Slide1: Database Security and Authorization By Yazmin Escoto Rodriguez Christine Tannuwidjaja


Main Types of Security:: Main Types of Security: Enforce security of portions of a database against unauthorized access - Database Security and Authorization Subsystem Prevent unauthorized persons from accessing the system itself - Access Control Control the access to statistical databases - Statistical Database Security Protect sensitive data that is being transmitted via some type of communications - Data Encryption


Database Security and Authorization Subsystem : Database Security and Authorization Subsystem Discretionary Security Mechanisms - concerned with defining, modeling, and enforcing access to information Mandatory Security Mechanisms for Multilevel Security - requires that data items and users are assigned to certain security labels


Mandatory Access Control : Mandatory Access Control Elements: OBJECTS CLASSIFICATIONS --class(o)-- SUBJECTS CLEARANCE --clear(s)-- Levels: Top Secret, Secret, Confidential, Unclassified


Mandatory Access Control : Mandatory Access Control Rules: Simple Property: subject s is allowed to read data item d if clear(s) ≥ class(d) *-property: subject s is allowed to write data item d if clear(s) ≤ class(d) Simple Property protects information from unauthorized access *-property protects data from contamination or unauthorized modification


Multilevel Security Databases- example: Multilevel Security Databases- example Set up: we have: - subject x with clear(x) = TS - subject y with clear(y) = S - subject z with clear(z) = U


Multilevel Security Databases- example: Multilevel Security Databases- example


Slide8: Multilevel Security Databases- example


Multilevel Security Databases- example: Multilevel Security Databases- example subject z wants to insert the next tuple Polyinstantiation : the existence of multiple data objects with the same key


Multilevel Security Databases- example: Multilevel Security Databases- example subject z wants to replace the null values with certain data items


Security Relevant Knowledge: Security Relevant Knowledge Entity Relationship -- describes the structural part of the database Data Flow Diagram -- represents the functions the system should perform Classification Constraints To assign to security classifications concepts of schemas: ones that classify items ones that classify query results


System Object: System Object What is it? Entity type Specialization type Relationship type In security it is the target of protection Notation O(A1..,An) - Ai (i=1..N) is an attribute and is defined over domain Di Has an identity property (key attributes) A ⊆ (A1,..,An)


Multilevel Secure Application: Multilevel Secure Application MAJOR QUESTION: Which way should the attributes and occurrences of O be assigned to proper security classifications? CLASSIFICATION RESULT: Security object O  multilevel security object Om Performed by means of security constraints


Graphical Extensions to the ER: Graphical Extensions to the ER N X P (U) (Co) (S) [U..S] [Co..TS] (TS) Secrecy Levels Ranges of Secrecy Levels Aggregation leading to TS (N..constant) Inference leading to Co Evaluation of predicate P Security dependency


Slide15: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is Assigned to (0,N) (0,M) ER Diagram


Object Classification Constraints – Simple Constraints: Object Classification Constraints – Simple Constraints Let X be a set of attributes of security object O (X ⊆ {A1,…,An}) SiC (O(X))=C, (C ∈ SL) Results in a multilevel object Om(A1, C1,…, An, Cn,TC) where Ci=C ∀ Ai ∈ X, Ci left unchanged for Ai ∉ X Application to ER: - SiC(Is Assigned to,{Function},S) - assigns property Function of relationship “Is Assigned to” to a classification of secret.


Slide17: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is Assigned to (0,N) (0,M) ER Diagram – classifying properties of security objects


Object Classification Constraints – Content-based Constraints: Object Classification Constraints – Content-based Constraints Let Ai be an attribute of security object O with domain Di, let P be a predicate defined on Ai and let X ⊆ {Ai,…,An} CbC (O(X), P: Ai θ a) = C or CbC (O(X), P: Ai θ Aj) = C (θ ∈ {=,≠,,≤,≥}, a ∈ Di, i ≠ j, C ∈ SL) For any instance o of security object O(A1,…,An) for which a predicate evaluates into true the transformation into o(a1,c1,…,an,cn,tc) is performed Classifications are assigned in a way that ci = C in the case Ai ∈ X, ci left unchanged otherwise Application to ER: - CbC (Employee, {SSN, Name}, Salary, ‘≥’, ‘100’, Co)) - represents the semantic that properties SSN and Name of employees with a salary ≥ 100 are treated as confidential information


Slide19: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is Assigned to P (0,N) (0,M) ER Diagram – classifying properties of security objects


Object Classification Constraints – Complex Constraints: Object Classification Constraints – Complex Constraints Let O, O’ be two security objects and the existence of an instance o of O is dependent on the existence of a corresponding occurrence o’ of O’ where the k values of the identifying property K’ of o’ are identical to k values of attributes of o (foreign key) Let P(O’) be a valid predicate defined on o’ and let X ⊆ {A1,…,An} be an attribute set of O CoC (O(X), P(O’)) = C (C ∈ SL) For every instance o of security object O(A1,…,An) for which a predicate evaluates into true in the related object o’ of O’ the transformation into o(a1,c1,…,an,cn,tc) is performed Classifications are assigned in a way that ci = C in the case Ai ∈ X, ci left unchanged otherwise


Slide21: Object Classification Constraints – Complex Constraints (con’t) Application to ER: - CoC (Is Assigned to, {SSN}, Project, Subject, ‘=‘, ‘Research’, S) - individual assignment data (SSN) is regarded as secret information in the case the assignment refers to a project with Subject = ‘Research’


Slide22: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is Assigned to P P (0,N) (0,M) ER Diagram – classifying properties of security objects


Slide23: Object Classification Constraints – Level-based Constraints Let level (Ai) be a function that returns the classification ci of the value of attribute Ai in object o(a1,c1,…,an,cn,tc) of a multilevel security object Om Let X be a set of attributes of Om such that X ⊆ {A1,…,An} LbC (O(X)) = level (Ai) Result for every object o(a1,c1,…,an,cn,tc) to the assignment cj = ci in the case Aj ∈ X Application to ER: - LbC (Project, {Client}, Subject) - states that property Client of security object Project must always have the same classification as the property Subject of the Project


Slide24: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is Assigned to P P (0,N) (0,M) ER Diagram – classifying properties of security objects


Slide25: Query Result Classification Constraints – Association-based Constraints Let O (A1,…An) be a security object with identifying property K Let X (X ⊆ {A1,…,An} (K ⋂ X = {}) be a set of attributes of O AbC (O (K,X)) = C (C ∈ SL) Results in the assignment of security level C to the retrieval result of each query that takes X together with identifying property K Application to ER: - AbC (Employee, {Salary}, Co) - the salary of an individual person is confidential - the value of salaries without the information which employee gets what salary is unclassified


Slide26: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is Assigned to (0,N) (0,M) ER Diagram – classifying query results [Co]


Slide27: Query Result Classification Constraints – Aggregation Constraints Let count(O) be a function that returns the number of instances referenced by a particular query and belonging to security object O (A1,…,An) Let X (X ⊆ {A1,…,An}) be sensitive attributes of O AgC (O, (X, count(O) > n = C (C ∈ SL, n ∈ N) Result into the classification C for the retrieval result of a query in the case count(O) > n, i.e. the number of instances of O referenced by a query accessing properties X exceeds the value n


Slide28: Query Result Classification Constraints – Aggregation Constraints (con’t) Application to ER: - AgC (Is Assigned to, {Title}, ‘3’, S) - the information which employee is assigned to what projects is regarded as unclassified - aggregating all assignments for a certain project and thereby inferring which team is responsible for what project is considered secret


Slide29: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is Assigned to (0,N) (0,M) ER Diagram – classifying query results [Co] 3


Slide30: Query Result Classification Constraints – Inference Constraints Let PO be the set of multilevel objects involved in a potential logical inference Let O, O’ be two particular objects from PO with corresponding multilevel representation O (A1,C1,…,An,Cn,TC) and O’ (A’1,C’1,…,A’n,C’n,TC’) Let X ⊆ {A1,…,An} and Y ⊆ {A’1,…,A’n}) IfC (O(X), O’(Y)) = C Results into the assignment of security level C to the retrieval result of each query that takes Y together with the properties in X


Slide31: Query Result Classification Constraints – Inference Constraints (con’t) Application to ER: - IfC (Employee, {Dep}, Project, {Subject}, Co) - consider the situation where the information which employee is assigned to what projects is considered as confidential - from having access to the department an employee works for and to the subject of a project, users may infer which department may be responsible for the project and thus may conclude which employee are involved


Slide32: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is Assigned to (0,N) (0,M) ER Diagram – classifying query results X [Co] 3


Slide33: QUESTION?