PowerPoint bemutat&#243

Download Report

Transcript PowerPoint bemutat&#243

Database Management
10. course
Database security
•
•
•
•
•
•
Protection
Privacy
Control access
Role of the administrator
Encryption
Audit trails
Objectives
• Secrecy
– Info not given to unauthorized users: you should
not examine your classmate’s grades
• Integrity
– Only authorized users can modify data: you can
see your grades but hopefully cannot modify it
• Availability
– Access of authorized users should not be denied:
I can modify your grades
•
•
•
•
Security policy
Security mechanisms
Security measures at every level
Security leaks: e.g. easy passwords
Access control
Discretionary access control
• Concept of privileges (access rights) and
mechanisms for giving users such privileges
• If I create a table, I get all privileges
• DBMS keeps track of grants and revokes
• Weakness: if an authorized user is tricked,
everything is disclosed to the hacker
• SQL-92 standard: Data Control Language
• User creating a table has all the rights and the
grant option
• User creating a view has those rights that he
has on every other base tables and base views
• E.g. he must have the select right to create it
• He has select with grant for the view if he has
for the base tables/views
• Similar for insert/update/delete
• The schema owner can use DDL (create,…)
• Right of DDL cannot be granted
• Grants are stored with authorization id ~
username
• Information can be hidden by views
• Example: hide bid, sid, list active sailors
Example 2
• Michael creates a view:
• Now he can give select option to everyone on
YoungSailors
• Others can select on YoungSailors, but not on
Sailors
Example
• What is the maximal rating for Sailors?
• Constraints can be created based on a select
CREATE TABLE Sneaky (maxrating INTEGER,
CHECK (maxrating>=
(SELECT MAX(Sailors.rating) FROM Sailors)))
• By repeatedly inserting rows, maxrating could
be guessed  SELECT privilege is needed for
this
Example 2
•
•
•
•
GRANT UPDATE (rating) ON Sailors TO Leah
UPDATE Sailors SET rating = 8  
UPDATE Sailors SET rating = rating – 1  
(no select privilege)
Example 3
• GRANT REFERENCES (bid) ON Boats TO Bill
• Bill can create foreign key reference on bid
• GRANT INSERT ON Sailors TO Michael
• GRANT INSERT ON Sailors(sid), Sailors(sname),
Sailors(rating), Sailors(age) TO Michael
• If we insert a new column, can Michael insert
a new row?
Revoke
• One user can get rights for sg multiple times.
DB stores every grant
• Revoke with cascade: withdraw rights from
those who have privileges only from that user
who had the grant option
Example
• Who looses privileges? Art and Bob
• Otherwise Bob’s privilege would be
abandoned
• RESTRICT: Do not revoke privileges that create
abandoned privileges
Example 2
• Who looses right? Art
• Does Art loose rigth? Yes!
• Revoke grant option:
• Privilege descriptor is added to the table that
stores grantor (giver), grantee (receiver),
privilege (with DB object name), grant option
(true/false)
• For table creator the grantor is the System
Authorization graph
Trace revoke
• Rule: There is a path from the System node
with each node with the same right+grant
option
• Joe  Art removed
• But! System  Joe  Cal  Bob  Art
remains so everybody has the rights
• Convenient in real world: if a manager gets
fired, only those rights are revoked that
belong to him
• If grant is revoked from Cal
Views and Integrity Constraints
• Privileges of the creator on the view change if
the privileges on the base tables change:
1. A view may be dropped because SELECT
privilege is revoked from its creator
2. If the creator gains additional privileges on
the base tables, he automatically gains
additional privileges on the view
3. Distinction between the REFERENCES and
SELECT privileges is important
Example
• Joe created table Sailors and gave Michael the
SELECT privilege with grant option
• Michael created the view YoungSailors and
gave Eric the SELECT privilege on YoungSailors.
• Eric defines the view called FineYoungSailors:
•
•
•
•
•
If Joe revokes SELECT on Sailors from Michael?
Michael has no rights for YoungSailor
Eric has no rights for FineYoungSailor
Both are dropped
If SELECT is re-granted then views can be
created again
• Other option: if Joe gives INSERT right on
Sailors to Michael?
• Michael’s right on YoungSailors is upgraded,
he gets INSERT privilege on it.
• Eric’s privilege is unchanged
REFERENCES privilege
• Joe creates table Boats
• He authorizes Fred to create table Reserves
with foreign key to bid  REFERENCES grant
• If SELECT privilege is given, foreign key cannot
be created
• If REFERENCES privilege is given, select cannot
be queried
• If REFERENCES privilege is lost, the foreign key
constraint is dropped, but table is not dropped
Why
• SELECT and REFERENCES privileges are
differentiated because
• If the foreign key is defined with NO ACTION
than Joe (the owner) might not be able to
delete from that table (e.g. from Boats, if
there is a reservation with that bid)
• Foreign key with update option goes beyond
SELECT…
Mandatory access control
• Systemwide policy
• Cannot be changed by individual users
• Weakness of discretionary access contol:
Susceptible to Trojan horse schemes
• Student Tricky Dick wants to break into table
grades of instructor Trustin Justin
– Creates table MineAllMine and gives INSERT
privileges to Justin (who does not know this)
– He modifies some DBMS applications that Justin
uses often to do some additional things: read
table Grades, write results into MineAllMine
• After the data is copied into MineAllMine,
Dick undoes the modifications and revokes
the INSERT privilege
• How to hack applications? Sorry, out of scope
of this lesson…
• Aim: solve the weknesses of discretionary
access control
• Popular model: Beel-LaPadula model
• Described in terms of
– objects (table, view, row, column)
– subjects (users, programs)
– security classes
– clearances
• Every DB object is assigned a security class
class
• Every subject (A) has a clearance for a security
class. Class of subject A is class(A)
• Security classes are ordered: most secure class
 least secure class
• E.g.: TS > S > C > U
• Bell-LaPadula rules on reading and writing of
objects
– Simple Security Property: Subject S is allowed to
read object O only if class(O) ≤ class(S)
– *-Property: Subject S is allowed to write object O
only if class(S) ≤ class(O)
• Can be combined by discretionary access
control: object can be modified with proper
grant and security class level
• This representation avoids leaks: if Tricky Dick
with class C creates table MineAllMine, it can
have level C at last.
• Since Trustin Justin has level TS, he cannot
write table MineAllMine -> *-Property would
be violated
Multilevel Relations and
Polyinstantiation
• Security class must be assigned to every DB
object (table/row/column…)
• If there are rows with different security
classes, it is a multilevel table
• Users with different clearances can see
different collection of rows when they access
Dilemma
• User with class C wants to insert row
<101, Picante, Scarlet, C>
• Primary key: bid
• If insertion is permitted, two rows with
bid=101
• If not, he will know that there is a higher
security row with bid=101
Solution
• Treat security class as part of the key
• Show both with security class
• Show only one with one security level
• Polyinstantiation: presence of data object with
different values in case of different clearances
• Drawback: rigidity (policies are set by
administrators)
Covert channels
• How to get data from higher levels?
• If information is needed from 2 distributed
sites with clearance level C and S and both
have to be committed before the transaction
is omitted
• First commits the site with clearance level S
and sends 1 bit if it is willing to commit or not
(1/0)
• Stream of bits flows between the 2 sites
DoD Security Levels
• Oracle does not support mandatory access
control
• United States Department of Defense requires
mandatory access control
• 4 security levels: A, B, C, and D (least secure)
• Level C supports discretionary access control,
2 sublevels: C1 and C2, login verification, audit
trails
• Level B is divided: B1, B2, and B3 (mandatory)
• B2 needs extra identification and elimination
of covert channels
• B3 needs audit trails and the designation of
security administrator (not necessary the DBA)
• Level A requires mathematical proof that
security enforces the security policy
Role of the DBA
•
•
•
•
Contributes to develop a security policy
Important role in enforcing it
He has the system account
Tasks
– Creating new accounts: ID, pwd
– Mandatory control issues: assign security class
and clearance to the objects and users
– Maintain audit trail: log of updates
– Log DB readings: helps to track hackers…
Statistical Database
• Contains specific information on
users/events/…
• Permits only statistical queries
– Avg, max, …
• How to avoid queries of individual data?
• Example: Sneaky Pete wants to know Admiral
Horntooter’s rating who is the oldest sailor in
the club
• Query the number of sailors older than 55, 60,
65,… until 1 remains
• Query the rating of those sailors who is older
than that age
• Solution: query is executed only if the number
of result rows exceeds N
• How to trick this: how many sailors there are
whose age is greater than 55,60,…? -> Age
limit until N rows remain: X
• What is the sum of ratings of all sailors whose
age is greater than X?
• What is the sum of ratings of all sailors whose
age is greater than X and Horntooter is
excluded, but Pete is included?
• Solution: limit the amount of intersection
between queries
• Solution2: limit the number of queries a user
can execute  still can be tricked
Encryption
•
•
•
•
Extra protection
If data is stolen, it still has to be decrypted
Data Encryption Standard:
Encryption algorithm  Encryption key which
is kept secret  Decryption algorithm (with
the key)
• Character substitution and permutation
• Weakness: get the key from one user…
Public-key encryption
• Every user has a public encryption key and a
private decryption key
• Algorithms are public
• Message is sent by encrypting with the user’s
encryption key
• Only he can decrypt it with his own decryption
key
• Function: hard to invert it
• RSA: Determine the prime factors of a nonprime number is hard, for 100 digits it takes
years
• Example: integer limit for the largest number
he will have to encode
• Limit is the product of 2 large primes: p*q
• Choose a prime e larger than p, q, and the
encryption key
•
•
•
•
•
•
•
Limit and e are public and used for encryption
Decryption key d is based on limit, e, and d
E.g. d*e=1 mod ((p-1)*(q-1))
Hard to compute d based on limit and e
Easy to compute d based on p, q, and e
Decryption is the inverse of encryption
The source of every message can be proved
easily (to filter fake messages)
Example
•
•
•
•
•
•
•
Sam’s public encryption key: eSam
Sam’s private decryption key: dSam
Company’s public encryption key: eComp
Company’s private decryption key: dComp
Sam’s order is encrypted by eComp
Company can decrypt it by dComp
Trick: Sam first decrypts his own order by dSam
• Then encrypts the decrypted order by eComp
• When the company gets the order, decrypts it
by dComp
• Then the Company uses Sam’s public
encryption key eSam
• Source (Sam) is proved
• The company does not know dSam thus, cannot
forge fake orders
Thank you for your attention!