1 Lecture 14: Midterm Review Security Friday, February 4, 2005.

Slides:



Advertisements
Similar presentations
1 Term 2, 2004, Lecture 6, Views and SecurityMarian Ursu, Department of Computing, Goldsmiths College Views and Security 3.
Advertisements

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Database Administration, Integrity and Performance.
CSE 544 Constraints Lecture #3 Friday, January 13, 2011 Dan Suciu , Winter
SQL Lecture 10 Inst: Haya Sammaneh. Example Instance of Students Relation  Cardinality = 3, degree = 5, all rows distinct.
Security and Authorization. Introduction to DB Security Secrecy: Users shouldn’t be able to see things they are not supposed to. –E.g., A student can’t.
Database Security by Muhammad Waheed Aslam SIS Project Leader ITC/KFUPM.
Database Management System
Security and Authorization. Introduction to DB Security Secrecy: Users shouldn’t be able to see things they are not supposed to. –E.g., A student can’t.
1 Lecture 7: Indexes and Database Tuning Wednesday, November 10, 2010 Dan Suciu -- CSEP544 Fall 2010.
1 Current Trends in Data Security Dan Suciu Joint work with Gerome Miklau.
1 Lecture 13: Security Wednesday, October 26, 2006.
1 Query Languages: How to build or interrogate a relational database Structured Query Language (SQL)
DBSYSTEMS 1 of 13 Chapter 10 DB System Administration (Part II) 1 Based on G. Post, DBMS: Designing & Building Business Applications University of Manitoba.
Security and Authorization. Introduction to DB Security Secrecy: Users shouldn’t be able to see things they are not supposed to. –E.g., A student can’t.
CSCI 5707: Database Security Pusheng Zhang University of Minnesota March 2, 2004.
Security and Transaction Management Pertemuan 8 Matakuliah: T0413/Current Popular IT II Tahun: 2007.
Dec 15, 2003Murali Mani Transactions and Security B term 2004: lecture 17.
Cs3431 Transactions, Logging and Security. cs3431 Transactions: What and Why? A set of operations on a database must appear as one “unit”. Example: Consider.
Oracle SQL*plus John Ortiz. Lecture 10SQL: Overview2 Overview  SQL: Structured Query Language, pronounced S. Q. L. or sequel.  A standard language for.
ORACLE DATABASE SECURITY
Security and Integrity
1 Lecture 15-16: Security Wednesday, May 17, 2006.
Database Integrity and Security HAP 709 – Healthcare Databases George Mason University Janusz Wojtusiak, PhD Fall, 2010.
Database Systems Marcus Kaiser School of Computing Science Newcastle University.
1 Intro to Info Tech Database Management Systems Copyright 2003 by Janson Industries This presentation can be viewed on line at:
1 Database Security Floris Geerts. Course organization One introductory lecture (this one) Then, a range of db security topics presented by you You will.
Database Security John Ortiz. Lecture 23Database Security2 Secure Passwords  Two main requirements for choosing a secure password:  1) MUST be easy.
Database Security  Authentification: verifying the id of a user  Authorization: checking the access privileges  Auditing: looking for violations (in.
SEC835 Practical aspects of security implementation Part 1.
An Investigation of Oracle and SQL Server with respect to Integrity, and SQL Language standards Presented by: Paul Tarwireyi Supervisor: John Ebden.
DCL/1 Data Control Language Objectives –To learn about the security mechanisms implemented in an RDBMS and how to use them Contents –Identifying Users.
1 IT420: Database Management and Organization Database Security 5 April 2006 Adina Crăiniceanu
Database Management COP4540, SCS, FIU Constraints and security in SQL (Ch. 8.6, Ch22.2)
Dale Roberts 1 Department of Computer and Information Science, School of Science, IUPUI Dale Roberts, Lecturer Computer Science, IUPUI
1 Lecture 16: Data Storage Friday, November 5, 2004.
Database Security Lesson Introduction ●Understand the importance of securing data stored in databases ●Learn how the structured nature of data in databases.
Introduction.  Administration  Simple DBMS  CMPT 454 Topics John Edgar2.
Chapter 11 Database Security: An Introduction Copyright © 2004 Pearson Education, Inc.
Advanced Databases DBA: Security 1. Advanced Databases Agenda Understand the need for security. Learn about System Permissions and Object permissions.
IST 318 Database Administration Lecture 9 Database Security.
Chapter 13Introduction to Oracle9i: SQL1 Chapter 13 User Creation and Management.
Security and User Authorization in SQL CIS 4301 Lecture Notes Lecture /18/2006.
Chapter 9 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Database Management Systems, 2 nd Edition, R. Ramakrishnan and J. Gehrke1 Security Lecture 17.
Oracle 11g: SQL Chapter 7 User Creation and Management.
SQL Server Administration. Overview  Security  Server roles  Database roles  Object permissions  Application roles  Managing data  Backups  Restoration.
Database Security. Introduction to Database Security Issues (1) Threats to databases Loss of integrity Loss of availability Loss of confidentiality To.
Database Security and Authorization Introduction to DB Security Access Controls Database Security and the DBA Discretionary Access Control The privileges.
Database Security Database System Implementation CSE 507 Some slides adapted from Navathe et. Al.
Slide Set #24: Database security SY306 Web and Databases for Cyber Operations.
Database Security Advanced Database Dr. AlaaEddin Almabhouh.
IST 210 Security. IST 210 Introduction to DB Security Secrecy: Users should not be able to see things they are not supposed to. E.g., A student can’t.
Cosc 5/4765 Database security. Database Databases have moved from internal use only to externally accessible. –Organizations store vast quantities of.
Database System Implementation CSE 507
Privileges Grant and Revoke Grant Diagrams
Database Security and Authorization
Lecture 13: Midterm Review and Security
Privileges Grant and Revoke Grant Diagrams
Privileges Grant and Revoke Grant Diagrams
SQL Authorization Book: A First Course in Database Systems
Privileges Grant and Revoke Grant Diagrams
Session #, Speaker Name Database Privileges 11/29/2018.
אבטחת נתונים בסביבת SQL Data Security
Privileges Grant and Revoke Grant Diagrams
Copyright © 2013 – 2018 by Curt Hill
Lecture 14: Security Friday, October 28, 2005.
Presentation transcript:

1 Lecture 14: Midterm Review Security Friday, February 4, 2005

2 Outline Midterm review SQL Security – 8.7 SQL Injection

3 Midterm Monday, 11:30, this room (in class) –50’ Open book –Notes, notebooks, anything –No computers

4 Midterm SQL E/R Diagrams Functional Dependencies Recovery from crashes

5 Midterm How to prepare: Read lecture notes Read from the textbook Review the homeworks Make sure you understand

6 Discretionary Access Control in SQL GRANT privileges ON object TO users [WITH GRANT OPTIONS] privileges = SELECT | INSERT(column-name) | UPDATE(column-name) | DELETE | REFERENCES(column-name) object = table | attribute

7 Examples GRANT INSERT, DELETE ON Customers TO Yuppy WITH GRANT OPTIONS Queries allowed to Yuppy: Queries denied to Yuppy: INSERT INTO Customers(cid, name, address) VALUES(32940, ‘Joe Blow’, ‘Seattle’) DELETE Customers WHERE LastPurchaseDate < 1995 INSERT INTO Customers(cid, name, address) VALUES(32940, ‘Joe Blow’, ‘Seattle’) DELETE Customers WHERE LastPurchaseDate < 1995 SELECT Customer.address FROM Customer WHERE name = ‘Joe Blow’ SELECT Customer.address FROM Customer WHERE name = ‘Joe Blow’

8 Examples GRANT SELECT ON Customers TO Michael Now Michael can SELECT, but not INSERT or DELETE

9 Examples GRANT SELECT ON Customers TO Michael WITH GRANT OPTIONS Michael can say this: GRANT SELECT ON Customers TO Yuppi Now Yuppi can SELECT on Customers

10 Examples GRANT UPDATE (price) ON Product TO Leah Leah can update, but only Product.price, but not (say) Product.name

11 Examples GRANT REFERENCES (cid) ON Customer TO Bill Customer(cid, name, address, …..) Orders(..., cid, …) cid=foreign key Now Bill can INSERT tuples into Orders Bill has INSERT/UPDATE rights to Orders. BUT HE CAN’T INSERT ! (why ?)

12 Views and Security David has SELECT rights on table Customers John is a debt collector: should see the delinquent customers only: David says: CREATE VIEW DelinquentCustomers SELECT * FROM Customers WHERE balance < GRANT SELECT ON DelinquentCustomers TO John David says: CREATE VIEW DelinquentCustomers SELECT * FROM Customers WHERE balance < GRANT SELECT ON DelinquentCustomers TO John Views are an important security mechanism

13 Revokation REVOKE [GRANT OPTION FOR] privileges ON object FROM users { RESTRICT | CASCADE } Administrator says: REVOKE SELECT ON Customers FROM David CASCADE John loses SELECT privileges on DelinquentCustomers

14 Revocation Joe: GRANT [….] TO Art … Art: GRANT [….] TO Bob … Bob: GRANT [….] TO Art … Joe: GRANT [….] TO Cal … Cal: GRANT [….] TO Bob … Joe: REVOKE [….] FROM Art CASCADE Same privilege, same object, GRANT OPTION What happens ??

15 Revocation Admin JoeArt CalBob Revoke According to SQL everyone keeps the privilege

16 Search claims by: SQL Injection Your health insurance company lets you see the claims online: Now search through the claims : Dr. Lee First login: User: Password: fred ******** SELECT…FROM…WHERE doctor=‘Dr. Lee’ and patientID=‘fred’ [Chris Anley, Advanced SQL Injection In SQL]

17 SQL Injection Now try this: Search claims by: Dr. Lee’ OR patientID = ‘suciu’; -- Better: Search claims by: Dr. Lee’ OR 1 = 1; -- …..WHERE doctor=‘Dr. Lee’ OR patientID=‘suciu’; --’ and patientID=‘fred’

18 SQL Injection When you’re done, do this: Search claims by: Dr. Lee’; DROP TABLE Patients; --

19 SQL Injection The DBMS works perfectly. So why is SQL injection possible so often ? Quick answer: –Poor programming: use stored procedures ! Deeper answer: –Move policy implementation from apps to DB