Advanced Database Management System

Database security
 Security
▪ Introduction to Database Security
▪ Discretionary Access Control
▪ Mandatory Access Control
▪ Additional Issues Related to Security
Introduction To DB Security
▪Three main objectives
▪ Secrecy/Confidentiality
▪ Integrity
▪ Availability
Secrecy/Confidentiality
▪Information should not be disclosed to
unauthorized users.

▪ For example, a student should not be allowed to

examine other students’ grades.
Integrity
▪Only authorized users should be allowed to modify
data.

▪ For example, students may be allowed to see

their grades, yet not allowed to modify them.
Availability
▪Authorized users should not be denied access.

▪ For example, an instructor who wishes to change

a grade should be allowed to do so.
Introduction To DB Security
▪ Security policy describes the security measures
enforced.
▪ Security mechanisms of the underlying DBMS
must be utilized to enforce the policy.
▪Security measures must be taken at several levels.
▪Security leaks in the operating system or network
connections can circumvent database security
mechanisms.
Introduction To DB Security
▪Views provide a valuable tool in enforcing security
policies.
▪A view is a table whose rows are not explicitly stored
in the database but are computed as needed from a
view definition.
Introduction To DB Security
▪We can define views that give a group of users
access to just the information they are allowed to
see.
▪For example, we can define a view that allows
students to see other students’ name and age but
not their grade, and allow all students to access
this view, but not the underlying Students table.
▪Views are valuable in the context of security.
▪ Create a “window” on a collection of data
▪ Limit access to sensitive data
Access Control
▪An Access Control mechanism is a way to control
the data that is addressable to a given user.
Discretionary Access Control
▪Discretionary access control:

▪ Based on the concept of privileges, and

mechanisms for giving users such privileges.
Privilege
▪A privilege allows a user to access some data
object in a certain manner (e.g., to read or to
modify).
▪SQL-92 supports discretionary access control
through GRANT and REVOKE commands.
Mandatory Access Control
▪Mandatory access control is based on systemwide
policies that cannot be changed by individual users.

▪Each database object is assigned a security class;

each user is assigned clearance for a security class,
and rules are imposed on reading and writing of
database objects by users.
An example will be used for
interpreting the details of access
control later
Schemas used in example
Sailors(sid:integer, sname:string, rating:integer,
age:real)
Boats(bid:integer, bname:string, color:string)
Reserves(sname:string, bid:integer, day:dates)
Discretionary access control
▪It is based on the concept of access rights, or
privileges, and mechanisms for giving users such
privileges.
▪A privilege allows a user to access some database
object in a certain manner
▪SQL-92 supports discretionary access control through
the GRANT and REVOKE commands.
▪Advantage: effective
▪Disadvantage: a devious unauthorized user can trick an
authorized user into disclosing sensitive data
▪ GRANT command: Give users privileges to base
tables and views.
▪ GRANT privileges ON object TO users [WITH
GRANT OPTIONS]

▪ REVOKE command: intended to achieve the

reverse, to withdraw the granted privilege from
the user.
▪ REVOKE [GRANT OPTION FOR] privileges ON
object FROM users {RESTRICT | CASCADE}
Several privileges:
▪ SELECT : access all columns
▪ INSERT (column-name): insert rows with values in
the named column
▪ DELETE: delete rows from the table
▪ REFERENCES(column-name): define foreign
keys(in other table) that refer to the specified
column.
Suppose user Joe has created the tables
Boats, Reserves, and Sailors:
▪GRANT INSERT, DELETE ON Reserves TO Bob WITH
GRANT OPTION
▪ Bob can insert or delete Reserves rows and can
authorize other people to do the same.
▪ GRANT SELECT ON Reserves TO Michael
▪ GRANT SELECT ON Sailors TO Michael WITH GRANT
OPTION
With the SELECT privilege, Michael can:
CREATE VIEW ActiveSailors(name,age,day)
As SELECT S.sname, S.age, R.day
FROM Sailors S, Reserves R
WHERE S.sname=R.sname AND
S.rating > 6
But, he cannot grant SELECT on ActiveSailors to
others.
How about this one:

CREATE VIEW YoungSailors (sid, age, rating)

AS SELECT S.sid, S.age, S.rating
From Sailors S
WHERE S.age < 18
Here he can pass on the SELECT privilege on
YoungSailors to others.
Eg. GRANT SELECT ON YoungSailors TO ERIC
GRANT UPDATE (rating) ON Sailors TO Rose
▪ Rose can update only the rating column of Sailors
rows. For example:
UPDATE Sailors S
SET S.rating= 8;
▪ she can execute this command, which sets all
ratings to 8. However, she is not allowed to
execute SET S.age = 25, because she is not allowed
to update the age field.
UPDATE Sailors S
SET S.rating = S.rating-1

Can she execute this command?

NO!
Because it requires the SELECT privilege on the S.rating
column and Rose does not have this privilege!
GRANT FEFERENCES (bid) ON Boats TO Bill

Bill can refer to the bid column of Boats as a

foreign key in another table. For example, Bill can
create the Reserves table through the following
command:
CREATE TABLE Reserves (sname CHAR(10) NOT NULL,
bid INTEGER,
day DATE,
PRIMARY KEY (sname),
UNIQUE (sname),
FOREIGN KEY (bid) REFERENCES Boats)

If Bill did not have the REFERENCES privilege on the bid column of Boats,
he cannot execute this CREATE statement because the FOREIGN KEY
clause requires this privilege.
Specifying just the INSERT privilege in a GRANT command is
not the same as specifying SELECT (column-name) for each
column currently in the table.

▪ GRANT INSERT ON Sailors TO Michael

▪Michael has the INSERT privilege with respect to a
newly added column.
▪ GRANT INSERT ON Sailors(sid), Sailors(sname),
Sailors(rating), Sailors(age), TO
Michael
▪Michael would not have the INSERT privilege on the
new column.
REVOKE:
Is a complementary command to
GRANT that allows the withdrawal of
privileges.

REVOKE [ GRANT OPTION FOR ] privileges ON

object
FROM users { RESTRICT | CASCADE }
 Some examples on REVOKE
▪Consider what happens after the following sequence
of commands, where Joe is the creator of Sailors:

▪GRANT SELECT ON Sailors TO Art WITH GRANT

OPTION (executed by Joe)
▪GRANT SELECT ON Sailors TO Bob WITH GRANT
OPTION (executed by Art)
▪REVOKE SELECT ON Sailors FROM Art CASCADE
(executed by Joe)
 CASCADE AND RESTRICT
▪Bob’s privilege is said to be abandoned when the
privilege that he was derived from is revoked.

▪When the CASCADE keyword is specified, all the

abandoned privileges are also revoked.

▪If the RESTRICT keyword is specified in the REVOKE

command, the command is rejected if revoking the
privileges would result other privileges becoming
abandoned.
GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (executed by Joe)
GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (executed by Joe)
GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION (executed by Art)
REVOKE SELECT ON Sailors FROM Art CASCADE (executed by Joe)

Here Art will lose the SELECT privilege on Sailors.

Bob received this privilege from Art, but he also
received it independently from Joe. Thus Bob
retains this privilege.
GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (executed by Joe)
GRANT SELECT ON Sailors TO Art WITH GRANT OPTION (executed by Joe)
REVOKE SELECT ON Sailors FROM Art CASCADE (executed by Joe)

Although Joe granted the same privilege to Art

several times, he can revoke it with a single
REVOKE command.
▪GRANT SELECT ON Sailors To Art WITH GRANT
OPTION (executed by Joe)
▪REVOKE GRANT OPTION FOR SELECT ON Sailors
FROM Art CASCADE (executed by Joe)

▪This command would leave Art with the SELECT

privilege on Sailors, but Art wont’ have the grant
option and can ‘t pass it to others.
 GRANT SELECT ON Sailors TO Art WITH GRANT OPTION
(executed by Joe)
GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION
(executed by Art)
sys GRANT SELECT ON Sailors TO Art WITH GRANT OPTION
tem (executed by Bob)
GRANT SELECT ON Sailors TO Cal WITH GRANT OPTION
(executed by Joe)
GRANT SELECT ON Sailors TO Bob WITH GRANT OPTION
(executed by Cal)
Joe Art REVOKE SELECT ON Sailors FROM Art CASCADE
(executed by Joe)

Bo
Cal b
Important points:
▪A view may be dropped because a SELECT privilege
is revoked from the user who created the view.
▪If the creator of a view gains additional privileges
on the underlying tables, he or she automatically
gains additional privileges on the view.
▪The distinction between the REFERENCES and
SELECT privileges is important.
Mandatory access control
▪It is based on system wide policies that can not be
changed by individual users
▪In this approach each database object is assigned a
security class , each user is assigned clearance for a
security class, and rules are imposed on reading and
writing of database object by users
▪Discretionary access control is susceptible to Trojan horse
Schemes whereby a devious unauthorized user can trick an
authorized user into disclosing sensitive data
▪Mandatory access control aims at the loopholes in discretionary
access control
Role of Database Administrator (DBA)
▪Responsible for the overall security of the system !
▪Why?
▪DBA is the owner of data
▪DBA contributes to developing a security policy
▪DBA has a special account called system account
The DBA deals with…
▪Creating a new accounts
▪ Each new user or group of users must be
assigned an authorization id and a password
▪ Application programs that access the database
have the same authorization id as the user
executing the program
▪Mandatory control issues
▪ Assign security classes to each database object
and assign security clearance to each
authorization
SQL injection attacks
▪One of the most prevalent and dangerous network-
based security threats
▪Sends malicious SQL commands to the database
server
▪Depending on the environment SQL injection can
also be exploited to:
▪ Modify or delete data
▪ Execute arbitrary operating system commands
▪ Launch denial-of-service (DoS) attacks
A typical injection attack
Sample SQL injection
The SQLi attack typically works by prematurely terminating a text string
and appending a new command

SELECT fname
FROM student
where fname is ‘user prompt’;

User: John’; DROP table Course;

 Sample SQL injection:
tautology
$query= “
SELECT info FROM user WHERE name =
`$_GET[“name”]’ AND pwd = `GET[“pwd”]`
”;

Attacker enters: ` OR 1=1 –-

In-band attacks
Tautology: This form of attack injects code in one or more conditional
statements so that they always evaluate to true
End-of-line comment: After injecting code into a particular field,
legitimate code that follows are nullified through usage of end of line
comments
Piggybacked queries: The attacker adds additional queries beyond the
intended query, piggy-backing the attack on top of a legitimate request
Inferential attack (gathering
info)
▪There is no actual transfer of data, but the attacker
is able to reconstruct the information by sending
particular requests and observing the resulting
behavior of the Website/database server
▪ Illegal/logically incorrect queries: lets an attacker
gather important information about the type and
structure of the backend database of a Web
application
SQLi countermeasures
▪Defensive coding: stronger data validation
▪Detection
▪ Signature based
▪ Anomaly based
▪ Code analysis
▪Runtime prevention: Check queries at runtime to
see if they conform to a model of expected queries
References
https://www.imperva.com/learn/application-security/sql-injection-sqli/