Database Security
Relational Database: - A table of data consisting of rows and columns. Each column holds a particular type of data; each row contains a specific value for each column. A relational query language is used to access the database.
Elements of a Relational Database: -
1) Primary key: Uniquely identifies a row and consists of one or more column names.
2) Foreign key: Links one table to an attribute in another.
3) View/virtual table: Result of a query that returns selected rows and columns from one or more tables.
Structured Query Language (SQL): - Developed by IBM in the mid-1970s. It is a standardized language used to define, manipulate and query data in relational tables. SQL statements can be used to: -
· Create tables.
· Create / insert data into tables.
· Create views.
· Retrieve data with query statements.
SQL Injection Attacks: - One of the most prevalent and dangerous network-based security threats.
· It is designed to exploit the nature of web application pages.
· Sends malicious SQL commands to the database server.
· Most common attack goal is bulk extraction of data.
· Depending on the environment, SQL injection can be exploited to:
– Modify or delete data
– Launch denial-of-service (DoS) attacks
– Execute arbitrary operating system commands.
Inband Attack: - Uses the same communication channel for injecting SQL code and retrieving results. The retrieved data are presented directly in the application web page.
– Tautology: - This form of attack injects code into one or more conditional statements so that they always evaluate to true.
– End-of-line comment: - After injecting code into a particular field, the legitimate code that follows is nullified through use of end-of-line comments.
– Piggybacked queries: - The attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request.
Inferential Attack: - There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the website/database server. Includes:
– Illegal/logically incorrect queries
• This attack lets an attacker gather important information about the type and structure of the backend database of a web application.
• The attack is considered a preliminary, information-gathering step for other attacks.
– Blind SQL injection
• Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker.
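The tautology and end-of-line comment forms above, shown against a lookup built by string concatenation and against the same lookup written as a parameterized query. This is an added example using Python's standard sqlite3 module with a constructed in-memory table, not code from the original notes; piggybacked queries are not shown because this driver's execute() refuses stacked statements.

```python
import sqlite3

def make_db():
    """In-memory SQLite database with constructed sample rows (not from the notes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff"), ("carol", "staff")])
    return conn

def lookup_vulnerable(conn, name):
    """Builds the statement by string concatenation: user input becomes SQL syntax."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    """Parameterized query: the driver binds the input as a value, never as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# Inputs corresponding to the two inband forms described in the notes.
TAUTOLOGY = "' OR '1'='1"   # WHERE name = '' OR '1'='1'  -> condition always true, every row returned
EOL_COMMENT = "alice' --"   # WHERE name = 'alice' --'    -> the closing quote is commented out

def demo():
    """Run both lookups against both inputs and return the row sets for comparison."""
    conn = make_db()
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vulnerable_comment": lookup_vulnerable(conn, EOL_COMMENT),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),   # no user is literally named "' OR '1'='1"
        "safe_comment": lookup_safe(conn, EOL_COMMENT),   # no user is literally named "alice' --"
        "safe_normal": lookup_safe(conn, "alice"),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated version returns all three rows for the tautology and alice's row for the comment input, while the parameterized version returns nothing for either, because the bound value is compared as a string rather than parsed as SQL.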
Database Access Control: - It determines
· whether the user has access to the entire database or just a portion of it.
· what access rights the user has (create, delete, update, read, write).
Can support a range of administrative policies: -
1) Centralized Administration: - A small number of privileged users may grant and revoke access rights.
2) Ownership-based Administration: - The creator of the table may grant and revoke access rights to the table.
3) Decentralized Administration: - The owner of the table may grant and revoke authorization rights to other users, allowing them in turn to grant and revoke access rights to the table.
Role Based Access Control (RBAC): - Role-based access control eases the administrative burden and improves security.
A database RBAC facility needs to provide the following capabilities:
• Create and delete roles.
• Define permissions for a role.
• Assign and cancel assignment of users to roles.
Categories of database users:
1) Application owner: An end user who owns database objects (tables, columns, rows) as part of an application. That is, the database objects are generated by the application or are prepared for use by the application.
2) End user other than application owner: An end user who operates on database objects via a particular application but does not own any of the database objects.
3) Administrator: A user who has administrative responsibility for part or all of the database.
Statistical Databases (SDB): - Provide data of a statistical nature such as counts and averages.
– pure statistical database
– ordinary database with statistical access
• access control objective
– provide users with the needed information
– without compromising the confidentiality
• the security problem is one of inference
Pure statistical database: This type of database only stores statistical data.
• An example is a census database. Typically, access control for a pure SDB is straightforward: certain users are authorized to access the entire database.
Ordinary database with statistical access: This type of database contains individual entries; this is the type of database discussed so far in this chapter. The database supports a population of nonstatistical users who are allowed access to selected portions of the database using discretionary access control (DAC), role-based access control (RBAC), or mandatory access control (MAC).
Statistical Database Security: -
· Uses a characteristic formula C
– a logical formula over the values of attributes
– e.g. (Sex=Male) AND ((Major=CS) OR (Major=EE))
· The query set X(C) of characteristic formula C is the set of records matching C.
· A statistical query is a query that produces a value calculated over a query set.
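The characteristic formula, query set X(C) and statistical query above, worked over a small constructed set of student records, together with the inference problem the notes raise: a formula whose query set is a single record turns an "average" into that person's value. This is an added example, not code from the original notes; the query-set-size control it applies (refuse when |X(C)| is smaller than k or larger than N - k) is a standard SDB defence that the notes do not themselves describe.

```python
# Constructed sample records for illustration (not data from the original notes).
STUDENTS = [
    {"name": "Ann", "sex": "Female", "major": "CS",   "credits": 120},
    {"name": "Ben", "sex": "Male",   "major": "CS",   "credits": 90},
    {"name": "Cid", "sex": "Male",   "major": "EE",   "credits": 60},
    {"name": "Dee", "sex": "Female", "major": "EE",   "credits": 30},
    {"name": "Eve", "sex": "Female", "major": "Math", "credits": 75},
    {"name": "Fay", "sex": "Male",   "major": "Math", "credits": 105},
]

def query_set(records, formula):
    """X(C): the records satisfying characteristic formula C (given as a predicate)."""
    return [r for r in records if formula(r)]

def statistical_query(records, formula, stat, attr, k=2):
    """Compute a statistic over X(C), or return None when the query set is too small
    or too large to protect individuals (query-set-size control, assumed here).

    The upper bound matters as much as the lower one: with N = 6, a query over
    "everyone" minus a query over "everyone except Dee" would isolate Dee's value.
    """
    xs = query_set(records, formula)
    n = len(records)
    if len(xs) < k or len(xs) > n - k:
        return None
    values = [r[attr] for r in xs]
    if stat == "count":
        return len(values)
    if stat == "avg":
        return sum(values) / len(values)
    raise ValueError("unsupported statistic: " + stat)

def c_male_cs_ee(r):
    """The formula from the notes: (Sex=Male) AND ((Major=CS) OR (Major=EE))."""
    return r["sex"] == "Male" and r["major"] in ("CS", "EE")

def c_female_ee(r):
    """A formula that happens to match exactly one person: (Sex=Female) AND (Major=EE)."""
    return r["sex"] == "Female" and r["major"] == "EE"

if __name__ == "__main__":
    print([r["name"] for r in query_set(STUDENTS, c_male_cs_ee)])          # Ben, Cid
    print(statistical_query(STUDENTS, c_male_cs_ee, "avg", "credits"))      # 75.0
    print(statistical_query(STUDENTS, c_female_ee, "avg", "credits"))       # None (|X(C)| = 1)
    print(statistical_query(STUDENTS, c_female_ee, "avg", "credits", k=1))  # 30 -> Dee's own value
```

Setting k=1 disables the control and shows the inference directly: the "average credits of female EE students" is simply Dee's record.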
simple and easy :)