Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Lecture 13: Security Wednesday, October 26, 2006.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Lecture 13: Security Wednesday, October 26, 2006."— Presentation transcript:

1 1 Lecture 13: Security Wednesday, October 26, 2006

2 2 Midterm ! Friday, 10:30-11:20, in class. Problem 1: SQL Problem 2: E/R diagrams Problem 3: Conceptual design, BCNF Open book exam

3 3 Outline SQL Security – 8.7 Two famous attacks Two new trends

4 4 Discretionary Access Control in SQL GRANT privileges ON object TO users [WITH GRANT OPTIONS] GRANT privileges ON object TO users [WITH GRANT OPTIONS] privileges = SELECT | INSERT(column-name) | UPDATE(column-name) | DELETE | REFERENCES(column-name) object = table | attribute

5 5 Examples GRANT INSERT, DELETE ON Customers TO Yuppy WITH GRANT OPTIONS GRANT INSERT, DELETE ON Customers TO Yuppy WITH GRANT OPTIONS Queries allowed to Yuppy: Queries denied to Yuppy: INSERT INTO Customers(cid, name, address) VALUES(32940, ‘Joe Blow’, ‘Seattle’) DELETE Customers WHERE LastPurchaseDate < 1995 INSERT INTO Customers(cid, name, address) VALUES(32940, ‘Joe Blow’, ‘Seattle’) DELETE Customers WHERE LastPurchaseDate < 1995 SELECT Customer.address FROM Customer WHERE name = ‘Joe Blow’ SELECT Customer.address FROM Customer WHERE name = ‘Joe Blow’

6 6 Examples GRANT SELECT ON Customers TO Michael Now Michael can SELECT, but not INSERT or DELETE

7 7 Examples GRANT SELECT ON Customers TO Michael WITH GRANT OPTIONS Michael can say this: GRANT SELECT ON Customers TO Yuppi Now Yuppi can SELECT on Customers

8 8 Examples GRANT UPDATE (price) ON Product TO Leah Leah can update, but only Product.price, but not Product.name

9 9 Examples GRANT REFERENCES (cid) ON Customer TO Bill Customer(cid, name, address, balance) Orders(oid, cid, amount) cid= foreign key Now Bill can INSERT tuples into Orders Bill has INSERT/UPDATE rights to Orders. BUT HE CAN’T INSERT ! (why ?)

10 10 Views and Security CREATE VIEW PublicCustomers SELECT Name, Address FROM Customers GRANT SELECT ON PublicCustomers TO Fred CREATE VIEW PublicCustomers SELECT Name, Address FROM Customers GRANT SELECT ON PublicCustomers TO Fred David says NameAddressBalance MaryHuston450.99 SueSeattle-240 JoanSeattle333.25 AnnPortland-520 David owns Customers: Fred is not allowed to see this

11 11 Views and Security NameAddressBalance MaryHuston450.99 SueSeattle-240 JoanSeattle333.25 AnnPortland-520 CREATE VIEW BadCreditCustomers SELECT * FROM Customers WHERE Balance < 0 GRANT SELECT ON BadCreditCustomers TO John CREATE VIEW BadCreditCustomers SELECT * FROM Customers WHERE Balance < 0 GRANT SELECT ON BadCreditCustomers TO John David says David owns Customers: John is allowed to see only <0 balances

12 12 Views and Security Each customer should see only her/his record CREATE VIEW CustomerMary SELECT * FROM Customers WHERE name = ‘Mary’ GRANT SELECT ON CustomerMary TO Mary CREATE VIEW CustomerMary SELECT * FROM Customers WHERE name = ‘Mary’ GRANT SELECT ON CustomerMary TO Mary Doesn’t scale. Need row-level access control ! NameAddressBalance MaryHuston450.99 SueSeattle-240 JoanSeattle333.25 AnnPortland-520 David says CREATE VIEW CustomerSue SELECT * FROM Customers WHERE name = ‘Sue’ GRANT SELECT ON CustomerSue TO Sue CREATE VIEW CustomerSue SELECT * FROM Customers WHERE name = ‘Sue’ GRANT SELECT ON CustomerSue TO Sue...

13 13 Revocation REVOKE [GRANT OPTION FOR] privileges ON object FROM users { RESTRICT | CASCADE } Administrator says: REVOKE SELECT ON Customers FROM David CASCADE John loses SELECT privileges on BadCreditCustomers

14 14 Revocation Joe: GRANT [….] TO Art … Art: GRANT [….] TO Bob … Bob: GRANT [….] TO Art … Joe: GRANT [….] TO Cal … Cal: GRANT [….] TO Bob … Joe: REVOKE [….] FROM Art CASCADE Same privilege, same object, GRANT OPTION What happens ??

15 15 Revocation Admin JoeArt CalBob 0 1 2 3 4 5 Revoke According to SQL everyone keeps the privilege

16 16 Summary of SQL Security Limitations: No row level access control Table creator owns the data: that’s unfair ! … or spectacular failure: Only 30% assign privileges to users/roles –And then to protect entire tables, not columns Access control = great success story of the DB community...

17 17 Summary (cont) Most policies in middleware: slow, error prone: –SAP has 10**4 tables –GTE over 10**5 attributes –A brokerage house has 80,000 applications –A US government entity thinks that it has 350K Today the database is not at the center of the policy administration universe [Rosenthal&Winslett’2004]

18 18 Two Famous Attacks SQL injection Sweeney’s example

19 19 Search claims by: SQL Injection Your health insurance company lets you see the claims online: Now search through the claims : Dr. Lee First login: User: Password: fred ******** SELECT…FROM…WHERE doctor=‘Dr. Lee’ and patientID=‘fred’ [Chris Anley, Advanced SQL Injection In SQL]

20 20 SQL Injection Now try this: Search claims by: Dr. Lee’ OR patientID = ‘suciu’; -- Better: Search claims by: Dr. Lee’ OR 1 = 1; -- …..WHERE doctor=‘Dr. Lee’ OR patientID=‘suciu’; --’ and patientID=‘fred’

21 21 SQL Injection When you’re done, do this: Search claims by: Dr. Lee’; DROP TABLE Patients; --

22 22 SQL Injection The DBMS works perfectly. So why is SQL injection possible so often ? Quick answer: –Poor programming: use stored procedures ! Deeper answer: –Move policy implementation from apps to DB

23 23 Latanya Sweeney’s Finding In Massachusetts, the Group Insurance Commission (GIC) is responsible for purchasing health insurance for state employees GIC has to publish the data: GIC(zip, dob, sex, diagnosis, procedure,...)

24 24 Latanya Sweeney’s Finding Sweeney paid $20 and bought the voter registration list for Cambridge Massachusetts: GIC(zip, dob, sex, diagnosis, procedure,...) VOTER(name, party,..., zip, dob, sex) GIC(zip, dob, sex, diagnosis, procedure,...) VOTER(name, party,..., zip, dob, sex)

25 25 Latanya Sweeney’s Finding William Weld (former governor) lives in Cambridge, hence is in VOTER 6 people in VOTER share his dob only 3 of them were man (same sex) Weld was the only one in that zip Sweeney learned Weld’s medical records ! zip, dob, sex

26 26 Latanya Sweeney’s Finding All systems worked as specified, yet an important data has leaked How do we protect against that ? Some of today’s research in data security address breaches that happen even if all systems work correctly

27 27 Summary on Attacks SQL injection: A correctness problem: –Security policy implemented poorly in the application Sweeney’s finding: Beyond correctness: –Leakage occurred when all systems work as specified

28 28 Two Novel Techniques K-anonymity, information leakage Row-level access control

29 29 FirstLastAgeRace HarryStone34Afr-Am JohnReyser36Cauc BeatriceStone47Afr-am JohnRamos22Hisp FirstLastAgeRace *Stone30-50Afr-Am JohnR*20-40* *Stone30-50Afr-am JohnR*20-40* Information Leakage: k-Anonymity Definition: each tuple is equal to at least k-1 others Anonymizing: through suppression and generalization Hard: NP-complete for suppression only Approximations exists; but work poorly in practice [Samarati&Sweeney’98, Meyerson&Williams’04] Disease Flue Measels Pain Fever

30 30 Information Leakage: Query-view Security Secret QueryView(s)Disclosure ? S(name)V(name,phone) S(name,phone) V1(name,dept) V2(dept,phone) S(name)V(dept) S(name) where dept=‘HR’ V(name) where dept=‘RD’ TABLE Employee(name, dept, phone) Have data: total big tiny none [Miklau&S’04, Miklau&Dalvi&S’05,Yang&Li’04]

31 31 Fine-grained Access Control Control access at the tuple level. Policy specification languages Implementation

32 32 Policy Specification Language CREATE AUTHORIZATION VIEW PatientsForDoctors AS SELECT Patient.* FROM Patient, Doctor WHERE Patient.doctorID = Doctor.ID and Doctor.login = %currentUser CREATE AUTHORIZATION VIEW PatientsForDoctors AS SELECT Patient.* FROM Patient, Doctor WHERE Patient.doctorID = Doctor.ID and Doctor.login = %currentUser Context parameters No standard, but usually based on parameterized views.

33 33 Implementation SELECT Patient.name, Patient.age FROM Patient WHERE Patient.disease = ‘flu’ SELECT Patient.name, Patient.age FROM Patient WHERE Patient.disease = ‘flu’ SELECT Patient.name, Patient.age FROM Patient, Doctor WHERE Patient.disease = ‘flu’ and Patient.doctorID = Doctor.ID and Patient.login = %currentUser SELECT Patient.name, Patient.age FROM Patient, Doctor WHERE Patient.disease = ‘flu’ and Patient.doctorID = Doctor.ID and Patient.login = %currentUser e.g. Oracle

34 34 Two Semantics The Truman Model = filter semantics –transform reality –ACCEPT all queries –REWRITE queries –Sometimes misleading results The non-Truman model = deny semantics –reject queries –ACCEPT or REJECT queries –Execute query UNCHANGED –May define multiple security views for a user [Rizvi’04] SELECT count(*) FROM Patients WHERE disease=‘flu’

35 35 Summary on Information Disclosure The theoretical research: –Exciting new connections between databases and information theory, probability theory, cryptography The applications: –many years away [Abadi&Warinschi’05]

36 36 Summary of Fine Grained Access Control Trend in industry: label-based security Killer app: application hosting –Independent franchises share a single table at headquarters (e.g., Holiday Inn) –Application runs under requester’s label, cannot see other labels –Headquarters runs Read queries over them Oracle’s Virtual Private Database [Rosenthal&Winslett’2004]

Download ppt "1 Lecture 13: Security Wednesday, October 26, 2006."

Similar presentations

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Jan. 2014Dr. Yangjun Chen ACS-49021 Database security and authorization (Ch. 22, 3 rd ed. – Ch. 23, 4 th ed. – Ch. 24, 6 th )

Jan. 2014Dr. Yangjun Chen ACS Database security and authorization (Ch. 22, 3 rd ed. – Ch. 23, 4 th ed. – Ch. 24, 6 th )
Database Security CS461/ECE422 Spring 2012. Overview Database model – Relational Databases Access Control Inference and Statistical Databases Database.

Database Security CS461/ECE422 Spring Overview Database model – Relational Databases Access Control Inference and Statistical Databases Database.
Security and Authorization. Introduction to DB Security Secrecy: Users shouldn’t be able to see things they are not supposed to. –E.g., A student can’t.

Security and Authorization. Introduction to DB Security Secrecy: Users shouldn’t be able to see things they are not supposed to. –E.g., A student can’t.
Database Security by Muhammad Waheed Aslam SIS Project Leader ITC/KFUPM.

Database Security by Muhammad Waheed Aslam SIS Project Leader ITC/KFUPM.
Database Management System

Database Management System
Security and Authorization. Introduction to DB Security Secrecy: Users shouldn’t be able to see things they are not supposed to. –E.g., A student can’t.

Security and Authorization. Introduction to DB Security Secrecy: Users shouldn’t be able to see things they are not supposed to. –E.g., A student can’t.
1 Lecture 7: Indexes and Database Tuning Wednesday, November 10, 2010 Dan Suciu -- CSEP544 Fall 2010.

1 Lecture 7: Indexes and Database Tuning Wednesday, November 10, 2010 Dan Suciu -- CSEP544 Fall 2010.
1 Lecture 11: Provenance and Data privacy December 8, 2010 Dan Suciu -- CSEP544 Fall 2010.

1 Lecture 11: Provenance and Data privacy December 8, 2010 Dan Suciu -- CSEP544 Fall 2010.
Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.

Monday, 08 June 2015Dr. Mohamed Osman1 What is Database Administration A high level function (technical Function) that is responsible for ► physical DB.
1 Current Trends in Data Security Dan Suciu Joint work with Gerome Miklau.

1 Current Trends in Data Security Dan Suciu Joint work with Gerome Miklau.
1 Introduction to Database Systems CSE 444 Lecture 05: Views, Constraints April 9, 2008.

1 Introduction to Database Systems CSE 444 Lecture 05: Views, Constraints April 9, 2008.
Winter 2002Arthur Keller – CS 1809–1 Schedule Today: Jan. 31 (TH) u Constraints. u Read Sections 7.1-7.3, 7.4.1. Project Part 3 due. Feb. 5 (T) u Triggers,

Winter 2002Arthur Keller – CS 1809–1 Schedule Today: Jan. 31 (TH) u Constraints. u Read Sections , Project Part 3 due. Feb. 5 (T) u Triggers,
System Administration Accounts privileges, users and roles

System Administration Accounts privileges, users and roles
DBSYSTEMS 1 of 13 Chapter 10 DB System Administration (Part II) 1 Based on G. Post, DBMS: Designing & Building Business Applications University of Manitoba.

DBSYSTEMS 1 of 13 Chapter 10 DB System Administration (Part II) 1 Based on G. Post, DBMS: Designing & Building Business Applications University of Manitoba.
Security and Authorization. Introduction to DB Security Secrecy: Users shouldn’t be able to see things they are not supposed to. –E.g., A student can’t.

Security and Authorization. Introduction to DB Security Secrecy: Users shouldn’t be able to see things they are not supposed to. –E.g., A student can’t.
CSCI 5707: Database Security Pusheng Zhang University of Minnesota March 2, 2004.

CSCI 5707: Database Security Pusheng Zhang University of Minnesota March 2, 2004.
Security and Transaction Management Pertemuan 8 Matakuliah: T0413/Current Popular IT II Tahun: 2007.

Security and Transaction Management Pertemuan 8 Matakuliah: T0413/Current Popular IT II Tahun: 2007.
Dec 15, 2003Murali Mani Transactions and Security B term 2004: lecture 17.

Dec 15, 2003Murali Mani Transactions and Security B term 2004: lecture 17.
About physical design After you have provided your scripts Understand the problems Present a template that can be used to report on the physical design.

About physical design After you have provided your scripts Understand the problems Present a template that can be used to report on the physical design.

Similar presentations

Ads by Google