Computer Security: Principles and Practice

Computer Security Lecture 6

Chapter 5: Database Security


Database systems
• Structured collection of data stored for use by
one or more applications
• Contains the relationships between data items
and groups of data items
• Can sometimes contain sensitive data that
needs to be secured
• Query language: Provides a uniform interface to
the database

2
Database Security

3
Relational Databases
• Constructed from tables of data
– each column holds a particular type of data
– each row contains a specific value for each column
– ideally has one column where all values are unique,
forming an identifier/key for that row
• Have multiple tables linked by identifiers
• Use a query language to access data items
meeting specified criteria

4
Relational databases
• Table of data consisting of rows and columns
– Each column holds a particular type of data
– Each row contains a specific value for each column
– Ideally has one column where all values are unique,
forming an identifier/key for that row
• Enables the creation of multiple tables linked
together by a unique identifier that is present in all
tables
• Use a relational query language to access the
database
– Allows the user to request data that fit a given set of
criteria

5
A relational database example

6
Relational database terms

• Relation/table/file
• Tuple/row/record
• Attribute/column/field
• Primary key: uniquely identifies a row
• Foreign key: links one table to attributes in
another
• View/virtual table: Result of a query that
returns selected rows and columns from one or
more tables
7
Abstract view of a relation

8
Relational Database Elements

9
Structured Query Language
• Structured Query Language (SQL)
– originally developed by IBM in the mid-1970s
– standardized language to define, manipulate, and
query data in a relational database
– several similar versions of ANSI/ISO standard

CREATE TABLE department (
    Did INTEGER PRIMARY KEY,
    Dname CHAR (30),
    Dacctno CHAR (6) )

CREATE TABLE employee (
    Ename CHAR (30),
    Did INTEGER,
    SalaryCode INTEGER,
    Eid INTEGER PRIMARY KEY,
    Ephone CHAR (10),
    FOREIGN KEY (Did) REFERENCES department (Did) )

CREATE VIEW newtable (Dname, Ename, Eid, Ephone)
    AS SELECT D.Dname, E.Ename, E.Eid, E.Ephone
    FROM department D, employee E
    WHERE E.Did = D.Did

10
SQL injection attacks
• One of the most prevalent and dangerous
network-based security threats
• The attacker supplies input that the application
concatenates into a SQL query, so the input is
parsed and executed by the database server as
SQL commands
• Depending on the environment SQL injection
can also be exploited to:
– Modify or delete data
– Execute arbitrary operating system commands
– Launch denial-of-service (DoS) attacks

11
A typical injection attack

12
Sample SQL injection
• The SQLi attack typically works by prematurely
terminating a text string and appending a new
command

SELECT fname
FROM student
WHERE fname = 'user prompt';

User enters: John'; DROP TABLE Course;--

Resulting query, with a second statement appended and a
trailing comment that hides the original closing quote:

SELECT fname
FROM student
WHERE fname = 'John'; DROP TABLE Course;--';

13
Sample SQL injection: tautology
$query = "
  SELECT info FROM user WHERE name =
  '{$_GET['name']}' AND pwd = '{$_GET['pwd']}'
";

Attacker enters as the name: ' OR 1=1 --

Resulting query (the comment discards the password check):
SELECT info FROM user WHERE name = '' OR 1=1 --' AND pwd = ''

14
In-band attacks
• Tautology: This form of attack injects code in one
or more conditional statements so that they always
evaluate to true
• End-of-line comment: After injecting code into a
particular field, the legitimate code that follows is
nullified through the use of an end-of-line comment
• Piggybacked queries: The attacker adds additional
queries beyond the intended query, piggybacking
the attack on top of a legitimate request

15
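The three preceding slides (the string-terminating DROP TABLE, the tautology against the name/pwd query, and the in-band attack types) all come down to one defect: user input spliced into SQL text. The following is an added example, not code from the lecture or the textbook, that runs the slide's user/pwd query against a constructed in-memory SQLite database with each payload, and beside it the parameterised form that treats the same payloads as plain data. Table names, sample rows and the helper names are all assumptions made here for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the slide's user and Course tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (name TEXT, pwd TEXT, info TEXT);
        INSERT INTO user VALUES ('alice', 's3cret',  'alice-private');
        INSERT INTO user VALUES ('bob',   'hunter2', 'bob-private');
        CREATE TABLE course (cid INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO course VALUES (1, 'Security 101');
    """)
    return conn


def build_query(name, pwd):
    """The slide's query, assembled by string concatenation (this is the bug)."""
    return f"SELECT info FROM user WHERE name = '{name}' AND pwd = '{pwd}'"


def lookup_vulnerable(conn, name, pwd):
    """Runs the concatenated query as one statement. Enough for the tautology
    and end-of-line-comment attacks; sqlite3's execute() refuses a second
    statement, so the piggybacked case needs lookup_vulnerable_stacked()."""
    cur = conn.execute(build_query(name, pwd))
    return [row[0] for row in cur.fetchall()]


def lookup_vulnerable_stacked(conn, name, pwd):
    """Same concatenation, run through an API that accepts several statements,
    as many database drivers do by default."""
    conn.executescript(build_query(name, pwd))


def lookup_safe(conn, name, pwd):
    """Parameterised query: the input travels to the engine as data, never as SQL text."""
    cur = conn.execute("SELECT info FROM user WHERE name = ? AND pwd = ?", (name, pwd))
    return [row[0] for row in cur.fetchall()]


def table_exists(conn, table):
    cur = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,))
    return cur.fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Tautology: OR 1=1 makes every row match; the -- comment removes the password check.
    print(lookup_vulnerable(db, "' OR 1=1 --", "anything"))
    # End-of-line comment: log in as alice without her password.
    print(lookup_vulnerable(db, "alice' --", "wrong"))
    # Piggybacked query: a DROP TABLE rides along behind the SELECT.
    lookup_vulnerable_stacked(db, "x'; DROP TABLE course; --", "")
    print("course table still exists:", table_exists(db, "course"))
    # The parameterised query matches the payload literally as a user name, finding nothing.
    print(lookup_safe(db, "' OR 1=1 --", "anything"))
```

The split between execute() and executescript() is deliberate: whether a piggybacked second statement actually runs depends on the driver, not on the application code, so defensive coding cannot rely on the driver refusing it.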
Database Access Control
• DBMS provides access control for the database
• Assumes the user has already been authenticated
• DBMS grants specific access rights to portions of the
database
– e.g. create, insert, delete, update, read, write
– to the entire database, tables, selected rows or columns
– possibly dependent on the contents of a table entry
• Can support a range of policies:
– centralized administration
– ownership-based administration
– decentralized administration

16
Inferential attack (gathering info)
• There is no actual transfer of data; the attacker
reconstructs the information by sending particular
requests and observing the resulting behavior of the
Web site or database server
– Illegal/logically incorrect queries: the error messages
returned for deliberately malformed queries let an
attacker gather important information about the type
and structure of the backend database of a Web
application

17
Out-of-band attack
• Results are retrieved over a channel other than the
one used to inject the query (e.g. a DNS lookup or
HTTP request made by the database server to a host
the attacker controls)
• Used when there are limitations on information
retrieval, but outbound connectivity from the
database server is lax

18
SQLi countermeasures
• Defensive coding: stronger input validation and
parameterized queries, so user input is never
concatenated into SQL text
• Detection
– Signature based
– Anomaly based
– Code analysis
• Runtime prevention: check queries at runtime to see
if they conform to a model of expected queries

19
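The "runtime prevention" bullet above is easy to state and less obvious to build. The following is an added example, not code from the lecture or the textbook, of a simplified model-based check: the developer registers each query site with a template containing harmless placeholder literals, the guard reduces it to a shape (keywords, identifiers and operators kept, every literal replaced by a placeholder), and at runtime a built query is allowed only if it reduces to the same shape. Injected SQL adds tokens or comment markers and so changes the shape; a differently spelled literal does not. The tokenizer, the QueryGuard class and the site name "login" are assumptions made here; published tools of this kind derive the per-site models by static analysis rather than by hand.

```python
import re

# Token classes, tried in this order so that comments and string literals win
# over the operator characters they begin with.
_TOKEN_RE = re.compile(r"""
    (?P<comment>--[^\n]*|/\*.*?\*/)      |
    (?P<string>'(?:[^']|'')*')           |
    (?P<number>\d+(?:\.\d+)?)            |
    (?P<ident>[A-Za-z_][A-Za-z0-9_]*)    |
    (?P<op><>|<=|>=|!=|[=<>*,;()+\-/.])  |
    (?P<ws>\s+)                          |
    (?P<bad>.)
""", re.VERBOSE | re.DOTALL)


def shape(sql):
    """Reduce a query to its structure: keywords, identifiers and operators are
    kept (case-folded), literals become placeholders, and comment syntax or
    unlexable input (e.g. an unterminated quote) leaves a marker."""
    out, pos = [], 0
    while pos < len(sql):
        m = _TOKEN_RE.match(sql, pos)          # always matches: <bad> takes any char
        kind = m.lastgroup
        if kind == "ws":
            pass
        elif kind in ("string", "number", "comment", "bad"):
            out.append(f"<{kind}>")
        else:
            out.append(m.group().upper())
        pos = m.end()
    return tuple(out)


class QueryGuard:
    """One expected shape per query site, learned from the developer's template."""

    def __init__(self):
        self.models = {}

    def register(self, site, template_sql):
        self.models[site] = shape(template_sql)

    def allowed(self, site, runtime_sql):
        return shape(runtime_sql) == self.models[site]


def build_login_query(name, pwd):
    # The slide's concatenation, kept deliberately vulnerable so the guard has
    # something to catch.
    return f"SELECT info FROM user WHERE name = '{name}' AND pwd = '{pwd}'"


def guarded_login_query(guard, name, pwd):
    """Build the query, then refuse to return it unless it matches its model."""
    sql = build_login_query(name, pwd)
    if not guard.allowed("login", sql):
        raise PermissionError("query does not match its model: " + sql)
    return sql


if __name__ == "__main__":
    guard = QueryGuard()
    guard.register("login", "SELECT info FROM user WHERE name = 'x' AND pwd = 'x'")
    for name, pwd in [("alice", "s3cret"), ("O''Brien", "pw"),
                      ("' OR 1=1 --", ""), ("alice' --", "x")]:
        try:
            guarded_login_query(guard, name, pwd)
            print("allowed :", name)
        except PermissionError:
            print("rejected:", name)
```

Note what the guard does and does not do: a correctly escaped apostrophe (O''Brien) is still a single string literal and passes, while an unescaped one produces an extra identifier and an unterminated quote and is rejected along with the attacks. The check is a backstop for code that still concatenates; it does not replace parameterised queries.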
SQL Access Controls
• Determine whether a user has access to the entire
database or only to portions of it
• Two commands:
– GRANT {privileges | role} [ON table] TO {user |
role | PUBLIC} [IDENTIFIED BY password] [WITH
GRANT OPTION]
• e.g. GRANT SELECT ON ANY TABLE TO john
– REVOKE {privileges | role} [ON table] FROM
{user | role | PUBLIC}
• e.g. REVOKE SELECT ON ANY TABLE FROM john
– WITH GRANT OPTION: whether the grantee may in
turn grant the received privilege to other users
• Typical access rights are:
– SELECT, INSERT, UPDATE, DELETE, REFERENCES

20
Cascading Authorizations

21
Role-Based Access Control
• Role-based access control works well for a DBMS
– eases the administrative burden, improves security
• Categories of database users:
– application owner
– end user
– administrator
• DB RBAC must manage roles and their users

22
Inference

23
Inference Example

24
Inference Countermeasures
• Inference detection at database design
– alter database structure or access controls
• Inference detection at query time
– by monitoring and altering or rejecting queries

25
Statistical Databases
• Provides data of a statistical nature
– e.g. counts, averages
• Two types:
– pure statistical database
– ordinary database with statistical access
• some users have normal access, others statistical
• Access control objective is to allow statistical use
without revealing individual entries
• Security problem is one of inference

26
Protecting
Against
Inference

27
Perturbation
• Add noise to statistics generated from the data
– the published statistics then differ slightly from
the true values
• Data perturbation techniques
– data swapping
– generate statistics from a probability distribution
• Output perturbation techniques
– random-sample query
– statistic adjustment
• Must minimize the loss of accuracy in results

28
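The Statistical Databases, Inference Countermeasures and Perturbation slides describe the problem and the two families of defence without showing an attack. The following is an added example, not code from the lecture or the textbook, using a constructed five-row salary table: a differencing attack recovers one individual's salary from two permitted SUM queries, a query-set-size control refuses the queries involved, and a simple output perturbation (rounding every answer, one form of statistic adjustment) leaves only an approximation. The StatDB class, its parameters and the sample rows are assumptions made here.

```python
# Constructed sample table: (name, dept, salary), one row per employee.
EMPLOYEES = [
    ("alice", "eng", 71_250),
    ("bob",   "eng", 64_900),
    ("carol", "ops", 58_300),
    ("dave",  "eng", 90_400),
    ("eve",   "ops", 66_100),
]


class StatDB:
    """Statistical front end: callers receive aggregates, never rows.
    min_set_size enables query-set-size control; rounding > 1 enables a
    simple output perturbation (round every answer to that multiple)."""

    def __init__(self, rows, min_set_size=0, rounding=1):
        self.rows = rows
        self.min_set_size = min_set_size
        self.rounding = rounding

    def _query_set(self, predicate):
        subset = [r for r in self.rows if predicate(r)]
        n, k = len(self.rows), len(subset)
        # Refuse sets that are too small OR too large: the complement of a
        # tiny set identifies the same individuals.
        if self.min_set_size and not (self.min_set_size <= k <= n - self.min_set_size):
            raise PermissionError(
                f"query set size {k} not in [{self.min_set_size}, {n - self.min_set_size}]")
        return subset

    def _perturb(self, value):
        if self.rounding > 1:
            return int(round(value / self.rounding)) * self.rounding
        return value

    def count(self, predicate):
        return self._perturb(len(self._query_set(predicate)))

    def sum_salary(self, predicate):
        return self._perturb(sum(r[2] for r in self._query_set(predicate)))


def differencing_attack(db, target):
    """Two individually harmless aggregates whose difference is one row:
    SUM(salary) over everyone minus SUM(salary) over everyone but the target."""
    return db.sum_salary(lambda r: True) - db.sum_salary(lambda r: r[0] != target)


def demo(target="alice"):
    true_salary = {r[0]: r[2] for r in EMPLOYEES}[target]
    # 1. No controls: the difference is the target's exact salary.
    leaked = differencing_attack(StatDB(EMPLOYEES), target)
    # 2. Query-set-size control: the "everyone" query has k = n and is refused.
    try:
        differencing_attack(StatDB(EMPLOYEES, min_set_size=2), target)
        blocked = False
    except PermissionError:
        blocked = True
    # 3. Output perturbation: both sums are rounded to the nearest 10,000, so
    #    the difference only approximates the true value.
    approx = differencing_attack(StatDB(EMPLOYEES, rounding=10_000), target)
    return true_salary, leaked, blocked, approx


if __name__ == "__main__":
    print(demo())
```

Neither control is sufficient alone: a query-set-size limit is defeated by trackers (several allowed queries combined to isolate one row), and a fixed rounding rule can be averaged away by many overlapping queries, which is why output perturbation in practice adds random noise and the system also audits query history.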
Database Encryption
• Databases are typically a valuable information resource
– protected by multiple layers of security: firewalls,
authentication, O/S access control systems, DB access control
systems, and database encryption
• Can encrypt
– entire database - very inflexible and inefficient
– individual fields - simple but inflexible
– records (rows) or columns (attributes) - best
• also need attribute indexes to help data retrieval
• Varying trade-offs

29
Database Encryption

30
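The slide's "records (rows) ... also need attribute indexes" is the part that is hard to picture: if the server holds only ciphertext, how does it answer a range query? The following is an added example, not code from the lecture or the textbook, of one row-level scheme: each row is stored encrypted together with a coarse bucket number for the salary attribute; the client translates a range into the bucket numbers that overlap it, fetches those rows, decrypts them, and applies the exact predicate itself. The row cipher here is a toy HMAC-SHA256 keystream standing in for a real AEAD such as AES-GCM (it has no integrity protection and should not be reused), and the bucket boundaries, helper names and sample rows are assumptions made here.

```python
import bisect
import hashlib
import hmac
import json
import os

# --- toy row cipher ----------------------------------------------------------
# HMAC-SHA256 in counter mode used as a keystream, XORed over the JSON row.
# Stand-in for a real AEAD; NOT for production use.
def _keystream(key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_row(key, row):
    nonce = os.urandom(16)
    plaintext = json.dumps(row, sort_keys=True).encode()
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt_row(key, blob):
    nonce, ciphertext = blob[:16], blob[16:]
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


# --- bucketed attribute index ------------------------------------------------
# Salaries are split into buckets at these boundaries. The server stores only
# the bucket number beside each encrypted row; coarser buckets leak less about
# the distribution but make every query over-fetch more.
SALARY_BOUNDARIES = [60_000, 80_000]


def salary_bucket(salary):
    return bisect.bisect_right(SALARY_BOUNDARIES, salary)


def build_store(key, rows):
    """Server-side table: (bucket id, encrypted row) pairs."""
    return [(salary_bucket(r["salary"]), encrypt_row(key, r)) for r in rows]


def range_query(store, key, lo, hi):
    """Client-side range query. Returns the matching names and how many rows
    the server had to hand over, which shows the index's coarseness."""
    wanted = set(range(salary_bucket(lo), salary_bucket(hi) + 1))
    fetched = [decrypt_row(key, blob) for bucket, blob in store if bucket in wanted]
    matches = sorted(r["name"] for r in fetched if lo <= r["salary"] <= hi)
    return matches, len(fetched)


# Constructed sample rows.
EMPLOYEES = [
    {"name": "alice", "dept": "eng", "salary": 71_250},
    {"name": "bob",   "dept": "eng", "salary": 64_900},
    {"name": "carol", "dept": "ops", "salary": 58_300},
    {"name": "dave",  "dept": "eng", "salary": 90_400},
    {"name": "eve",   "dept": "ops", "salary": 66_100},
]

if __name__ == "__main__":
    key = os.urandom(32)
    store = build_store(key, EMPLOYEES)
    print("server sees:", [bucket for bucket, _ in store])
    print("salary in [60000, 70000]:", range_query(store, key, 60_000, 70_000))
```

The query for 60,000 to 70,000 touches one bucket, so the server returns three rows of which only two match; the client discards the third after decryption. The bucket numbers themselves are metadata the server can observe, so a deployment would assign them randomly rather than in order as done here.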
