Administration. 2 Introduction Database administration The process of managing a database Database administrator A person or an entire.
Copyright © 2007 Ramez Elmasri and Shamkant B. Navathe Chapter 6 Data Integrity and Security.
Lecture 10: Dr. Taysir Hassan Abdel Hamid May 10, 2015.
Lecture 10: Dr. Taysir Hassan Abdel Hamid May 11, 2014.
Chapter 9 Constraints. Chapter Objectives  Explain the purpose of constraints in a table  Distinguish among PRIMARY KEY, FOREIGN KEY, UNIQUE, CHECK,
The Relational Model Content based on Chapter 3 Database Management Systems, (Third Edition), by Raghu Ramakrishnan and Johannes Gehrke. McGraw Hill, 2003.
Database Security Lesson Introduction ●Understand the importance of securing data stored in databases ●Learn how the structured nature of data in databases.
Academic Year 2014 Spring Academic Year 2014 Spring.
Chapter 11 Database Security: An Introduction Copyright © 2004 Pearson Education, Inc.
Chapter 5 : Integrity And Security  Domain Constraints  Referential Integrity  Security  Triggers  Authorization  Authorization in SQL  Views 
CS34311 The Relational Model. cs34312 Why Relational Model? Currently the most widely used Vendors: Oracle, Microsoft, IBM Older models still used IBM’s.
Chapter 13Introduction to Oracle9i: SQL1 Chapter 13 User Creation and Management.
Database Management Systems, 2 nd Edition, R. Ramakrishnan and J. Gehrke1 Security Lecture 17.
Oracle 11g: SQL Chapter 7 User Creation and Management.
Database System Concepts, 6 th Ed. ©Silberschatz, Korth and Sudarshan See for conditions on re-usewww.db-book.com Chapter 4: Intermediate.
Database Security. Introduction to Database Security Issues (1) Threats to databases Loss of integrity Loss of availability Loss of confidentiality To.
Database Security and Authorization Introduction to DB Security Access Controls Database Security and the DBA Discretionary Access Control The privileges.
Database Security Database System Implementation CSE 507 Some slides adapted from Navathe et. Al.
Database Management Systems 3ed, R. Ramakrishnan and J. Gehrke1 The Relational Model Chapter 3.
1 CS122A: Introduction to Data Management Lecture #4 (E-R  Relational Translation) Instructor: Chen Li.
CENG 351 File Structures and Data Management1 Relational Model Chapter 3.
Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.
Database Security Advanced Database Dr. AlaaEddin Almabhouh.
IST 210 Security. IST 210 Introduction to DB Security Secrecy: Users should not be able to see things they are not supposed to. E.g., A student can’t.
Database System Implementation CSE 507
CS122A: Introduction to Data Management Lecture #11: SQL (4) -- Triggers, Views, Access Control Instructor: Chen Li.
Privileges Grant and Revoke Grant Diagrams
Database Security and Authorization
Privileges Grant and Revoke Grant Diagrams
Privileges Grant and Revoke Grant Diagrams
SQL Authorization Book: A First Course in Database Systems
Views and Security views and security.
Privileges Grant and Revoke Grant Diagrams
Privileges Grant and Revoke Grant Diagrams
Presentation transcript:

Security and Authorization

Introduction to DB Security Secrecy: Users shouldn’t be able to see things they are not supposed to. –E.g., A student can’t see other students’ grades. Integrity: Users shouldn’t be able to modify things they are not supposed to. –E.g., Only instructors can assign grades. Availability: Users should be able to see and modify things they are allowed to.

Access Controls Security policy specifies who is authorized to do what. Security mechanism allows us to enforce a chosen security policy. Two main mechanisms at the DBMS level: –Discretionary access control –Mandatory access control

Discretionary Access Control Based on the concept of access rights or privileges for objects (tables and views), and mechanisms for giving users privileges (and revoking privileges). Creator of a table or a view automatically gets all privileges on it. DMBS keeps track of who subsequently gains and loses privileges.

GRANT Command GRANT privileges ON object TO users [WITH GRANT OPTION] The following privileges can be specified: –SELECT Can read all columns including those added later via ALTER TABLE command –INSERT(column-name) Can insert tuples with non-null or nondefault values in this column. –INSERT means same right with respect to all columns. –DELETE Can delete tuples. –REFERENCES (column-name) Can define foreign keys (in other tables) that refer to this column.

Granting Privileges 1.You have all possible privileges on the objects, such as relations, that you create. 2.You may grant privileges to other users (authorization ID’s). 3.You may also grant privileges WITH GRANT OPTION, which lets the grantee also grant this privilege. To grant privileges, say: GRANT ON TO ; If you want the recipient(s) to be able to pass the privilege(s) to others add: WITH GRANT OPTION

Privileges on Views A user who creates a view has precisely those privileges on the view that he has on every one of the views or base tables used to define the view. At least, the user creating the view must have the SELECT privilege on each underlying table.

Grant Examples I Suppose Joe has created the tables –Sailors(sid, sname, rating, age) –Boats(bid, bname, color) –Reserves(sid, bid, day) Joe now executes the following: GRANT INSERT, DELETE ON Reserves TO Yuppy WITH GRANT OPTION; Yuppy can now insert or delete Reserves rows and authorize someone else to do the same.

Grant Examples II Joe further executes: GRANT SELECT ON Reserves TO Michael; GRANT SELECT ON Sailors TO Michael WITH GRANT OPTION; Michael can now execute SELECT queries on Sailors and Reserves, and he can pass this privilege to others for Sailors but not for Reserves. With the SELECT privilege, Michael can create a view that accesses the Sailors and Reserves tables, for example, the ActiveSailors view: CREATE VIEW ActiveSailors (name, age, day) AS SELECT S.sname, S.age, R.day FROM Sailors S, Reserves R WHERE S.sid = R.sid AND S.rating > 6; However, Michael cannot grant SELECT on ActiveSailors to others. Why?

Grant Examples III On the other hand, suppose that Michael creates the following view: CREATE VIEW YoungSailors (sid, age, rating)AS SELECT S.sid, S.age, S.rating FROM Sailors S WHERE S.age < 18; The only underlying table is Sailors, for which Michael has SELECT with grant option. Therefore he can pass this on to Eric and Guppy: GRANT SELECT ON YoungSailors TO Eric, Guppy; Eric and Guppy can now execute SELECT queries on view YoungSailors. –Note, however, that Eric and Guppy don’t have the right to execute SELECT queries directly on the underlying Sailor table.

Grant Examples IV Suppose now Joe executes: GRANT UPDATE (rating) ON Sailors TO Leah; Leah can update only the rating column of Sailors. E.g. UPDATE Sailors S SET S.rating = 8; However, she cannot execute: UPDATE Sailors S SET S.age = 25; She cannot execute either: UPDATE Sailors S SET S.rating = S.rating-l; Why?

Grant Examples V Suppose now that Joe executes: GRANT SELECT, REFERENCES(bid) ON Boats TO Bill; Bill can then refer to the bid column of Boats as a foreign key in another table. E.g. CREATE TABLE BillTable ( bid INTEGER, … FOREIGN KEY (bid) REFERENCES Boats );

REFERENCES Privilege The REFERENCES privilege is very different from the SELECT privilege. Well, SQL requires the creator of the table constraint that refers to a table T to possess the SELECT privilege on T. But, why the SQL standard chose to introduce the REFERENCES privilege rather than to simply allow the SELECT privilege to be used when creating a Foreign Key?

REFERENCES Privilege To see why, consider the case when the creator of table BillTable (i.e. Bill) doesn’t specify a policy such as for example ON DELETE SET NULL The default NO ACTION policy is assumed which prevents Joe from deleting a tuple from Boats because a tuple in BillTable refers to this Boat tuple. Giving Bill, the creator of the BillTable, the right to constrain deletes (and updates) in this manner goes beyond simply allowing him to read values, which is all that SELECT privilege authorizes.

Role-Based Authorization Privileges can also be assigned to roles. Roles can then be granted to users and to other roles. Reflects how real organizations work. Example. CREATE ROLE some_role; GRANT SELECT ON Reserves TO some_role; GRANT INSERT ON Sailors TO some_role; GRANT UPDATE ON Boats TO some_role; GRANT some_role TO Michael; GRANT some_role TO Bill;

Revoke Examples I REVOKE [GRANT OPTION FOR] privileges ON object FROM users {RESTRICT | CASCADE} Suppose Joe is the creator of Sailors. GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (executed by Joe) GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (executed by Art) REVOKE SELECT ON Sailors FROM Art CASCADE (executed by Joe)

Revoke Examples II Art loses the SELECT privilege on Sailors. Then Bob, who received this privilege from Art, and only Art, also loses this privilege. –Bob’s privilege is said to be abandoned When CASCADE is specified, all abandoned privileges are also revoked –Possibly causing privileges held by other users to become abandoned and thereby revoked recursively. If the RESTRICT keyword is specified, the command is rejected if revoking privileges causes other privileges becoming abandoned.

Revoke Examples III GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (executed by Joe) GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (executed by Joe) GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (executed by Art) REVOKE SELECT ON Sailors FROM Art CASCADE (executed by Joe) As before, Art loses the SELECT privilege on Sailors. But what about Bob? Bob received this privilege from Art, but he also received it independently from Joe. So, he doesn’t lose the privilege.

Revoke Examples IV Suppose Joe executes: GRANT SELECT ON Sailors TO Art WITH GRANT OPTION REVOKE SELECT ON Sailors FROM Art CASCADE Since Joe granted the privilege to Art twice and only revoked it once, does Art get to keep the privilege? As per the SQL, NO. It doesn’t matter how many times we grant a privilege.

Privilege Descriptors When a GRANT is executed, a privilege descriptor is added to a table of such descriptors maintained by the DBMS. The privilege descriptor specifies the following: –the grantor of the privilege, –the grantee who receives the privilege, –the granted privilege –the grant option When a user creates a table or view he 'automatically' gets certain privileges, –A privilege descriptor with system as the grantor is entered into the descriptors table.

Authorization Graphs Nodes are users. Arcs indicate how privileges are passed. GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (executed by Joe) GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (executed by Art) GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (executed by Bob) GRANT SELECT ON Sailors TO Cal WITH GRANT OPTION (executed by Joe) GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (executed by Cal)

Effects of Revocations I Suppose that Joe executes: REVOKE SELECT ON Sailors FROM Art CASCADE The arc from Joe to Art is removed. Art still has the privilege –He got it independently from Bob.

Effects of Revocations II Let’s suppose now that Joe decides to revoke Cal's SELECT privilege as well. The arc from Joe to Cal is removed. The arc from Cal to Bob is removed as well, since there is no longer a path from System to Cal. Art and Bob also have lost privileges as well because there isn’t a path from the System.

Grant and Revoke on Views Suppose that Joe created Sailors and gave Michael the SELECT privilege on it with the grant option. Michael then created the view YoungSailors and gave Eric the SELECT privilege on YoungSailors. Eric now defines a view called FineYoungSailors: CREATE VIEW FineYoungSailors (name, age, rating) AS SELECT S.sname, S.age, S.rating FROM YoungSailors S WHERE S.rating> 6; What happens if Joe revokes the SELECT privilege on Sailors from Michael? Michael no longer has the authority to execute the query used to define YoungSailors because the definition refers to Sailors. –Therefore, the view YoungSailors is dropped (I.e., destroyed). –In turn, FineYoungSailors is dropped as well.

Revoking REFERENCES privilege Recall, Joe had executed: GRANT REFERENCES(bid) ON Boats TO Bill; Bill referred to the bid column of Boats as a foreign key in BillTable table. CREATE TABLE BillTable ( bid INTEGER, … FOREIGN KEY (bid) REFERENCES Boats ); If now Joe revokes the REFERENCES privilege from Bill, then the Foreign Key constraint referencing the Boat table will be dropped from the Bill’s Reserves table.

Mandatory Access Control Based on system-wide policies that cannot be changed by individual users. Each DB object is assigned a security class. Each subject (user or user program) is assigned a clearance for a security class. Rules based on security classes and clearances govern who can read/write which objects. Most commercial systems do not support mandatory access control. Versions of some DBMSs do support it; used for specialized (e.g., military) applications.

Why Mandatory Control? Discretionary control has some flaws, e.g., the Trojan horse problem: Dick creates table Horsie and gives INSERT privileges to Justin (who doesn’t know about this). Dick modifies the code of an application program used by Justin to additionally write some secret data to table Horsie. Now, Dick can see the secret info. The modification of the code is beyond the DBMS’s control, but it can try and prevent the use of the database as a channel for secret information.

Bell-LaPadula Model Objects (e.g., tables, views) Subjects (e.g., users, user programs) Security classes: –Top secret (TS), secret (S), confidential (C), unclassified (U): –TS > S> C > U Each object and subject is assigned a class. Subject S can read object O only if class(S) >=class(O) (Simple Security Property) Subject S can write object O only if class(S) <= class(O) (*-Property)

Intuition Idea is to ensure that information can never flow from a higher to a lower security level. E.g., –If Dick has security class C, Justin has class S, and the secret table has class S: –Dick’s table, Horsie, has Dick’s clearance, C. –Justin’s application has his clearance, S. –So, the program cannot write into table Horsie.

Statistical Databases Statistical DB: Contains information about individuals, but allows only aggregate queries (e.g., average age, rather than Joe’s age). New problem: It may be possible to infer some secret information! Example. Suppose Sneaky Pete wants to know the rating of Admiral Horntooter –It happens that Pete knows that Horntooter is the oldest sailor in the club. –Pete repeatedly asks "How many sailors are older than an age X" for various values of X, until the answer is 1. –Obviously, this sailor is Horntooter, the oldest sailor. –Hence the Horntooter’s age is discovered. Each of these queries is a valid statistical query and is permitted. Let the value of X at this point be, say, 65. Pete now asks the query, "What is the maximum rating of all sailors whose age is greater or equal to 65?" …discovering so the Horntooter’s rating.