Database Security

1
Database Security
2
DB Security subsystem

• Authentication - ensures that a user is who he or
  she claims to be.
• Authorization - allows the user access to various
  resources based on the user's identity (a.k.a.
  permission, access right, privilege)
• Privacy - DBMS should provide confidentiality

3
Database Security

• Different aspects of database security
• data encryption - encoding, transmission,
  decoding
• allow retrieval of statistical information
• protect individual information (could be deduced
  by smart queries)
• Access control for a whole DBMS
• account numbers and passwords
• Access control for portions of a database
• DB security and authorization subsystems secure
  portions of a DB against unauthorized access (4
  approaches)
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Role Based Access Control (RBAC)
• Attribute Based Access Control (ABAC)

4
DBA

• DBA is responsible for the overall security of
  the DB system. In particular
• Account creation - access to the whole DBMS
• Privilege granting - DAC
• Privilege revocation - DAC
• Security level assignment MAC
• Role assignment RBAC
• Attribute assignment - ABAC

5
Discretionary Access Control

• DAC

6
Discretionary Access Control

• Based on granting and revoking privileges
• 2 levels for assigning privileges
• account level (subject)
• independent of the relations
• create schema, create table, create view
• relation level (object)
• on a particular base relation or view

7
Access (authorization) matrix model

• row - subject
• column - object
• M(i,j) -gt read, write, update
• for example M(a,B) read means that subject a
  hold a read privilege on object B
• Owner of the relation (typically the creator) is
  assigned the owner account for that relation and
  is given all privileges on that relation

8
Grant SQL statement

• Grant privileges on table view to user
  public role
• Where privileges are
• Select, alter, delete, update, index, references,
  insert, all
• Can specify list of (columns) after privileges
  only for insert, update
• Cannot specify list of columns for select
  privileges
• Grant select, delete on Employee, Department
• to Smith

9
To access tables granted permission

• User granted access to table must qualify name of
  that table with owner
• Select
• from jones.Employee
• where dno 4

10
Grant/Revoke

• Revoking privileges
• Revoke privilege on table view from user
  public role
• Revoke delete on Department from Smith

11
Example of grant/revoke

• Example U1 issues
• Create table Employee(SSN, Fname, Lname, Salary)
• Propagating/Revoking privileges - horizontal and
  vertical
• Use WITH GRANT OPTION
• U1 can issue the following statements
• Grant select on Employee to A2
• Grant select on Employee to A3 with grant option
  
• Revoke select on Employee from A3

12
Using views for Security

• What if you only want a use to see some of the
  rows from a table?
• Or some of the columns?
• Can use views

13
Using Views for Security

• Create view EMP as select Fname, Lname, address
  from Employee where dno5
• Grant select on EMP to all

14
Roles

• Role-based access control (RBAC)
• Sandhu, R., Coyne, Feinstein, Youman Role-Based
  Access Control Models http//csrc.nist.gov/rbac/
  sandhu96.pdf
• Semantic construct
• System administrator creates roles according to
  job functions
• Role
• Specific task competency, duty assignments
• Embody authority and responsibility
• Grant permissions to roles and users
• Permissions Roles, Roles Users

15
Role Based Access Control

• RBAC

16
Motivation

• Many organizations
• Base access control in role of individual users
• Want to centrally control and maintain access
  rights
• Access control needs are unique
• commercially available products lack flexibility

17
Motivation

• Roles define individuals and extent of resource
  access
• Combination of users and permissions can change
• E.g. user membership in roles
• Permissions associated with roles stable
• Administration of roles rather than permissions
• Role permission predefined
• Easier to add/remove users membership than create
  new roles/permissions
• Roles part of SQL3
• Supported by many software products
• Roles used in Windows NT, XP (system admin)

18
RBAC basics

• Access control in RBAC exists in
• Role-permission
• User-role
• Role-role relationships
• RBAC supports principles
• Least privilege
• Separation of duties- mutually exclusive roles
• Data abstraction- abstract permissions (not just
  R/W)
• Limitations
• RBAC cannot enforce way principles applied
  system admin could configure to violate

19
Groups vs. roles

• Groups a collection of users, but not a
  collection of permissions
• Roles a collection of users and permissions
• Example Unix group membership defined in
• /etc/passwd and /etc/group
• Permission bits set for files and directories
• To determine permissions for a group requires
  traversing entire file system tree
• Unix groups can implement roles

20
RBAC models

• Authors proposed four conceptual models
• RBAC0
• Minimum for RBAC
• RBAC1
• RBAC0 plus role hierarchies
• RBAC2
• RBAC0 plus constraints
• RBAC3
• RBAC1 plus RBAC2

21
RBAC models
22
RBAC models
23
RBAC definitions

• Permission
• Can be access to entire subnetwork or record in
  table
• Example user assignment, permission assignment
  tables can be Many-many
• User/roles, roles/permissions
• Role provides greater control between users and
  permissions

24
Sessions

• Users establish sessions during which activate
  a subset of roles
• Each session associated with a single user
• User can have multiple sessions open
• User determines which roles activated in any
  session

25
Role hierarchies

• More powerful roles at top, less powerful on
  bottom
• Inherits up
• Inheritance transitive
• Multiple inheritance
• Partial order - reflexive, transitive,
  antisymmetric
• Can create private roles not inherited

26
(No Transcript)
27
Constraints

• Mutually exclusive roles
• User at most 1 role in ME set
• Combinations of roles and permissions can be
  prohibited
• Cardinality
• Maximum number of members in a role
• Minimum cardinality difficult to implement
• Prerequisite role
• User assigned to role B, only if assigned to A
• Permission p assigned to role only if role has
  permission q

28
In Oracle

• Rather than grant privileges to individual users,
  can grant them to groups using roles
• Create role role_name identified by pw
• Grant privilege on table to role_name
• Grant role_name to user
• The user must enable the role if a pw is
  specified with the command
• Set role role_name identified by pw

29
Mandatory Access Control

• MAC

30
Mandatory Access Control

• Users have security clearances, data has
  security classifications
• Need to restrict the access according to security
  level of user and data
• Useful for environments with hierarchical
  propagation of information
• Each subject and object are classified into one
  of the security classifications
• Security classes example
• TS(Top Secret), S (Secret), C(Classified), U
  (Unclassified)
• TS gt S gt C gt U

31
Bell-LaPadulla properties

• Restrictions on data access
• simple property No READ UP
• star () property No WRITE DOWN (write at own
  level)
• necessary but not sufficient conditions
• May still have problems covert channel
• Indirect means by which info at higher levels
  passed to lower levels

32
MLS

• multilevel relation (MLS) schema
• classification attribute C
• tuple classification TC
• Lowest user level that can see tuple
• R(A1, C1, A2, C2, ...An, Cn, TC) Jajodia-Sandhu
  

33
MLS Relation Example

• Vessel(pk) Objective Destination TC
• Micra U Shipping U Moon U U
• Vision U Spying U Saturn U U
• Avenger C Spying C Mars C C
• Logos S Shipping S Venus S S

34
Who sees what?

• Vessel(pk) Objective Destination TC
• Micra U Shipping U Moon U U
• Vision U Spying U Saturn U U
• Avenger C Spying C Mars C C
• Logos S Shipping S Venus S S

35
MLS

• Level U sees first 2 tuples
• Level C sees first 3 tuples
• Level S sees all tuples

36
MLS Insert

• What if a U user wants to insert a tuple with
  vessel Avenger?
• If insert another Avenger
• will have 2 avengers problems?
• Violates uniqueness
• If reject the insert what will happen?
• Covert channel

37
MLS Relation

• Vessel Objective Destination TC
• Micra U Shipping U Moon U U
• Vision U Spying U Saturn U U
• Avenger U Shipping U Mars U U
• Avenger C Spying C Mars C C
• Logos S Shipping S Venus S S

38
MLS Update

• What if the S level wants to update one of the
  tuples at the U level? (Vision)
• U cannot see the update
• Replicate the tuple polyinstantiation
• What if U then updates objective?

39
MLS Relation

• Vessel Objective Destination TC
• Micra U Shipping U Moon U U
• Vision U Spying U Saturn U U
• Avenger U Shipping U Moon U U
• Avenger C Spying C Mars C C
• Logos S Shipping S Venus S S
• Vision U Spying U Venus S S

40
Issues

• Entity integrity
• What is the primary key?
• Updates
• Insert, delete update

41
MLS Model

• apparent key
• user defined primary key
• PK Classification tuple classification
• polyinstantiation
• more than one tuple with the same apparent key
  value but different attribute values for users at
  different classification levels
• - entity (tuple) polyinstantiation
• - attribute (element) polyinstantiation

42
Covert Chanel

• Indirect downward flow of information
• must be avoided since it allows downward flow of
  information
• Can occur if reject update
• Can be used maliciously (higher level user can
  signal lower level user)

43
Jajodia Sandhu MLS Model early model

• Entity integrity rule
• all attributes that are members of the apparent
  key must not be null and must have the same
  security classification within each individual
  tuple
• Null integrity
• Nulls are classified at the level of the key
• One tuple does not subsume another (null values
  subsumed by non-null values)
• Inter-Instance Integrity
• User can only see portion of relation for which
  is cleared (use filters)
• Data not cleared is set to null
• Eliminate subsumed tuples

44
Jajodia Sandhu MLS Model

• S-user view
• Vessel Objective Destination TC
• Enterprise U Exploration U Talos U
  U
• Voyager U Spying S Mars S S
• U-user view
• Vessel Objective Destination TC
• Enterprise U Exploration U Talos U
  U
• Voyager U Null U Null U U

45
Jajodia Sandhu MLS Model

• Polyinstantiation Integrity
• AK, CAK, Ci -gt Ai
• Implies Primary key in MLS is
• AK U CAK U CR
• AK are data in PK, CAK is class of PK data, CR is
  data not in AK

46
Examples of Polyinstantiation Integrity

• Legal instance
• Vessel Objective Destination TC
• Enterprise U Exploration U Talos U
  U
• Voyager U Exploration U Talos U U
• Voyager U Spying S Mars S S
• Illegal instance
• Vessel Objective Destination TC
• Voyager U Exploration S Talos S S
• Voyager U Spying S Mars S S

47
Jajodia Sandhu MLS Model

• Suppose S-user updates Enterprise destination to
  Rigel
• Vessel Objective Destination TC
• Enterprise U Exploration U null U
  U
• Enterprise U Exploration U Rigel S
  S
• What is view to U-user? S-user?
• What does the null mean? Problem!

48
Insert

• Suppose S wants to insert (Enterprise, Spying,
  Rigel) into
• Vessel Objective Destination TC
• Enterprise U Exploration U Talos U
  U
• Can this insert be rejected? Should it be?
• Vessel Objective Destination TC
• Enterprise U Exploration U Talos U
  U
• Enterprise S Spying S Rigel S S
• Are these different or the same? Problem!

49
Update

• U view
• Vessel Objective Destination TC
• Enterprise U Exploration U null U
  U
• S view
• Vessel Objective Destination TC
• Enterprise U Exploration U null U
  U
• Enterprise U Exploration U Rigel S
  S
• U user wants to update, set Destination Talos
  where Starship Enterprise

50
Update

• U view
• Vessel Objective Destination TC
• Enterprise U Exploration U Talos U
  U
• S View
• Vessel Objective Destination TC
• Enterprise U Exploration U Talos U
  U
• Enterprise U Exploration U Rigel S
  S
• Suppose S users want to update, set
  objectivespying where starship Enterprise
  and destination Rigel
• Vessel Objective Destination TC
• Enterprise U Exploration U Talos U
  U
• Enterprise U Spying S Rigel S S

51
Update

• Vessel Objective Destination TC
• Enterprise U Exploration U Talos U
  U
• Enterprise U Spying S Rigel S S
• What if S user set objectivespying where
  starshipEnterprise
• Vessel Objective Destination TC
• Enterprise U Exploration U Talos U
  U
• Enterprise U Spying S Talos U S
• Enterprise U Spying S Rigel S S
• Problem because there are now 2 Enterprise U with
  a TC of S.
• What does it mean?

52
Winslett Smith Belief Model

• Tuples at users level believe info
• See info at lower levels
• R(K, KC, A1, A2, ... An, TC)  Smith-Winslett
• Every tuple has a base tuple level at which
  first inserted

53
Winslett Smith Belief Model

• Can distinguish between different entities, and
  same entities, different belief
• Vessel Objective Destination TC
• Enterprise U Exploration U Talos U
  U
• Enterprise S Spying S Rigel S
  S
• Or
• Enterprise S Spying S Rigel S
  S

54
MLR Model Sandhu Chen

• Relational operations still messy in
  Winslett/Smith
• Try to eliminate semantic ambiguity
• Borrowing to indicate belief in lower level
  tuples
• Does it mean T or F?
• Cannot indicate disbelief

55
Extensions to MLS model

• Belief consistent model (Jukic-Vrbsky)
• Can easily see what others believe at lower
  levels
• Can assert if one level believes lower level
  belief is false
• Reduces tuple propagation
• Can even have a cover story for a PK
• Useful for e-Business and Customer Relationship
  Modeling (CRM).

56
Beliefs

• True believe tuple representing object is true
• False- believe object exists, but values are
  false
• Mirage tuple dont even believe in existence of
  object
• Unverified no belief may be T or F

57
BC-MLS relational model

• Expanded set of labels - belief-consistent labels
  Example
• Levels with - preceding it indicate false
• Levels that follow with indicate true
• Can label an attribute as True, False or not
  verified on a classification level
• Introduce Belief Property - e.g. if believe a
  particular value is True, then a different value
  for that same attribute must be False
• Include asserting beliefs, such as verifyTrue or
  verifyFalse

58
BC-MLS relational model

• Redefine Integrity Properties  Entity,
  Polyinstantiation, Base Tuple, Foreign Key,
  Referential Integrity Properties
• Define belief-consistent relational algebra
  operations and update/delete operations
• Non-key related cover stories - paper
• E-commerce

59
(No Transcript)
60
(No Transcript)
61
Key Loophole

• Use SEID
• Redefine properties
• Define relational algebra operations

62
Properties

• Entity Integrity Property A multilevel relation
  R satisfies entity integrity iff, ? t ? R
• KK ? K ? tKK ? null,
• tKC ? null
• ? Ai ? K ? pl(tCi) ? pl(tKC), for 1 ? i ?
  n.
• Polyinstantiation Integrity Property A
  multilevel relation R satisfies polyinstantiation
  integrity iff, ? t ? R
• K, pl(KC), pl(Ci) ? Ai, for 1 ? i ? n
• K, pl(KC), pl(TC) ? Ai, Ci for 1 ? i ? n

63
Properties

• Base Tuple Integrity Property A multilevel
  relation R satisfies the base tuple property iff,
  ? t ? R there is a tb ? R, such that
• tK tbK
• pl(t(KC) pl(tbKC)
• pl(tbKC) pl(tbCi) pl(tbTC) for 1 ? i ?
  n
• tbAi ? null for 1 ? i ? n
• Referential Integrity Property When FK is a
  foreign key of the referencing relation R1 with
  FKC as its classification, and R2 is the
  referenced relation with an apparent primary key
  K, instances r1 of R1 and r2 of R2 satisfy
  referential integrity iff, ? t1 ? r1 such that
  t1FK ? null, and there exists a t2 ? r2 such
  that
• t1FK t2K
• pl(t1FKC) ? pl(t2KC)
• lb(pl(t1TC), t2TC) pl(t1TC).

64
Properties

• Foreign Key Integrity Property If FK is a
  foreign key of the referencing multilevel
  relation R, relation R satisfies the foreign key
  property iff ? t ? R
• Either ? Ai ? FK, tAi null for 1 ? i ? n or
  ? Ai ? FK, tAi ? null for 1 ? i ? n

65
Select operation

• ??(R)
• ? clause (boolean_op clause)
• where means zero or more, boolean_op is AND,
  OR, and NOT, and 
• clause Ei op Ej Ei op a Ei L b (boolean_op
  L b) TC L b (boolean_op L b).

66
Also did

• Proof of security

67
MLS Model

• In Oracle
• Oracle Label Security in 10g
• Sensitivity labels and security clearances

68
DAC, MAC vs. RBAC

• DAC vs. MAC emerged from defense security
  research
• RBAC independent of access control
• RBAC can be used to implement DAC, MAC

69
Attribute Based Access Control

• ABAC

70
ABAC

• Attribute Based Access Control
• Motivation web based services technologies and
  service oriented architectures
• Dynamic and adhoc
• Based on subject, object and environment
  attributes
• Supports MAC and DAC needs
• Slides based on Attribute Based Access Control
  ABAC for Web Services, E. Yuan, J. Tong, ICWS05.

71
Web services

• No longer have stove-piped info systems
• Instead collaboration and info sharing
• Must balance accessibility with protection
• Currently
• Firewall, intrusion detection (HTTP) can have
  potential attacks not detectable
• Need set of known users may not be feasible
• Simple, static, coarse grained (roles) doesnt
  take into account current threat level, community
  of interest

72
Standards

• Industry Standards
• Security Assertions Markup Language (SAML)
• Authentication/authorization represented as XML
  assertions
• XML Access Control Markup Language (XACML)
  defined architecture and policy language for
  access control
• Web Services Security (WSS) foundation for Simple
  Object Access Protocol (SOAP)
• Security tokens, XML digital signature, XML
  encryption
• Standards focused on defining wire format not
  service-level semantics, different parties
  interface with each other, need end-to-end
  security

73
Definition of ABAC

• ABAC
• Policy model defines ABAC policies
• Architecture model applies policies
• Attributes
• Subject entity (user, application, process)
  that acts on a resource
• Attributes subjects ID, name, organization,
  job title
• Resource entity acted upon by subject
• Title, subject, date, author, ownership
  (extracted from metadata)
• Environment operational, technical, situational
• Current date/time, virus/hacker activities,
  network security level
• Not associated with a particular subject or
  resource
• Evaluation of policy rules first order logic,
  forward chaining

74
Attributes

• ATTR(s) SA1 X SA2 X X SAk
• ATTR(r) RA1 X RA2 X X RAk
• ATTR(s) EA1 X EA2 X X Eak
• Assign attributes to s, r, e
• Role(s) Service Consumer
• ServiceOwner(r) XYZ, Inc.
• CurrentDate(e) 01-23-2005

75
Rules

• Rule can_access (s, r, e) ? f(ATTR(s), ATTR(r),
  ATTR(e))
• Policy rules
• Rule1 can_access(s, r, e) ? (Role(s)Manager)
  (Name(r)ApprovePurchase) // RBAC
• Rule2 can_access(s, r, e) ? (UserID(s)
  ResourceOwner(r))
• // resource can only be accessed by owner

76
Authorization Architecture

• Attribute Authorities AA
• creating, managing attributes for s, r, e
• Binding attributes to entity of interest
• Policy Enforcement Point PEP
• requesting and enforcing authorization
• decisions
• Point of presence for access control, cannot be
  bypassed
• Policy Decision Point PDP
• Evaluating policies and making authorization
  decisions
• When policy references s, r, or e, contacts AA to
  retrieve attribute values
• Policy Authority PA
• Create/manages access control policies

77
ABAC vs RBAC

• Example
• RBAC
• 3 roles adult, juvenile, child
• 3 permissions can view R-rated movies, PG-13
  movies, G-rated movies
• Adult all 3 permissions, juvenile 2, child 1

78
Example

• ABAC
• Age is s attribute, rating r attribute
• Eliminates definition/management of static roles

79
Expand example

• Suppose expand to include new, old release
• Changes to RBAC Changes to ABAC

80
Securing Web Services
81
Implementation

• JAX-RPC message handlers to intercept SOAP
  request messages
• Policy decision services implemented using Apache
  Axis
• Policy stored and retrieved in XACML

82
Advantages of ABAC

• Intuitive to model
• More flexible and powerful
• Management of security can be distributed over
  network (AA, PA)
• Can implement DAC, MAC, RBAC in ABAC