
CSC 405 Introduction to Computer Security

Topic 6. Database Security

Dr. Peng Ning

Agenda
  • Discretionary access control in DBMS
  • Mandatory access control and multi-level databases
  • Database inference control

Topic 6.1 DAC in DBMS

Outline
  • Relational model
  • Grant and revoke
  • Extension to the basic model
  • Questions/comments in reviews

Basic Relational Concepts
  • Data is organized as a collection of tables, called RELATIONS
    • Example: two relations - EMP, DEPT
    • EMP: name, title, department
    • DEPT: department, location
  • Each row (or record) of a relation is called a TUPLE
  • Each relation has a unique name
  • Each attribute has a unique name within a relation
  • All values in a relation are atomic (indecomposable)
    • As a consequence, we have two tuples for a user

Examples

EMP
Name    Title   Dept
Tom     Prof    ECE
Tom     Prof    CS
Adams   Prof    ECE
Smith   Inst    CS

DEPT
Name    Location
CS      Wither Hall
ECE     Daniels Hall
Math    Harrelson Hall

Relation Schemes
  • A relational database consists of 2 relation schemes:
  • EMP(Name, Title, Dept)
  • DEPT(Name, Location)
  • Schemes: structure of the database
  • Structured Query Language (SQL)
  • SQL "data definition" statements are used to create relations

CREATE TABLE DEPT
(Name CHAR(10) NOT NULL,
Location CHAR(15),
PRIMARY KEY (Name))

CREATE TABLE EMP
(Name CHAR(15) NOT NULL,
Title CHAR(4),
Dept CHAR(10),
PRIMARY KEY (Name))

SQL
  • The SELECT statement

SELECT Name
FROM EMP
WHERE Dept = 'ECE'

Result:
Tom
Adams

  • Joins

SELECT *
FROM EMP, DEPT
WHERE EMP.Dept = DEPT.Name
AND DEPT.Location = 'Wither Hall'

Result:
Tom     Prof    CS    Wither Hall
Smith   Inst    CS    Wither Hall

Views

  • Views are "virtual" relations. They can be used to customize relations and to provide security

CREATE VIEW EMP_LOCATION
AS SELECT EMP.Name, Dept, Location
FROM EMP, DEPT
WHERE EMP.Dept = DEPT.Name

EMP_LOCATION
Name    Dept   Location
Tom     ECE    Daniels Hall
Tom     CS     Wither Hall
Abrams  ECE    Daniels Bldg
Smith   CS     Wither Hall

Discretionary Access Controls
  • Decentralized administration
    • Users can protect what they own
    • The owner may grant access to others
    • The owner may define the type of access (read/write/execute) given to others

Access Control Mechanisms
  • Identification and Authentication (I&A)
  • Security through Views
  • Stored Procedures
  • Grant and Revoke
  • Query Modification

Identification and Authentication
  • Identification provided by DBMS can be distinct from that provided by the underlying OS
    • Example: MS SQL server
      • Two options
        • I&A through the OS
        • Separate I&A

Security Through Views

EMP
NAME      DEPT    SALARY   MANAGER
Smith     Toy     10,000   Jones
Jones     Toy     15,000   Baker
Baker     Admin   40,000   Harding
Adams     Candy   20,000   Harding
Harding   Admin   50,000   None

Users are allowed to access partial information (such as the Toy dept data), but not the detailed information.

Example

CREATE VIEW TOY_DEPT
AS SELECT NAME, SALARY, MANAGER
FROM EMP
WHERE DEPT = 'Toy'

TOY_DEPT
NAME    SALARY   MANAGER
Smith   10,000   Jones
Jones   15,000   Baker

Example

CREATE VIEW TOY_EMP_MGR
AS SELECT NAME, MANAGER
FROM EMP
WHERE DEPT = 'Toy'

TOY_EMP_MGR
NAME    MANAGER
Smith   Jones
Jones   Baker

Example

CREATE VIEW AVSAL(DEPT, AVG)
AS SELECT DEPT, AVG(SALARY)
FROM EMP
GROUP BY DEPT

AVSAL
DEPT    AVG
TOY     12,500
CANDY   20,000
ADMIN   45,000

Stored Procedures
  • Right to execute compiled programs
  • GRANT RUN ON program_A TO ADAMS
  • Suppose program_A needs to access the relation EMP. Adams can execute program_A even though he does not have permission to access EMP

Query Modification
  • Adams:

GRANT SELECT ON EMP TO THOMAS WHERE SALARY < 15000

  • THOMAS:

SELECT *
FROM EMP

  • DBMS:

SELECT *
FROM EMP
WHERE SALARY < 15000

The Grant Command
  • GRANT <privilege> ON <relation> TO <users> [WITH GRANT OPTION]
    • GRANT SELECT ON EMP TO ADAMS
    • GRANT SELECT ON EMP TO ADAMS WITH GRANT OPTION
    • GRANT SELECT, UPDATE(SALARY) ON EMP TO JIM, JILL
  • Applied to base relations as well as views

The Revoke Command
  • REVOKE <privileges> [ON <relations>] FROM <users>
    • REVOKE SELECT ON EMP FROM TOM
    • REVOKE UPDATE ON EMP FROM SMITH
    • REVOKE RESOURCE FROM ABRAMS
    • REVOKE DBA FROM SMITH

Semantics of Revoke
  • A sequence of grant commands followed by a revoke operation
    • G1, G2, …, Gn, Rh
  • Semantics
    • Equivalent to: G1, G2, …, Gh-1, Gh+1, …, Gn

Time-stamped Authorizations

[Figure: authorization graph over users A, B, C, D, E and F; grant edges are time-stamped 10g, 20g, 30g, 40g, 50g and 60g.]

Cascading Revocation

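Grant sequence:

[Figure: chain of grants over users A, B, C and D; edges are time-stamped 10g, 20g and 30g.]

B revokes privilege from C:

[Figure: only users A and B remain, joined by the edge time-stamped 10g.]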

Timestamps Make a Difference

[Figure: authorization graph over users A, B, C, D, E and F; grant edges are time-stamped 10g, 20g, 30g, 40g, 50g and 60g.]

Timestamps Make a Difference

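[Figure: authorization graph over users A, B, C, D, E and F with the same time stamps, except that the positions of the 40g and 50g labels are exchanged.]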
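Added example (not part of the original slides): a Python sketch of cascading revocation over time-stamped grants, showing why exchanging two timestamps changes who keeps the privilege. The edge layout (A to B at 10, A to C at 20, B to D at 30, D to E and C to D at 40/50, D to F at 60), the owner A, and the names `Grant`, `revoke`, `holders` and `sample` are assumptions, since the figures' edges do not survive in this transcript.

```python
from collections import namedtuple

# One edge of the authorization graph: grantor passed the privilege
# (with grant option) to grantee at time ts.
Grant = namedtuple("Grant", "grantor grantee ts")

def revoke(grants, owner, grantor, grantee):
    """Cascading revoke: the result is what the grant sequence would have
    produced if grantor had never granted to grantee."""
    live = {g for g in grants if (g.grantor, g.grantee) != (grantor, grantee)}
    changed = True
    while changed:  # repeat until no unsupported grant is left
        changed = False
        for g in sorted(live, key=lambda g: g.ts):
            if g.grantor == owner:
                continue  # the owner needs no supporting grant
            # g stands only if its grantor received the privilege earlier
            if not any(s.grantee == g.grantor and s.ts < g.ts for s in live):
                live.discard(g)
                changed = True
    return live

def holders(grants, owner):
    """Users who still hold the privilege."""
    return {owner} | {g.grantee for g in grants}

def sample(ts_d_to_e, ts_c_to_d):
    # Constructed graph; the edge layout is an assumption (see lead-in).
    return {Grant("A", "B", 10), Grant("A", "C", 20), Grant("B", "D", 30),
            Grant("D", "E", ts_d_to_e), Grant("C", "D", ts_c_to_d),
            Grant("D", "F", 60)}

if __name__ == "__main__":
    # B revokes D's privilege in both timestamp layouts.
    for de, cd in ((40, 50), (50, 40)):
        left = revoke(sample(de, cd), "A", "B", "D")
        print(f"D->E at {de}, C->D at {cd}:", sorted(holders(left, "A")))
```

When D's only remaining support (from C) is newer than D's grant to E, E loses the privilege; when it is older, E keeps it.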

Further Extension
  • Make cascading optional
  • Permit negative authorizations

The Revoke Command
  • REVOKE <privileges> [ON <relations>] FROM <users> [CASCADE]
    • REVOKE SELECT ON EMP FROM TOM
    • REVOKE UPDATE ON EMP FROM SMITH CASCADE
    • REVOKE RESOURCE FROM ADAMS
    • REVOKE DBA FROM SMITH CASCADE

Non-cascading Revocation

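[Figure: before revocation, a chain of grants over users A, B, C and D with edges time-stamped 10g, 20g and 30g; after non-cascading revocation, users A, B and D remain with edges time-stamped 10g and 30g.]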

Why Non-cascading Revoke
  • Reasons for revoke
    • Task is done. No need to have the privilege anymore
    • Task is still in progress. But a member left the project (e.g., promoted)

Example

[Figure: authorization graph over users A, B, C, D, E, F and G; edges are time-stamped 20, 30, 40, 50, 60, 70 and 80.]

Example

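[Figure: authorization graph over users A, B, C, D, E, F and G; edges are time-stamped 20, 30, 40, 50, 60, 70 and 80.]

After cascading revocation

[Figure: users A, B, C, D and F remain, with edges time-stamped 20, 30, 60 and 70.]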

Example

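[Figure: authorization graph over users A, B, C, D, E, F and G; edges are time-stamped 20, 30, 40, 50, 60, 70 and 80.]

After non-cascading revocation

[Figure: users A, B, C, D, E, F and G all remain, with edges time-stamped 20, 30, 50, 60, 70, 70 and 80.]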

Why Positive & Negative Authorization
  • Closed world policy
    • Cannot access unless explicitly granted the right
  • Negative authorization
    • User A should not be allowed to read table Emp
    • Need explicit deny policies

Positive & Negative Authorizations

[Figure: authorization graph over users A, B, C, D and E; edges are labeled 10 + g, 20 -, 30 + g and 40 -.]

Complication
  • It is possible to have two authorizations
    • Grant A privilege p
    • Deny A privilege p
  • Negative authorizations override positive authorizations

Problem 1

User B gives D negative authorization at time 50:

[Figure: authorization graph over users A, B, C, D and E; edges are labeled 10 + g, 20 -, 30 + g, 40 - and 50 -.]

In our model, positive authorization granted by A to D becomes blocked, but we do not delete the authorization.

Problem 2

Suppose D receives negative authorization from B at time 60:

[Figure: authorization graph over users A, B, C, D, E and F; edges are labeled 10 + g, 20 -, 30 + g, 40 -, 50 + and 60 -.]

What about the privilege given to F by D?

Under our approach, it becomes blocked, but we do not delete it.

Revocation When Negative Authorizations Are Present

Given:

[Figure: authorization graph over users A, B, C, D, E and F; edges are labeled 10 + g, 20 -, 30 + g, 40 -, 50 + and 60 -.]

Suppose A revokes B’s privilege.

Cascading Revocation When Negative Authorizations Are Present

[Figure: users A, C, D and F remain; edges are labeled 20 -, 30 + g and 50 +.]

Non-cascading Revocation When Negative Authorizations Are Present

[Figure: users A, C, D, E and F remain; edges are labeled 20 -, 30 + g, 40 -, 50 + and 60 -.]
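Added example (not part of the original slides): a Python sketch of the blocking rule from Problem 1 and Problem 2, where a negative authorization overrides positive ones and dependent authorizations are kept but have no effect. Which users each labeled edge joins, the owner A, and the names `Auth`, `holds`, `blocked`, `problem2` and `without_user` are assumptions; `without_user` simply reproduces the graph that the cascading-revocation slide shows after A revokes B.

```python
from collections import namedtuple

# sign: "+" grants, "-" denies; g: the grant option travels with a "+".
# ts mirrors the slide labels; the checks below look at the current state only.
Auth = namedtuple("Auth", "grantor grantee ts sign g")

def denied(auths, user):
    return any(a.grantee == user and a.sign == "-" for a in auths)

def holds(auths, owner, user, need_g=False, seen=frozenset()):
    """Can user exercise the privilege now (need_g: also pass it on)?"""
    if user == owner:
        return True
    if user in seen or denied(auths, user):
        return False  # a negative authorization overrides any positive one
    return any(a.grantee == user and a.sign == "+" and (a.g or not need_g)
               and holds(auths, owner, a.grantor, True, seen | {user})
               for a in auths)

def blocked(auths, owner):
    """Positive authorizations that stay stored but currently have no effect."""
    return {a for a in auths if a.sign == "+" and
            (denied(auths, a.grantee) or not holds(auths, owner, a.grantor, True))}

def problem2():
    # Constructed from the slide labels; which users each edge joins is assumed.
    return [Auth("A", "B", 10, "+", True), Auth("A", "C", 20, "-", False),
            Auth("A", "D", 30, "+", True), Auth("B", "E", 40, "-", False),
            Auth("D", "F", 50, "+", False), Auth("B", "D", 60, "-", False)]

def without_user(auths, user):
    # Graph left after a cascading revoke removes all that user received or issued.
    return [a for a in auths if user not in (a.grantor, a.grantee)]

if __name__ == "__main__":
    auths = problem2()
    print("D, F hold:", holds(auths, "A", "D"), holds(auths, "A", "F"))
    print("blocked:", sorted((a.grantor, a.grantee) for a in blocked(auths, "A")))
    after = without_user(auths, "B")  # A revokes B with cascade
    print("after revoke, D, F hold:", holds(after, "A", "D"), holds(after, "A", "F"))
```

Because the blocked authorizations for D and F were never deleted, both users regain the privilege as soon as B's denial disappears with the cascading revoke.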
