Computer Security:

Principles and Practice

Chapter 5:
Database Security
EECS710: Information Security
Professor Hossein Saiedian
Fall 2014
Outline
• Introduced databases and DBMS
• Relational databases
• Database access control issues
▪ SQL, role-based
• Inference
• Statistical database security issues
• Database encryption
Database systems
• Structured collection of data stored for use by one or more
applications
• Contains the relationships between data items and groups of data
items
• Can sometimes contain sensitive data that needs to be secured
• Query language: Provides a uniform interface to the database
Database Security
Relational Databases
• Constructed from tables of data
▪ each column holds a particular type of data
▪ each row contains a specific value these
▪ ideally has one column where all values are unique, forming an identifier/key
for that row
• Have multiple tables linked by identifiers
• Sse a query language to access data items meeting specified criteria
Relational databases
• Table of data consisting of rows and columns
▪ Each column holds a particular type of data
▪ Each row contains a specific value for each column
▪ Ideally has one column where all values are unique, forming an identifier/key
for that row
• Enables the creation of multiple tables linked together by a unique
identifier that is present in all tables
• Use a relational query language to access the database
▪ Allows the user to request data that fit a given set of criteria
A relational database example
Relational database terms
• Relation/table/file
• Tuple/row/record
• Attribute/column/field
• Primary key: uniquely identifies a row
• Foreign key: links one table to attributes in another
• View/virtual table: Result of a query that returns selected rows and
columns from one or more tables
Abstract view of a relation
Relational Database Elements
 Structured Query Language
• Structure Query Language (SQL)
▪ originally developed by IBM in the mid-1970s
▪ standardized language to define, manipulate, and query
data in a relational database
▪ several similar versions of ANSI/ISO standard
CREATE TABLE department ( CREATE VIEW newtable (Dname, Ename, Eid, Ephone)
Did INTEGER PRIMARY KEY, AS SELECT D.Dname E.Ename, E.Eid, E.Ephone
Dname CHAR (30), FROM Department D Employee E
Dacctno CHAR (6) )
WHERE E.Did = D.Did

CREATE TABLE employee (

Ename CHAR (30),
Did INTEGER,
SalaryCode INTEGER,
Eid INTEGER PRIMARY KEY,
Ephone CHAR (10),
FOREIGN KEY (Did) REFERENCES department (Did) )
SQL injection attacks
• One of the most prevalent and dangerous network-based security
threats
• Sends malicious SQL commands to the database server
• Depending on the environment SQL injection can also be exploited to:
▪ Modify or delete data
▪ Execute arbitrary operating system commands
▪ Launch denial-of-service (DoS) attacks
A typical
injection
attack
Sample SQL injection
• The SQLi attack typically works by prematurely terminating a text
string and appending a new command

SELECT fname
FROM student
where fname is ‘user prompt’;

User: John’; DROP table Course;--

Sample SQL injection: tautology
$query= “
SELECT info FROM user WHERE name =
`$_GET[“name”]’ AND pwd = `GET[“pwd”]`
”;

Attacker enters: ` OR 1=1 –-

In-band attacks
• Tautology: This form of attack injects code in one or more conditional
statements so that they always evaluate to true
• End-of-line comment: After injecting code into a particular field,
legitimate code that follows are nullified through usage of end of line
comments
• Piggybacked queries: The attacker adds additional queries beyond
the intended query, piggy-backing the attack on top of a legitimate
request
Database Access Control
• DBMS provide access control for database
• assume have authenticated user
• DBMS provides specific access rights to portions of the database
▪ e.g. create, insert, delete, update, read, write
▪ to entire database, tables, selected rows or columns
▪ possibly dependent on contents of a table entry
• can support a range of policies:
▪ centralized administration
▪ ownership-based administration
▪ decentralized administration
Inferential attack (gathering info)
• There is no actual transfer of data, but the attacker is able to
reconstruct the information by sending particular requests and
observing the resulting behavior of the Website/database server
▪ Illegal/logically incorrect queries: lets an attacker gather important
information about the type and structure of the backend database of a Web
application
Out-band attack
• This can be used when there are limitations on information retrieval,
but outbound connectivity from the database server is lax
SQLi countermeasures
• Defensive coding: stronger data validation
• Detection
▪ Signature based
▪ Anomaly based
▪ Code analysis
• Runtime prevention: Check queries at runtime to see if they conform
to a model of expected queries
SQL Access Controls
• If the user has access to the entire database or just portions of it
• Two commands:
▪ GRANT {privileges | role} [ON table] TO {user | role | PUBLIC}
[IDENTIFIED BY password] [WITH GRANT OPTION]
o e.g. GRANT SELECT ON ANY TABLE TO john
▪ REVOKE {privileges | role} [ON table] FROM {user | role |
PUBLIC}
o e.g. REVOKE SELECT ON ANY TABLE FROM john
▪ WITH GRANT OPTION: whether grantee can grant “GRANT” option to
other users
• Typical access rights are:
▪ SELECT, INSERT, UPDATE, DELETE, REFERENCES
Cascading Authorizations
Role-Based Access Control
• Role-based access control work well for DBMS
▪ eases admin burden, improves security
• Categories of database users:
▪ application owner
▪ end user
▪ administrator
• DB RBAC must manage roles and their users
Inference
Inference Example
Inference Countermeasures
• Inference detection at database design
▪ alter database structure or access controls
• Inference detection at query time
▪ by monitoring and altering or rejecting queries
Statistical Databases
• Provides data of a statistical nature
▪ e.g. counts, averages
• Two types:
▪ pure statistical database
▪ ordinary database with statistical access
o some users have normal access, others statistical
• Access control objective to allow statistical use without revealing
individual entries
• Security problem is one of inference
Protecting Against Inference
Perturbation
• Add noise to statistics generated from data
▪ will result in differences in statistics
• Data perturbation techniques
▪ data swapping
▪ generate statistics from probability distribution
• Output perturbation techniques
▪ random-sample query
▪ statistic adjustment
• Must minimize loss of accuracy in results
Database Encryption
• Databases typical a valuable info resource
▪ protected by multiple layers of security: firewalls, authentication, O/S access control systems,
DB access control systems, and database encryption
• Can encrypt
▪ entire database - very inflexible and inefficient
▪ individual fields - simple but inflexible
▪ records (rows) or columns (attributes) - best
o also need attribute indexes to help data retrieval
• Varying trade-offs
Summary
• Introduced databases and DBMS
• Relational databases
• Database access control issues
▪ SQL, role-based
• Inference
• Statistical database security issues
• Database encryption
Bài tập
The following table shows a list of pets and their owners that is used by a veterinarian service.
• Describe four problems that are likely to occur when using this table.
• Break the table into two tables in a way that fixes the four problems.
Bài tập
Consider an SQL statement:
SELECT id, forename, surname FROM authors WHERE forename ‘john’ AND surname ‘smith’
a. What is this statement intended to do?
b. Assume the forename and surname fields are being gathered from user-suppliedinput, and
suppose the user responds with:
• Forename: jo’hn
• Surname: smith
• What will be the effect?
c. Now suppose the user responds with:
• Forename: jo’; drop table authors--
• Surname: smith
• What will be the effect?
Bài tập
• shows a fragment of code that implements the login functionality for a database application. The code dynamically
builds an SQL query and submits it to adatabase.
1. String login, password, pin, query
2. login = getParameter(“login”);
3. password = getParameter(“pass”);
3. pin = getParameter(“pin”);
4. Connection conn.createConnection(“MyDataBase”);
5. query = “SELECT accounts FROM users WHERE login=’” +
6. login + “‘AND pass = ’” + password +
7. “‘AND pin=” + pin;
8. ResultSet result = conn.executeQuery(query);
9. if (result!=NULL)
10 displayAccounts(result);
11 else
12 displayAuthFailed();
Code for Generating an SQL Query:
a. Suppose a user submits login, password, and pin as doe, secret, and 123. Show theSQL query that is generated.
b. Instead, the user submits for the login field the following:
• ’ or - -
• What is the effect?
Bài tập
c. suppose a user enters thefollowing into the login field:
• ’UNION SELECT cardNo from CreditCards where acctNo 10032 - -
• What is the effect?
Bài tập
Bài tập
• Consider the parts department of a plumbing contractor. The
department maintains an inventory database that includes parts
information (part number, description, color, size,number in stock,
etc.) and information on vendors from whom parts are obtained
(name,address, pending purchase orders, closed purchase orders,
etc.). In an RBAC system,suppose roles are defined for accounts
payable clerk, an installation foreman, and areceiving clerk. For each
role, indicate which items should be accessible for read-only andread-
write access.
Bài tập
• A sequence of grant operations for a specific access right on atable.
Assume at B revokes the access right from C. Using the conventions
defined in Section 5.2 , show the resulting diagram of access right
dependencies.
Bài tập
Imagine you are the database administrator for a military transportation system. Youhave a
table named cargo in your database that contains information on the various cargoholds
available on each outbound airplane. Each row in the table represents a singleshipment and
lists the contents of that shipment and the flight identification number. Onlyone shipment per
hold is allowed. The flight identification number may be cross-referencedwith other tables to
determine the origin, destination, flight time, and similar data. Thecargo table appears as
follows:
Bài tập
• Users hulkhogan and undertaker do not have the SELECT
access right to theInventory table and the Item table. These
tables were created by and are owned by userbruno-s. Write
the SQL commands that would enable bruno-s to grant
SELECT access tothese tables to hulkhogan and undertaker
Bài tập
• Consider a database table that includes a salary attribute. Suppose
the three queriessum, count, and max (in that order) are made on the
salary attribute, all conditioned onthe same predicate involving other
attributes. That is, a specific subset of records isselected and the
three queries are performed on that subset. Suppose the first two
queriesare answered, and the third query is denied. Is any
information leaked?