Scribd
Upload
17 views

Database Security, Privacy & Blockchain Security (Week 10)

1) Relational databases store data in a structured format using rows and columns and contain relationships between data items. Database security is challenging due to the complexity of database management systems and interaction protocols. 2) Key requirements for database security include physical and logical integrity, element integrity, auditability, access control, confidentiality, and availability. 3) SQL injection attacks are a dangerous threat that sends malicious SQL commands to the database, allowing attackers to extract or modify data or launch denial-of-service attacks. Input validation is a key countermeasure. 4) Privacy techniques like k-anonymity and l-diversity aim to prevent inference attacks by masking identities and ensuring diversity within data groups.

Uploaded by

michaelgowanto
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
17 views

Database Security, Privacy & Blockchain Security (Week 10)

1) Relational databases store data in a structured format using rows and columns and contain relationships between data items. Database security is challenging due to the complexity of database management systems and interaction protocols. 2) Key requirements for database security include physical and logical integrity, element integrity, auditability, access control, confidentiality, and availability. 3) SQL injection attacks are a dangerous threat that sends malicious SQL commands to the database, allowing attackers to extract or modify data or launch denial-of-service attacks. Input validation is a key countermeasure. 4) Privacy techniques like k-anonymity and l-diversity aim to prevent inference attacks by masking identities and ensuring diversity within data groups.

Uploaded by

michaelgowanto
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 14

Database Security, Privacy &

Blockchain Security (Week 10)


Friday, 13 May 2022 05.41

Security of Relational Databases


First of all, we know what databases are (I mean, check FIT2094), but then what is
relational databases?
It basically refers to a database that stores data in a structured format, using rows and
columns. It also contains the relationship between data items and groups of data items.

Now, database security is hard as the DBMS is complex; many options, and there are
different types of databases. Not to mention the complicated interaction protocol; SQL.
It is also a mismatch between database admin and security.

To access the database, we use a relational query language (e.g. MySQL).


View (virtual table) could also be used, this is not the actual database.

Database Security Requirements


What important is to make sure that the data stored is correct, thus has to prevent & avoid
modification. Below are the requirements:
◊ Physical database integrity - immune to physical problems
◊ Logical database integrity - the structure is preserved
◊ Element integrity - the data contained are accurate
◊ Auditability - possible to track who has accessed the elements
◊ Access control/user authentication
◊ Confidentiality/privacy of data/private info
◊ Availability

SQL Injection Attacks


◊ It is one of the most dangerous network-based security threats.
◊ Basically, it sends malicious SQL commands to the database server (type of command
injection).
◊ The common goal is bulk extraction of data.
◊ It can also be exploited to:
○ Modify/delete data
○ Execute arbitrary OS commands
○ Launch DoS attacks

The idea (to exploit):


◊ It can also be exploited to:
○ Modify/delete data
○ Execute arbitrary OS commands
○ Launch DoS attacks

The idea (to exploit):


→ Server connected to database
→ Server MySQL queries database, based on query from user
→ Input not checked

Insert other SQL commands & (optionally) terminate with --

SELECT count(*) FROM user_table


WHERE user_name = 'Joanne' OR 1=1--'
AND password = "

From above code, the OR 1=1 always return TRUE, so the query will always return a count
greater than zero, resulting in a successful login.

SQL attack typically works by prematurely terminating a text string & appending a new
command.

Example:
Countermeasures:
1) Defensive coding - put an input type checking/validation in code
2) Detection:
a. Signature based: match attack patterns
b. Anomaly based: detect behaviour beyond norm
3) Code analysis - test suit to detect SQL vulnerabilities, check queries at run time

Privacy of Databases
Inference Attack
The idea is, basically, performing queries to an non-sensitive data, where the attacker then
Privacy of Databases
Inference Attack
The idea is, basically, performing queries to an non-sensitive data, where the attacker then
make some deduction, which results in them obtaining the sensitive data.

Example:
Countermeasures
a. Cell suppression - some of the cells in a database are removed and left blank in the
published version
b. Generalization/Averaging - some values in a published database are replaced with more
general/averaged values (rather than the actual value)
c. Noise addition - values in a published database have random values (nonces) added to
them, so that the noise across all records for the same attribute averages out to zero.

Privacy
It is about how well we hiding the individual information.

k-anonymity
Often referred to as the power of 'hiding in the crowd'. Basically, just averaging;
combining sets of data with similar attributes and averaging it.
That way, the information within a group could correspond to any single member, hence
masking the identity of the individual data (within the group).

Example of k-anonymity

However, it somehow not secure enough as other private attributes still leak (if low
diversity/range of possibilities). Example:
However, it somehow not secure enough as other private attributes still leak (if low
diversity/range of possibilities). Example:

L-diversity
It is an extension of k-anonymization, which ensuring a sufficient diversity within each
equivalence class. Example:

General countermeasures
a. Inference detection at database design - alter database structure or access controls
b. Inference detection at query time - monitoring & altering/rejecting queries
c. Some inference detection algorithm <on-going research>

Security of Statistical Databases


Unlike relational database, statistical database (SDB) system only enables its users to retrieve
the aggregate statistics for a subset of entities represented in the database.
There are two types; pure statistical database and ordinary database with statistical access.
Access control objective is to provide users with needed information without compromising the
confidentiality of database. The problem here is one of the inference type attack.

Security
◊ Some query restrictions
◊ Query set overlap control
○ Limit the overlap between new & previous queries
○ Has problems & overheads
Security
◊ Some query restrictions
◊ Query set overlap control
○ Limit the overlap between new & previous queries
○ Has problems & overheads
◊ Partitioning
○ Cluster records into number of mutually exclusive groups
○ Query the statistical properties of each group as a whole
◊ Query denial & information leakage
○ Denials can leak information, thus must track queries from user
◊ Security against inference

Perturbation
It is a data security technique that adds 'noise' to databases allowing individual record
confidentiality. Hence, cannot infer values for individual records.
The output from this technique will be a random-sample query, where the system generates
statistics that are modified from those that the original database would provide.
The goal her is to minimize differences between original results & perturbed results.
The main challenge, however, is to determine the average size of the error/difference to be used
given the bigger the noise is, the inaccurate the data become.

Searchable Encryption

You might also like