M.tech notes of Computer Science


Wednesday, 2 November 2016

Information Security & DBMS

Database Security

Relational Database: - A table of data consisting of rows and columns. Each column holds a particular type of data, and each row contains a specific value for each column. A relational query language is used to access the database.
Elements of Relational Database: -
1)    Primary key: Uniquely identifies a row and consists of one or more column names.

2)    Foreign key: A column (or set of columns) in one table whose values match the primary key of another table, linking the two tables.


3)    View/virtual table: Result of a query that returns selected rows and columns from one or more tables.
Structured Query Language: - Developed by IBM in the mid-1970s. It is a standardized language used to define, manipulate and query data in relational tables. SQL statements can be used to: -
·         Create tables.
·         Insert data into tables.
·         Create views.
·         Retrieve data with query statements.
SQL Injection Attacks: - One of the most prevalent and dangerous network-based security threats.
·         It exploits the way web application pages build SQL queries out of user-supplied input.

·         Sends malicious SQL commands to the database server.


·         Most common attack goal is bulk extraction of data.

·         Depending on the environment, SQL injection can be exploited to:
     Modify or delete data.
     Launch denial-of-service (DoS) attacks.
     Execute arbitrary operating system commands.

Inband Attack: -  Uses the same communication channel both for injecting the SQL code and for retrieving the results. The retrieved data are presented directly in the application web page.
     Tautology: - Injects code into one or more conditional statements so that they always evaluate to true (for example, appending OR '1'='1 to a WHERE clause).

     End-of-line comment: - After injecting code into a particular field, the legitimate SQL that follows is nullified by an end-of-line comment marker (such as --), so the server never sees the rest of the original query.

     Piggybacked queries: - The attacker adds additional statements beyond the intended query (separated by ;), piggy-backing the attack on top of a legitimate request. This only works where the database driver accepts several statements in one call.
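The three in-band techniques above, as an added example (not code from the original notes): a login query built by string concatenation against an in-memory SQLite database with constructed sample rows, the parameterized form that defeats all three payloads, and a check of what the driver does with a stacked statement. The table, users and payload strings are assumptions made for this example.

```python
import sqlite3


def make_db():
    """In-memory SQLite database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT);
        INSERT INTO users (username, password, role) VALUES
            ('alice', 'alice-pw', 'admin'),
            ('bob',   'bob-pw',   'user');
    """)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation: this is the injection point."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_safe(conn, username, password):
    """Parameterized query: the driver sends the values separately from the SQL text,
    so a quote or comment marker in the input can never change the query's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


def lookup_stacked_vulnerable(conn, username):
    """Models a driver that accepts several ';'-separated statements in one call
    (sqlite3's executescript does), which is what a piggybacked query needs."""
    conn.executescript("SELECT id FROM users WHERE username = '" + username + "'")


def stacked_query_rejected(conn, username):
    """sqlite3's execute() refuses more than one statement per call, so on this
    driver the piggybacked payload fails even though the concatenation is unsafe.
    Returns True when the driver rejected the stacked statement."""
    try:
        conn.execute("SELECT id FROM users WHERE username = '" + username + "'")
    except (sqlite3.Warning, sqlite3.Error):   # older Pythons raise Warning, newer ProgrammingError
        return True
    return False


def table_exists(conn, name):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None


# Constructed payloads for the three in-band techniques
TAUTOLOGY_PASSWORD = "' OR '1'='1"         # ... AND password = '' OR '1'='1'  -> true for every row
COMMENT_USERNAME = "alice' --"             # ... username = 'alice' --' AND password = '...' (rest is a comment)
PIGGYBACK_USERNAME = "x'; DROP TABLE users; --"


if __name__ == "__main__":
    db = make_db()
    print("tautology     :", login_vulnerable(db, "x", TAUTOLOGY_PASSWORD))   # every user
    print("comment       :", login_vulnerable(db, COMMENT_USERNAME, "wrong"))  # alice, no password needed
    print("parameterized :", login_safe(db, COMMENT_USERNAME, "wrong"))       # nothing
    print("execute() rejects stacking:", stacked_query_rejected(db, PIGGYBACK_USERNAME))
    lookup_stacked_vulnerable(db, PIGGYBACK_USERNAME)
    print("users table still exists  :", table_exists(db, "users"))
```

The tautology payload goes into the password field rather than the username because AND binds tighter than OR: `username = 'x' AND password = '' OR '1'='1'` is true for every row, whereas the same payload in the username field would still be ANDed with a false password check.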

Inferential Attack: - There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Website/database server.
Include:
     Illegal/logically incorrect queries
      This attack lets an attacker gather important information about the type and structure of the backend database of a Web application
      The attack is considered a preliminary, information-gathering step for other attacks
     Blind SQL injection
      Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker.
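The two inferential techniques above, as an added example (not code from the original notes): a page that only answers "user exists / does not exist", swallows all database errors and never returns data, yet still lets an attacker reconstruct a column value one character at a time (blind SQL injection), plus a variant that echoes the DBMS error so a guessed column name can be confirmed (illegal/logically incorrect query). The schema, rows and oracle are assumptions; `length()`, `substr()` and `unicode()` are SQLite built-ins (other DBMSs use ASCII()/SUBSTRING()).

```python
import sqlite3


def make_db():
    """In-memory SQLite database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('alice', 'alice-pw'), ('bob', 'bob-pw');
    """)
    return conn


def user_exists_vulnerable(conn, username):
    """Boolean oracle: the page only says whether a user exists. No rows are shown
    and database errors are swallowed, so nothing is echoed back (a blind setting)."""
    sql = "SELECT 1 FROM users WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def user_exists_safe(conn, username):
    """Parameterized: the payload is compared as a literal username and matches nothing."""
    return conn.execute("SELECT 1 FROM users WHERE username = ?",
                        (username,)).fetchone() is not None


def probe_error_message(conn, username):
    """Illegal/logically incorrect query: an app that echoes the DBMS error text reveals
    schema details, here whether a guessed column name exists. Returns the error or None."""
    sql = "SELECT 1 FROM users WHERE username = '" + username + "'"
    try:
        conn.execute(sql).fetchone()
        return None
    except sqlite3.Error as e:
        return str(e)


def blind_extract(oracle, target_user, column="password", max_len=64):
    """Reconstructs one column of the target's row using only yes/no answers.
    Each payload closes the literal the app opened, appends a condition, and leaves
    the app to add the final quote. Returns (value, number_of_queries)."""
    queries = 0

    def ask(condition):
        nonlocal queries
        queries += 1
        return oracle(f"{target_user}' AND {condition} AND '1'='1")   # app appends closing quote

    # 1. length of the value, by linear probing
    length = None
    for n in range(1, max_len + 1):
        if ask(f"length({column})={n}"):
            length = n
            break
    if length is None:
        return "", queries

    # 2. each character by binary search over printable ASCII (about 7 queries per character)
    value = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"unicode(substr({column},{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        value += chr(lo)
    return value, queries


if __name__ == "__main__":
    db = make_db()
    print(blind_extract(lambda p: user_exists_vulnerable(db, p), "alice"))
    print(blind_extract(lambda p: user_exists_safe(db, p), "alice"))
    print(probe_error_message(db, "x' AND no_such_column=1 AND '1'='1"))
```

The binary search is what makes blind extraction practical: the oracle leaks one bit per request, so an 8-character value costs a few dozen requests rather than one per candidate character. The same structure works with a timing oracle (a conditional sleep) when even the true/false page difference is removed.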



Database Access Control: - It determines
·         whether the user has access to the entire database or just a portion of it.

·         what access rights the user has (create, delete, update, read, write).

Can support a range of administrative policies: -
1)    Centralized Administration: - Small number of privileged users may grant and revoke access rights.

2)    Ownership-based Administration: - The creator of the table may grant and revoke access rights to the table.

3)    Decentralized Administration: - The owner of the table may grant and revoke authorization rights to other users, allowing them to grant and revoke access rights to the table.
Role Based Access Control (RBAC): -  Role-based access control eases the administrative burden and improves security, because permissions are attached to roles rather than to individual users.
A database RBAC needs to provide the following capabilities:
      Create and delete roles
      Define permissions for a role
      Assign and cancel assignment of users to roles
Categories of database users:     
1)    Application owner: An end user who owns database objects (tables, columns, rows) as part of an application. That is, the database objects are generated by the application or are prepared for use by the application.

2)    End user other than application owner: An end user who operates on database objects via a particular application but does not own any of the database objects.

3)    Administrator: User who has administrative responsibility for part or all of the database.
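The three administrative policies and the RBAC capabilities above, as an added example (not code from the original notes): a toy authorization model in which a table owner, a centralized administrator, and a grantee holding WITH GRANT OPTION can each hand out privileges, a revoke cascades to grants the revoked user made in turn, and roles carry permissions that users pick up by assignment. The class, the table "payroll" and the user names are assumptions made for this example, not any real DBMS's implementation.

```python
from collections import namedtuple

Grant = namedtuple("Grant", "grantor grantee table priv with_grant_option")


class DatabaseAuthz:
    """Toy authorization model (assumed for illustration, not any real DBMS)."""

    def __init__(self):
        self.admins = set()        # centralized administration: may grant anything
        self.owner = {}            # table -> creating user (ownership-based administration)
        self.grants = []           # list of Grant
        self.roles = {}            # role -> set of (table, priv)
        self.user_roles = {}       # user -> set of role

    def add_admin(self, user):
        self.admins.add(user)

    def create_table(self, user, table):
        self.owner[table] = user

    def may_grant(self, user, table, priv):
        """Who may hand out a privilege: admins, the table owner, or a grantee WITH GRANT OPTION
        (the last is what makes administration decentralized)."""
        if user in self.admins or self.owner.get(table) == user:
            return True
        return any(g.grantee == user and g.table == table and g.priv == priv
                   and g.with_grant_option for g in self.grants)

    def grant(self, grantor, grantee, table, priv, with_grant_option=False):
        if not self.may_grant(grantor, table, priv):
            raise PermissionError(f"{grantor} may not grant {priv} on {table}")
        self.grants.append(Grant(grantor, grantee, table, priv, with_grant_option))

    def revoke(self, revoker, grantee, table, priv):
        """Removes revoker's grant to grantee, then cascades: every grant whose grantor has
        lost the authority to make it is removed, until nothing changes. (Two users who
        grant to each other in a cycle would survive this simple fixpoint.)"""
        self.grants = [g for g in self.grants
                       if not (g.grantor == revoker and g.grantee == grantee
                               and g.table == table and g.priv == priv)]
        changed = True
        while changed:
            changed = False
            for g in list(self.grants):
                if not self.may_grant(g.grantor, g.table, g.priv):
                    self.grants.remove(g)
                    changed = True

    # RBAC capabilities: create/delete roles, define permissions, assign/unassign users
    def create_role(self, role):
        self.roles.setdefault(role, set())

    def delete_role(self, role):
        self.roles.pop(role, None)
        for assigned in self.user_roles.values():
            assigned.discard(role)

    def add_permission(self, role, table, priv):
        self.roles[role].add((table, priv))

    def assign_role(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def unassign_role(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def can(self, user, table, priv):
        """The access decision: owner or admin, a direct grant, or a permission via a role."""
        if user in self.admins or self.owner.get(table) == user:
            return True
        if any(g.grantee == user and g.table == table and g.priv == priv for g in self.grants):
            return True
        return any((table, priv) in self.roles.get(r, ()) for r in self.user_roles.get(user, ()))


def demo():
    """Constructed scenario; returns the access decisions at each step."""
    db = DatabaseAuthz()
    db.add_admin("dba")
    db.create_table("alice", "payroll")                                   # alice owns payroll
    db.grant("alice", "bob", "payroll", "SELECT", with_grant_option=True)  # decentralized
    db.grant("bob", "carol", "payroll", "SELECT")                         # bob passes it on
    carol_before = db.can("carol", "payroll", "SELECT")
    db.revoke("alice", "bob", "payroll", "SELECT")                        # cascades to carol
    carol_after = db.can("carol", "payroll", "SELECT")
    db.create_role("auditor")
    db.add_permission("auditor", "payroll", "SELECT")
    db.assign_role("dave", "auditor")
    dave_with_role = db.can("dave", "payroll", "SELECT")
    db.delete_role("auditor")
    dave_without_role = db.can("dave", "payroll", "SELECT")
    return {"carol_before_revoke": carol_before, "carol_after_revoke": carol_after,
            "dave_with_role": dave_with_role, "dave_without_role": dave_without_role}


if __name__ == "__main__":
    print(demo())
```

The cascade is the part worth studying: once alice revokes bob, carol's access disappears even though alice never granted anything to carol directly, because the authority behind bob's grant is gone.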
Statistical Databases (SDB): - Provide data of a statistical nature, such as counts and averages. Two types:
     pure statistical database
     ordinary database with statistical access
      Access control objective: provide users with the needed statistical information without compromising the confidentiality of any individual entry.
      The security problem is one of inference: combining permitted statistical answers to deduce an individual value.
Pure statistical database: This type of database only stores statistical data. An example is a census database. Typically, access control for a pure SDB is straightforward: certain users are authorized to access the entire database.
Ordinary database with statistical access: This type of database contains individual entries; this is the type of database discussed so far in this chapter. The database supports a population of nonstatistical users who are allowed access to selected portions of the database using discretionary access control (DAC), role-based access control (RBAC), or mandatory access control (MAC).
Statistical Database Security: -
·         A characteristic formula C is a logical formula over the values of attributes, e.g. (Sex=Male) AND ((Major=CS) OR (Major=EE)).
·         The query set X(C) of a characteristic formula C is the set of records matching C.
·         A statistical query is a query that produces a value calculated over a query set.
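The definitions above, as an added example (not code from the original notes): a characteristic formula C is a predicate over one record, X(C) is the list of matching records, and a statistical query aggregates over X(C). The records, the income attribute and the query-set-size control (refuse any query whose query set has fewer than k or more than N-k records) are assumptions made for this example; the control is included to show that it does not stop the inference problem, since the difference of two permitted sums still isolates one individual.

```python
# Constructed records; attribute names follow the notes' example formula.
RECORDS = [
    {"name": "alice", "sex": "Female", "major": "CS", "income": 52000},
    {"name": "bob",   "sex": "Male",   "major": "CS", "income": 61000},
    {"name": "carl",  "sex": "Male",   "major": "EE", "income": 47000},
    {"name": "dan",   "sex": "Male",   "major": "CS", "income": 58000},
    {"name": "erin",  "sex": "Female", "major": "EE", "income": 55000},
    {"name": "fred",  "sex": "Male",   "major": "EE", "income": 49000},
    {"name": "gina",  "sex": "Female", "major": "ME", "income": 51000},
    {"name": "hank",  "sex": "Male",   "major": "ME", "income": 45000},
]


def query_set(records, C):
    """X(C): the records satisfying characteristic formula C (a predicate on one record)."""
    return [r for r in records if C(r)]


class StatisticalDB:
    """Statistical access to an ordinary database, with a query-set-size control (assumed)."""

    def __init__(self, records, k=3):
        self.records = records
        self.k = k

    def stat_query(self, C, attribute, agg):
        """Statistical query over X(C). Refused when |X(C)| < k or |X(C)| > N - k,
        so that neither a single record nor 'everyone but one' can be queried directly."""
        xs = query_set(self.records, C)
        n = len(xs)
        if n < self.k or n > len(self.records) - self.k:
            raise PermissionError(f"query set of size {n} refused")
        values = [r[attribute] for r in xs]
        if agg == "count":
            return n
        if agg == "sum":
            return sum(values)
        if agg == "avg":
            return sum(values) / n
        raise ValueError(f"unknown aggregate {agg}")


def C_male_cs_or_ee(r):
    """The notes' example formula: (Sex=Male) AND ((Major=CS) OR (Major=EE))."""
    return r["sex"] == "Male" and (r["major"] == "CS" or r["major"] == "EE")


def refused(sdb, C, attribute="income"):
    """True if the size control rejects a sum over X(C)."""
    try:
        sdb.stat_query(C, attribute, "sum")
        return False
    except PermissionError:
        return True


def tracker_attack(sdb, C, target_name, attribute):
    """Inference by differencing: two permitted sums whose query sets differ only in the
    target reveal the target's individual value, although a direct query is refused."""
    whole = sdb.stat_query(C, attribute, "sum")
    without = sdb.stat_query(lambda r: C(r) and r["name"] != target_name, attribute, "sum")
    return whole - without


if __name__ == "__main__":
    sdb = StatisticalDB(RECORDS, k=3)
    print("count over X(C):", sdb.stat_query(C_male_cs_or_ee, "income", "count"))
    print("direct query on bob refused:", refused(sdb, lambda r: r["name"] == "bob"))
    print("bob's income by differencing:", tracker_attack(sdb, C_male_cs_or_ee, "bob", "income"))
```

Here X(C) has four records and X(C AND NOT name=bob) has three, so both pass the size control with k=3, and their difference is exactly bob's income. Defences beyond the size check (query overlap limits, perturbation of the returned statistics) exist for this reason.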

