DBMS – Module – 5
Locking Techniques
Timestamp Ordering Protocol
The basic timestamp ordering protocol works as follows:
1. Check the following condition whenever a transaction Ti issues a Read (X) operation:
o If W_TS(X) > TS(Ti), then the operation is rejected and Ti is rolled back.
o If W_TS(X) <= TS(Ti), then the operation is executed and R_TS(X) is set to the larger of TS(Ti) and the current R_TS(X).
Where,
o TS(Ti) denotes the timestamp of transaction Ti.
o R_TS(X) denotes the read timestamp of data item X.
o W_TS(X) denotes the write timestamp of data item X.
o The TS protocol ensures freedom from deadlock, since no transaction ever waits.
o But the schedule may not be recoverable and may not even be cascade-free.
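As a rough illustration, here is a minimal sketch of the standard basic timestamp-ordering checks for Read(X) and Write(X), assuming each data item carries a read timestamp and a write timestamp; the names Item, read_ts, write_ts and TimestampOrderingError are illustrative, not part of any particular DBMS.

    from dataclasses import dataclass

    @dataclass
    class Item:
        value: object = None
        read_ts: int = 0   # largest TS of any transaction that has read X
        write_ts: int = 0  # largest TS of any transaction that has written X

    class TimestampOrderingError(Exception):
        """Raised when a conflicting operation forces Ti to be rolled back."""

    def read(item, ts_ti):
        # Read(X) rule: reject if a younger transaction has already written X.
        if ts_ti < item.write_ts:
            raise TimestampOrderingError("roll back Ti and restart it with a new timestamp")
        item.read_ts = max(item.read_ts, ts_ti)
        return item.value

    def write(item, ts_ti, new_value):
        # Write(X) rule: reject if a younger transaction has already read or written X.
        if ts_ti < item.read_ts or ts_ti < item.write_ts:
            raise TimestampOrderingError("roll back Ti and restart it with a new timestamp")
        item.value = new_value
        item.write_ts = ts_ti

A rejected transaction is rolled back and restarted with a fresh, larger timestamp, which is why no transaction ever waits under this protocol.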
Validation-Based Protocol
Validation-based (optimistic) concurrency control executes each transaction in three phases:
1. Read phase: In this phase, the transaction T is read and executed. It reads the values of the various data items and stores them in temporary local variables. It performs all its write operations on these temporary variables without updating the actual database.
2. Validation phase: In this phase, the temporary variable values are validated against the actual data to check whether they violate serializability.
3. Write phase: If the transaction passes validation, the temporary results are written to the database; otherwise the transaction is rolled back.
Validation (Ti): It is the time when Ti finishes its read phase and starts its validation phase.
o This protocol uses the timestamp of the validation phase as the timestamp of the transaction for serialization, since validation is the phase that actually determines whether the transaction will commit or roll back.
o Hence TS(T) = Validation(T).
o Serializability is determined during the validation process; it cannot be decided in advance.
o While executing the transaction, it allows a greater degree of concurrency with fewer conflicts.
o Thus it results in fewer transaction rollbacks.
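To make the three phases concrete, here is a minimal sketch of a backward-validation test under the usual assumptions (each transaction records its start, validation and finish times plus its read and write sets); the Txn class and its field names are illustrative.

    from dataclasses import dataclass, field

    @dataclass
    class Txn:
        start: int
        validation: int
        finish: int
        read_set: set = field(default_factory=set)
        write_set: set = field(default_factory=set)

    def validate(ti, committed):
        # Ti may enter its write phase only if, for every earlier-validated Tj,
        # either Tj finished before Ti started, or Tj finished before Ti's
        # validation and Tj's writes do not overlap Ti's reads.
        for tj in committed:
            if tj.finish < ti.start:
                continue
            if tj.finish < ti.validation and not (tj.write_set & ti.read_set):
                continue
            return False          # possible conflict: roll Ti back
        return True

    t1 = Txn(start=1, validation=4, finish=5, read_set={"X"}, write_set={"X"})
    t2 = Txn(start=2, validation=6, finish=0, read_set={"X"}, write_set={"Y"})  # finish not yet known
    print(validate(t2, [t1]))     # False: T1 wrote X, which T2 read while T1 was still active

If validate() returns True, the transaction copies its temporary writes to the database in the write phase; otherwise it is rolled back and restarted.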
Multiple Granularity
Let's start by understanding the meaning of granularity: granularity is the size of the data item that a transaction is allowed to lock.
Multiple Granularity:
o It can be defined as hierarchically breaking up the database into blocks which can be locked.
o The Multiple Granularity protocol enhances concurrency and reduces lock overhead.
o It keeps track of what to lock and how to lock.
o It makes it easy to decide whether to lock or unlock a data item. This type of hierarchy can be represented graphically as a tree.
In this example, the highest level of the hierarchy is the entire database; the levels below it are of type area, file, and record.
Intention-Shared (IS): It indicates explicit locking at a lower level of the tree, but only with shared locks.
Intention-Exclusive (IX): It indicates explicit locking at a lower level with exclusive or shared locks.
Shared & Intention-Exclusive (SIX): In this lock, the node is locked in shared mode, and some lower-level node is locked in exclusive mode by the same transaction.
Compatibility Matrix with Intention Lock Modes: The compatibility matrix for these lock modes (IS, IX, S, SIX, X) determines which modes may be held concurrently on the same node by different transactions; a sketch encoding the standard matrix follows the protocol rules below.
The multiple-granularity protocol uses the intention lock modes to ensure serializability. It requires that a transaction Ti attempting to lock a node must follow these rules:
o Ti must observe the lock-compatibility matrix.
o Ti must lock the root of the tree first, and it may lock it in any mode.
o Ti may lock a node in S or IS mode only if it currently holds the parent of that node in IS or IX mode.
o Ti may lock a node in X, SIX, or IX mode only if it currently holds the parent of that node in IX or SIX mode.
o Ti may lock a node only if it has not previously unlocked any node (i.e., Ti is two-phase).
o Ti may unlock a node only if it currently holds no lock on any child of that node.
Observe that in multiple granularity, locks are acquired in top-down (root-to-leaf) order, while they are released in bottom-up (leaf-to-root) order.
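Since the compatibility table itself is not reproduced in these notes, the sketch below encodes the textbook compatibility matrix for IS, IX, S, SIX, and X and shows how a lock request would be checked against the modes already held on a node; can_grant is an illustrative helper, not a real DBMS API.

    # True means the two modes can be held on the same node by different transactions.
    COMPATIBLE = {
        "IS":  {"IS": True,  "IX": True,  "S": True,  "SIX": True,  "X": False},
        "IX":  {"IS": True,  "IX": True,  "S": False, "SIX": False, "X": False},
        "S":   {"IS": True,  "IX": False, "S": True,  "SIX": False, "X": False},
        "SIX": {"IS": True,  "IX": False, "S": False, "SIX": False, "X": False},
        "X":   {"IS": False, "IX": False, "S": False, "SIX": False, "X": False},
    }

    def can_grant(requested, held_modes):
        # A request is granted only if it is compatible with every mode already held.
        return all(COMPATIBLE[requested][held] for held in held_modes)

    print(can_grant("IX", {"IS", "IX"}))  # True: intention modes coexist
    print(can_grant("X", {"IS"}))         # False: X conflicts with every other mode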
o If transaction T1 reads record Ra2 in file Fa, then T1 needs to lock the database, area A1, and file Fa in IS mode (and in that order); finally, it needs to lock Ra2 in S mode (see the sketch after this list).
o If transaction T2 modifies record Ra9 in file Fa, then it can do so after locking the database, area A1, and file Fa in IX mode; finally, it needs to lock Ra9 in X mode.
o If transaction T3 reads all the records in file Fa, then T3 needs to lock the database and area A1 in IS mode; finally, it needs to lock Fa in S mode.
o If transaction T4 reads the entire database, then T4 needs to lock the database in S mode.
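The sketch below replays the first example (T1 reading a single record): IS locks are taken root-to-leaf on the ancestors, an S lock on the record, and everything is released leaf-to-root. DemoLockManager is a toy stand-in that only records the order of calls.

    class DemoLockManager:
        """Toy lock manager that just prints the order of lock/unlock calls."""
        def lock(self, txn, node, mode):
            print(f"{txn}: lock {node} in {mode} mode")
        def unlock(self, txn, node):
            print(f"{txn}: unlock {node}")

    def read_record(mgr, txn):
        path = ["database", "area A1", "file Fa", "record Ra2"]
        # Top-down: IS on every ancestor, S on the record itself.
        for node in path[:-1]:
            mgr.lock(txn, node, "IS")
        mgr.lock(txn, path[-1], "S")
        # ... read the record here ...
        # Bottom-up: release the record first, the root last.
        for node in reversed(path):
            mgr.unlock(txn, node)

    read_record(DemoLockManager(), "T1")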
Log-Based Recovery
o The log is a sequence of records. The log of each transaction is maintained in some stable storage so that if any failure occurs, the database can be recovered from it.
o If any operation is performed on the database, then it is recorded in the log.
o But the process of storing the log records must be completed before the actual transaction is applied to the database.
Let's assume there is a transaction to modify the City of a student. The following log records are written for this transaction:
1. <Tn, Start>
2. <Tn, City, 'old value', 'new value'>
3. <Tn, Commit>
1. If the log contains the record <Ti, Start> and either <Ti, Commit> or <Ti, Abort>, then transaction Ti needs to be redone.
2. If the log contains the record <Ti, Start> but contains neither <Ti, Commit> nor <Ti, Abort>, then transaction Ti needs to be undone.
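As a minimal sketch of these two rules, assume the log is held as a list of tuples such as ('start', 'Tn'), ('update', 'Tn', 'City', old, new), ('commit', 'Tn'); the record layout and the classify_transactions helper are illustrative.

    def classify_transactions(log):
        """Scan the log once and decide which transactions to redo and which to undo."""
        started, finished = set(), set()
        for record in log:
            kind, txn = record[0], record[1]
            if kind == "start":
                started.add(txn)
            elif kind in ("commit", "abort"):
                finished.add(txn)
        redo = started & finished   # <Ti, Start> plus either <Ti, Commit> or <Ti, Abort>
        undo = started - finished   # <Ti, Start> with no commit/abort record
        return redo, undo

    log = [("start", "T1"), ("update", "T1", "City", "OldValue", "NewValue"),
           ("commit", "T1"), ("start", "T2")]
    print(classify_transactions(log))   # ({'T1'}, {'T2'})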
Database Security
Security of databases refers to the array of controls, tools, and procedures designed to ensure and safeguard confidentiality, integrity, and availability. This tutorial concentrates on confidentiality because it is the component most at risk in data security breaches.
Security for databases must cover and safeguard the following aspects:
o The data in the database.
o The database management system (DBMS).
o Any associated applications.
o The physical or virtual database server and the underlying hardware.
o The computing and network infrastructure used to access the database.
Securing databases is a complicated and challenging task that involves all aspects of security practices and technologies. It is also inherently at odds with the accessibility of databases: the more usable and accessible the database is, the more susceptible it is to security threats; the more hardened it is against threats, the more difficult it is to access and use.
According to the definition, a data breach refers to a breach of data confidentiality in databases. The amount of damage a data breach can cause our business depends on several consequences and factors.
Incorrect software configurations, vulnerabilities, and patterns of carelessness or misuse can all lead to security breaches. The following are among the most common types and causes of attacks on database security.
Insider Dangers
An insider threat is a security threat from any of three kinds of actors who hold privileged access to the database: a malicious insider, a negligent insider, or an outside infiltrator who has obtained credentials.
Insider threats are among the most frequent causes of database security breaches, and they often result from allowing too many employees to hold privileged user access credentials.
Human Error
Unintentional mistakes, weak passwords, password sharing, and other negligent or uninformed user behaviours remain the root cause of almost half (49 percent) of all data security breaches.
Exploitation of Database Software Vulnerabilities
Hackers earn their living by finding and exploiting vulnerabilities in software such as database management software. The major database software vendors and open-source database management platforms release regular security patches to fix these weaknesses; however, failing to apply the patches promptly increases the risk of being hacked.
SQL/NoSQL Injection Attacks
A database-specific threat is the injection of arbitrary SQL (or non-SQL) attack strings into database queries delivered by web applications or HTTP headers. Organizations that do not follow secure coding practices for web applications and do not perform regular vulnerability testing are open to such attacks.
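As an illustration of the safe coding practice mentioned above, the sketch below contrasts a query built by string concatenation with a parameterized query, using Python's standard sqlite3 module; the users table and the payload are made up for the example.

    import sqlite3

    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, city TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'Delhi')")

    user_input = "x' OR '1'='1"   # a typical injection payload

    # Vulnerable: the payload is spliced into the SQL text and changes its meaning.
    vulnerable = "SELECT * FROM users WHERE name = '%s'" % user_input
    print(conn.execute(vulnerable).fetchall())           # returns every row

    # Safe: the driver passes the payload strictly as a data value.
    safe = "SELECT * FROM users WHERE name = ?"
    print(conn.execute(safe, (user_input,)).fetchall())  # returns no rows

Because the parameterized form treats the input purely as data, the injected OR '1'='1' clause never becomes part of the SQL statement.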
Buffer Overflow Attacks
A buffer overflow occurs when a program attempts to copy more data into a fixed-length block of memory than the block can hold. Attackers may use the excess data, which is stored in adjacent memory addresses, as a foundation from which to launch attacks.
Denial-of-Service (DoS) Attacks
In a denial-of-service (DoS) attack, the attacker floods the target server -- in this case, the database server -- with so many requests that it can no longer serve legitimate requests from actual users. In many cases, the server becomes unstable or fails altogether.
Malware
Malware is software written specifically to exploit vulnerabilities or otherwise cause harm to the database. Malware can arrive via any endpoint device that connects to the database's network.
Attacks on Backups
Companies that do not protect backup data using the same rigorous controls employed to protect databases
themselves are at risk of cyberattacks on backups.
The impact of these threats is amplified by the following factors:
o Data volumes are growing: Data capture, storage, and processing continue to grow exponentially in almost all organizations. Any data security tools or practices must be highly scalable to meet both current and future needs.
o The infrastructure is sprawling: Network environments are becoming more complex, particularly as companies move workloads to multi-cloud and hybrid-cloud architectures, making the selection, deployment, and management of security solutions more difficult.
o More stringent regulatory compliance requirements: The worldwide regulatory compliance landscape continues to grow in complexity, which makes complying with every mandate more challenging.
When evaluating database security in our environment to determine our organization's top priorities, consider each of the following areas.
o Physical security: Whether the database server is on-premises or in a cloud data centre, it should be located in a secure, climate-controlled environment. (If the database server is in a cloud data centre, the cloud provider handles physical security on our behalf.)
o Administrative and network access restrictions: The practical minimum number of users should be granted access to the database, and their access rights should be restricted to the minimum level required to fulfil their tasks. Likewise, network access should be limited to the minimum set of permissions needed.
o End-user account and device security: Always be aware of who is accessing the database and when and how the data is being used. Data monitoring tools can alert us to data activities that are unusual or appear risky. Any device that connects to the network hosting the database should be physically secured (in the sole control of the appropriate person) and subject to security checks at all times.
o Encryption: All data -- including data stored in the database as well as credential information -- should be protected with best-in-class encryption while at rest and in transit. All encryption keys must be handled in accordance with best-practice guidelines. (A minimal encryption sketch appears after this list.)
o Database software security: Always use the most recent version of our database management software, and apply all patches as soon as they are released.
o Application and web server security: Any application or web server that connects to the database can be an attack channel and should be subject to periodic security testing and best-practice management.
o Security of backups: All backups, images, or copies of the database should have the identical (or equally
rigorous) security procedures as the database itself.
o Auditing: Audits of database security standards should be conducted regularly (at least every few months). Record all logins to the database server and the operating system, and log all operations performed on sensitive data as well.
o Discovery: The ability to discover is often needed to meet regulatory compliance requirements. Look for a
tool that can detect and categorize weaknesses across our databases, whether they're hosted in the cloud or
on-premises. It will also provide recommendations to address any vulnerabilities that are discovered.
o Monitoring of Data Activity: The solution should be capable of monitoring and analysing the entire data
activity in all databases, whether our application is on-premises, in the cloud, or inside a container. It will
alert us to suspicious activity in real-time to allow us to respond more quickly to threats. It also provides
visibility into the state of our information through an integrated and comprehensive user interface. It is also
important to choose a system that enforces rules that govern policies, procedures, and the separation of
duties. Be sure that the solution we select is able to generate the reports we need to comply with the
regulations.
o The ability to Tokenize and Encrypt Data: In case of an incident, encryption provides an additional line of defence against compromise. Any software we choose must offer the flexibility to protect data in cloud, on-premises, hybrid, or multi-cloud environments. Look for a tool with volume, file, and application-level encryption capabilities that meet our company's compliance requirements; this may require tokenization (data masking) or advanced management of security keys.
o Optimization of Data Security and Risk Analysis: A tool that provides contextual insights by combining security data with advanced analytics lets users perform optimization, risk analysis, and reporting with ease. Choose a solution that can retain and combine large volumes of recent and historical data about the security and state of our databases, and that offers data exploration, auditing, and reporting capabilities through an extensive but user-friendly self-service dashboard.
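To make the encryption point above concrete, here is a minimal sketch of symmetric encryption at rest using the Fernet recipe from the third-party cryptography package (an assumption about tooling; in practice the key would come from a key-management service, and any vetted library that satisfies the compliance requirements would do).

    from cryptography.fernet import Fernet   # third-party: pip install cryptography

    # In production the key comes from a key-management service, never from source code.
    key = Fernet.generate_key()
    cipher = Fernet(key)

    # Encrypt before writing to the database column or backup file.
    ciphertext = cipher.encrypt(b"salary=85000")

    # Decrypt only inside the application, after access control checks.
    plaintext = cipher.decrypt(ciphertext)
    assert plaintext == b"salary=85000"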
• Assumption: The underlying computer system (housing the database) has authenticated the user to
access the system as well as granted access to the database.
• A Database Access Control System provides a specific capability that controls access to portions of the
database.
– Centralized admin: A small number of privileged users may grant and revoke access rights
– E.g., In a personnel database, a department manager may only be allowed to view salary info for
employees in his/her department.
• SQL provides two commands for managing access rights: GRANT and REVOKE.
• GRANT command
– Used to grant one or more access rights or can be used to assign a user to a role.
– For access rights, the command can optionally specify that it applies only to a specified table.
– The TO clause specifies the user or role to which the rights are granted.
– A PUBLIC value indicates that any user has the specified access rights.
– The optional IDENTIFIED BY clause specifies a password that must be used to revoke the access rights
of this GRANT command.
– The GRANT OPTION indicates that the grantee can grant this access right to other users, with or
without the grant option.
Example:
    GRANT SELECT ON ANY TABLE TO kenny
This statement permits user ‘kenny’ to query any table in the database.
Inference
• Inference is the process of performing authorized queries and deducing unauthorized information
from the legitimate responses received.
• The inference problem arises when a combination of a number of data items is more sensitive than
the individual items, or when a combination of data items can be used to infer data of a higher
sensitivity.
• The attackers may use non-sensitive data and metadata (knowledge about correlations or dependencies among data items) to deduce sensitive information.
• The information transfer path by which unauthorized data is obtained is referred to as an inference
channel.
• Statistical databases (SDBs) are of two types:
– Pure statistical database: Only stores statistical data (like a census database)
– Ordinary database with statistical access: Contains individual entries but allows statistical users to issue only statistical (aggregate) queries
• The access control objective of an SDB is to provide users with the aggregate information without
compromising the confidentiality of any individual entity present in the database.
• Statistics are derived from a database by means of a logical Boolean formula (referred to as a characteristic formula, C).
• A characteristic formula uses the operators OR, AND, and NOT (+, *, ~), written here in increasing order of priority.
– E.g., (Sex = Male) * ( (Major = CS) + (Major = EE)) specifies all male students majoring in either CS or EE
– For numerical attributes, relational operators may be used. E.g., (GP > 3.7) specifies all students whose
grade point average is above 3.7.
• For simplicity, we may omit the attribute names if they are clear from context. E.g., Male * (CS + EE)
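A small sketch of how a characteristic formula selects a query set, and of how two individually permitted aggregate queries can form an inference channel; the records and attribute values are invented for the example.

    records = [
        {"Name": "A", "Sex": "Male",   "Major": "CS", "GP": 3.8, "Salary": 40},
        {"Name": "B", "Sex": "Male",   "Major": "EE", "GP": 3.1, "Salary": 50},
        {"Name": "C", "Sex": "Female", "Major": "CS", "GP": 3.9, "Salary": 60},
    ]

    # Characteristic formula  C = (Sex = Male) * ((Major = CS) + (Major = EE))
    C = lambda r: r["Sex"] == "Male" and r["Major"] in ("CS", "EE")

    query_set = [r for r in records if C(r)]
    print(len(query_set))                                   # COUNT(C)  -> 2

    # Inference: two permitted aggregate sums reveal one individual's salary.
    sum_all   = sum(r["Salary"] for r in records)           # SUM(All)
    sum_males = sum(r["Salary"] for r in records if C(r))   # SUM(C)
    print(sum_all - sum_males)                              # student C's salary -> 60

Neither SUM query names student C, yet their difference reveals C's salary; this is exactly the kind of inference channel an SDB's access control must guard against.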