Chapter 4
Database Security
Objectives of the Chapter
At the end of Chapter 4 the student should be able to understand:
Introduction to DB Security Issues
Threats to Databases
Control Measures
Discretionary Access Control Based on Granting /Revoking of Privileges
Mandatory Access Control for Multilevel Security
Role Based Access Control
Database Security
Database security comprises the mechanisms that protect the database against
intentional or accidental threats.
A threat means any situation or event whether intentional or accidental
that may adversely affect the organization.
Database Security Issues
Legal and ethical issues regarding the right to access certain information.
For example, some information may be considered to be private and cannot be accessed
legally by unauthorized organizations or persons.
Policy issues: policy at the governmental, institutional, or corporate level determines
what kinds of information should be made publicly available and what kinds should not.
For example, personal medical records, bank account statement etc..
Cont’d
System-related issues: such as the system levels at which various security
functions should be enforced
For example, whether a security function should be handled at the physical hardware
level, the operating system level, or the DBMS level.
Identify multiple security levels to categorize the data and users based on these
classifications
For example, top secret, secret, confidential, and unclassified. The security policy of the
organization with respect to permitting access to the various classifications of data must be
enforced.
Threats to Databases
Loss of integrity
Database integrity refers to the requirement that information be protected from
improper modification.
Integrity is lost if unauthorized changes are made to the data by either intentional or
accidental acts.
If the loss of system or data integrity is not corrected, continued use of the
contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous
decisions.
Threats to Databases
Loss of availability:
Database availability refers to making objects available to a human user or a program to
which they have a legitimate right.
Loss of availability occurs when database objects are not available to legitimate (authorized) users.
Loss of confidentiality:
Database confidentiality refers to the protection of data from unauthorized disclosure.
Unauthorized or unintentional disclosure could result in loss of public confidence,
embarrassment, or legal action against the organization.
Control Measures
To protect databases against the different types of threats, it is
common to implement four kinds of control measures:
Access control
Inference control
Flow control
Encryption.
1. Access control
Access control is a mechanism used to prevent unauthorized persons from
accessing the system itself, either to obtain information or to make malicious
changes to a portion of the database.
The security mechanism of a DBMS must include provisions for restricting
access to the database system as a whole.
It is handled by creating user accounts and passwords, so that the DBMS can
control the login process.
2. Inference Control
It is the security problem associated with controlling the access to a statistical database.
Statistical databases are used mainly to produce statistics about various populations. (A
population is a set of tuples of a relation (table) that satisfy some selection condition.)
Statistical users are not allowed to retrieve individual data, such as the income of a specific
person.
Statistical users are permitted to retrieve statistical information about the populations, such
as averages, sums, counts, maximums, minimums, and standard deviations.
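The inference problem above is easiest to see with a concrete statistical interface. The following is an added example, not part of the original chapter: it models a statistical database over a constructed EMPLOYEE population with two classic inference controls, a query-set-size restriction (refuse aggregates over fewer than k tuples, or over more than n-k tuples, since the complement of a large set is a small set) and a query-set-overlap restriction, and shows the "tracker" query pair that defeats the size restriction alone. The row values, the thresholds MIN_QUERY_SET_SIZE and MAX_OVERLAP, and the class and function names are all assumptions made for this example.

```python
"""Inference control for a statistical database (added example).

Statistical users may ask for aggregates (SUM, COUNT, AVG, ...) over a
population but must not learn an individual's value.  This models two
classic controls, query-set-size and query-set-overlap, and shows the
"tracker" that defeats the size control alone.  All data is constructed."""

MIN_QUERY_SET_SIZE = 3   # k: refuse aggregates over fewer than k tuples (or more than n-k)
MAX_OVERLAP = 2          # r: refuse a query set sharing more than r tuples with an earlier one

# Constructed EMPLOYEE relation; a population is the subset satisfying a predicate.
EMPLOYEE = [
    {"name": "Smith",   "dno": 5, "income": 52000},
    {"name": "Wong",    "dno": 5, "income": 61000},
    {"name": "Zelaya",  "dno": 5, "income": 47000},
    {"name": "Wallace", "dno": 5, "income": 58000},
    {"name": "Narayan", "dno": 5, "income": 55000},
    {"name": "English", "dno": 4, "income": 43000},
    {"name": "Jabbar",  "dno": 4, "income": 39000},
    {"name": "Borg",    "dno": 1, "income": 90000},
]


class InferenceViolation(Exception):
    """The inference controls refused to answer a statistical query."""


class StatisticalDB:
    def __init__(self, rows, min_size=MIN_QUERY_SET_SIZE, max_overlap=None):
        self.rows = rows
        self.min_size = min_size
        self.max_overlap = max_overlap   # None disables the overlap control
        self.answered = []               # key sets of query sets already answered

    def statistic(self, predicate, attr, fn):
        """Answer fn(values of attr) over the population selected by predicate,
        or raise InferenceViolation if the query set could identify someone."""
        qs = [r for r in self.rows if predicate(r)]
        n, k = len(self.rows), self.min_size
        # Query-set-size control: fewer than k tuples singles out individuals,
        # more than n-k tuples singles out the complement (everyone else).
        if len(qs) < k or len(qs) > n - k:
            raise InferenceViolation(f"query set size {len(qs)} outside [{k}, {n - k}]")
        keys = {r["name"] for r in qs}
        if self.max_overlap is not None:
            # Query-set-overlap control: two answered sets that differ in only
            # a few tuples let the user subtract one answer from the other.
            for prev in self.answered:
                if len(keys & prev) > self.max_overlap:
                    raise InferenceViolation(
                        f"query set overlaps an earlier one in {len(keys & prev)} tuples")
            self.answered.append(keys)
        return fn([r[attr] for r in qs])


def tracker(db):
    """Two individually legal SUMs whose difference is Smith's income."""
    dept5 = db.statistic(lambda r: r["dno"] == 5, "income", sum)
    dept5_minus_smith = db.statistic(
        lambda r: r["dno"] == 5 and r["name"] != "Smith", "income", sum)
    return dept5 - dept5_minus_smith


def refused(db, predicate, attr="income", fn=sum):
    """True if the controls refuse this statistic."""
    try:
        db.statistic(predicate, attr, fn)
    except InferenceViolation:
        return True
    return False


def tracker_blocked(db):
    """True if the controls stop the tracker before it yields a value."""
    try:
        tracker(db)
    except InferenceViolation:
        return True
    return False


if __name__ == "__main__":
    size_only = StatisticalDB(EMPLOYEE)
    print("direct query on Smith refused:", refused(size_only, lambda r: r["name"] == "Smith"))
    print("tracker leaks Smith's income:", tracker(size_only))
    with_overlap = StatisticalDB(EMPLOYEE, max_overlap=MAX_OVERLAP)
    print("tracker blocked with overlap control:", tracker_blocked(with_overlap))
```

The point of the example is the second half: the size restriction refuses "income of Smith" outright, yet SUM over department 5 minus SUM over department 5 without Smith is answered twice and leaks the same number. The overlap control closes that hole, at the price of refusing many legitimate queries, which is why real statistical databases also use techniques such as random perturbation of answers.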
3. Flow Control
It prevents information from flowing in such a way that it reaches unauthorized users.
A flow policy specifies the channels along which information is allowed to move.
The simplest flow policy specifies just two classes of information:
• confidential (C) and non-confidential (N)
and allows all flows except those from class C to class N.
Covert channels are pathways for information to flow implicitly in ways that
violate the security policy of an organization.
4. Data Encryption
It is used to protect sensitive data (such as credit card numbers) that is being
transmitted via some type of communication network.
The data is encrypted using an encryption algorithm.
An unauthorized user who accesses the encrypted data will have difficulty deciphering it.
Authorized users, however, are given the decryption algorithm (or key) needed to
decipher the data.
Cont’d
Terminology
• Plain text (or clear text): any data that has meaning and can be read or acted
upon without the application of decryption.
• Cipher text: Encrypted (enciphered) data.
• Encryption: The process of transforming plaintext into cipher text.
• Decryption: The process of transforming cipher text back into plaintext.
Database Security and the database administrator (DBA)
The database administrator (DBA) is the central authority for managing a
database system.
The DBA is responsible for the overall security of the database system.
The DBA has a DBA account in the DBMS, sometimes called a system or super
user account, which provides powerful capabilities that are not made
available to regular database accounts and users.
Cont’d
DBA-privileged commands include commands for performing the following
types of actions:
Action 1: Account creation. This action creates a new account and password
for a user or a group of users to enable access to the DBMS.
Action 2: Privilege granting. This action permits the DBA to grant certain
privileges to certain accounts.
Cont’d
Action 3: Privilege revocation. This action permits the DBA to revoke (cancel)
certain privileges that were previously given to certain accounts.
Action 4: Security level assignment. This action consists of assigning user
accounts to the appropriate security clearance level.
Authorization Subsystem
• There are 3 different authorization subsystems.
1. Discretionary Access Control
2. Mandatory Access Control
3. Role Based Access Control
1. Discretionary Access Control Based on Granting and Revoking Privileges
Discretionary access control mechanisms are used to grant privileges to users, including the
capability to access specific data files, records, or fields in a specified mode (such as read,
insert, delete, or update).
The main idea is to include statements in the query language that allow the DBA and
selected users to grant and revoke privileges.
Operations may also be controlled; thus, having an account does not necessarily entitle
the account holder to all the functionality provided by the DBMS.
Cont’d
Informally, there are two levels for assigning privileges to use the database
system:
The account level :- At this level, the DBA specifies the particular privileges
that each account holds independently of the relations in the database.
The relation (or table) level :- At this level, the DBA can control the privilege
to access each individual relation or view in the database.
Cont’d
The access matrix model is an authorization model for discretionary privileges
that is used for granting and revoking privileges.
In the access matrix model, the rows of a matrix M represent subjects (users,
accounts, programs) and the columns represent objects (relations, records,
columns, views, operations).
Each position M(i, j) in the matrix holds the types of privileges (read, write,
update) that subject i holds on object j.
Cont’d
The owner account holder can pass privileges on any of the owned relations to other users by
granting privileges to their accounts.
In SQL a GRANT command is included for the purpose of granting privileges.
The mechanism of views is an important discretionary authorization mechanism in its own
right.
For example, if the owner A of a relation R wants another account B to be able to retrieve only
some fields of R, then A can create a view V of R that includes only those attributes and then
grant SELECT on V to B.
Cont’d
In some cases it is desirable to grant a privilege to a user temporarily.
For example, the owner of a relation may want to grant the SELECT privilege to a user for a
specific task and then revoke that privilege once the task is completed.
In SQL a REVOKE command is included for the purpose of cancelling privileges.
Whenever the owner A of a relation R grants a privilege on R to another account B, the
privilege can be given to B with or without the GRANT OPTION.
Cont’d
If the GRANT OPTION is given, this means that B can also grant that privilege on R to other
accounts.
In this way, privileges on R can propagate to other accounts without the knowledge of the
owner of R.
If the owner account A now revokes the privilege granted to B, all the privileges that B
propagated based on that privilege should automatically be revoked by the system as well.
(DBMSs differ in how they do this: some cascade automatically, while others, such as
PostgreSQL, refuse the REVOKE unless CASCADE is specified and dependent grants exist.)
GRANT syntax: GRANT <privilege list> ON <relation name | view name> TO <user | role list> [WITH GRANT OPTION];
REVOKE syntax: REVOKE <privilege list> ON <relation name | view name> FROM <user | role list>;
Example:
Assume DBA creates four user accounts: A1, A2, A3, A4.
1. DBA allow A1 to create table /relations.
• GRANT CREATE TABLE TO A1; (an account-level privilege)
• Assume A1 creates Employee and Department tables and hence has all the privileges on
each of them.
2. Account A1 wants to grant to account A2 the privilege to insert and delete tuples in both of
these relations. However, A1 does not want A2 to be able to propagate these privileges to
additional accounts.
• GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;
(Some DBMSs accept only one relation per GRANT statement, in which case this is written as two statements, one per table.)
Example:
3. A1 wants to allow account A3 to retrieve information from either of the two
tables and also to be able to propagate the SELECT privilege to other accounts.
GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION;
4. A3 want to grant the SELECT privilege on the EMPLOYEE relation to A4.
GRANT SELECT ON EMPLOYEE TO A4;
Here A4 cannot propagate the SELECT privilege to other accounts.
Example:
5. A1 wants to revoke the SELECT privilege on the EMPLOYEE relation from A3:
REVOKE SELECT ON EMPLOYEE FROM A3;
The DBMS now revokes the SELECT privilege on EMPLOYEE from A3, and it also
automatically revokes the SELECT privilege on EMPLOYEE from A4, because A4's
privilege was derived from the one A3 held. A3 keeps its SELECT privilege on
DEPARTMENT, which was not revoked.
Example:
6. Suppose that A1 wants to give A3 a limited capability to SELECT only the Name, Bdate,
and Address attributes, and only for the tuples with Dno = 5, from the EMPLOYEE relation, and
wants to allow A3 to propagate that privilege. The view mechanism can be used for this.
• Syntax: CREATE VIEW view_name AS SELECT column1, column2, ... FROM table_name
WHERE condition;
• A1 can then create the following view:
CREATE VIEW A3EMPLOYEE AS
SELECT Name, Bdate, Address
FROM EMPLOYEE
WHERE Dno = 5;
Example:
• After the view is created, A1 can grant SELECT on the view A3EMPLOYEE to A3 as
follows:
• GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT OPTION;
7. A1 wants to allow A4 to update only the Salary attribute of EMPLOYEE:
• GRANT UPDATE (Salary) ON EMPLOYEE TO A4;
(In standard SQL the column list follows the privilege, as above; some textbooks write it
after the relation name.)
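Steps 2 to 7 above are SQL statements whose interesting behaviour, the propagation of privileges through WITH GRANT OPTION and the cascading revoke in step 5, happens inside the DBMS. The following is an added example, not code from the chapter or from any DBMS: it models the grant graph that the DBMS keeps, replays steps 2 to 7 against it, and implements the cascade rule stated above (after a REVOKE, a grant survives only if its grantor can still trace the privilege back to the owner through a chain of WITH GRANT OPTION grants). The class DacDBMS, the Grant record and the helper names are assumptions of this example; step 1 (CREATE TABLE) is an account-level privilege and is left out of the relation-level model.

```python
"""Discretionary access control: a grant graph with GRANT OPTION and cascading
REVOKE (added example modelling the behaviour the text describes, not any
particular DBMS's implementation).  Replays steps 2 to 7 of the example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    privilege: str      # "SELECT", "INSERT", "DELETE", "UPDATE" or "UPDATE(<column>)"
    obj: str            # relation or view name
    with_grant_option: bool


class DacDBMS:
    def __init__(self):
        self.owners = {}    # relation/view -> owner account (the owner holds all privileges)
        self.grants = []    # the grant graph: one Grant per GRANT statement

    def create_table(self, owner, name):
        self.owners[name] = owner

    @staticmethod
    def _matches(held, wanted):
        # Table-level UPDATE covers any column; column-level UPDATE covers that column only.
        return held == wanted or (held == "UPDATE" and wanted.startswith("UPDATE("))

    def holds(self, account, privilege, obj, need_grant_option=False):
        """Does account hold privilege on obj (optionally: with the grant option)?"""
        if self.owners.get(obj) == account:
            return True
        return any(g.grantee == account and g.obj == obj
                   and self._matches(g.privilege, privilege)
                   and (g.with_grant_option or not need_grant_option)
                   for g in self.grants)

    def grant(self, grantor, grantee, privilege, obj, with_grant_option=False):
        """GRANT privilege ON obj TO grantee [WITH GRANT OPTION], issued by grantor."""
        if not self.holds(grantor, privilege, obj, need_grant_option=True):
            raise PermissionError(f"{grantor} cannot grant {privilege} on {obj}")
        self.grants.append(Grant(grantor, grantee, privilege, obj, with_grant_option))

    def revoke(self, grantor, grantee, privilege, obj):
        """REVOKE privilege ON obj FROM grantee, issued by grantor, with cascade."""
        self.grants = [g for g in self.grants
                       if not (g.grantor == grantor and g.grantee == grantee
                               and g.obj == obj and g.privilege == privilege)]
        # Accounts still able to pass this privilege on: the owner plus everyone
        # reachable from the owner over surviving WITH GRANT OPTION edges.
        # Reachability (rather than a single pass) also handles grant cycles.
        able = {self.owners[obj]}
        changed = True
        while changed:
            changed = False
            for g in self.grants:
                if (g.obj == obj and g.privilege == privilege and g.with_grant_option
                        and g.grantor in able and g.grantee not in able):
                    able.add(g.grantee)
                    changed = True
        # Drop every grant of this privilege whose grantor can no longer justify it.
        self.grants = [g for g in self.grants
                       if not (g.obj == obj and g.privilege == privilege) or g.grantor in able]


def grant_refused(db, grantor, grantee, privilege, obj):
    """True if the DBMS rejects the GRANT because grantor lacks the grant option."""
    try:
        db.grant(grantor, grantee, privilege, obj)
    except PermissionError:
        return True
    return False


def build_steps_2_to_4():
    db = DacDBMS()
    db.create_table("A1", "EMPLOYEE")
    db.create_table("A1", "DEPARTMENT")
    for table in ("EMPLOYEE", "DEPARTMENT"):
        db.grant("A1", "A2", "INSERT", table)                           # step 2
        db.grant("A1", "A2", "DELETE", table)
        db.grant("A1", "A3", "SELECT", table, with_grant_option=True)   # step 3
    db.grant("A3", "A4", "SELECT", "EMPLOYEE")                          # step 4
    return db


def replay_example():
    db = build_steps_2_to_4()
    db.revoke("A1", "A3", "SELECT", "EMPLOYEE")                         # step 5: cascades to A4
    db.grant("A1", "A4", "UPDATE(Salary)", "EMPLOYEE")                  # step 7
    return db


if __name__ == "__main__":
    db = replay_example()
    print("A4 SELECT on EMPLOYEE after step 5:", db.holds("A4", "SELECT", "EMPLOYEE"))
    print("A3 SELECT on DEPARTMENT still held:", db.holds("A3", "SELECT", "DEPARTMENT"))
    print("A4 may update Salary:", db.holds("A4", "UPDATE(Salary)", "EMPLOYEE"))
```

Step 6 is omitted only because it needs a view object; granting on A3EMPLOYEE works in this model exactly like granting on a table owned by A1.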
2. Mandatory Access Control
Mandatory access control is a security mechanism that classifies data and users into
security classes.
This approach would typically be combined with the discretionary access control
mechanisms.
Typical security classes are top secret (TS), secret (S), confidential (C), and unclassified
(U), where TS is the highest level and U the lowest.
For simplicity, TS ≥ S ≥ C ≥ U
Cont’d
Bell-LaPadula model is a model for multilevel security, it classifies each
subject (user, account, program) and object (relation, tuple, column, view,
operation) into one of the security classifications TS, S, C, or U.
Classification of a subject S is referred to as class(S) and the classification of
an object O as class(O).
Cont’d
• Based on the subject/object classifications two restrictions are enforced on data
access :
1. A subject S is not allowed read access to an object O unless class(S) ≥
class(O). This is known as the simple security property. (A user with TS
clearance can read objects with TS, S, C, or U classification.)
2. A subject S is not allowed to write an object O unless class(S) ≤ class(O). This
is known as the star property (or * property). (A user with S clearance can write
only objects with S or TS classification.)
Cont’d
Consider the instance of the Boats table shown below. Users with S and TS
clearance get both rows in the answer when they ask to see all rows in Boats.
A user with C clearance gets only the second row, and a user with U clearance
gets no rows.
BID   BName   Bcolor   Security class
101   salsa   black    S
102   pinto   brown    C
Example
[Figure (a): the EMPLOYEE relation (Name, Salary, Job_performance) with a security classification on each attribute value and on each tuple; figure (b): the same relation as filtered for a user with clearance C.]
Cont’d
Assume that the Name attribute is the apparent key, and consider the query
SELECT * FROM EMPLOYEE;
A user with security clearance S would see the relation exactly as shown in figure (a),
since all tuple classifications are less than or equal to S.
A user with security clearance C would not be allowed to see the Salary value of 'Brown' or the
Job_performance value of 'Smith', since those values have a higher classification (S).
The tuples would be filtered to appear as shown in figure (b), with those Salary and
Job_performance values appearing as null.
For a user with security clearance U, the filtering allows only the Name attribute of 'Smith' to
appear, with all the other attributes appearing as null. Thus, filtering introduces null values for
attribute values whose security classification is higher than the user's security clearance.
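The flow policy from the Flow Control section, the two Bell-LaPadula properties and the filtering just described all reduce to one comparison on a totally ordered set of classes. The following is an added example, not code from the chapter: it encodes the order U < C < S < TS (and the two-class N < C policy), implements flow_allowed, can_read and can_write as that comparison, filters the Boats rows by row classification, and filters an EMPLOYEE relation with a classification on every attribute value. The EMPLOYEE values and their classifications are constructed so that they produce the results the text describes for clearances S, C and U; they are not the page's figure, and the function names are this example's own.

```python
"""Multilevel security (added example): a flow policy over security classes,
the Bell-LaPadula simple security and star properties, and filtering of a
relation down to what a given clearance may see.  Data is constructed."""

# Total order of security classes, lowest to highest.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}
TWO_CLASS = {"N": 0, "C": 1}   # the simplest flow policy: non-confidential < confidential


def dominates(a, b, order=LEVELS):
    """class(a) >= class(b) in the given total order."""
    return order[a] >= order[b]


def flow_allowed(src, dst, order=LEVELS):
    """Information may move from class src to class dst only upward or sideways,
    never downward (with two classes: every flow except C -> N)."""
    return dominates(dst, src, order)


def can_read(subject, obj):
    """Simple security property: read only if class(S) >= class(O) (no read-up)."""
    return dominates(subject, obj)


def can_write(subject, obj):
    """Star property: write only if class(S) <= class(O) (no write-down)."""
    return dominates(obj, subject)


# Boats table with one classification per row, as in the text.
BOATS = [
    {"BID": 101, "BName": "salsa", "Bcolor": "black", "class": "S"},
    {"BID": 102, "BName": "pinto", "Bcolor": "brown", "class": "C"},
]

# Constructed EMPLOYEE relation: every attribute value is (value, class) and TC is
# the tuple classification.  Name is the apparent key.  Chosen so that Brown's
# Salary and Smith's Job_performance are S, and Smith's Name is U.
EMPLOYEE = [
    {"Name": ("Smith", "U"), "Salary": (40000, "C"), "Job_performance": ("Fair", "S"), "TC": "S"},
    {"Name": ("Brown", "C"), "Salary": (80000, "S"), "Job_performance": ("Good", "C"), "TC": "S"},
]


def visible_rows(rows, clearance):
    """Row-level filtering: a tuple is returned only if its class is readable."""
    return [r for r in rows if can_read(clearance, r["class"])]


def filter_relation(rows, clearance, key="Name"):
    """Attribute-level filtering: a tuple appears only if its apparent key is
    readable; every other attribute above the clearance becomes None, and the
    tuple classification becomes the highest class still visible."""
    result = []
    for row in rows:
        if not can_read(clearance, row[key][1]):
            continue                       # apparent key itself is above the clearance
        filtered, shown = {}, []
        for attr, (value, cls) in ((a, v) for a, v in row.items() if a != "TC"):
            if can_read(clearance, cls):
                filtered[attr] = value
                shown.append(cls)
            else:
                filtered[attr] = None      # filtering introduces a null
        filtered["TC"] = max(shown, key=LEVELS.get)
        result.append(filtered)
    return result


if __name__ == "__main__":
    for clearance in ("TS", "S", "C", "U"):
        print(clearance, [r["BID"] for r in visible_rows(BOATS, clearance)],
              filter_relation(EMPLOYEE, clearance))
```

Note what the star property does to a DBMS: a user cleared at S may insert a tuple classified TS without being able to read it back, so an S-level INSERT of a key that already exists at TS cannot simply be rejected without leaking that the TS tuple exists. That is the origin of polyinstantiation in multilevel relational models, which this chapter does not cover.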
3. Role-Based Access Control
Role: is a named group of related privileges that can be granted to the user.
This method makes it easier to revoke and maintain privileges.
A user can have access to several roles, and several users can be assigned the
same role.
Roles are typically created for a database application.
3. Role-Based Access Control
Its basic notion is that privileges and other permissions are associated with
organizational roles, rather than individual users.
Individual users are then assigned to appropriate roles.
Roles can be created using the CREATE ROLE and removed by DROP
ROLE commands.
The GRANT and REVOKE commands can then be used to assign and revoke
privileges from roles, as well as for individual users when needed.
Creating and assigning a role:
First the DBA must create the role. Then the DBA can grant privileges to the role and assign
the role to users; every user holding the role gets the role's privileges, and revoking a privilege
from the role revokes it from all of them at once.
Syntax: CREATE ROLE role_name;
Example:
To create a role: CREATE ROLE MANAGER;
Grant privileges to the role: GRANT CREATE TABLE, CREATE VIEW TO MANAGER;
Grant the role to a user: GRANT MANAGER TO TOM; (if TOM is a user)
Thank You!