
DATA SECURITY

• Protection from malicious attempts to steal (view) or modify data.
• The science and study of methods of protecting data (...) from unauthorized disclosure and modification
• Data Security = Confidentiality + Integrity
ACCESS CONTROL IN SQL

GRANT privileges ON object TO users [WITH GRANT OPTION]

privileges = SELECT | INSERT | DELETE | . . .

object = table | attribute

REVOKE privileges ON object FROM users [CASCADE]
ACCESS CONTROL IN MYSQL
• http://dev.mysql.com/doc/refman/5.0/en/privilege-system.html
• The primary function of the MySQL privilege system is to authenticate a user
who connects from a given host and to associate that user with privileges on a
database such as SELECT, INSERT, UPDATE, and DELETE
• There are some things that you cannot do with the MySQL privilege system:
• You cannot explicitly specify that a given user should be denied access. That is, you cannot
explicitly match a user and then refuse the connection.
• You cannot specify that a user has privileges to create or drop tables in a database but not to
create or drop the database itself.
• A password applies globally to an account. You cannot associate a password with a specific
object such as a database, table, or routine.
VIEWS IN SQL

A SQL View = (almost) any SQL query

• Typically used as:

CREATE VIEW pmpStudents AS
SELECT * FROM Students WHERE…

GRANT SELECT ON pmpStudents TO DavidRispoli


SUMMARY OF SQL SECURITY
Limitations:
• Often no row level access control
• Note: DB specific – fine-grained access control is an active area of improvement
• Table creator owns the data (not always fair)
Access control = great success story of the DB community...
… or spectacular failure:
• Only ~30% assign privileges to users/roles
• And then to protect entire tables, not columns
MYSQL SECURITY
• Access control and security within the database system itself, including the
users and databases granted with access to the databases, views and stored
programs in use within the database. For more information, see Section 6.2,
“The MySQL Access Privilege System”, and Section 6.3, “MySQL User
Account Management”.
• Network security of MySQL and your system. The security is related to the
grants for individual users, but you may also wish to restrict MySQL so that it
is available only locally on the MySQL server host, or to a limited set of other
hosts.
• Ensure that you have adequate and appropriate backups of your database
files, configuration and log files. Also be sure that you have a recovery
solution in place and test that you are able to successfully recover the
information from your backups. See Chapter 7, Backup and Recovery.
WHAT IS A SQL INJECTION ATTACK?
• Many web applications take user input from a form
• Often this user input is used literally in the construction of a SQL query submitted to a database. For example:
• SELECT productdata FROM table WHERE productname = 'user input product name';
• A SQL injection attack involves placing SQL statements in the user input
2012 NEWS OF SQL ATTACKS
• http://www.mysqlperformanceblog.com/2012/07/18/sql-injection-still-a-problem/
• An SQL injection vulnerability resulted in an urgent June bugfix release of
Ruby on Rails 3.x.
• Yahoo! Voices was hacked in July. The attack acquired 453,000 user email
addresses and passwords. The perpetrators claimed to have used union-based
SQL injection to break in.
• LinkedIn.com leaked 6.5 million user credentials in June. A class action
lawsuit alleges that the attack was accomplished with SQL injection.
• SQL injection was documented as a security threat in 1998, but new incidents
still occur every month. Making honest mistakes, developers fail to defend
against this means of attack, and the security of online data is at risk for all of
us because of it.
AN EXAMPLE SQL INJECTION ATTACK
Product Search: blah' OR 'x' = 'x

• This input is put directly into the SQL statement within the Web application:
• $query = "SELECT prodinfo FROM prodtable WHERE prodname = '" . $_POST['prod_search'] . "'";

• Creates the following SQL:
• SELECT prodinfo FROM prodtable WHERE prodname = 'blah' OR 'x' = 'x'

• Attacker has now successfully caused the entire database to be returned.
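
Added example (not part of the original slides): the slide's concatenated query next to a parameterized version of the same query, run against an in-memory SQLite database through Python's sqlite3 module as a stand-in for the PHP/MySQL application. The table and column names follow the slide; the rows and function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows; prodtable/prodname/prodinfo follow the slide's query.
ROWS = [
    ("widget", "Blue widget, $5"),
    ("gadget", "Red gadget, $9"),
    ("driver's kit", "Tool kit, $20"),          # legitimate name with an apostrophe
    ("internal", "Unreleased item, cost $2"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE prodtable (prodname TEXT, prodinfo TEXT)")
    db.executemany("INSERT INTO prodtable VALUES (?, ?)", ROWS)
    return db

def search_concat(db, prod_search):
    # Same construction as the slide: the input is spliced into the SQL text,
    # so a quote in the input changes the structure of the WHERE clause.
    query = ("SELECT prodinfo FROM prodtable WHERE prodname = '"
             + prod_search + "'")
    return [row[0] for row in db.execute(query)]

def search_bound(db, prod_search):
    # Hardened form: the statement text is fixed and the input is bound as a
    # value, so it is only ever compared to prodname as a string.
    query = "SELECT prodinfo FROM prodtable WHERE prodname = ?"
    return [row[0] for row in db.execute(query, (prod_search,))]

if __name__ == "__main__":
    db = make_db()
    slide_input = "blah' OR 'x' = 'x"           # the search text from the slide
    print("concat, normal search:", search_concat(db, "widget"))
    print("concat, slide input  :", search_concat(db, slide_input))
    print("bound,  slide input  :", search_bound(db, slide_input))
    print("bound,  apostrophe   :", search_bound(db, "driver's kit"))
    try:
        search_concat(db, "driver's kit")
    except sqlite3.OperationalError as exc:
        # Concatenation also breaks on honest input that contains a quote.
        print("concat, apostrophe   : SQL error:", exc)
```

The bound version returns no rows for the slide's input and still finds the product whose name contains an apostrophe, which the concatenated version cannot even parse.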


OTHER INJECTION POSSIBILITIES
• Using SQL injections, attackers can:
• Add new data to the database
• Could be embarrassing to find yourself selling
politically incorrect items on an eCommerce site
• Perform an INSERT in the injected SQL
• Modify data currently in the database
• Could be very costly to have an expensive item suddenly
be deeply ‘discounted’
• Perform an UPDATE in the injected SQL
• Often can gain access to other users' system capabilities by
obtaining their password
