Database Security. CS 645, Apr 10, 2008. Gerome Miklau, UMass Amherst (PowerPoint presentation)



SLIDE 1

Database Security

CS 645 Apr 10, 2008 Gerome Miklau, UMass Amherst

SLIDE 2

Outline

  • Security basics
  • Access control in Databases
  • Privacy foundations
  • Beyond access control

SLIDE 3

Security properties

  • Confidentiality
  • Authenticity
  • Availability
  • Privacy

SLIDE 4

Confidentiality

A guarantee that data has not been disclosed to an unauthorized party.

  • Threats to confidentiality
    – direct release, approximate disclosure, leaks from inference & outside knowledge
  • Providing confidentiality
    – access controls, inference controls, encryption

SLIDE 5

Authenticity

Also called: data integrity

A guarantee that data has not been modified from its original state by an unauthorized party.

  • Aspects of authenticity:
    – data comes from original source
    – not modified
    – freshness: current, not re-used
  • Threats to authenticity:
    – forging, tampering, replay
  • Providing authenticity
    – access control, digital signatures, hashing

SLIDE 6

Confidentiality or Authenticity?

  • Which security properties matter for:
    – Student grades for this course stored in database.
    – Resume or CV posted on webpage.
    – Medical records stored in database.

SLIDE 7

Availability

A guarantee that data is available when needed.

  • Threats to availability: denial of service
  • Providing availability: conventional concern of databases

SLIDE 8

Privacy

Informational Privacy (Westin): the ability to determine for ourselves when, how, and to what extent information about us is communicated to others.

  • Requires both data confidentiality & authenticity

SLIDE 9

  • Security basics
  • Access control in Databases
  • Privacy foundations
  • Beyond access control

SLIDE 10

Access control

  • Regulates direct access to resources
    – Subjects (i.e. registered users)
    – Objects (files, directories, tables)
    – Privileges (read, write, insert, delete, etc.)
  • Discretionary access control
    – Users can grant access at their discretion.
  • Mandatory access control
    – All subjects and objects classified by an authority and global rules determine privileges.

SLIDE 11

SQL Security

  • Core security features present in nearly all database systems:
    – User authentication
    – Discretionary access control:
      • Subjects (database users)
      • Privileges (select, insert, delete, update)
      • Objects (tables, columns, views)
    – In SQL: GRANT / REVOKE

System R authorization model [Griffiths and Wade ’76], [Fagin ’78]

SLIDE 12

Database system security

[Diagram: the Client sends an SQL query/update to the Server and receives a Result. Inside the DB system the request passes through the Parser, then Access Control, then the Query engine. The tables live in the File system of the OS.]

SLIDE 13

Discretionary AC in SQL

GRANT privileges ON object TO users [WITH GRANT OPTION]

privileges = SELECT | INSERT(column-name) | UPDATE(column-name) | DELETE | REFERENCES(column-name)

object = table | view

SLIDE 14

Examples

GRANT INSERT, DELETE ON Customers TO Yuppy WITH GRANT OPTION

Queries allowed to Yuppy:

INSERT INTO Customers(cid, name, address) VALUES (32940, 'Joe Blow', 'Seattle')
DELETE FROM Customers WHERE LastPurchaseDate < 1995

Queries denied to Yuppy:

SELECT Customers.address FROM Customers WHERE name = 'Joe Blow'

SLIDE 15

Examples

GRANT SELECT ON Customers TO Michael

Now Michael can SELECT, but not INSERT or DELETE

SLIDE 16

Examples

GRANT SELECT ON Customers TO Michael WITH GRANT OPTION

Michael can say this:

GRANT SELECT ON Customers TO Yuppy

Now Yuppy can SELECT on Customers

SLIDE 17

Examples

GRANT UPDATE (price) ON Product TO Leah

Leah can update, but only Product.price, not Product.name

SLIDE 18

Examples

Customer(cid, name, address, balance)
Orders(oid, cid, amount)   cid = foreign key referencing Customer

Bill has INSERT/UPDATE rights on Orders. BUT HE CAN’T INSERT! (why?)

GRANT REFERENCES (cid) ON Customer TO Bill

Now Bill can INSERT tuples into Orders.

SLIDE 19

Views and Security

David owns Customers:

Name  Address   Balance
Mary  Huston     450.99
Sue   Seattle   -240
Joan  Seattle    333.25
Ann   Portland  -520

David says:

CREATE VIEW PublicCustomers AS SELECT Name, Address FROM Customers;
GRANT SELECT ON PublicCustomers TO Fred

Fred is not allowed to see this (the Balance column).

SLIDE 20

Views and Security

David owns Customers:

Name  Address   Balance
Mary  Huston     450.99
Sue   Seattle   -240
Joan  Seattle    333.25
Ann   Portland  -520

David says:

CREATE VIEW BadCreditCustomers AS SELECT * FROM Customers WHERE Balance < 0;
GRANT SELECT ON BadCreditCustomers TO John

John is allowed to see only the rows with balance < 0.

SLIDE 21

Views and Security

  • Each customer should see only her/his record

Name  Address   Balance
Mary  Huston     450.99
Sue   Seattle   -240
Joan  Seattle    333.25
Ann   Portland  -520

David says:

CREATE VIEW CustomerMary AS SELECT * FROM Customers WHERE name = 'Mary';
GRANT SELECT ON CustomerMary TO Mary

CREATE VIEW CustomerSue AS SELECT * FROM Customers WHERE name = 'Sue';
GRANT SELECT ON CustomerSue TO Sue

. . .

Doesn’t scale. Need row-level access control!
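The three kinds of view on slides 19 to 21, as a runnable model added here for illustration (this is not code from the slides; it uses Python's standard sqlite3 module). SQLite has no GRANT/REVOKE, so the "GRANT SELECT ON view TO user" step cannot be shown; what runs is the view-as-policy part: a column-restricting view (PublicCustomers), a fixed-predicate row view (BadCreditCustomers), and, for the "doesn't scale" problem, a single row-level view whose predicate reads the caller's identity from a session table instead of hard-coding one name per view. The session_user table, the MyCustomer view and the functions setup, columns_of, bad_credit_names and rows_visible_to are my own names; the sample rows are constructed to match the table on the slides.

```python
import sqlite3

# Constructed sample rows matching the Customers table shown on the slides.
CUSTOMERS = [
    ("Mary", "Huston", 450.99),
    ("Sue", "Seattle", -240.0),
    ("Joan", "Seattle", 333.25),
    ("Ann", "Portland", -520.0),
]


def setup() -> sqlite3.Connection:
    """Create David's Customers table and the three security views."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Customers (Name TEXT PRIMARY KEY, Address TEXT, Balance REAL)"
    )
    con.executemany("INSERT INTO Customers VALUES (?, ?, ?)", CUSTOMERS)

    # Column restriction (slide 19): Fred would get SELECT on this view only,
    # never on Customers itself, so Balance is never visible to him.
    con.execute("CREATE VIEW PublicCustomers AS SELECT Name, Address FROM Customers")

    # Row restriction by a fixed predicate (slide 20): John sees only balance < 0.
    con.execute(
        "CREATE VIEW BadCreditCustomers AS SELECT * FROM Customers WHERE Balance < 0"
    )

    # Row-level control with ONE view (the fix for slide 21): the predicate
    # reads the caller's identity from session_user, a hypothetical stand-in
    # for the DBMS's own session identity (e.g. CURRENT_USER in SQL).
    con.execute("CREATE TABLE session_user (name TEXT)")
    con.execute(
        "CREATE VIEW MyCustomer AS SELECT * FROM Customers "
        "WHERE Name = (SELECT name FROM session_user)"
    )
    con.commit()
    return con


def columns_of(con: sqlite3.Connection, view: str) -> list:
    """Column names a view exposes (view name is program-chosen, not user input)."""
    cur = con.execute(f"SELECT * FROM {view} LIMIT 0")
    return [d[0] for d in cur.description]


def bad_credit_names(con: sqlite3.Connection) -> list:
    """Names visible through BadCreditCustomers, sorted for a stable result."""
    return [r[0] for r in con.execute("SELECT Name FROM BadCreditCustomers ORDER BY Name")]


def rows_visible_to(con: sqlite3.Connection, user: str) -> list:
    """Bind the session identity, then query the shared row-level view."""
    con.execute("DELETE FROM session_user")
    con.execute("INSERT INTO session_user VALUES (?)", (user,))
    return con.execute("SELECT Name, Address, Balance FROM MyCustomer").fetchall()


if __name__ == "__main__":
    con = setup()
    print(columns_of(con, "PublicCustomers"))  # Fred's view: ['Name', 'Address']
    print(bad_credit_names(con))                # John's view: ['Ann', 'Sue']
    print(rows_visible_to(con, "Mary"))         # [('Mary', 'Huston', 450.99)]
    print(rows_visible_to(con, "Nobody"))       # []
```

The single MyCustomer view only provides row-level control if two conditions hold in the real system: the session identity it reads must be set by the DBMS from authentication, not writable by the user (here session_user is a plain table purely for demonstration), and the user must hold SELECT on the view but not on Customers. Without the second condition the view restricts nothing, which is the same point the slides make for Fred and John.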

SLIDE 22

Revocation

REVOKE [GRANT OPTION FOR] privileges ON object FROM users { RESTRICT | CASCADE }

Administrator says:

REVOKE SELECT ON Customers FROM David CASCADE

John loses SELECT privileges on BadCreditCustomers (the privileges on David's view depend on David's SELECT privilege on Customers, so they are withdrawn with it).

SLIDE 23

Revocation

Same privilege, same object, GRANT OPTION throughout:

  1. Joe: GRANT [….] TO Art …
  2. Art: GRANT [….] TO Bob …
  3. Bob: GRANT [….] TO Art …
  4. Joe: GRANT [….] TO Cal …
  5. Cal: GRANT [….] TO Bob …

Joe: REVOKE [….] FROM Art CASCADE

What happens??

[Diagram: grant graph Admin -> Joe; Joe -> Art (1), Art -> Bob (2), Bob -> Art (3), Joe -> Cal (4), Cal -> Bob (5); grant 1 is revoked.]

Everyone keeps the privilege: REVOKE removes privileges from all users who hold the privilege SOLELY through a grant command executed by the revoking user. Art still holds it through Bob (3), Bob through Cal (5), and Cal through Joe (4), so no one depended solely on grant 1.
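A runnable model of the grant graph used on this slide and on the GRANT/REVOKE slides before it, added here as an illustration (not code from the slides or from any DBMS). It encodes the rule quoted above: a user holds a privilege only while it is reachable from the object's owner through a chain of grantors who each held the GRANT OPTION; REVOKE ... CASCADE drops every grant that becomes unreachable, and RESTRICT refuses if any would. The class and function names (AuthGraph, holds, grant, revoke, slide23_scenario) and the "Admin"/"T" labels are my own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One executed GRANT statement (hypothetical model, not a real catalog)."""
    seq: int            # order in which the GRANT was issued
    grantor: str
    grantee: str
    priv: str           # e.g. "SELECT"
    obj: str            # e.g. "Customers"
    grant_option: bool  # WITH GRANT OPTION


class AuthGraph:
    """Discretionary access control in the System R / SQL GRANT style.

    The object's creator (owner) holds every privilege implicitly. Anyone else
    holds a privilege only if it is reachable from the owner along grants whose
    grantors all held the grant option at check time.
    """

    def __init__(self, owner: str):
        self.owner = owner
        self.grants: list = []
        self._seq = 0

    @staticmethod
    def _select(grants, priv, obj):
        return [g for g in grants if g.priv == priv and g.obj == obj]

    def _closure(self, grants, priv, obj):
        """Return (holders, holders_with_grant_option) for one privilege/object."""
        relevant = self._select(grants, priv, obj)
        with_go = {self.owner}
        changed = True
        while changed:  # fixed point over grant-option edges reachable from the owner
            changed = False
            for g in relevant:
                if g.grant_option and g.grantor in with_go and g.grantee not in with_go:
                    with_go.add(g.grantee)
                    changed = True
        holders = set(with_go)
        holders.update(g.grantee for g in relevant if g.grantor in with_go)
        return holders, with_go

    def holds(self, user, priv, obj, with_grant_option=False) -> bool:
        holders, with_go = self._closure(self.grants, priv, obj)
        return user in (with_go if with_grant_option else holders)

    def grant(self, grantor, grantee, priv, obj, grant_option=False):
        """GRANT priv ON obj TO grantee [WITH GRANT OPTION], issued by grantor."""
        if not self.holds(grantor, priv, obj, with_grant_option=True):
            raise PermissionError(f"{grantor} may not grant {priv} on {obj}")
        self._seq += 1
        self.grants.append(Grant(self._seq, grantor, grantee, priv, obj, grant_option))

    def revoke(self, revoker, grantee, priv, obj, cascade=False) -> set:
        """REVOKE priv ON obj FROM grantee {RESTRICT | CASCADE}, issued by revoker.

        Only the revoker's own grants to grantee are withdrawn. Grants whose
        grantor no longer holds the grant option afterwards are abandoned:
        CASCADE drops them (the closure handles chains), RESTRICT refuses.
        Returns the set of users who lost the privilege.
        """
        before, _ = self._closure(self.grants, priv, obj)
        kept = [g for g in self.grants
                if not (g.grantor == revoker and g.grantee == grantee
                        and g.priv == priv and g.obj == obj)]
        if len(kept) == len(self.grants):
            raise PermissionError(f"{revoker} never granted {priv} on {obj} to {grantee}")
        after, with_go = self._closure(kept, priv, obj)
        abandoned = [g for g in self._select(kept, priv, obj) if g.grantor not in with_go]
        if abandoned and not cascade:
            raise PermissionError("dependent grants exist; RESTRICT refuses, use CASCADE")
        self.grants = [g for g in kept if g not in abandoned]
        return before - after


def slide23_scenario() -> tuple:
    """Grants 1-5 from the slide, then Joe's CASCADE revoke from Art.

    Returns (users who lost the privilege, users who still hold it).
    """
    g = AuthGraph("Admin")
    g.grant("Admin", "Joe", "SELECT", "T", grant_option=True)
    g.grant("Joe", "Art", "SELECT", "T", grant_option=True)   # 1
    g.grant("Art", "Bob", "SELECT", "T", grant_option=True)   # 2
    g.grant("Bob", "Art", "SELECT", "T", grant_option=True)   # 3
    g.grant("Joe", "Cal", "SELECT", "T", grant_option=True)   # 4
    g.grant("Cal", "Bob", "SELECT", "T", grant_option=True)   # 5
    lost = g.revoke("Joe", "Art", "SELECT", "T", cascade=True)
    still = {u for u in ("Joe", "Art", "Bob", "Cal") if g.holds(u, "SELECT", "T")}
    return lost, still


if __name__ == "__main__":
    print(slide23_scenario())  # (set(), {'Joe', 'Art', 'Bob', 'Cal'})
```

Running the scenario reproduces the slide's answer: the revoke removes nobody, because Art is still reachable as Joe -> Cal (4) -> Bob (5) -> Art (3). Real engines differ in detail: the original System R algorithm also uses grant timestamps and would treat grants 2 and 3 as made "before" Bob's surviving source, so it revokes more than the pure reachability rule modelled here. Before relying on CASCADE to clean up privileges, check which semantics the target DBMS documents.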

SLIDE 24

Summary of SQL Security

Access control = great success story of the DB community...

Limitations:
  • No row level access control
  • Table creator owns the data

… or spectacular failure:
  • Only 30% assign privileges to users/roles
    – And then to protect entire tables, not columns


SLIDE 25

  • Security basics
  • Access control in Databases
  • Privacy foundations
  • Beyond access control

SLIDE 26

Next

  • Security basics
  • Access control in Databases
  • Privacy foundations
  • Beyond access control

SLIDE 27

Computers and privacy

Virtually every department of government and law enforcement agency, every credit bureau, insurance company, big business, every important educational establishment, ... is using computer technology to gather personal information on as many people as they can.

Excerpted from Miller, The Assault on Privacy, published in 1971

SLIDE 28

Roots of privacy

  • Historical roots in the bible, Aristotle, ancient Chinese culture
  • Recognized as a fundamental human right.
  • Nearly every country mentions right to privacy explicitly in constitution.
    – Except US, Ireland, India

SLIDE 29

Definitions of privacy

SLIDE 30

Definitions of privacy

  • Gavison, 1980: protection from being brought to the attention of others
    Privacy is a complex of concepts concerned with the accessibility others have to us. One has perfect privacy when one is completely inaccessible to others.
  • Privacy can be gained through:
    – secrecy - when no one has information about us
    – anonymity - when no one pays attention to us
    – solitude - when no one has physical access to us

SLIDE 31

Informational privacy

  • Westin, 1967: the ability to determine for ourselves when, how, and to what extent information about us is communicated to others.
  • Hughes, 1993: the power to selectively reveal oneself to the world.

SLIDE 32

Privacy, For and Against

  • A fundamental human right
  • Aspect of personal freedom, liberty
  • Requirement for democracy
  • Prerequisite to developing sense of self.

SLIDE 33

Privacy, For and Against

  • Surveillance has benefits
  • Accountability requires sacrificing privacy
  • Posner (1981) - Economic critique
  • MacKinnon (1989) - Feminist critique
  • Brin (1999) - Increased flow of information can benefit all, if access is free and equal.

SLIDE 34

Attitudes

  • Westin’s categories, through surveys
    – Privacy fundamentalist (25%): feel they’ve lost privacy, resistant to further erosion
    – Privacy pragmatist (55%): concerned about privacy, but willing to share info given choice and notice
    – Privacy unconcerned (20%)

Jennicam, 1996

SLIDE 35

Behavior != Attitude

  • Behavior is not always consistent with stated attitudes
    – economic model of behavior - rational economic agents protecting or divulging their personal info
    – price of privacy
  • Individuals are not rational actors

Acquisti/Grossklags 2005

SLIDE 36

Strong privacy advocates

  • Technologists - crypto, electronic anonymity, fighting surveillance technology.
  • “European model” - rules and regulations to govern data operations.
  • Pragmatics - practical advice on how to protect oneself.

Privacy can be achieved by limiting information flow

SLIDE 37

Transparency

  • Data collection and surveillance is probably inevitable, and provides accountability
  • Rather than fight against “watching”, make sure everyone can “watch the watcher”.

Increasing flow of info may help all parties (Brin)

SLIDE 38

Major U.S. Privacy regulation

  • Financial Info: G-L-B (2001), FCRA (1970)
    – notification of collection, use, dissemination
  • Student Info: FERPA (1974)
    – right to inspect, right to correct, controlled release.
  • Video rentals (1988)
  • Medical Info: HIPAA (2003)
    – right to access, right to request correction of errors, informed of use, confidential communication.

Much more at http://www.privacyrights.org/index.htm

SLIDE 39

Anti-privacy regulation

  • Patriot Act
    – weak standards for empowering FBI to collect personal information about individuals.
    – library records
  • CALEA: Communications Assistance for Law Enforcement Act of 1994 (FCC)
    – telephone companies must make their networks “wiretap” ready.
    – now VOIP, ISPs, university networks

SLIDE 40

Info ownership challenges

  • Data brokers use sophisticated analysis techniques to derive likely facts about you.
  • Shared information
    – transactions with two parties
    – your genetic information says something about your parents and relatives.

SLIDE 41

Next

  • Security basics
  • Access control in Databases
  • Privacy foundations
  • Beyond access control