Presentation is loading. Please wait.

Presentation is loading. Please wait.

D ISCRETIONARY A CCESS C ONTROLS Truong Quynh Chi Faculty of Computer Science & Engineering HCMC University of Technology

Published byDerick Hood Modified over 9 years ago

Similar presentations

Presentation on theme: "D ISCRETIONARY A CCESS C ONTROLS Truong Quynh Chi Faculty of Computer Science & Engineering HCMC University of Technology"— Presentation transcript:

1 D ISCRETIONARY A CCESS C ONTROLS Truong Quynh Chi Faculty of Computer Science & Engineering HCMC University of Technology tqchi@cse.hcmut.edu.vn

2 Introduction to Discretionary Access Control Proposed Models for DAC SQL for Data Control DAC & Information Flow Controls O UTLINE 2

3 I NTRODUCTION TO DAC Discretionary Access Control (DAC): User can protect what they own. The owner is given all privileges on their own data. The owner can define the type of access (read/write/execute/…) and grant access to others. The typical method of enforcing DAC in a database system is based on the granting and revoking privileges 3

4 I NTRODUCTION TO DAC Types of Discretionary Privileges: The account/system level : The administrator specifies the particular privileges that each account holds independently of the objects in the database system. The object level : The administrator can control the privilege to access each individual object in the database system. 4

5 Introduction to Discretionary Access Control Proposed Models for DAC SQL for Data Control DAC & Information Flow Controls O UTLINE 5

6 P ROPOSED M ODELS FOR DAC Access matrix model Take-Grant model 6

7 A CCESS MATRIX MODEL Authorization state: Q=(S,O,A) For DBs, A[s,o] also includes conditions that must be satisfied in order for s to exercise the access modes Possible conditions: data-dependent (sal<1000), time- dependent (8:00am- 5:00pm), context- dependent (“name- salary” pair is prohibited), history- dependent, … O1…Oi…Om S1 A[s1,o1]A[s1,oi]A[s1,om] … Si A[si,o1]A[si,oi]A[si,om] … Sn A[sn,o1]A[sn,oi]A[sn,om]

8 A CCESS MATRIX MODEL Asset 1Asset 2filedevice Role 1 read, write, execute, own executereadwrite Role 2 read read, write, execute, own

9 A CCESS MATRIX MODEL Model implementation: S  {(O,A)}: capability list O  {(S,A)}: ACL (access control list) Each entry in the list specifies a subject and operation(s): for example, the entry (Alice, delete) on the ACL for file X gives Alice permission to delete file X Advantages & disadvantages of the two above & the model? [2] Capability list: compute a set of subjects granted access on a given object  all lists must be gone through ACL: find all objects a subject can access

10 T AKE -G RANT MODEL Authorization state: G=(S,O,E) V=S U O is the set of vertexes, S ∩ O = Ф E is the set of labelled arcs take(d,s,x,y): the subject s takes the right d on the object/subject y from the object/subject x t s y x d t s y x dd take(d,s,x,y) 10

11 T AKE -G RANT MODEL g s y x d g s y x dd grant(d,s,x,y) grant(d,s,x,y): the subject s grants the right d on the object/subject y to the object/subject x 11

12 T AKE -G RANT MODEL Access modes: read, write, take, grant Read, write: inert rights Take, grant: transport rights A subject S may lose control on the subsequent transfers of the rights it granted to an object O This model is classifiable as an access matrix model Disadvantages? 12

13 T AKE -G RANT MODEL Disadvantages: Non-selectivity of administrative rights : all authorizations of S owning a ‘GRANT’ authorization can be transferred, and all authorizations of O/S on which a ‘TAKE’ right is held can be taken No control on propagation of authorizations Non locality : S owning the grant privilege on O can give any of its privileges to O, thus augmenting the domain of O (the set of authorizations associated to O) Reversibility of the privileges transport flow 13

14 O THER MODELS Acten (Action-Entity) model Wood et al. model  See [2] + Internet 14

15 Introduction to Discretionary Access Control Proposed Models for DAC SQL for Data Control DAC & Information Flow Controls O UTLINE 15

16 SQL FOR D ATA C ONTROL  Commands: GRANT REVOKE  Based on three central objects: Users Database objects Privileges: select, modify (insert, update, delete), reference 16

17 SQL FOR D ATA C ONTROL GRANT : pass privileges on their own database objects to other users GRANT ON TO REVOKE : take back (cancel) privileges on their own database objects from other users REVOKE ON FROM 17

18 SQL FOR D ATA C ONTROL Propagation of Privileges using the GRANT OPTION Whenever the owner A of a relation R grants a privilege on R to another account B, privilege can be given to B with or without the GRANT OPTION. If the GRANT OPTION is given, this means that B can also grant that privilege on R to other accounts. 18

19 SQL FOR D ATA C ONTROL DAC with views (virtual relations) If the owner A of a relation R wants another account B to be able to retrieve only some fields of R, then A can create a view V of R that includes only those attributes and then grant SELECT on V to B. The same applies to limiting B to retrieving only certain tuples of R; a view V’ can be created by defining the view by means of a query that selects only those tuples from R that A wants to allow B to access. 19

20 A N E XAMPLE Suppose that the DBA creates four accounts A1, A2, A3, A4 and wants only A1 to be able to create base relations. Then the DBA must issue the following GRANT command in SQL GRANT CREATETAB TO A1; In SQL2 the same effect can be accomplished by having the DBA issue a CREATE SCHEMA command as follows: CREATE SCHEMA EXAMPLE AUTHORIZATION A1; 20

21 A N E XAMPLE (2) User account A1 can create tables under the schema called EXAMPLE. Suppose that A1 creates the two tables EMPLOYEE and DEPARTMENT A1 is then owner of these two relations and hence all the relation privileges on each of them. Suppose that A1 wants to grant A2 the privilege to insert and delete tuples in both of these relations, but A1 does not want A2 to be able to propagate these privileges to additional accounts: GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2; 21

22 A N E XAMPLE (3) 22

23 A N E XAMPLE (4) Suppose that A1 wants to allow A3 to retrieve information from either of the two tables and also to be able to propagate the SELECT privilege to other accounts. A1 can issue the command: GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION; A3 can grant the SELECT privilege on the EMPLOYEE relation to A4 by issuing: GRANT SELECT ON EMPLOYEE TO A4; Notice that A4 can’t propagate the SELECT privilege because GRANT OPTION was not given to A4 23

24 A N E XAMPLE (5) Suppose that A1 decides to revoke the SELECT privilege on the EMPLOYEE relation from A3; A1 can issue: REVOKE SELECT ON EMPLOYEE FROM A3; The DBMS must now automatically revoke the SELECT privilege on EMPLOYEE from A4, too, because A3 granted that privilege to A4 and A3 does not have the privilege any more. 24

25 A N E XAMPLE (6) Suppose that A1 wants to give back to A3 a limited capability to SELECT from the EMPLOYEE relation and wants to allow A3 to be able to propagate the privilege. The limitation is to retrieve only the NAME, BDATE, and ADDRESS attributes and only for the tuples with DNO=5. A1 then create the view: CREATE VIEW A3EMPLOYEE AS SELECT NAME, BDATE, ADDRESS FROM EMPLOYEE WHERE DNO = 5; After the view is created, A1 can grant SELECT on the view A3EMPLOYEE to A3 as follows: GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT OPTION; 25

26 A N E XAMPLE (7) Finally, suppose that A1 wants to allow A4 to update only the SALARY attribute of EMPLOYEE; A1 can issue: GRANT UPDATE ON EMPLOYEE (SALARY) TO A4; The UPDATE or INSERT privilege can specify particular attributes that may be updated or inserted in a relation. Other privileges ( SELECT, DELETE ) are not attribute specific. 26

27 Introduction to Discretionary Access Control Proposed Models for DAC SQL for Data Control DAC & Information Flow Controls O UTLINE 27

28 DAC & I NFORMATION F LOW C ONTROLS Inherent weakness of DAC: Unrestricted DAC allows information from an object which can be read by a subject to be written to any other object Bob is denied access to file A, so he asks cohort Alice to copy A to B that he can access Suppose our users are trusted not to do this deliberately. It is still possible for Trojan Horses to copy information from one object to another. 28

29 T ROJAN HORSE E XAMPLE 29

30 T ROJAN HORSE E XAMPLE 30

31 T ROJAN HORSE E XAMPLE 31

32 32

Download ppt "D ISCRETIONARY A CCESS C ONTROLS Truong Quynh Chi Faculty of Computer Science & Engineering HCMC University of Technology"

Similar presentations

7- Sicurezza delle basi di dati

7- Sicurezza delle basi di dati
4/6/2017.

4/6/2017.
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Jan. 2014Dr. Yangjun Chen ACS-49021 Database security and authorization (Ch. 22, 3 rd ed. – Ch. 23, 4 th ed. – Ch. 24, 6 th )

Jan. 2014Dr. Yangjun Chen ACS Database security and authorization (Ch. 22, 3 rd ed. – Ch. 23, 4 th ed. – Ch. 24, 6 th )
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.

Lakshmi Narayana Gupta Kollepara 10/26/2009 CSC-8320.
Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.

Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.
Database Security by Muhammad Waheed Aslam SIS Project Leader ITC/KFUPM.

Database Security by Muhammad Waheed Aslam SIS Project Leader ITC/KFUPM.
Chapter 11 Database Security: An Introduction Copyright © 2004 Pearson Education, Inc.

Chapter 11 Database Security: An Introduction Copyright © 2004 Pearson Education, Inc.
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Security and Integrity

Security and Integrity
Database Management System

Database Management System
Database Security - Farkas 1 Database Security and Privacy.

Database Security - Farkas 1 Database Security and Privacy.
Security Fall 2009McFadyen ACS-49021 How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.

Security Fall 2009McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
Security Fall 2006McFadyen ACS-49021 How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.

Security Fall 2006McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
System Administration Accounts privileges, users and roles

System Administration Accounts privileges, users and roles
CSCI 5707: Database Security Pusheng Zhang University of Minnesota March 2, 2004.

CSCI 5707: Database Security Pusheng Zhang University of Minnesota March 2, 2004.
Copyright © 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 24 Database Security.

Copyright © 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 24 Database Security.
View n A single table derived from other tables which can be a base table or previously defined views n Virtual table: doesn’t exist physically n Limitation.

View n A single table derived from other tables which can be a base table or previously defined views n Virtual table: doesn’t exist physically n Limitation.
Lecture 7 Access Control

Lecture 7 Access Control

Similar presentations

Ads by Google