Database Security CS 645 Apr 10, 2008 Gerome Miklau, UMass Amherst - PowerPoint PPT Presentation

  1. Database Security CS 645 Apr 10, 2008 Gerome Miklau, UMass Amherst

  2. Outline
  • Security basics
  • Access control in Databases
  • Privacy foundations
  • Beyond access control

  3. Security properties • Confidentiality • Authenticity • Availability • Privacy

  4. Confidentiality
  A guarantee that data has not been disclosed to an unauthorized party.
  • Threats to confidentiality
    – direct release, approximate disclosure, leaks from inference & outside knowledge
  • Providing confidentiality
    – access controls, inference controls, encryption

  5. Authenticity
  Also called: data integrity
  A guarantee that data has not been modified from its original state by an unauthorized party.
  • Aspects of authenticity:
    – data comes from original source
    – not modified
    – freshness: current, not re-used
  • Threats to authenticity:
    – forging, tampering, replay
  • Providing authenticity
    – access control, digital signatures, hashing

  6. Confidentiality or Authenticity?
  • Which security properties matter for:
    – Student grades for this course stored in database.
    – Resume or CV posted on webpage.
    – Medical records stored in database.

  7. Availability
  A guarantee that data is available when needed.
  • Threats to availability: denial of service
  • Providing availability: conventional concern of databases

  8. Privacy
  Informational Privacy: The ability to determine for ourselves when, how, and to what extent information about us is communicated to others. - Westin
  • Requires both data confidentiality & authenticity

  9. • Security basics • Access control in Databases • Privacy foundations • Beyond access control

  10. Access control
  • Regulates direct access to resources
    – Subjects (i.e. registered users)
    – Objects (files, directories, tables)
    – Privileges (read, write, insert, delete, etc.)
  • Discretionary access control
    – Users can grant access at their discretion.
  • Mandatory access control
    – All subjects and objects classified by an authority and global rules determine privileges.

  11. SQL Security
  • Core security features present in nearly all database systems:
    – User authentication
    – Discretionary access control:
      • Subjects (database users)
      • Privileges (select, insert, delete, update)
      • Objects (tables, columns, views)
  • In SQL: GRANT / REVOKE
  System R authorization model [Griffiths and Wade '76], [Fagin '78]

  12. Database system security
  (Architecture diagram: the Client sends an SQL Query to the Server; inside the DB system the Parser, the SQL query/update engine and Access Control process it against the tables and return the Result; the DB system runs on the File system and OS.)

  13. Discretionary AC in SQL
  GRANT privileges ON object TO users [WITH GRANT OPTIONS]
  privileges = SELECT | INSERT(column-name) | UPDATE(column-name) | DELETE | REFERENCES(column-name)
  object = table | view

  14. Examples
  GRANT INSERT, DELETE ON Customers TO Yuppy WITH GRANT OPTIONS
  Queries allowed to Yuppy:
    INSERT INTO Customers(cid, name, address) VALUES(32940, 'Joe Blow', 'Seattle')
    DELETE Customers WHERE LastPurchaseDate < 1995
  Queries denied to Yuppy:
    SELECT Customer.address FROM Customer WHERE name = 'Joe Blow'

  15. Examples
  GRANT SELECT ON Customers TO Michael
  Now Michael can SELECT, but not INSERT or DELETE

  16. Examples
  GRANT SELECT ON Customers TO Michael WITH GRANT OPTIONS
  Michael can say this:
    GRANT SELECT ON Customers TO Yuppi
  Now Yuppi can SELECT on Customers

  17. Examples
  GRANT UPDATE (price) ON Product TO Leah
  Leah can update, but only Product.price, not Product.name

  18. Examples
  Customer(cid, name, address, balance)
  Orders(oid, cid, amount)    cid = foreign key
  Bill has INSERT/UPDATE rights to Orders. BUT HE CAN'T INSERT! (why?)
  GRANT REFERENCES (cid) ON Customer TO Bill
  Now Bill can INSERT tuples into Orders

  19. Views and Security
  David owns Customers:
    Name  Address   Balance
    Mary  Huston    450.99
    Sue   Seattle   -240
    Joan  Seattle   333.25
    Ann   Portland  -520
  Fred is not allowed to see this (the Balance column).
  David says:
    CREATE VIEW PublicCustomers SELECT Name, Address FROM Customers;
    GRANT SELECT ON PublicCustomers TO Fred

  20. Views and Security
  David owns Customers:
    Name  Address   Balance
    Mary  Huston    450.99
    Sue   Seattle   -240
    Joan  Seattle   333.25
    Ann   Portland  -520
  John is allowed to see only <0 balances.
  David says:
    CREATE VIEW BadCreditCustomers SELECT * FROM Customers WHERE Balance < 0;
    GRANT SELECT ON BadCreditCustomers TO John

  21. Views and Security
  • Each customer should see only her/his record
    Name  Address   Balance
    Mary  Huston    450.99
    Sue   Seattle   -240
    Joan  Seattle   333.25
    Ann   Portland  -520
  David says:
    CREATE VIEW CustomerMary SELECT * FROM Customers WHERE name = 'Mary'
    GRANT SELECT ON CustomerMary TO Mary
    CREATE VIEW CustomerSue SELECT * FROM Customers WHERE name = 'Sue'
    GRANT SELECT ON CustomerSue TO Sue
    . . .
  Doesn't scale. Need row-level access control!
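The views of slides 19 to 21 rebuilt on SQLite, as an added example that is not part of the slides. SQLite has no GRANT, so the GRANTS dict and the registered current_user() SQL function are assumed stand-ins; the MyCustomer view goes beyond the slides by replacing the per-customer views with one view filtered on the session user, which is the row-level access control slide 21 asks for.

```python
import sqlite3

# Constructed from the slides' Customers table, owned by David.
CUSTOMERS = [("Mary", "Huston", 450.99), ("Sue", "Seattle", -240.0),
             ("Joan", "Seattle", 333.25), ("Ann", "Portland", -520.0)]

# Hypothetical stand-in for GRANT SELECT ON <view> TO <user>; SQLite has no GRANT.
GRANTS = {"Fred": {"PublicCustomers"}, "John": {"BadCreditCustomers"},
          "Mary": {"MyCustomer"}, "Sue": {"MyCustomer"}}

def build_db():
    """In-memory database holding the base table and the three security views."""
    conn = sqlite3.connect(":memory:")
    # current_user() is a session-scoped SQL function we register ourselves;
    # query_as rebinds it to the acting user before each query.
    conn.create_function("current_user", 0, lambda: "")
    conn.execute("CREATE TABLE Customers(Name TEXT, Address TEXT, Balance REAL)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?)", CUSTOMERS)
    # Slide 19: column-level hiding, Fred never sees Balance.
    conn.execute("CREATE VIEW PublicCustomers AS SELECT Name, Address FROM Customers")
    # Slide 20: row filtering, John sees only negative balances.
    conn.execute("CREATE VIEW BadCreditCustomers AS "
                 "SELECT * FROM Customers WHERE Balance < 0")
    # Beyond slide 21: one view keyed to the session user replaces the
    # per-customer views CustomerMary, CustomerSue, ... (row-level access control).
    conn.execute("CREATE VIEW MyCustomer AS "
                 "SELECT * FROM Customers WHERE Name = current_user()")
    return conn

def query_as(conn, user, view):
    """SELECT * FROM view as user, refusing anything the simulated grants do not allow.
    The view name is interpolated only after it matched a granted identifier."""
    if view not in GRANTS.get(user, set()):
        raise PermissionError(f"{user} has no SELECT privilege on {view}")
    conn.create_function("current_user", 0, lambda: user)
    return conn.execute(f"SELECT * FROM {view}").fetchall()
```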

  22. Revocation
  REVOKE [GRANT OPTION FOR] privileges ON object FROM users { RESTRICT | CASCADE }
  Administrator says:
    REVOKE SELECT ON Customers FROM David CASCADE
  John loses SELECT privileges on BadCreditCustomers

  23. Revocation
  Same privilege, same object, GRANT OPTION:
    1. Joe: GRANT [….] TO Art …
    2. Art: GRANT [….] TO Bob …
    3. Bob: GRANT [….] TO Art …
    4. Joe: GRANT [….] TO Cal …
    5. Cal: GRANT [….] TO Bob …
  Joe: REVOKE [….] FROM Art CASCADE
  What happens??
  (Grant graph: Admin -0-> Joe, Joe -1-> Art, Art -2-> Bob, Bob -3-> Art, Joe -4-> Cal, Cal -5-> Bob; grant 1 is the one revoked.)
  Everyone keeps the privilege: REVOKE removes privileges from all users who hold the privilege SOLELY through a grant command executed by the revoking user.
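An added Python model of this slide's grant graph, not from the slides themselves: it applies the rule stated above, dropping the revoker's grants to the target and then, in cascade, every grant made by a user no longer reachable from the owner through some remaining chain of grants. The GrantGraph class and the owner name "Admin" are assumed; the sequence numbers only match the slide's edge labels and play no part in the rule.

```python
from collections import deque

class GrantGraph:
    """All grants of one privilege on one object, every grant WITH GRANT OPTION.
    An edge (grantor, grantee, t) is the slide's arrow labelled t."""
    def __init__(self, owner):
        self.owner = owner
        self.grants = []

    def holders(self):
        # A user holds the privilege if some chain of grants from the owner still
        # reaches them, i.e. they do not hold it SOLELY through a revoked grant.
        seen, todo = {self.owner}, deque([self.owner])
        while todo:
            u = todo.popleft()
            for grantor, grantee, _ in self.grants:
                if grantor == u and grantee not in seen:
                    seen.add(grantee)
                    todo.append(grantee)
        return seen

    def grant(self, grantor, grantee, t):
        if grantor not in self.holders():      # must hold it to pass it on
            raise PermissionError(f"{grantor} does not hold the privilege")
        self.grants.append((grantor, grantee, t))

    def revoke_cascade(self, revoker, target):
        """REVOKE ... FROM target CASCADE issued by revoker: drop revoker's grants
        to target, then keep dropping grants made by users who no longer hold the
        privilege until nothing changes. Returns the users who lost the privilege."""
        before = self.holders()
        self.grants = [g for g in self.grants if (g[0], g[1]) != (revoker, target)]
        while True:
            live = self.holders()
            kept = [g for g in self.grants if g[0] in live]
            if len(kept) == len(self.grants):
                return before - live
            self.grants = kept

def slide23_scenario():
    """Slide 23: 0 Admin->Joe, 1 Joe->Art, 2 Art->Bob, 3 Bob->Art, 4 Joe->Cal,
    5 Cal->Bob; then Joe: REVOKE ... FROM Art CASCADE."""
    g = GrantGraph("Admin")
    for grantor, grantee, t in [("Admin", "Joe", 0), ("Joe", "Art", 1), ("Art", "Bob", 2),
                                ("Bob", "Art", 3), ("Joe", "Cal", 4), ("Cal", "Bob", 5)]:
        g.grant(grantor, grantee, t)
    return g.revoke_cascade("Joe", "Art"), g.holders()
```

With the second path Joe -> Cal -> Bob -> Art still intact, slide23_scenario() reports nobody losing the privilege; remove grants 4 and 5 and the same cascade strips Art and Bob both.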

  24. Summary of SQL Security
  Limitations:
  • No row level access control
  • Table creator owns the data
  Access control = great success story of the DB community...
  ... or spectacular failure:
  • Only 30% assign privileges to users/roles
    – And then to protect entire tables, not columns

  25. • Security basics • Access control in Databases • Privacy foundations • Beyond access control

  26. Next • Security basics • Access control in Databases • Privacy foundations • Beyond access control

  27. Computers and privacy
  "Virtually every department of government and law enforcement agency, every credit bureau, insurance company, big business, every important educational establishment, ... is using computer technology to gather personal information on as many people as they can."
  Excerpted from Miller: The Assault on Privacy, published in 1971

  28. Roots of privacy
  • Historical roots in the Bible, Aristotle, ancient Chinese culture
  • Recognized as a fundamental human right.
  • Nearly every country mentions the right to privacy explicitly in its constitution. Except US, Ireland, India

  29. Definitions of privacy

  30. Definitions of privacy
  • Gavison, 1980:
    – protection from being brought to the attention of others
    – Privacy is a complex of concepts concerned with the accessibility others have to us. One has perfect privacy when one is completely inaccessible to others.
  • Privacy can be gained through:
    – secrecy - when no one has information about us
    – anonymity - when no one pays attention to us
    – solitude - when no one has physical access to us

  31. Informational privacy
  • Westin, 1967:
    – the ability to determine for ourselves when, how, and to what extent information about us is communicated to others.
  • Hughes, 1993:
    – the power to selectively reveal oneself to the world.

  32. Privacy, For and Against
  • A fundamental human right
  • Aspect of personal freedom, liberty
  • Requirement for democracy
  • Prerequisite to developing sense of self.

  33. Privacy, For and Against
  • Surveillance has benefits
  • Accountability requires sacrificing privacy
  • Posner (1981) - Economic critique
  • MacKinnon (1989) - Feminist critique
  • Brin (1999) - Increased flow of information can benefit all, if access is free and equal.

  34. Attitudes
  • Westin's categories, through surveys
    – Privacy fundamentalist (25%)
      • Feel they've lost privacy, resistant to further erosion
    – Privacy pragmatist (55%)
      • Concerned about privacy, but willing to share info given choice and notice
    – Privacy unconcerned (20%)
  (Image: Jennicam, 1996)

  35. Behavior != Attitude
  • Behavior is not always consistent with stated attitudes
    – economic model of behavior - rational economic agents protecting or divulging their personal info
    – price of privacy
  • Individuals are not rational actors
  Acquisti/Grossklags 2005

  36. Strong privacy advocates
  Privacy can be achieved by limiting information flow
  • Technologists - crypto, electronic anonymity, fighting surveillance technology.
  • "European model" - rules and regulations to govern data operations.
  • Pragmatics - practical advice on how to protect oneself.

  37. Transparency
  Increasing flow of info may help all parties (Brin)
  • Data collection and surveillance is probably inevitable, and provides accountability
  • Rather than fight against "watching", make sure everyone can "watch the watcher".
