Slide1: Database Security and Authorization By
Yazmin Escoto Rodriguez
Christine Tannuwidjaja
Main Types of Security:: Main Types of Security: Enforce security of portions of a database against unauthorized access
- Database Security and Authorization Subsystem
Prevent unauthorized persons from accessing the system itself
- Access Control
Control the access to statistical databases
- Statistical Database Security
Protect sensitive data that is being transmitted via some type of communications
- Data Encryption
Database Security and Authorization Subsystem : Database Security and Authorization Subsystem Discretionary Security Mechanisms
- concerned with defining, modeling, and enforcing access to information
Mandatory Security Mechanisms for Multilevel Security
- requires that data items and users are assigned to certain security labels
Mandatory Access Control : Mandatory Access Control Elements:
OBJECTS CLASSIFICATIONS
--class(o)--
SUBJECTS CLEARANCE
--clear(s)--
Levels: Top Secret, Secret, Confidential, Unclassified
Mandatory Access Control : Mandatory Access Control Rules:
Simple Property: subject s is allowed to read data item d if clear(s) ≥ class(d)
*-property:
subject s is allowed to write data item d if clear(s) ≤ class(d) Simple Property protects information from unauthorized access
*-property protects data from contamination or unauthorized modification
Multilevel Security Databases- example: Multilevel Security Databases- example Set up:
we have: - subject x with clear(x) = TS
- subject y with clear(y) = S
- subject z with clear(z) = U
Multilevel Security Databases- example: Multilevel Security Databases- example
Slide8: Multilevel Security Databases- example
Multilevel Security Databases- example: Multilevel Security Databases- example subject z wants to insert the next tuple
Polyinstantiation : the existence of multiple data objects with the same key
Multilevel Security Databases- example: Multilevel Security Databases- example
subject z wants to replace the null values with certain data items
Security Relevant Knowledge: Security Relevant Knowledge Entity Relationship
-- describes the structural part of the database Data Flow Diagram -- represents the functions the system should perform Classification Constraints
To assign to security classifications concepts of schemas:
ones that classify items
ones that classify query results
System Object: System Object What is it? Entity type
Specialization type
Relationship type In security it is the target of protection Notation O(A1..,An)
- Ai (i=1..N) is an attribute and is defined over domain Di Has an identity property (key attributes)
A ⊆ (A1,..,An)
Multilevel Secure Application: Multilevel Secure Application MAJOR QUESTION:
Which way should the attributes and occurrences of O be assigned to proper security classifications? CLASSIFICATION RESULT: Security object O multilevel security object Om Performed by means of security constraints
Graphical Extensions to the ER: Graphical Extensions to the ER N X P (U) (Co) (S) [U..S] [Co..TS] (TS) Secrecy Levels
Ranges of Secrecy Levels
Aggregation leading to TS (N..constant)
Inference leading to Co
Evaluation of predicate P
Security dependency
Slide15: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is
Assigned
to (0,N) (0,M) ER Diagram
Object Classification Constraints – Simple Constraints: Object Classification Constraints – Simple Constraints Let X be a set of attributes of security object O (X ⊆ {A1,…,An})
SiC (O(X))=C, (C ∈ SL)
Results in a multilevel object Om(A1, C1,…, An, Cn,TC) where Ci=C ∀ Ai ∈ X, Ci left unchanged for Ai ∉ X
Application to ER:
- SiC(Is Assigned to,{Function},S)
- assigns property Function of relationship “Is Assigned to” to a classification of secret.
Slide17: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is
Assigned
to (0,N) (0,M) ER Diagram – classifying properties of security objects
Object Classification Constraints – Content-based Constraints: Object Classification Constraints – Content-based Constraints Let Ai be an attribute of security object O with domain Di, let P be a predicate defined on Ai and let X ⊆ {Ai,…,An}
CbC (O(X), P: Ai θ a) = C or CbC (O(X), P: Ai θ Aj) = C
(θ ∈ {=,≠,,≤,≥}, a ∈ Di, i ≠ j, C ∈ SL)
For any instance o of security object O(A1,…,An) for which a predicate evaluates into true the transformation into o(a1,c1,…,an,cn,tc) is performed
Classifications are assigned in a way that ci = C in the case Ai ∈ X, ci left unchanged otherwise
Application to ER:
- CbC (Employee, {SSN, Name}, Salary, ‘≥’, ‘100’, Co))
- represents the semantic that properties SSN and Name of employees with a salary ≥ 100 are treated as confidential information
Slide19: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is
Assigned
to P (0,N) (0,M) ER Diagram – classifying properties of security objects
Object Classification Constraints – Complex Constraints: Object Classification Constraints – Complex Constraints Let O, O’ be two security objects and the existence of an instance o of O is dependent on the existence of a corresponding occurrence o’ of O’ where the k values of the identifying property K’ of o’ are identical to k values of attributes of o (foreign key)
Let P(O’) be a valid predicate defined on o’ and let X ⊆ {A1,…,An} be an attribute set of O
CoC (O(X), P(O’)) = C (C ∈ SL)
For every instance o of security object O(A1,…,An) for which a predicate evaluates into true in the related object o’ of O’ the transformation into o(a1,c1,…,an,cn,tc) is performed
Classifications are assigned in a way that ci = C in the case Ai ∈ X, ci left unchanged otherwise
Slide21: Object Classification Constraints – Complex Constraints (con’t)
Application to ER:
- CoC (Is Assigned to, {SSN}, Project, Subject, ‘=‘, ‘Research’, S)
- individual assignment data (SSN) is regarded as secret information in the case the assignment refers to a project with Subject = ‘Research’
Slide22: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is
Assigned
to P P (0,N) (0,M) ER Diagram – classifying properties of security objects
Slide23: Object Classification Constraints – Level-based Constraints Let level (Ai) be a function that returns the classification ci of the value of attribute Ai in object o(a1,c1,…,an,cn,tc) of a multilevel security object Om
Let X be a set of attributes of Om such that X ⊆ {A1,…,An}
LbC (O(X)) = level (Ai)
Result for every object o(a1,c1,…,an,cn,tc) to the assignment cj = ci in the case Aj ∈ X
Application to ER:
- LbC (Project, {Client}, Subject)
- states that property Client of security object Project must always have the same classification as the property Subject of the Project
Slide24: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is
Assigned
to P P (0,N) (0,M) ER Diagram – classifying properties of security objects
Slide25: Query Result Classification Constraints – Association-based Constraints Let O (A1,…An) be a security object with identifying property K
Let X (X ⊆ {A1,…,An} (K ⋂ X = {}) be a set of attributes of O
AbC (O (K,X)) = C (C ∈ SL)
Results in the assignment of security level C to the retrieval result of each query that takes X together with identifying property K
Application to ER:
- AbC (Employee, {Salary}, Co)
- the salary of an individual person is confidential
- the value of salaries without the information which employee gets what salary is unclassified
Slide26: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is
Assigned
to (0,N) (0,M) ER Diagram –
classifying query results [Co]
Slide27: Query Result Classification Constraints – Aggregation Constraints Let count(O) be a function that returns the number of instances referenced by a particular query and belonging to security object O (A1,…,An)
Let X (X ⊆ {A1,…,An}) be sensitive attributes of O
AgC (O, (X, count(O) > n = C (C ∈ SL, n ∈ N)
Result into the classification C for the retrieval result of a query in the case count(O) > n, i.e. the number of instances of O referenced by a query accessing properties X exceeds the value n
Slide28: Query Result Classification Constraints – Aggregation Constraints (con’t) Application to ER:
- AgC (Is Assigned to, {Title}, ‘3’, S)
- the information which employee is assigned to what projects is regarded as unclassified
- aggregating all assignments for a certain project and thereby inferring which team is responsible for what project is considered secret
Slide29: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is
Assigned
to (0,N) (0,M) ER Diagram –
classifying query results [Co] 3
Slide30: Query Result Classification Constraints – Inference Constraints Let PO be the set of multilevel objects involved in a potential logical inference
Let O, O’ be two particular objects from PO with corresponding multilevel representation O (A1,C1,…,An,Cn,TC) and O’ (A’1,C’1,…,A’n,C’n,TC’)
Let X ⊆ {A1,…,An} and Y ⊆ {A’1,…,A’n})
IfC (O(X), O’(Y)) = C
Results into the assignment of security level C to the retrieval result of each query that takes Y together with the properties in X
Slide31: Query Result Classification Constraints – Inference Constraints (con’t) Application to ER:
- IfC (Employee, {Dep}, Project, {Subject}, Co)
- consider the situation where the information which employee is assigned to what projects is considered as confidential
- from having access to the department an employee works for and to the subject of a project, users may infer which department may be responsible for the project and thus may conclude which employee are involved
Slide32: SSN Name Dep Salary Title Title Function SSN Date Client Subject Employee Project Is
Assigned
to (0,N) (0,M) ER Diagram –
classifying query results X [Co] 3
Slide33: QUESTION?