Chapter 2

Database Security and Authorization

1
1 Introduction to Database Security
Security issues
◦ Legal and ethical issues: The right to access
certain information. Some information may also
need to be kept private and cannot be accessed by
unauthorized people.
◦ Policy issues: At the governmental, institutional
and corporate level.
◦ System-related issues: Such as the system level at
which various security functions should be
enforced. For example, Hardware, OS or DBMS
level.
◦ The need to identify multiple security levels:  

2
Cont…

Threats to databases
◦ Loss of integrity
◦ Loss of availability
◦ Loss of confidentiality
To protect databases against these types of
threats, four kinds of countermeasures can be
implemented:
◦ Access control
◦ Inference control
◦ Flow control
◦ Encryption

3
Introduction (cont…)
 A DBMS typically includes a database security and
authorization subsystem that is responsible for ensuring the
security portions of a database against unauthorized access.
 Two types of database security mechanisms:
◦ Discretionary security mechanisms
◦ Mandatory security mechanisms
 The security mechanism of a DBMS must include
provisions for restricting access to the database as a whole
◦ This function is called access control and is handled by
creating user accounts and passwords to control login
process by the DBMS.

4
Introduction (cont…)
 The security problem associated with databases is that of
controlling the access to a statistical database, which is
used to provide statistical information or summaries of
values based on various criteria.
 Statistical database security problem should be handled
using inference control measures
 Another security is that of flow control, which prevents
information from flowing in such a way that it reaches
unauthorized users.
 Channels that are pathways for information to flow
implicitly in ways that violate the security policy of an
organization are called covert channels.

5
Introduction (cont…)
Another security issue is data encryption,
which is used to protect sensitive data (such
as credit card numbers) that is being
transmitted via some type of communication
network
Using encryption method, the data is
encoded using some encoding algorithm.
◦ Unauthorized user who access encoded data will
have difficulty deciphering it, but authorized users
are given decoding or decrypting algorithms (or
keys) to decipher data

6
1.2 Database Security and the DBA
The database administrator (DBA) is the
central authority for managing a database
system.
◦ The DBA’s responsibilities include
 Granting privileges to users who need to use the
system
 Classifying users and data in accordance with the
policy of the organization
The DBA is responsible for the overall
security of the database system.
7
1.2 Database Security and the DBA (cont…)

 The DBA has a DBA account in the DBMS

◦ Sometimes these are called a system or
superuser account
◦ These accounts provide powerful capabilities
such as:
1.Account creation
2.Privilege granting
3.Privilege revocation
4.Security level assignment
◦ Action 1 is access control, whereas 2 and 3 are
discretionary and 4 is used to control mandatory
authorization

8
1.3 Access Protection, User Accounts, and
Database Audits
Whenever a person or group of persons need
to access a database system, the individual or
group must first apply for a user account
◦ The DBA will then create a new account id and
password for the user if he/she deems there is a
legitimate need to access the database
The user must log in to the DBMS by
entering account id and password whenever
database access is needed

9
1.3 Access Protection, User Accounts, and
Database Audits (cont…)
The database system must also keep
track of all operations on the database
that are applied by a certain user
throughout each login session
◦ To keep a record of all updates applied to the
database and of the particular user who
applied each update, we can modify system
log, which includes an entry for each
operation applied to the database that may be
required for recovery from a transaction
failure or system crash

10
1.3 Access Protection, User Accounts, and
Database Audits (cont…)
If any tampering with the database is
suspected, a database audit is performed
◦ A database audit consists of reviewing the log
to examine all accesses and operations applied
to the database during a certain time period.
A database log that is used mainly for
security purposes is sometimes called an
audit trail.

11
 Discretionary Access Control

 This is the typical method of enforcing access control in

a database based on the granting and revoking
privileges.
2.1 Types of Discretionary Privileges
 The account level:
 At this level, the DBA specifies the particular
privileges that each account holds independently of
the relations in the database.
 The relation level (or table level):
◦ At this level, the DBA can control the privilege to
access each individual relation or view in the database.

12
Discretionary Privileges (cont…)
The Privileges at the account level apply to the
capabilities provided to the account itself and can
include
◦ the CREATE SCHEMA or CREATE TABLE
privilege, to create a schema or base relation;
◦ the CREATE VIEW privilege;
◦ the ALTER privilege, to apply schema changes such
as adding or removing attributes from relations;
◦ the DROP privilege, to delete relations or views;
◦ the MODIFY privilege, to insert, delete, or update
tuples;
◦ and the SELECT privilege, to retrieve information
from the database by using a SELECT query.

13
 Cont…
 The second level of privileges applies to the relation level
◦ This includes privileges on base relations and virtual
(view) relations.
 The granting and revoking of privileges generally follow
an authorization model for discretionary privileges known
as the access matrix model where
◦ The rows of a matrix M represents subjects (users,
accounts, programs)
◦ The columns represent objects (relations, records,
columns, views, operations).
◦ Each position M(i,j) in the matrix represents the types of
privileges (read, write, update) that subject i holds on
object j.

14
Types of Discretionary Privileges
(cont..)
To control the granting and revoking of relation
privileges, each relation R in a database is
assigned an owner account, which is typically the
account that was used when the relation was
created in the first place.
◦ The owner of a relation is given all privileges on that
relation.
◦ DBA can assign an owner to a whole schema by
creating the schema and associating the appropriate
authorization identifier with that schema, using the
CREATE SCHEMA command.
◦ The owner account holder can pass privileges on any
of the owned relation to other users by granting
privileges to their accounts.

15
Types of Discretionary Privileges
(cont…)
 In SQL, the following types of privileges can be granted on each
individual relation R:
◦ SELECT (retrieval or read) privilege on R:
 Gives a retrieval privilege to the account
 This gives the account holder the privilege to use the
SELECT statement to retrieve tuples from R.
◦ MODIFY privileges on R:
 This gives the account the capability to modify tuples of R.
 This privilege is further divided into UPDATE, DELETE,
and INSERT privileges to apply the corresponding SQL
command to R.
 In addition, both the INSERT and UPDATE privileges can
specify that only certain attributes can be updated by the
account

16
Types of Discretionary Privileges
(cont…)
The following types of privileges can be
granted on each individual relation R :
◦ REFERENCES privilege on R:
 This gives the account holder the right to reference
relation R when specifying integrity constraints
 The privilege can also be restricted to specific
attributes of R
Notice that to create a view, the account
must have SELECT privilege on all
relations involved in the view definition

17
2.2 Specifying Privileges Using Views

The mechanism of views is an important

discretionary authorization mechanism. For
example,
◦ If the owner A of a relation R wants another
account B to be able to retrieve only some fields
of R, then A can create a view V of R that
includes only those attributes and then grant
SELECT on V to B
◦ The same applies to limiting B to retrieving only
certain tuples of R; a view V’ can be created by
defining the view by means of a query that selects
only those tuples from R that A wants to allow B
to access

18
2.3 Revoking Privileges
In some cases, it is desirable to grant a
privilege to a user temporarily. For
example,
◦ The owner of a relation may want to grant the
SELECT privilege to a user for a specific task
and then revoke that privilege once the task is
completed
◦ Hence, a mechanism for revoking privileges
is needed.
◦ In SQL, a REVOKE command is included for
the purpose of canceling privileges.
19
2.4 Propagation of Privileges using the GRANT
OPTION
 Whenever the owner A of a relation R grants a privilege on R to
another account B, privilege can be given to B with or without the
GRANT OPTION.
 If the GRANT OPTION is given, this means that B can also grant
that privilege on R to other accounts.
◦ Suppose that B is given the GRANT OPTION by A and that B
then grants the privilege on R to a third account C, also with
GRANT OPTION.
◦ In this way, privileges on R can propagate to other accounts
without the knowledge of the owner of R.
◦ If the owner account A now revokes the privilege granted to B,
all the privileges that B propagated based on that privilege
should automatically be revoked by the system.

20
2.5 An Example
 Suppose that the DBA creates four accounts
◦ A1, A2, A3, A4
 and wants only A1 to be able to create base relations. Then, the
DBA must issue the following GRANT command in SQL
GRANT CREATE TABLE TO A1;
 The same effect can be accomplished by having the DBA issue a
CREATE SCHEMA command as follows:
CREATE SCHAMA schema1 AUTHORIZATION A1;

21
An Example (cont…)
 User account A1 can create tables under the schema called shema1.
 Suppose that A1 creates the two base relations EMPLOYEE and
DEPARTMENT
◦ A1 is then owner of these two relations and hence all the relation
privileges on each of them.
 Suppose that A1 wants to grant A2 the privilege to insert and delete
tuples in both of these relations, but A1 does not want A2 to be able
to propagate these privileges to additional accounts:
GRANT INSERT, DELETE ON
EMPLOYEE, DEPARTMENT TO A2;

22
2.5 An Example (cont…)
 Suppose that A1 wants to allow A3 to retrieve information from
either of the two tables and also to be able to propagate the
SELECT privilege to other accounts.
 A1 can issue the command:
GRANT SELECT ON EMPLOYEE, DEPARTMENT
TO A3 WITH GRANT OPTION;
 A3 can grant the SELECT privilege on the EMPLOYEE relation
to A4 by issuing:
GRANT SELECT ON EMPLOYEE TO A4;
◦ Notice that A4 can’t propagate the SELECT privilege because
GRANT OPTION was not given to A4

23
2.5 An Example (cont…)
Suppose that A1 decides to revoke the
SELECT privilege on the EMPLOYEE
relation from A3; A1 can issue:
REVOKE SELECT ON EMPLOYEE FROM A3;
The DBMS must now automatically
revoke the SELECT privilege on
EMPLOYEE from A4, too, because A3
granted that privilege to A4 and A3 does
not have the privilege any more.

24
2.5 Example (cont…)
 Suppose that A1 wants to give back to A3 a limited capability to
SELECT from the EMPLOYEE relation and wants to allow A3 to
be able to propagate the privilege.
◦ The limitation is to retrieve only the NAME, BDATE, and
ADDRESS attributes and only for the tuples with DNO=5.
 A1 then create the view:
CREATE VIEW A3EMPLOYEE AS
SELECT NAME, BDATE, ADDRESS
FROM EMPLOYEE
WHERE DNO = 5;
 After the view is created, A1 can grant SELECT on the view
A3EMPLOYEE to A3 as follows:
GRANT SELECT ON A3EMPLOYEE
TO A3
WITH GRANT OPTION;
25
An Example (cont…)
 Finally, suppose that A1 wants to allow A4 to update only the
SALARY attribute of EMPLOYEE;
 A1 can issue:
GRANT UPDATE ON EMPLOYEE (SALARY) TO A4;
◦ The UPDATE or INSERT privilege can specify particular
attributes that may be updated or inserted in a relation

26
3 Mandatory Access Control and Role-Based Access
Control for Multilevel Security
The discretionary access control techniques
of granting and revoking privileges on
relations has been the main security
mechanism for relational database systems.
This is an all-or-nothing method:
◦ A user either has or does not have a certain
privilege.
In many applications, additional security
policy is needed that classifies data and users
based on security classes.
◦ This approach as mandatory access control,
would typically be combined with the
discretionary access control mechanisms.

27
 3 Mandatory Access Control and Role-Based Access
Control for Multilevel Security (cont…)
 Typical security classes are top secret (TS), secret (S),
confidential (C), and unclassified (U), where TS is the highest
level and U the lowest: TS ≥ S ≥ C ≥ U
 The commonly used model for multilevel security, classifies each
subject (user, account, program) and object (relation, tuple,
column, view, operation) into one of the security classifications,
T, S, C, or U:
◦ Clearance (classification) of a subject S as class(S) and to the
classification of an object O as class(O).
 Two restrictions are enforced on data access based on the
subject/object classifications:
◦ Simple security property: A subject S is not allowed read
access to an object O unless class(S) ≥ class(O)
28
Mandatory Access Control and Role-Based Access Control
for Multilevel Security (cont…)
To incorporate multilevel security notions
into the relational database model, it is
common to consider attribute values and
tuples as data objects.
Hence, each attribute A is associated with a
classification attribute C in the schema, and
each attribute value in a tuple is associated
with a corresponding security classification.
In addition, in some models, a tuple
classification attribute TC is added to the
relation attributes to provide a classification
for each tuple as a whole.

29
3.1 Comparing Discretionary Access Control and
Mandatory Access Control
Discretionary Access Control (DAC)
policies are characterized by a high
degree of flexibility, which makes them
suitable for a large variety of application
domains.
◦ The main drawback of DAC models is their
vulnerability to malicious attacks, such as
Trojan horses embedded in application
programs

30
3.1 Comparing Discretionary Access Control and
Mandatory Access Control (cont…)
By contrast, mandatory policies ensure a
high degree of protection in a way, they
prevent any illegal flow of information.
Mandatory policies have the drawback of
being too rigid and they are only
applicable in limited environments.
In many practical situations, discretionary
policies are preferred because they offer a
better trade-off between security and
applicability.
31
3.2 Role-Based Access Control
Role-based access control (RBAC) has emerged
rapidly in the 1990s as a proven technology for
managing and enforcing security in large-scale
enterprise wide systems.
Its basic notion is that permissions are associated
with roles, and users are assigned to appropriate
roles.
Roles can be created using the CREATE ROLE
commands.
◦ The GRANT and REVOKE commands discussed
under DAC can then be used to assign and revoke
privileges from roles

32
3.2 Role-Based Access Control
(cont…)
RBAC appears to be a viable alternative to
discretionary and mandatory access controls;
it ensures that only authorized users are
given access to certain data or resources.
Many DBMSs have allowed the concept of
roles, where privileges can be assigned to
roles.
Role hierarchy in RBAC is a natural way of
organizing roles to reflect the organization’s
lines of authority and responsibility.

33
3.2 Role-Based Access Control
(cont…)
Using RBAC model is highly desirable
goal for addressing the key security
requirements of Web-based applications.
In contrast, discretionary access control
(DAC) and mandatory access control
(MAC) models lack capabilities needed
to support the security requirements
emerging enterprises and Web-based
applications.

34
4 Introduction to Statistical
Database Security
Statistical databases are used mainly to produce
statistics on various populations.
The database may contain confidential data on
individuals, which should be protected from user
access.
Users are permitted to retrieve statistical
information on the populations, such as
averages, sums, counts, maximums, minimums,
and standard deviations.
A population is a set of tuples of a relation (table)
that satisfy some selection condition.
Statistical queries involve applying statistical
functions to a population of tuples.

35
Statistical database Security (cont…)
For example, we may want to retrieve the number of
individuals in a population or the average income in
the population.
◦ However, statistical users are not allowed to retrieve
individual data, such as the income of a specific person.
Statistical database security techniques must prohibit
the retrieval of individual data.
This can be achieved by prohibiting queries that
retrieve attribute values and by allowing only
queries that involve statistical aggregate functions
such as COUNT, SUM, MIN, MAX, AVERAGE,
and STANDARD DEVIATION.
◦ Such queries are sometimes called statistical queries.

36
Statistical database Security
(cont…)
Itis DBMS’s responsibility to ensure
confidentiality of information about individuals,
while still providing useful statistical summaries
of data about those individuals to users.
Provision of privacy protection of users in a
statistical database is paramount.
In some cases it is possible to infer the values of
individual tuples from a sequence statistical
queries.
◦ This is particularly true when the conditions result in a
population consisting of a small number of tuples.

37
5. Encryption and Public Key Infrastructures

Encryption is a means of maintaining

secure data in an insecure environment.
Encryption consists of applying an
encryption algorithm to data using some
pre specified encryption key.
The resulting data has to be decrypted
using a decryption key to recover the
original data.

38
Public Key Encryption
The two keys used for public key encryption
are referred to as the public key and the
private key.
◦ the private key is kept secret.
A public key encryption scheme or
infrastructure, has six ingredients:
◦ Plaintext: This is the data or readable message
that is fed into the algorithm as input.
◦ Encryption algorithm: The encryption algorithm
performs various transformations on the
plaintext.
◦ Public and private keys: These are pair of keys
that have been selected so that if one is used for
encryption, the other is used for decryption.

39
Public Key Encryption (cont…)
A public key encryption scheme, or
infrastructure, has six ingredients
(cont…):
◦ Ciphertext:
 This is the scrambled message produced as output.
It depends on the plaintext and the key.
 For a given message, two different keys will
produce two different ciphertexts.
◦ Decryption algorithm:
 This algorithm accepts the ciphertext and the
matching key and produces the original plaintext.

40
Public Key Encryption (cont…)
Public key is made for public and private
key is known only by owner.
A general-purpose public key
cryptographic algorithm relies on
◦ one key for encryption and
◦ a different but related key for decryption.

41