Advanced Database Systems
Chapter 3: Database Integrity and Security
Introduction to Database Security Issues
 Types of Security
 Database security is a broad area that addresses many issues, including the following:
 Various legal and ethical issues - for example, some information may be deemed to be private.
 Policy issues at the governmental, institutional, or corporate level - for example, credit ratings and personal medical records.
 System-related issues - whether a security function should be handled at the physical hardware level, the operating system level, or the DBMS level.
 The need in some organizations to identify multiple security levels - for example, top secret, secret, confidential, and unclassified.
Threats to Databases
 Threats to databases can result in the loss or degradation of some or all of the following commonly accepted security goals: integrity, availability, and confidentiality.
 Loss of integrity - occurs when information is not protected from improper modification (insertion, creation and deletion).
 Loss of availability - refers to making objects unavailable to a human user or a program that has a legitimate right to them.
 Loss of confidentiality - refers to not protecting the data from unauthorized disclosure.
Cont’d…..
 It is now customary to refer to two types of database security mechanisms:
 Discretionary security mechanisms - these are used to grant privileges to users, including the capability to access specific data files, records, or fields in a specified mode (such as read, insert, delete, or update).
 Mandatory security mechanisms - these are used to enforce multilevel security by classifying the data and users into various security classes (or levels) and then implementing the appropriate security policy of the organization.
 To protect databases against the above types of threats, it is common to implement four kinds of control measures: access control, inference control, flow control, and encryption.
Cont’d….
 Access control - is handled by creating user accounts and passwords to control the login process by the DBMS.
 Inference control - for example, government statisticians or market research firms are allowed to access the database to retrieve statistical information about a population but not to access the detailed confidential information about specific individuals.
 Flow control - prevents information from flowing in such a way that it reaches unauthorized users (covert channels).
 Data encryption - is used to protect sensitive data (such as credit card numbers) that is transmitted via some type of communications network.
Database Security and the DBA
 The Database Administrator (DBA) is the central authority for managing a database system.
 The DBA performs the following types of actions:
 Account creation
 Privilege granting
 Privilege revocation
 Security level assignment
Sensitive Data and Types of Disclosures
 Sensitivity of data is a measure of the importance assigned to the data by its owner, for the purpose of denoting its need for protection.
 Several factors can cause data to be classified as sensitive:
 Inherently sensitive
 From a sensitive source
 Declared sensitive
 A sensitive attribute or sensitive record
 Sensitive in relation to previously disclosed data (due to non-sensitive data)
Cont’d…
 The three most important factors are data availability, access acceptability, and authenticity assurance.
 Data availability - if a user is updating a field, then this field becomes inaccessible and other users should not be able to view this data.
 Access acceptability - data should only be revealed to authorized users.
 Authenticity assurance - before granting access, certain external characteristics about the user may also be considered. For example, a user may only be permitted access during working hours.
Cont’d…
 Security: Means of ensuring that data is kept
safe from corruption and that access to it is
suitably controlled. To provide security means
to disclose only non-sensitive data, and
reject any query that references a sensitive
field.
 Precision: To protect all sensitive data while
disclosing as much non-sensitive data as
possible.
Discretionary Access Control Based on Granting and Revoking Privileges
 The typical method of enforcing discretionary access control in a database system is based on the granting and revoking of privileges.
Types of Discretionary Privileges
 The account level - at this level, the DBA specifies the particular privileges that each account holds independently of the relations in the database, e.g. CREATE TAB, DROP, ALTER.
 The relation (or table) level - at this level, the DBA can control the privilege to access each individual relation or view in the database.
Cont’d…..
 In SQL the following types of privileges can be granted on each individual relation R:
 SELECT (retrieval or read) privilege on R - gives the account retrieval privilege. In SQL this gives the account the privilege to use the SELECT statement to retrieve tuples from R.
 Modification privileges on R - this gives the account the capability to modify the tuples of R. In SQL this includes three privileges: UPDATE, DELETE, and INSERT.
 References privilege on R - this gives the account the capability to reference (or refer to) a relation R when specifying integrity constraints. This privilege can also be restricted to specific attributes of R.
Specifying Privileges through the Use of Views
 The mechanism of views is an important
discretionary authorization mechanism in its own
right. For example, if the owner A of a relation R
wants another account B to be able to retrieve
only some fields of R, then A can create a view V
of R that includes only those attributes and then
grant SELECT on V to B.
Revoking of Privileges
 In some cases it is desirable to grant a privilege to a user temporarily. For example, the owner of a relation may want to grant the SELECT privilege to a user for a specific task and then revoke that privilege once the task is completed.
 In SQL a REVOKE command is included for the purpose of canceling privileges.
Propagation of Privileges Using the GRANT OPTION
 Whenever the owner A of a relation R grants a privilege on R to another account B, the privilege can be given to B with or without the GRANT OPTION.
 If the GRANT OPTION is given, this means that B can also grant that privilege on R to other accounts.
 Suppose that B is given the GRANT OPTION by A and that B then grants the privilege on R to a third account C, also with the GRANT OPTION. In this way, privileges on R can propagate to other accounts without the knowledge of the owner of R.
 If the owner account A now revokes the privilege granted to B, all the privileges that B propagated based on that privilege should automatically be revoked by the system.
Example…
 Suppose that the DBA creates four accounts, A1, A2, A3, and A4, and wants only A1 to be able to create base relations. To do this, the DBA must issue the following GRANT command in SQL:
GRANT CREATE TAB TO A1;
or
CREATE SCHEMA EXAMPLE AUTHORIZATION A1;
 User account A1 can now create tables under the schema called EXAMPLE. To continue our example, suppose that A1 creates the two base relations EMPLOYEE and DEPARTMENT. A1 is then the owner of these two relations and hence has all the relation privileges on each of them. Next, suppose that account A1 wants to grant to account A2 the privilege to insert and delete tuples in both of these relations. However, A1 does not want A2 to be able to propagate these privileges to additional accounts. A1 can issue the following command:
GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;
Cont’d…
 Next, suppose that A1 wants to allow account A3 to retrieve information from either of the two tables and also to be able to propagate the SELECT privilege to other accounts. A1 can issue the following command:
GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION;
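The slides' A1 to A4 scenario carried through in working SQL, as an added example that is not part of the original slides. It assumes PostgreSQL run by a superuser (so SET ROLE works), lowercase roles a1 to a4 standing in for the accounts, and a view named emp_public of my own choosing; it shows the view-based restriction, the GRANT OPTION propagation and the cascading REVOKE described on the preceding slides, plus a column-restricted REFERENCES privilege.

```sql
-- Accounts A1..A4 from the slides as PostgreSQL roles; script run by a superuser (assumption).
CREATE ROLE a1 LOGIN;  CREATE ROLE a2 LOGIN;  CREATE ROLE a3 LOGIN;  CREATE ROLE a4 LOGIN;
CREATE SCHEMA example AUTHORIZATION a1;        -- the slides' CREATE SCHEMA form: A1 may create tables here
GRANT USAGE ON SCHEMA example TO a2, a3, a4;   -- PostgreSQL also needs schema USAGE before table privileges work

SET ROLE a1;                                   -- act as the owner A1
CREATE TABLE example.department (dno INTEGER PRIMARY KEY, dname TEXT NOT NULL);
CREATE TABLE example.employee   (ssn TEXT PRIMARY KEY, name TEXT NOT NULL, salary INTEGER,
                                 dno INTEGER REFERENCES example.department);

-- Relation-level privileges: A2 may insert and delete but cannot propagate (no GRANT OPTION).
GRANT INSERT, DELETE ON example.employee, example.department TO a2;
-- REFERENCES restricted to one attribute: A2 may only point foreign keys at department.dno.
GRANT REFERENCES (dno) ON example.department TO a2;
-- A3 may read both relations and pass SELECT on to other accounts.
GRANT SELECT ON example.employee, example.department TO a3 WITH GRANT OPTION;

-- Views as an authorization mechanism: A4 gets a view that omits salary, never the base table.
CREATE VIEW example.emp_public AS SELECT name, dno FROM example.employee;
GRANT SELECT ON example.emp_public TO a4;

-- Propagation: A3 passes SELECT on employee to A4 without A1 being involved.
SET ROLE a3;
GRANT SELECT ON example.employee TO a4;

-- Revocation by the owner: without CASCADE PostgreSQL refuses because A4's privilege depends
-- on A3's; with CASCADE the privilege A3 propagated to A4 is withdrawn as well.
SET ROLE a1;
REVOKE SELECT ON example.employee FROM a3 CASCADE;

-- Check what survived after the cascading revoke.
SELECT has_table_privilege('a4', 'example.employee',   'SELECT') AS a4_base_table,  -- went away with A3's grant
       has_table_privilege('a4', 'example.emp_public', 'SELECT') AS a4_view,        -- A1's direct grant stands
       has_table_privilege('a2', 'example.employee',   'INSERT') AS a2_insert;      -- unaffected by the revoke
```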
Mandatory Access Control for Multilevel Security
 Typical security classes are top secret (TS), secret (S), confidential (C), and unclassified (U), where TS is the highest level and U the lowest.
 For simplicity, we will use the system with four security classification levels, where TS ≥ S ≥ C ≥ U, to illustrate our discussion. The commonly used model for multilevel security, known as the Bell-La Padula model, classifies each subject (user, account, program) and object (relation, tuple, column, view, operation) into one of the security classifications TS, S, C, or U. We will refer to the clearance (classification) of a subject S as class(S) and to the classification of an object O as class(O).
Cont’d….
 Two restrictions are enforced on data access based on the subject/object classifications:
1. A subject S is not allowed read access to an object O unless class(S) ≥ class(O). This is known as the simple security property.
2. A subject S is not allowed to write an object O unless class(S) ≤ class(O). This is known as the star property (or *-property).
Cont’d……
 The first restriction is intuitive and enforces the obvious rule that no subject can read an object whose security classification is higher than the subject’s security clearance.
 The second restriction is less intuitive. It prohibits a subject from writing an object at a lower security classification than the subject’s security clearance. Violation of this rule would allow information to flow from higher to lower classifications, which violates a basic tenet of multilevel security.
 For example, a user (subject) with TS clearance may make a copy of an object with classification TS and then write it back as a new object with classification U, thus making it visible throughout the system.
Cont’d
 A multilevel relation schema R with n attributes would be represented as:
R(A1, C1, A2, C2, ..., An, Cn, TC)
 where each Ci represents the classification attribute associated with attribute Ai.
 The value of the tuple classification attribute TC in each tuple t, which is the highest of all attribute classification values within t, provides a general classification for the tuple itself.
Cont’d….
 The apparent key of a multilevel relation is the set of attributes that would have formed the primary key in a regular (single-level) relation.
 A multilevel relation will appear to contain different data to subjects (users) with different clearance levels. In some cases, it is possible to store a single tuple in the relation at a higher classification level and produce the corresponding tuples at a lower-level classification through a process known as filtering.
 In other cases, it is necessary to store two or more tuples at different classification levels with the same value for the apparent key. This leads to the concept of polyinstantiation, where several tuples can have the same apparent key value but have different attribute values for users at different clearance levels.
Example: Consider the Employee relation
[Figure not reproduced: the multilevel EMPLOYEE relation with attributes Name, Salary and Job_performance and their classification attributes, shown as Figure (a), and its filtered versions for clearances C and U, shown as Figures (b) and (c).]
Cont’d..
 Assume that the Name attribute is the apparent
key, and consider the query SELECT * FROM
EMPLOYEE. A user with security clearance S would
see the same relation shown in Figure (a), since all
tuple classifications are less than or equal to S.
 However, a user with security clearance C would
not be allowed to see the values for Salary of
‘Brown’ and Job_performance of ‘Smith’, since they
have higher classification. The tuples would be
filtered to appear as shown in Figure (b), with
Salary and Job_performance appearing as null.
Cont’d…
 For a user with security clearance U, the
filtering allows only the Name attribute of
‘Smith’ to appear, with all the other attributes
appearing as null (Figure (c)). Thus, filtering
introduces null values for attribute values
whose security classification is higher than the
user’s security clearance.
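The filtering of Figures (a) to (c) expressed as a view over a multilevel relation in the R(A1, C1, ..., An, Cn, TC) form, as an added example that is not part of the original slides. It assumes PostgreSQL, encodes the classes as U=1, C=2, S=3, TS=4 so that TS ≥ S ≥ C ≥ U is a numeric comparison, reads the caller's clearance from a session setting named app.clearance through a helper clearance() (both my own choices), and uses constructed sample rows built to match the slides' description of Smith and Brown.

```sql
-- Multilevel EMPLOYEE in the slides' R(A1,C1,...,An,Cn,TC) form; assumed PostgreSQL.
-- Classes as integers so that TS >= S >= C >= U is an ordinary comparison: U=1, C=2, S=3, TS=4.
CREATE TABLE employee_ml (
  name            TEXT     NOT NULL,
  name_c          SMALLINT NOT NULL CHECK (name_c     BETWEEN 1 AND 4),
  salary          INTEGER,
  salary_c        SMALLINT NOT NULL CHECK (salary_c   BETWEEN 1 AND 4),
  job_performance TEXT,
  job_perf_c      SMALLINT NOT NULL CHECK (job_perf_c BETWEEN 1 AND 4),
  tc              SMALLINT NOT NULL,
  -- TC must be the highest attribute classification within the tuple.
  CHECK (tc = GREATEST(name_c, salary_c, job_perf_c)),
  -- Name is only the apparent key; (Name, TC) leaves room for polyinstantiated tuples.
  PRIMARY KEY (name, tc)
);

-- Constructed sample rows matching the slides' description: Smith's Job_performance and
-- Brown's Salary are classified S, Brown's Name is C and Smith's Name is U.
INSERT INTO employee_ml VALUES
  ('Smith', 1, 40000, 2, 'Fair', 3, 3),
  ('Brown', 2, 80000, 3, 'Good', 2, 3);

-- The caller's clearance, read from a session setting (assumption). An unset or empty
-- setting counts as 0, below U, so the view fails closed and shows nothing.
CREATE FUNCTION clearance() RETURNS INTEGER LANGUAGE sql STABLE AS
$$ SELECT COALESCE(NULLIF(current_setting('app.clearance', true), ''), '0')::INTEGER $$;

-- Filtering view: a tuple is visible only if its apparent-key classification is within the
-- clearance; each other attribute becomes NULL when its own classification is higher.
-- This is the simple security property, class(S) >= class(O), applied attribute by attribute.
-- Users are granted SELECT on this view only, never on employee_ml (see the views slide).
CREATE VIEW employee AS
SELECT name,
       CASE WHEN salary_c   <= clearance() THEN salary          END AS salary,
       CASE WHEN job_perf_c <= clearance() THEN job_performance END AS job_performance
FROM   employee_ml
WHERE  name_c <= clearance();

SET app.clearance = '3';  SELECT * FROM employee;  -- clearance S: corresponds to Figure (a)
SET app.clearance = '2';  SELECT * FROM employee;  -- clearance C: corresponds to Figure (b)
SET app.clearance = '1';  SELECT * FROM employee;  -- clearance U: corresponds to Figure (c)
```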