
TDDD17 Information Security Topic: Database Security Olaf Hartig



  1. TDDD17 Information Security Topic: Database Security
     Olaf Hartig, olaf.hartig@liu.se
     Acknowledgement: Many of the slides in this slide set are adaptations from slides made available for the database textbook by Elmasri and Navathe.

  2. Before we begin … a reminder of database-related terminology
     ● Data: known facts that can be recorded and that have implicit meaning
     ● Database: logically coherent collection of related data
       – Built for a specific purpose
       – Represents some aspects of the real world
     ● Database management system (DBMS): collection of computer programs to create and maintain a database
       – Protects DB against unauthorized access and manipulation
       – Examples of DBMSs: IBM’s DB2, Microsoft’s SQL Server, Oracle, MySQL, PostgreSQL

  3. … and some more terminology … SQL (Structured Query Language)
     ● Most prevalent database language
     ● Commands for defining databases (i.e., their structure)
     ● Commands for manipulating the data
       – INSERT, UPDATE, DELETE
     ● Commands for expressing queries (i.e., questions to be answered based on the data)
       – SELECT
     ● SQL databases represent data in a tabular form

  4. … and last but not least ... Relational Data Model (formal foundation of SQL)
     ● Relational database is a collection of relations
     ● Schema describes the relations
       – Relation names, attribute names, attribute domains (types)
       – Integrity constraints
     ● Instance (also called state) is a set of tuples for each relation that represent the current content
     Example from “Fundamentals of Database Systems” by Elmasri and Navathe, Addison Wesley.

  5. Introduction to DB Security

  6. What are the threats?
     ● Loss of integrity: improper modification of data
       – e.g., students changing their grades
     ● Loss of confidentiality: unauthorized disclosure of data
       – e.g., student learns other students' grades
     ● Loss of availability: unavailability of database objects to authorized programs and people
       – e.g., students are denied seeing their own grades
       – “denial of service attack”

  7. Control Measures to Provide DB Security
     ● Access control
       – Limiting access to the database (or parts thereof)
       – Requires authentication (e.g., through login and password)
       – Usually with auditing (i.e., logging DB operations by each user)
     ● Inference control
       – Preventing deductions about database content
       – Summary data without ability to determine individuals’ data
     ● Flow control
       – Preventing information from reaching unauthorized users
     ● Data encryption
       – Protecting sensitive data (e.g., when transmitted over network)
       – Making information unintelligible unless authorized
       – Making changes traceable to source

  8. Access Control in a Database System
     ● Security policy specifies who is authorized to do what in the system
     ● DBMS provides access control mechanisms to help implement a security policy
     ● Two complementary types of such mechanisms:
       – Discretionary access control
       – Mandatory access control

  9. Discretionary Access Control

  10. Idea and Related Concepts
     ● Idea: achieve access control based on
       1. privileges (specific rights for tables, columns, etc.), and
       2. a mechanism for granting and revoking such privileges
     ● Authorization administration policy specifies how granting and revoking is organized
       – i.e., who may grant / revoke
       – Centralized administration: only some privileged users
       – Ownership-based administration: creator of the ob
     ● Administration delegation: if authorized to do so, a user may assign others the right to grant / revoke

  11. Discretionary Access Control in SQL
     ● Simple examples:
       – to allow user Alice to query the table called Student
           GRANT SELECT ON Student TO Alice
       – to allow Alice to delete from the Student table
           GRANT DELETE ON Student TO Alice
       – revoke the previous privilege
           REVOKE DELETE ON Student FROM Alice
       – to allow Alice to modify any value in Employee
           GRANT UPDATE ON Employee TO Alice
       – to allow Bob to modify Salary values in Employee
           GRANT UPDATE (Salary) ON Employee TO Bob

  12. Discretionary Access Control in SQL (cont'd)
       GRANT privileges ON objects TO users
       REVOKE privileges ON objects FROM users
     ● Possible privileges:
       – SELECT
       – INSERT (may be restricted to specific attributes)
       – UPDATE (may be restricted to specific attributes)
       – DELETE
       – REFERENCES (may be restricted to specific attributes)
     ● Possible objects:
       – Tables
       – Views
       – Specific attributes (for INSERT, UPDATE, REFERENCES)

  13. What are Views?
     ● A virtual table derived from other (possibly virtual) tables, i.e. always up-to-date
       CREATE VIEW research_colleagues_view AS
         SELECT Fname, Lname, Email
         FROM EMPLOYEE
         WHERE Dept = 'Research';
       CREATE VIEW dept_view AS
         SELECT Dept, COUNT(*) AS C, AVG(Salary) AS S
         FROM EMPLOYEE
         GROUP BY Dept;
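
Added example (not from the original slides): `dept_view` from this slide, checked against the inference-control goal of slide 7 ("summary data without ability to determine individuals' data"). It runs in SQLite; the sample rows, the name `dept_view_min` and the size threshold `k` are assumptions made for this illustration.

```python
import sqlite3

VIEWS = {"dept_view", "dept_view_min"}  # dept_view_min is a hypothetical name

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE EMPLOYEE (Fname TEXT, Lname TEXT, Email TEXT,
                               Dept TEXT, Salary REAL);
        -- Constructed sample rows
        INSERT INTO EMPLOYEE VALUES
          ('Ann',  'Berg', 'ann@example.org',  'Research', 5200),
          ('Carl', 'Dahl', 'carl@example.org', 'Research', 4800),
          ('Eva',  'Falk', 'eva@example.org',  'Research', 5600),
          ('Gus',  'Holm', 'gus@example.org',  'Legal',    7100);
        -- View as defined on the slide
        CREATE VIEW dept_view AS
          SELECT Dept, COUNT(*) AS C, AVG(Salary) AS S
          FROM EMPLOYEE GROUP BY Dept;
    """)
    return conn

def view_rows(conn, view):
    if view not in VIEWS:  # identifiers cannot be bound as query parameters
        raise ValueError(view)
    return conn.execute(f"SELECT Dept, C, S FROM {view} ORDER BY Dept").fetchall()

def exposed_groups(conn, view="dept_view"):
    """Groups with one member: the 'average' is that person's salary."""
    return [(dept, s) for dept, c, s in view_rows(conn, view) if c == 1]

def add_thresholded_view(conn, k):
    """Same aggregate, but groups with fewer than k members are suppressed."""
    conn.execute(f"""
        CREATE VIEW dept_view_min AS
          SELECT Dept, COUNT(*) AS C, AVG(Salary) AS S
          FROM EMPLOYEE GROUP BY Dept HAVING COUNT(*) >= {int(k)}""")

if __name__ == "__main__":
    conn = build_db()
    print(exposed_groups(conn))
    add_thresholded_view(conn, 3)
    print(view_rows(conn, "dept_view_min"))
```

Granting SELECT on the thresholded view instead of `dept_view` keeps the per-department statistics while hiding single-member groups; the threshold covers only that case.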

  14. Discretionary Access Control in SQL (cont'd)
       GRANT privileges ON objects TO users [WITH GRANT OPTION]
       REVOKE [GRANT OPTION FOR] privileges ON objects FROM users
     ● WITH GRANT OPTION allows users to pass on privilege (with or without passing on grant option)
       – When a privilege is revoked from user X, it is also revoked from all users who were granted this privilege solely from X

  15. Example
     ● Assume we do
         GRANT UPDATE ON Emp TO Alice
         GRANT UPDATE ON Emp TO Bob WITH GRANT OPTION
     ● Next, Bob does
         GRANT UPDATE ON Emp TO Alice, Eve
     ● Now, Bob, Alice, and Eve have the privilege
     ● Assume we now do
         REVOKE UPDATE ON Emp FROM Alice
     ● Alice still has the privilege (thanks to Bob)
     ● Let's do
         REVOKE UPDATE ON Emp FROM Bob
     ● Now, neither of them has the privilege anymore
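
Added example (not from the original slides): a small model of the authorization graph behind slides 14 and 15, replaying the Alice/Bob/Eve scenario and applying the cascading-revoke rule stated on slide 14. The class name `GrantGraph` and the owner name `DBA` (the "we" of the slide) are assumptions.

```python
class GrantGraph:
    """Authorization graph for one privilege on one object (e.g. UPDATE ON Emp)."""

    def __init__(self, owner):
        self.owner = owner
        self.grants = set()  # (grantor, grantee, with_grant_option)

    def _can_grant(self):
        """Users whose grant option can be traced back to the owner."""
        able, changed = {self.owner}, True
        while changed:
            changed = False
            for grantor, grantee, option in self.grants:
                if option and grantor in able and grantee not in able:
                    able.add(grantee)
                    changed = True
        return able

    def grant(self, grantor, grantee, with_grant_option=False):
        if grantor not in self._can_grant():
            raise PermissionError(f"{grantor} may not grant this privilege")
        self.grants.add((grantor, grantee, with_grant_option))

    def revoke(self, grantor, grantee):
        self.grants = {g for g in self.grants if g[:2] != (grantor, grantee)}
        # Cascade: drop grants whose grantor no longer holds the grant option.
        # Recomputing from the owner also removes grants kept alive only by a cycle.
        while True:
            able = self._can_grant()
            orphaned = {g for g in self.grants if g[0] not in able}
            if not orphaned:
                break
            self.grants -= orphaned

    def holders(self):
        return {grantee for _, grantee, _ in self.grants}


def slide_scenario():
    g = GrantGraph(owner="DBA")
    g.grant("DBA", "Alice")
    g.grant("DBA", "Bob", with_grant_option=True)
    g.grant("Bob", "Alice")
    g.grant("Bob", "Eve")
    after_grants = g.holders()
    g.revoke("DBA", "Alice")   # Alice keeps the privilege through Bob's grant
    after_first = g.holders()
    g.revoke("DBA", "Bob")     # Bob's grants to Alice and Eve are now orphaned
    return after_grants, after_first, g.holders()
```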

  16. Granularity of Privileges in SQL
     ● Seen so far, object-level privileges
       – Objects: tables, views, attributes
       – SQL does not support tuple-specific privileges
     ● System-level privileges
       – CREATE / ALTER / DROP tables or views
       – Creator of an object gets all (object-level) permissions on that object
       – Not supported by standard SQL but by DBMS-specific extensions of SQL

  17. Mandatory Access Control

  18. Idea
     ● Achieve access control based on system-wide policies that cannot be changed by individual users
     ● Basis: partially ordered set of security classes
       – e.g., TopSecret > Secret > Confidential > Unclassified
     ● DB objects (e.g., tables, columns, rows) are assigned such a class
     ● Subjects (users, programs) are assigned a clearance for such a class
     ● Subject's clearance must match class of object
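
Added example (not from the original slides): row filtering over a partially ordered set of security classes. It goes beyond the slide's four-level chain by adding compartments, which makes some labels incomparable. The compartments, the sample rows and the reading rule used here (a subject reads a row only if its clearance dominates the row's class) are assumptions.

```python
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "TopSecret": 3}

def dominates(a, b):
    """True if label a >= label b in the partial order.

    A label is (level name, frozenset of compartments): a dominates b when
    its level is at least b's and its compartments include all of b's.
    """
    return LEVELS[a[0]] >= LEVELS[b[0]] and a[1] >= b[1]

def comparable(a, b):
    """In a partial order, two labels may be unrelated in either direction."""
    return dominates(a, b) or dominates(b, a)

def readable_rows(clearance, rows):
    """Return the data of rows whose class is dominated by the clearance."""
    return [data for label, data in rows if dominates(clearance, label)]

# Constructed sample rows: (security class, data)
ROWS = [
    (("Unclassified", frozenset()), "cafeteria menu"),
    (("Confidential", frozenset({"HR"})), "salary list"),
    (("Secret", frozenset({"Ops"})), "deployment plan"),
    (("TopSecret", frozenset({"HR", "Ops"})), "merger file"),
]

# Constructed sample clearances
ALICE = ("Secret", frozenset({"HR"}))
BOB = ("Confidential", frozenset({"Ops"}))

if __name__ == "__main__":
    print(readable_rows(ALICE, ROWS))
    print(readable_rows(BOB, ROWS))
    print(comparable(ALICE, BOB))
```

Alice's higher level does not let her read the Ops row, and neither clearance dominates the other: that is the difference between a partial order and the linear example on the slide.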
