Transcript Current Research Topics in Data Security

Database
Security
Floris Geerts
1
Course organization
• One introductory lecture (this one)
• Then, a range of db security topics
presented by you
• You will be graded on the quality of
presentation, technical depth, critical
assessment of the topic and ability to
answer questions raised in class
• No exam.
2
Course organization
• Today, after this lecture:
– Send me an email [email protected]
– with your name and at most two partners (in
case we need to assign multiple persons to the
same topic)
– A ranked list of the top 10 topics (11 topics)
• Then I will assign the topics.
• You’ll get time to study and prepare presentations
• You send the slides to me, and incorporate
comments
3
Topics
1. Access control
•
•
Getting access
Access control mechanisms
2. Safety & integrity
•
•
Redundancy
Data integrity
3. Intrusion
•
•
DB specific
Software specific
4
Topics
4. Cryptography
•
•
•
Symmetric
Asymmetric
Quantum (optional)
4. Privacy & Security
•
•
Statistical DB
Privacy preservation
5
Data Security
Dorothy Denning, 1982:
• Data Security is the science and study of
methods of protecting data (...) from
unauthorized disclosure and modification
• Data Security = Confidentiality + Integrity
6
Data Security
• Distinct from systems and network security
– Assumes these are already secure
• Tools:
– Cryptography, information theory, statistics, …
• Applications:
– Everywhere
7
Topic 1
Access methods: “Getting in”
• It is all about passwords and authentication
- How are passwords used for authentication in
DBMS?
- What kind of password control mechanisms do
DBMS have? (e.g., Oracle,…)
- What makes a password good or bad?
- Techniques to check this
- Techniques to generate one
- Alternatives to passwords (e.g., captcha)
8
Captcha
• CAPTCHA stands for
Completely Automated
Public Turing test to tell
Computers and Humans
Apart
• A.K.A. Reverse Turing
Test, Human Interaction
Proof
• The challenge: develop a
software program that can
create and grade challenges
most humans can pass but
computers cannot
9
Topic 2:
Access methods: control mechanisms
• How do DBMS control access to different
users?
• How do DBMS assure that users can only
change/query data to which they have
access?
• As an example
10
Discretionary Access Control (DAC) in
SQL
GRANT privileges
ON object
TO users
[WITH GRANT OPTIONS]
privileges = SELECT |
INSERT(column-name) |
UPDATE(column-name) |
DELETE |
REFERENCES(column-name)
object = table | attribute
11
Examples
GRANT INSERT, DELETE ON Customers
TO Yuppy WITH GRANT OPTIONS
Queries allowed to Yuppy:
INSERT INTO Customers(cid, name, address)
VALUES(32940, ‘Joe Blow’, ‘Seattle’)
DELETE Customers
WHERE LastPurchaseDate < 1995
Queries denied to Yuppy:
SELECT Customer.address
FROM Customer
WHERE name = ‘Joe Blow’
12
Examples
GRANT SELECT ON Customers TO Michael
Now Michael can SELECT, but not INSERT or DELETE
13
Examples
GRANT SELECT ON Customers
TO Michael WITH GRANT OPTIONS
Michael can say this:
GRANT SELECT ON Customers TO Yuppi
Now Yuppi can SELECT on Customers
14
Examples
GRANT UPDATE (price) ON Product TO Leah
Leah can update, but only Product.price, but not Product.name
15
Examples
Customer(cid, name, address, balance)
Orders(oid, cid, amount)
cid= foreign key
Bill has INSERT/UPDATE rights to Orders.
BUT HE CAN’T INSERT ! (why ?)
GRANT REFERENCES (cid) ON Customer TO Bill
Now Bill can INSERT tuples into Orders
16
David owns
Views and Security
Fred is not
allowed to
see this
Customers:
Name
Mary
Address
Huston
Balance
450.99
Sue
Joan
Ann
Seattle
Seattle
Portland
-240
333.25
-520
David says
CREATE VIEW PublicCustomers
SELECT Name, Address
FROM Customers
GRANT SELECT ON PublicCustomers TO Fred
17
David owns
Views and Security
Customers:
Name
Mary
Sue
Address
Huston
Seattle
Balance
450.99
-240
Joan
Ann
Seattle
Portland
333.25
-520
John is
allowed to
see only >0
balances
David says
CREATE VIEW BadCreditCustomers
SELECT *
FROM Customers
WHERE Balance > 0
18
GRANT SELECT ON BadCreditCustomers TO John
Revocation
REVOKE [GRANT OPTION FOR] privileges
ON object FROM users { RESTRICT | CASCADE }
Administrator says:
REVOKE SELECT ON Customers FROM David CASCADE
John loses SELECT privileges on BadCreditCustomers
19
Revocation
Joe: GRANT [….] TO Art …
Art: GRANT [….] TO Bob …
Bob: GRANT [….] TO Art …
Joe: GRANT [….] TO Cal …
Cal: GRANT [….] TO Bob …
Joe: REVOKE [….] FROM Art CASCADE
Same privilege,
same object,
GRANT OPTION
What happens ??
20
Revocation
Admin
Revoke
0
Joe
1
4
Art
2
3
Cal
5
Bob
According to SQL everyone keeps the privilege
21
Other approaches
Discretionary Access Control (DAC)
Label-based Access Control (LBAC)
Role-based Access Control (RBAC)
Mandatory Access Control (MAC)
Pro’s and con’s of these control mechanisms?
22
Topic:
Safety & Integrity
It is about keeping our precious bits safe from
harm.
•Disk failure which mostly goes together with data
loss
• System failure which can cause data inconsistency.
(For example a Denial-Of-Service attack can result
in system failures because of the exhaustion of
system resources.
23
Topic 3: Recovery
• Mostly solved by redundancy:
– having and organizing redundant information
so that the data stored can be recovered in case
there is a disk failure.
– Where and how to store? Secondary storage,
RAIDs
– How to assure that all the data has a copy
somewhere
24
Topic 4: Integrity
• How to assure that all data is consistent
– The same data in all copies
• How to assure that nothing gets corrupted
during transmission
– Error correcting codes
• How to keep track of changes and possible
unauthorized access
– Transaction log/data auditing
25
Topic 5: DB intrusion
• Intrusion prevention
– detecting ongoing attacks in real time in order
to prevent damage to the database.
• Intrusion detection
– Use of database auditing
• Example: SQL injection
26
SQL Injection
Your health insurance company lets you see the claims online:
First login:
User:
fred
Password:
********
Now search through the claims :
Search claims by:
Dr. Lee
SELECT…FROM…WHERE doctor=‘Dr. Lee’ and patientID=‘fred’
27
SQL Injection
Now try this:
Search claims by:
Dr. Lee’ OR patientID = ‘suciu’; --
…..WHERE doctor=‘Dr. Lee’ OR patientID=‘suciu’;
--’ and patientID=‘fred’
Better:
Search claims by:
Dr. Lee’
OR 1 = 1; -28
SQL Injection
When you’re done, do this:
Search claims by:
Dr. Lee’; DROP TABLE Patients; --
29
SQL Injection
• The DBMS works perfectly. So why is
SQL injection possible so often ?
30
Topic 6: Software intrusion
• Leveraging Stack and Buffer overflow in
programs
• How to prevent/detect such intrusions?
31
Topic 7: Cryptography symmetric
Commonly used
techniques
Same
encryption and
decryption key
DES, AES
32
Topic 8: Cryptography –
asymmetric
• Different encoding and decoding keys
• Public key
• RSA
33
Topic 9: Cryptography Quantum
• Newest methods based on quantum
computing
• You need to ask if you want this – it is a bit
math heavy.
34
Topic 10: Security in Statistical
DBs
Goal:
• Allow arbitrary aggregate SQL queries
• Hide confidential data
• Inference
SELECT name
FROM Patient
WHERE age=42
and sex=‘M’
and diagnostic=‘schizophrenia’
SELECT count(*)
OK
FROM Patients
WHERE age=42
and sex=‘M’
and diagnostic=‘schizophrenia’
35
Topic 11: Privacy preservation
k-Anonymity/Randomization
Definition: each tuple is equal to at least k-1 others
Anonymizing:
First
Harry
*
John
Beatrice
*
John
Last
Stone
Reyser
R*
Stone
Ramos
R*
Age
30-50
34
20-40
36
30-50
47
20-40
22
Race
Afr-Am
Cauc
*
Afr-am
Hisp
*
36