1 / 41

CSC 405 Introduction to Computer Security

CSC 405 Introduction to Computer Security. Topic 6. Database Security. Agenda. Discretionary access control in DBMS Mandatory access control and multi-level databases Database inference control. Topic 6.1 DAC in DBMS. Outline . Relational model Grant and revoke

hova
Télécharger la présentation

CSC 405 Introduction to Computer Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSC 405Introduction to Computer Security Topic 6. Database Security Dr. Peng Ning

  2. Agenda • Discretionary access control in DBMS • Mandatory access control and multi-level databases • Database inference control Dr. Peng Ning

  3. Dr. Peng Ning

  4. Topic 6.1 DAC in DBMS Dr. Peng Ning

  5. Outline • Relational model • Grant and revoke • Extension to the basic model • Questions/comments in reviews Dr. Peng Ning

  6. Basic Relational Concepts • Data is organized as a collection of tables, called RELATIONS • Example: two relations - EMP, DEPT • EMP: name, title, department • DEPT: department, location • Each row (or record) of a relation is called a TUPLE • Each relation has a unique name • Each attribute has a unique name within a relation • All values in a relation are atomic (indecomposable) • As a consequence , we have two tuples for a user Dr. Peng Ning

  7. Examples EMP Name Title Dept Tom Prof ECE Tom Prof CS Adams Prof ECE Smith Inst CS DEPT Name Location CS Wither Hall ECE Daniels Hall Math Harrelson Hall Dr. Peng Ning

  8. Relation Schemes • A relational database consists of 2 relation schemes: • EMP(Name, Title, Dept) • DEPT(Name, Location) • Schemes: structure of the database • Structured Query Language (SQL) • SQL "data definition" statements are used to create relations CREATE TABLE DEPT (Name CHAR(10) NOT NULL, Location CHAR (15), PRIMARY KEY (Name)) CREATE TABLE EMP (Name CHAR(15) NOT NULL, Title CHAR(4), Dept CHAR(10), PRIMARY KEY (Name)) Dr. Peng Ning

  9. SQL • The SELECT statement SELECT Name FROM EMP WHERE Dept = `ECE' • Joins SELECT * FROM EMP, DEPT WHERE EMP.Dept= DEPT.Name AND Dept.Location = `Wither Hall' Tom Adams Tom Prof CS Wither Hall Smith Inst CS Wither Hall Dr. Peng Ning

  10. Views EMP_LOCATION Name Dept Location Tom ECE Daniels Hall Tom CS Wither Hall Abrams ECE Daniels Bldg Smith CS Wither Hall • Views are "virtual" relations. They can be used to customize relations and to provide security CREATE VIEW EMP_LOCATION AS SELECT Name, Dept, Location FROM EMP, DEPT WHERE EMP.Dept = DEPT.Name Dr. Peng Ning

  11. Discretionary Access Controls • Decentralized administration • Users can protect what they own • The owner may grant access to others • The owner may define the type of access (read/write/execute) given to others Dr. Peng Ning

  12. Access Control Mechanisms • Identification and Authentication (I&A) • Security through Views • Stored Procedures • Grant and Revoke • Query Modification Dr. Peng Ning

  13. Identification and Authentication • Identification provided by DBMS can be distinct from that provided by the underlying OS • Example: MS SQL server • Two options • I&A through the OS • Separate I&A Dr. Peng Ning

  14. Security Through Views NAME DEPT SALARY MANAGER Smith Toy 10,000 Jones Jones Toy 15,000 Baker Baker Admin 40,000 Harding Adams Candy 20,000 Harding Harding Admin 50,000 None EMP Users are allowed to access partial information (such as the Toy dept data), but not the detailed information. Dr. Peng Ning

  15. NAME SALARY MANAGER Smith 10,000 Jones Jones 15,000 Baker Example CREATE VIEW TOY_DEPT AS SELECT NAME, SALARY, MANAGER FROM EMP WHERE DEPT = 'Toy' TOY_DEPT Dr. Peng Ning

  16. NAME MANAGER Smith Jones Jones Baker Example CREATE VIEW TOY_EMP_MGR AS SELECT EMP, MANAGER FROM EMP WHERE DEPT = 'Toy' TOY_EMP_MGR Dr. Peng Ning

  17. DEPT AVG TOY 12,500 CANDY 20,000 ADMIN 45,000 Example CREATE VIEW AVSAL(DEPT, AVG) AS SELECT DEPT, AVG(SALARY) FROM EMP GROUP BY DEPT AVSAL Dr. Peng Ning

  18. Stored Procedures • Right to execute compiled programs • GRANT RUN ON program_A TO ADAMS • Suppose program_A needs to access the relation EMP. Adams can execute program_A even though he does not have permission to access EMP Dr. Peng Ning

  19. Query Modification • Adams: GRANT SELECT ON EMP TO THOMAS WHERE SALARY < 15000 • THOMAS: SELECT * FROM EMP • DBMS: SELECT * FROM EMP WHERE SALARY < 15000 Dr. Peng Ning

  20. The Grant Command • GRANT <privilege> ON <relation> TO <users> [WITH GRANT OPTION] • GRANT SELECT ON EMP TO ADAMS • GRANT SELECT ON EMP TO ADAMS WITH GRANT OPTION • GRANT SELECT, UPDATE(SALARY) ON EMP TO JIM, JILL • Applied to base relations as well as views Dr. Peng Ning

  21. The Revoke Command • REVOKE <privileges> [ON <relations>]FROM <users> • REVOKE SELECT ON EMP FROM TOM • REVOKE UPDATE ON EMP FROM SMITH • REVOKE RESOURCE FROM ABRAMS • REVOKE DBA FROM SMITH Dr. Peng Ning

  22. Semantics of Revoke • A sequence of grant command follow by a revoke operation • G1, G2, …, Gn, Rh • Semantics • Equivalent to: G1, G2, …Gh-1, Gh+1, Gn Dr. Peng Ning

  23. Time-stamped Authorizations B E 30g 10g 40g A D F 20g 60g C 50g Dr. Peng Ning

  24. Cascading Revocation Grant sequence: A B C D 20g 10g 30g B revokes privilege from C : A B 10g Dr. Peng Ning

  25. Timestamps Make a Difference B E 30g 10g 40g A D F 20g 60g C 50g Dr. Peng Ning

  26. Timestamps Make a Difference B E 30g 10g 50g A D F 20g 60g C 40g Dr. Peng Ning

  27. Further Extension • Make cascading optional • Permit negative authorizations Dr. Peng Ning

  28. The Revoke Command • REVOKE <privileges> [ON <relations>] FROM <users> [CASCADE] • REVOKE SELECT ON EMP FROM TOM • REVOKE UPDATE ON EMP FROM SMITH CASCADE • REVOKE RESOURCE FROM ADAMS • REVOKE DBA FROM SMITH CASCADE Dr. Peng Ning

  29. Non-cascading Revocation A B C D 20g 10g 30g A B D 30g 10g Dr. Peng Ning

  30. Why Non-cascading Revoke • Reasons for revoke • Task is done. No need to have the privilege anymore • Task is still in progress. But a member left the project (e.g., promoted) Dr. Peng Ning

  31. Example 80 G E B 20 40 50 D A 30 C 70 F 60 Dr. Peng Ning

  32. Example 80 G E B 20 40 50 D A 30 C 70 F 60 After cascading revocation B 20 D A 30 C 70 F 60 Dr. Peng Ning

  33. Example 80 G E B 20 40 50 D A 30 C 70 F 60 After non-cascading revocation 50 80 G E B 20 70 A D 30 C F 60 70 Dr. Peng Ning

  34. Why Positive & Negative Authorization • Closed world policy • Cannot access unless explicitly granted the right • Negative authorization • User A should not be allowed to read table Emp • Need explicit deny policies Dr. Peng Ning

  35. Positive & Negative Authorizations 40 — B E 10 + g 30 + g A D 20 — C Dr. Peng Ning

  36. Complication • It is possible to have two authorizations • Grant A privilege p • Deny A privilege p • Negative authorizations override positive authorizations Dr. Peng Ning

  37. Problem 1 User B gives D negative authorization at time 50 : 40 — B E 50 — 10 + g 30 + g A D 20 — C In our model, positive authorization granted by A to D becomes blocked, but we do not delete the authorization. Dr. Peng Ning

  38. Problem 2 Suppose D receives negative authorization from B at time 60 : 40 — B E 10 + g 60 — 30 + g 50 + A D F 20 — C What about the privilege given to F by D? Under our approach, it becomes blocked, but we do not delete it. Dr. Peng Ning

  39. Revocation When Negative Authorizations Are Present Given : 40 — B E 10 + g 60 — 30 + g 50 + A D F 20 — C Suppose A revokes B’ s privilege. Dr. Peng Ning

  40. Cascading Revocation When Negative Authorizations Are Present 30 + g 50 + A D F 20 — C Dr. Peng Ning

  41. Non-cascading Revocation When Negative Authorizations Are Present E 40 — 60 — 50 + A D F 30 + g C 20 — Dr. Peng Ning

More Related