4/2/2018

 

Lecturer: Nguyễn Thị Thanh Vân – FIT - HCMUTE

 Understand the importance of securing data stored in

databases
 Learn how the structured nature of data in databases
impacts security mechanisms
 Understand attacks and defenses that specifically target
databases

4/1/2018 2

1
 4/2/2018

 Why securing data stored in databases so important and

different?
 Databases store massive amounts of sensitive data
 Data has structure that influences how it is accessed
 Accessed via queries or programs written in languages
like SQL (Structured Query Language)
 Transactional nature of queries (updates or reads)
 Derived data or database views

 DBS security requirements:

o OS-based security
mechanisms: control r/w
o security packages

 => security services and

mechanisms are designed
and integrated with DBSs

4
4/1/2018

2
 4/2/2018

● Relational model based database systems are widely

used in real-world environments
● A relational database consists of relations or tables
● A table is defined by a schema and consists of tuples
● Tuples store attribute values as defined by schema
● Keys used to access data in tuples

3
 4/2/2018

Operations on relations (using SQL):

●Create, select, insert, update, join and delete
●Example: SELECT * FROM EMPLOYEE WHERE DID = ‘15’
●It returns tuples for Robin and Cody
Queries written in a query language (e.g., SQL) use such basic
operations to access data in a database as needed.

 The database administrator (DBA) is the central

authority for managing a database system.
o The DBA’s responsibilities include
• granting privileges to users who need to use the system
• classifying users and data in accordance with the policy of the
organization
 The DBA is responsible for the overall security of the
database system.

4
 4/2/2018

 The DBA has a DBA account in the DBMS

o Sometimes these are called a system or superuser
account
o These accounts provide powerful capabilities such as:
• 1. Account creation
• 2. Privilege granting
• 3. Privilege revocation
• 4. Security level assignment
o Action 1 is access control, whereas 2 and 3 are
discretionarym and 4 is used to control mandatory
authorization

10

 The database system must also keep track of all

operations on the database that are applied by a certain
user throughout each login session.
o To keep a record of all updates applied to the database and of
the particular user who applied each update, we can modify
system log, which includes an entry for each operation applied
to the database that may be required for recovery from a
transaction failure or system crash.

11

5
 4/2/2018

 If any tampering with the database is suspected, a

database audit is performed
o A database audit consists of reviewing the log to examine all
accesses and operations applied to the database during a
certain time period.
 A database log that is used mainly for security purposes
is sometimes called an audit trail.

12

 Threats to databases
o Loss of integrity
o Loss of availability
o Loss of confidentiality

13

6
 4/2/2018

14

Choose the best answer.

 Oracle, a major database vendor, sponsored a database
security study which identified key security threats. In
your view, which of the following is the biggest threat...

External hackers

Insiders and unauthorized users

7
 4/2/2018

Mark all applicable answers.

Databases are attractive targets for hackers because...

They store information such as SS#, DOB etc. that can
be easily monetized

They store information about lots of users

Queries languages used to access data can be

abused to gain unauthorized access.

• Must protect databases & the servers on which they reside

• Must administer & protect the rights of internal database
users
• Must guarantee the confidentiality of ecommerce customers
as they access the database
• With the Internet continually growing, the threat to data
traveling over the network increases exponentially
4/1/2018 17

8
 4/2/2018

 Physical database integrity

 Logical database integrity
 Element integrity
 Auditability
 Access control
 User authentication
 Availability

 Physical database integrity

o immunity to physical catastrophe, such as power failures, media
failure
• physical securing hardware, UPS
• regular backups

 Logical database integrity

o reconstruction Ability
• maintain a log of transactions
• replay log to restore the systems to a stable point

9
 4/2/2018

 Element integrity
o integrity of specific database elements is their correctness or
accuracy
• field checks
– allow only acceptable values
• access controls
– allow only authorized users to update elements
• change log
– used to undo changes made in error
• referential Integrity (key integrity concerns)
• two phase locking process

 Auditability
o log read/write to database

 User Authentication
o may be separate from OS
o can be rigorous (hard)
 Availability
o concurrent users
• granularity of locking
o reliability

10
 4/2/2018

 Access Control (similar to OS)

o logical separation by user access privileges
o more complicated than OS due to complexity of DB
(granularity/inference/aggregation)
o DAC, MAC, RBAC,
 Quiz: Database access control can be managed
centrally by a few privileged users. This is an example
of...
DAC

MAC

 a DACS: provides a specific capability that controls access

to portions of the database (DAC or BRAC)
 A DBMS can support a range of administrative policies:
 Centralized administration: A small number of privileged users may
grant and revoke access rights.
 Ownership-based administration: The owner (creator) of a table may
grant and revoke access rights to the table.
 Decentralized administration: In addition to granting and revoking
access rights to a table, the owner of the table may grant and revoke
authorization rights to other users, allowing them to grant and revoke
access rights to the table.

11
 4/2/2018

 DACS: distinguishes different access right

 Access rights (create, insert, delete, update, read and write) to:
 the entire database,
 individual tables,
 selected rows or columns within a table.
 be determined based on the contents of a table entry.
 SQL provides 2 commands: GRANT and REVOKE

Choose the best answer.

Alice has SELECT access to a table and she can propagate this
access to Bob when...
Alice was granted this access with GRANT option

She can always propagate an access she has

Cascading authorizations occur when an access is propagated

multiple times and possibly by several users. Assume that Alice
grants access to Bob who grants it further to Charlie. When Alice
revokes access to Bob, should Charlie’s access be also revoked?
Yes No

12
 4/2/2018

 SQL security model implements DAC based on

o users: users of database - user identity checked during login
process;
o actions: including SELECT, UPDATE, DELETE and INSERT;
o objects: tables (base relations), views, and columns (attributes)
of tables and views
 Users can protect objects they own
o when object created, a user is designated as ‘owner’ of object
o owner may grant access to others
o users other than owner have to be granted privileges to access
object

 Components of privilege are

o grantor, grantee, object, action, grantable
o privileges managed using GRANT and REVOKE operations
o the right to grant privileges can be granted
 Issues with privilege management
o each grant of privileges is to an individual or to “Public”
o makes security administration in large organizations difficult
o individual with multiple roles may have too many privileges for
one of the roles
o SQL3 is moving more to role based privileges

13
 4/2/2018

 Inherent weakness of DAC

o DAC allows subject to be written to any other object which can
be written by that subject
o trojan horses to copy information from one object to another
 Mandatory access controls (MAC)
o no read up, no write down
o traditional MAC implementations in RDBMS have focused solely
on MLS
o there have been three commercial MLS RDBMS offerings
• trusted Oracle ,Informix OnLine/Secure, Sybase Secure SQL Server

 Enforce MAC using security labels

o assign security levels to all data
• label associated with a row
o assign a security clearance to each users
• label associated with the user
o DBMS enforces MAC
• access to a row based upon
– the label associated with that row and the label associated with the
user accessing that row.

14
 4/2/2018

 RBAC:
o is a natural fit for database access control
o use of roles in database security
o provides a means of easing the administrative burden and improving
security.
 A database RBAC facility needs to provide the capabilities:
• Create and delete roles.
• Define permissions for a role.
• Assign and cancel assignment of users to roles.
 SQL supports 3 types of roles: server, database, user-defined.
o The first two types of roles are referred to as fixed roles, are
preconfigured for a system with specific access rights.
o The administrator or user cannot add, delete, or modify fixed roles; it is
only possible to add and remove users as members of a fixed role.
4/1/2018 30

 Authentication & identification mechanisms

o CONNECT <user> USING<password>
o DBMS may chose OS authentication
o or its own authentication mechanism
• Kerberose
• PAM

15
 4/2/2018

 The grant option enables an access right to cascade through

a number of users

using the grant option:

- the granting of privileges cascades
from one user to another,
- the revocation of privileges also
cascaded.

4/1/2018 32

● SQL Injection
● Inference attacks

16
 4/2/2018

 Malicious SQL commands are sent to a database

 Can impact both
 confidentiality (extraction of data) and
 integrity (corruption of data)
 In a web application environment, typically a script
takes user input and builds an SQL query
 Web application vulnerability can be used to craft
an SQL injection
 SQL injection attack is one of the most prevalent
and dangerous network-based security threats

send malicious SQL

commands to the
database server
=> Results:
- dump database tables
- modify or delete data,
- execute arbitrary OS
commands,
- Launch DoS attacks.

17
 4/2/2018

The SQLi attack typically works:

 early terminating a text string
 appending a new command.
 terminates the injected string with a comment mark “--”.
Example:
Var Shipcity;
Shipcity = Request.form (“Shipcity”);
Var sql = “select * from OrdersTable
where
Shipcity = ‘” + Shipcity + “‘’”;

a user will enter the name of a city. Ex, REDMOND,

● Script generates:
SELECT * FROM OrdersTable Where Shipcity = ‘Redmond’.

● What if user enters:

Redmond’ ; DROP table OrdersTable--
● In this case, script is generated:
SELECT * FROM OrdersTable WHERE Shipcity = ‘Redmond’ ;
DROP OrdersTable
 Server will:
- select all records in OrdersTable where ShipCity is Redmond.
- Then, it executes the DROP request
● Malicious user is able to inject code to delete the table
●Many other code injection examples exist

18
 4/2/2018

 User input: In this case, attackers inject SQL commands by

providing suitably crafted user input.
 Server variables: variables are logged to a database without
sanitization, this could create an SQL injection vulnerability.
 Second-order injection: a malicious user could rely on data
already present in the system or database to trigger an SQL
injection attack
 Cookies: an attacker could alter cookies when the application
server builds an SQL query based on the cookie’s content, the
structure and function of the query is modified.
 Physical user input: could be scanned using optical character
recognition and passed to a database management system.
4/1/2018 38

 SQL Injections can do more harm than just by passing

the login algorithms. Some of the attacks include
o Deleting data
o Updating data
o Inserting data
o Executing commands on the server that can download and
install malicious programs such as Trojans
o Exporting valuable data such as credit card details, email, and
passwords to the attacker’s remote server
o Getting user login details etc

4/1/2018 39

19
 4/2/2018

 An integrated set of techniques is necessary:

Detection
•Manual defensive •Check queries at
coding practices runtime to see if
•Parameterized •Signature based they conform to a
query insertion •Anomaly based model of expected
•SQL DOM •Code analysis queries

Defensive Run-time
coding prevention

4/1/2018 40

Mark all applicable answers.

A web application script uses the following code to generate a
query:
Query = “SELECT accounts FROM users WHERE login = ‘ “
+ login + “ ‘ AND pass = ‘ “ + password + “ ‘ AND pin = “ +
pin; The various arguments are read from a form to generate
Query.
This query is executed to get a user’s account information when the
following is provided correctly...

Login name Password PIN

20
 4/2/2018

Choose the best answer.

Query = “SELECT accounts FROM users WHERE login = ‘ “
+ login + “ ‘ AND pass = ‘ “ + password + “ ‘ AND pin = “ +
pin; The various arguments are read from a form to generate
Query.
If a user types “‘or 1 = 1 --” for login in the above query...

Query will fail because the provided login is not a correct

user
An injection attack will result in all users’ account data
being returned

● Inference attacks:
● relates to database security
● is the process of performing authorized queries
and deducing unauthorized information from the
legitimate responses received.
● Problem:
● the combination of a number of data items is more
sensitive than the individual items,
● the combination of data items can be used to infer
data of a higher sensitivity

21
 4/2/2018

•Anonymous medical data:

SSN Name Race DOB Sex Zip Marital Heath

Asian 09/07/64 F 22030 Married Obesity
Black 05/14/61 M 22030 Married Obesity
White 05/08/61 M 22030 Married Chest pain
White 09/15/61 F 22031 Widow Aids

•Public available voter list:

Name Address City Zip DOB Sex Party

…. …. …. …. …. …. ….
Sue Carlson 900 Market St. Fairfax 22031 09/15/61 F Democra
t
•Sue Carlson has Aids!
4/1/2018 44

 Types of attack
o direct attack: aggregate computed over a small
sample so individual data items leaked
o indirect attack: combines several aggregates;
o tracker attack: type of indirect attack (very effective)
o linear system vulnerability: takes tracker attacks
further, using algebraic relations between query sets
to construct equations yielding desired information

22
 4/2/2018

NAME SEX RACE AID FINES DRUGS DORM

Adams M C 5000 45 1 Holmes

Bailey M B 0 0 0 Grey
Chin F A 3000 20 0 West
Dewitt M B 1000 35 3 Grey
Earhart F C 2000 95 1 Holmes
Fein F C 1000 15 0 West
Groff M C 4000 0 3 West
Hill F B 5000 10 2 Holmes
Koch F C 0 0 1 West
Liu F A 0 10 2 Grey
Majors M C 2000 0 2 Grey

 Direct Attack
o determine values of sensitive fields by seeking them directly with
queries that yield few records
o request LIST which is a union of 3 sets
LIST NAME where (SEX =M  DRUGS = 1) 
(SEX  M  SEX F)  (DORM = Ayres)
• No dorm named Ayres , Sex either M or F
o “n items over k percent” rule helps prevent attack

23
 4/2/2018

Indirect attack: combines several aggregates

Sums of Financial Aid by Dorm and Sex
Holmes Grey West Total

M 5000 3000 4000 12000

F 7000 0 4000 11000

Total 12000 3000 8000 23000

Students by Dorm and Sex

Holmes Grey West Total

M 1 3 1 5

F 2 1 3 6

Total 3 4 4 11

• 1 Male in Holmes receives 5000

• 1 Female in Grey received no aid
o request a list of names by dorm (non sensitive)

2 inference techniques:

- analyzing functional
dependencies between
attributes within a table
or across tables,

- merging views with the

same constraints.

24
 4/2/2018

 Often databases protected against delivering small

response sets to queries
 Trackers can identify unique value
o request (n) and (n-1) values
o given n and n – 1, we can easily compute the desired single
element

removes an inference channel by altering the database

structure or by changing the access control regime to
Inference detection prevent inference
during database
design often result in unnecessarily stricter access controls that
reduce availability
Two
approaches
seeks to eliminate an inference channel violation during a
query or series of queries
Inference
detection at
query time If an inference channel is detected, the query is denied or
altered

25
 4/2/2018

Choose the best answer.

The database that stores student exam scores allows
queries that return average score for students coming from
various states. Can this lead to an inference attack in this
system?
Yes, depending on how many students come
from each state

No, it is not possible

Choose the best answer.

Assume in (1), the data in the database is de-identified by

removing student id (and other information such as names).
Furthermore, the field that has the state of the student is
generalized by replacing it with the US region (e.g., Midwest).
The generalization ensures that there are at least two students
from each region. Are inference attacks still possible?

Yes No

26
 4/2/2018

 The database is protected by multiple layers of security:

o Firewalls
o Authentication mechanisms
o General access control systems
o Database access control systems.

 Database encryption is warranted and often implemented for particularly

sensitive data
 There are two disadvantages to database encryption:
• Key management: Authorized users must have access to the
decryption key for the data. Providing secure keys to selected parts of
the database to authorized users and applications is a complex task.
• Inflexibility: When part or all of the database is encrypted, it becomes
more difficult to perform record searching.

4/1/2018 54

organization that produces data to be

human entity that presents
made available for controlled release
queries to the system

frontend that transforms user queries an organization that receives the encrypted
into queries on the encrypted data data from a data owner and makes them
stored on the server available for distribution to clients

27
 4/2/2018

●Used to store lots of sensitive data that can be

accessed via programs (queries)

●Access control must be based on operations

allowed by databases

●New attacks on databases arise due to their unique

characteristics

●Defenses must address such attacks

4/1/2018 57

28