25 Database security
Hiteishi Diwanji
Introduction to Databases:
Advantage of using Databases:
- Shared access – Users use one common, centralized set of data.
- Minimal redundancy – Users do not have to keep their own records of data.
- Data consistency – Change in particular data value changes the data of all users.
- Data integrity – Data values are protected against accidental or malicious undesirable changes.
- Controlled access – Only legitimate users who are authorized can view or modify data values.
What are the requirements for database security?
Integrity of the Database
Integrity of a database gets affected in following situations:
- Whenthe whole database is damaged
- When individual data items become unreadable.
- Integrity of the database as a whole is the responsibility of
- The DBMS
- The operating system
- The Database system manager.
- To reconstruct the database at the point of a failure, the DBMS maintains a log of transactions. The database system can refer to back up copy of the database and perform transactions again for the failed transaction by referring the log.
Element Integrity
- The integrity of database elements is measured by their correctness or accuracy. This can be measured in three ways :Field checks – This includes activities to test appropriateness of values in that field.Access control A change log – A change log maintains details of every change made to the database. It keeps original and modified values. This log helps, a database administrator to undo any changes that caused error.
Auditability
- Audit record of all access (read or write) to a database.
- Audit record help in keeping the database’s integrity, or to find out who had changed the values of database and timestamp of that change.
Access Control
- Databases are often separated logically by user access privileges.
User Authentication
- The DBMS performs user authentication. A user has to give specific password and time-of-day checks. This authentication is in addition to the authentication performed by the operating system.
Integrity/Confidentiality/Availability – Computer Security
- Integrity relates to the design of database management systems.
- Confidentiality is an issue due to the inference problem,
- Availability is to be addressed because the prime goal of database is shared access.
Reliability
Reliability ensures that the software runs for long time without failing.
Protection Features from the Operating System
- Database back up must be taken periodically.
- The operating system controls protects the files.
- The operating system performs integrity checks for all data. This is done during read and write operations for I/O devices.
Two-Phase Update
- The intent phase – the DBMS pulls all resources needed to perform the update
- Committing – This involves addition of commit flag to the database. The commit flag makes changes permanent that cannot be roll backed.
- Two-Phase Update Example
- The stock keeper verifies with the database whether 50 boxes of strings are available. If not available, the requisition gets rejected and the transaction finishes.
- If strings are enough in number in stock, the stock keeper reduces the inventory by 50 and reflects into the database (107 – 50 = 57).
- The stock keeper charges account department for budget (also in the database) for 50 boxes of strings.
- The stock keeper checks the remaining quantity on hand (57) to check whether the remaining quantity is below the reorder point. The status of the item is “on order” in the database.
- A delivery order is prepared, 50 boxes of string is sent to accounting.
All five of these steps must follow the order in order to complete. Hence the transaction must be processed correctly.
- In two-phase commit, shadow values are maintained for key data points. A shadow data value is computed and stored on local bases during the intent phase, and copied to the actual database during the commit phase.Intent:
- Check performed on COMMIT-FLAG in the database. If set, this phase cannot be performed. Either Halt till the COMMIT-FLAG is unset or continuously check whether the COMMIT-FLAG is unset.
- Compare number of boxes of strings available with required number; if required are more than available, halt.
- Calculate TString = ONHANDString – REQUIREDString.
- Ask Accounting department about available ABUDGET.
- Compute TBUDGETString = ABUDGET – SCOST, where SCOST is the cost of 50 boxes of strings.In case calculated TString is less than reorder point; set TREORDERString = TRUE; else set TREORDERString = FALSE
Commit:
- Set COMMIT-FLAG in database.
- Copy TString to String in database.
- Copy TBUDGET to BUDGET in database.
- Copy TREORDERString to REORDERString in database.
- Prepare note to deliver strings to accounting department. Log must store transaction as complete.
- Unset COMMIT-FLAG.
- Redundancy/Internal Consistency
- Error Detection and Correction Codes
- Shadow Fields
- Database keeps duplicates of all attributes or entire records.
- In case of error, if the data cannot be retrieved or reproduced, data can be replaced from the second copy.
- Recovery
- DBMS can maintain log with all accesses by user focusing on changes made by user.
- If transaction fails, the database is retrieved from a backup copy and changes are then applied from the audit log.
- Concurrency/Consistency
- Database systems are designed for multiuser environment. In case two users try to modify the same data, each user has its own data; the value to be written does not depend on the previous value of the data item. There is no conflict between two users. This assumption does not hold every time.
- Agent A executes the command
SELECT (SEAT-NUM = ’10C’) ASSIGN ‘RAJ L’ TO TRVELLER-NAME
while Agent B executes the command
SELECT (SEAT-NUM = ’10C’) ASSIGN ‘RAM P’ TO TRAVELLER-NAME
To resolve this problem, a DBMS treats the entire query update cycles a single atomic operation.
Monitors
- The monitor is the unit of a DBMS responsible for the structural integrity of the database.Forms of monitors
- Range Comparisons A range comparison monitor tests each new value to ensure that the value is within an acceptable range
- Filters or patterns are more general types of data form checks.
- State constraints describe the condition of the entire database.
- Transition constraints describe conditions necessary before changes can be applied to a database.
Sensitive Data
- Sensitive data are data that should not be made public.
- There exist cases that some but not all of the elements in the database are sensitive.
- There may be varying degrees of sensitivity.
- Sensitive data – Access Decisions
The DBMS may consider several factors when deciding whether to permit an access.
- Availability of the data – One or more required elements may be inaccessible. For example, if a user is updating several fields, other users’ accesses to those fields must be blocked temporarily. This blocking ensures that users do not receive inaccurate information.
- Acceptability of the access – One or more values of the record may be sensitive and not accessible by the general user. A DBMS should not release sensitive data to unauthorized individuals.
- Authenticity of the user. – Certain characteristics of the user external to the database may also be considered when permitting access. For example, to enhance security, the database administrator may permit someone to access the database only at certain times, such as during working hours.
- Access Decisions Types of Disclosures
- Exact Data – The most serious disclosure is the exact value of a sensitive data item itself
- Bounds – Another exposure is disclosing bounds on a sensitive value; that is,indicating that a sensitive value, y, is between two values, L and H.
- Negative Result – Sometimes we can word a query to determine a negative result. That is, we can learn that z is not the value of y.
- Existence – The existence of data is itself a sensitive piece of data
- Probable Value – it may be possible to determine the probability that a certain element has a certain value.
- Inference
- Inference is a way to infer or derive sensitive data from nonsensitive data. Medicine table Inference – Direct Attack
Name | sex | Race | Aid | Fines | Drugs | Dorm |
Ram | M | C | 5000 | 50 | 1 | West |
Shyam | M | A | 0 | 0 | 0 | East |
Shravani | F | B | 3000 | 0 | 2 | North |
- A user tries to determine values of sensitive fields by seeking them directly with queries that yield few records.
- A sensitive query might be
Select NAME from Medicine where SEX=M ∧ DRUGS=1
This query discloses that for record ADAMS, DRUGS=1. it is an obvious attack because it selects people for whom DRUGS=1, and the DBMS might reject the query because it selects records for a specific value of the sensitive attribute DRUGS.
- select NAME from medicine where (SEX=M ∧ DRUGS=1) ∨ (SEX≠M ∧ SEX ≠ F) ∨ (DORM=AYRES)
- This query still retrieves only one record, revealing a name that corresponds to the sensitive DRUG value. The DBMS needs to know that SEX has only two possible values so that the second clause will select no records. Even if that were possible, the DBMS would also need to know that no records exist with DORM=AYRES, even though AYRES might in fact be an acceptable value for DORM.
- Do not reveal results when a small number of people make up a large proportion of a category.
- The rule of “n items over k percent” means that data should be withheld if n items represent over k percent of the result reported.
- Indirect Attack
- Sum – An attack by sum tries to infer a value from a reported sum.
- Medicine table – Report student aid total by sex and dorm.
Indirect Attack – Mean If number of employees are known, if mean salary for a company and the mean salary of all employees except the president , then president’s salary can be computed. Indirect Attack – Median
- In Medicine table, there are 5 males and 3 persons whose drug value is 2.
- Majors is the only name common to both the list.
p=median(AID where SEX=M)
q=median(AID where DRUGS=2)
reveals the exact financial aid amount for Majors.
Tracker Attacks
A tracker attack can fool the database manager into locating the desired data by using additional queries that produce small results
- The tracker adds additional records to be retrieved for two different queries; the two sets of records cancel each other out, leaving only the statistic or data desired. The approach is to use intelligent padding of two queries.
- instead of trying to identify a unique value, request n – 1 other values (where there are n values in the database). Given n and n – 1, desired single element can be easily computed.
- To know how many female Caucasians live in Holmes Hall. A query posed might be count ((SEX=F) (RACE=C) (DORM=Holmes)) The database management system might consult the database, find that the answer is 1, and refuse to answer that query because one record dominates the result of the query.
- The query q=count((SEX=F) ∧ (RACE=C) ∧ (DORM=Holmes)) is of the form q = count(a ∧ b ∧ c) By using the rules of logic and algebra, we can transform this query to q = count(a ∧ b ∧ c) = count(a) – count(a ∧ ¬(b ∧ c)). Thus, the original query is equivalent to count (SEX=F) minus count ((SEX=F) ∧ ((RACE ≠ C) ∨ (DORM ≠Holmes)))
- Controls for Statistical Inference Attacks
- Suppression – sensitive data values are not provided; the query is rejected without response.
- Concealing – the answer provided is close to but not exactly the actual value.
- These two controls reflect the contrast between security and precision.
- With suppression, any results provided are correct, yet many responses must be withheld to maintain security.
- With concealing, more results can be provided, but the precision of the results is lower.
- The choice between suppression and concealing depends on the context of the database.
Random Sample
- With random sample control, a result is not derived from the whole database; instead the result is computed on a random sample of the database.The sample chosen is large enough to be valid.
Random Data Perturbation
- It is sometimes useful to perturb the values of the database by a small error.
- Generate a small random error term εi and add it to xi for statistical results.
Query Analysis
- A more complex form of security uses query analysis.
- Here, a query and its implications are analyzed to determine whether a result should be provided.
you can view video on Database security |
Suggested Reading:
- Cryptography and Network Security Principles and Practice by William Stallings, sixth Edition, PEARSON.
- Security in Computing by Charles Pfleeger & Shari Lawrence Pfleeger, fourth Edition, PEARSON.
- Network Security by Charlie Kaufman, Radia Perlman, Mike Speciner, second Edition, PHI.
- The Complete Reference – Network Security by Roberta Bragg, Mark Rhodes-Ousley & Keith Strassberg, Tata McGraw Hill
- Network Security Bible by Eric Cole, Ronald Krutz, James Conley, Wiley
- Hacking 6 Exposed by Stuart McClure, Joel Scambray & George Kurtz , Tata McGraw Hill .
- www.snort.org
- https://nmap.org