Lecture 6 Database Primer

Database Security: The Heart of a System

Barbara Endicott-Popovsky
CSSE592/491

In collaboration with:
Deborah Frincke, Ph.D.
Director, Center for Secure and Dependable Systems
University of Idaho
Text Book
• Both broad survey and focused
• Chapters 1-2 lay groundwork
• Chapters 3-7 Software
  – Chapter 6
    – Confidentiality and Integrity
    – Inference Problems (statistical databases)
    – Different Sensitivity Levels
• Chapter 8 Management
• Chapter 9 Privacy, ethics, the law
• Chapter 10 Cryptography: the how
In this section of the course we will look at…
• Protecting data: the heart of any secure system
  – Going beyond DBMS
  – Looking at problems

Source: Pfleeger & Pfleeger


Agenda
• I. Introduction
• II. Security Overview
• III. Confidentiality and Integrity
• IV. Inference Problems
• V. Different Sensitivity Levels

Source: Pfleeger & Pfleeger


I. Introduction
• Terms
  – Database
  – Database management system (front end)
  – Records
  – Fields (elements)
  – Schema (logical design)
  – Subschema (user view)
  – Entity
  – Attributes
  – Relation
  – Queries (results in subschema)

Source: Pfleeger & Pfleeger


Management Challenges
• Traditional data file environment
• Creating database environment
• Challenges power structure; requires restructure
• Large initial costs; delayed benefits

Source: Laudon & Laudon


File Organization
• BIT: Binary Digit (0,1; Y,N; On,Off)
• BYTE: Combination of BITS representing a CHARACTER
• FIELD: Collection of BYTES representing a DATUM or Fact
• RECORD: Collection of FIELDS reflecting a TRANSACTION

Source: Laudon & Laudon
File Organization
• FILE: Collection of similar RECORDS
• DATABASE:
  – Organization's Electronic Library of FILES
  – Organized to serve business applications

Source: Laudon & Laudon


File Organization
• ENTITY: Person, place, thing, event about which data must be kept
• ATTRIBUTE: Description of a particular ENTITY
• KEY FIELD: Field used to retrieve, update, sort a RECORD

Source: Laudon & Laudon
Key Field
• Field in each record
• Uniquely identifies THIS record
• Used for retrieval, updating, sorting

Source: Laudon & Laudon


Problems With Traditional File Environment
• Data redundancy
• Program / data dependency
• Lack of flexibility
• Poor security
• Lack of data sharing & availability
[Figure: Flat File]

Source: Laudon & Laudon


Sequential Vs. Direct File Organization
• SEQUENTIAL: Tape oriented; one file follows another (physical sequence)
• DIRECT: Disk oriented; accessible without regard to physical sequence

Source: Laudon & Laudon


Filing Methods
• Indexed sequential access method (ISAM):
  – Each record identified by key
  – Grouped in blocks and cylinders
  – Keys in index
• Virtual storage access method (VSAM):
  – Memory divided into areas & intervals
  – Dynamic file space
  – VSAM widely used for relational DBs
• Direct file access method

Source: Laudon & Laudon


Direct File Access Method
• Each record has a key field
• Key field fed into a transform algorithm
• Algorithm generates the physical storage location of the record (record address)

Source: Laudon & Laudon
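The transform step described above, as an added illustration that is not part of the lecture material: a key field is hashed to a slot number (the record address) in a small constructed file, and linear probing resolves the case where two keys transform to the same address. The byte-folding hash, the file size of eight slots and the probing scheme are assumptions made for this example.

```python
"""Hashed (direct) file organisation: key field -> record address.

Added illustration, not part of the lecture slides. The transform
algorithm (fold the key's bytes modulo the number of slots, then
linear probing on collision) is one common choice, assumed here.
"""

SLOTS = 8  # size of the constructed "disk file"; small enough to force collisions


def transform(key: str, slots: int = SLOTS) -> int:
    """Hash the key field to a home address in the range [0, slots)."""
    h = 0
    for b in key.encode("utf-8"):
        h = (h * 31 + b) % slots
    return h


class DirectFile:
    """A fixed-size file whose records are placed by transform(key)."""

    def __init__(self, slots: int = SLOTS):
        self.slots = [None] * slots  # each slot holds (key, record) or None

    def _probe(self, key: str):
        """Yield candidate addresses: the home slot, then the following slots."""
        n = len(self.slots)
        home = transform(key, n)
        for i in range(n):
            yield (home + i) % n

    def store(self, key: str, record: dict) -> int:
        """Write the record and return the address it landed at."""
        for addr in self._probe(key):
            slot = self.slots[addr]
            if slot is None or slot[0] == key:   # free slot, or update in place
                self.slots[addr] = (key, record)
                return addr
        raise OverflowError("file full")

    def fetch(self, key: str):
        """Follow the same probe sequence; an empty slot ends the search."""
        for addr in self._probe(key):
            slot = self.slots[addr]
            if slot is None:
                return None
            if slot[0] == key:
                return slot[1]
        return None


if __name__ == "__main__":
    f = DirectFile()
    for name, hours in (("ABLE", 40.50), ("CHEN", 42.70), ("DENVER", 35.90)):
        print(name, "->", f.store(name, {"hours": hours}))
    print(f.fetch("DENVER"))
```

With eight slots, CHEN and DENVER both transform to address 6, so DENVER is placed at 7 and found again by the same probe sequence; the record address is a function of the key alone, which is what makes the access "direct".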


Database Management System (DBMS)
• Software to create & maintain data
• Enables business apps to extract data
• Independent of specific computer programs

Source: Laudon & Laudon
Components Of DBMS
• DATA DEFINITION LANGUAGE:
  – Defines data elements in database
• DATA MANIPULATION LANGUAGE:
  – Manipulates data for applications
• DATA DICTIONARY:
  – Formal definitions of all variables in database
  – Controls variety of database contents
  – Data elements

Source: Laudon & Laudon
Structured Query Language (SQL)
• Emerging standard
• Data manipulation language
• For relational databases

Source: Laudon & Laudon
Elements Of SQL
• SELECT: List of columns from tables desired
• FROM: IDs tables from which columns will be selected
• WHERE: Includes conditions for selecting specific rows, conditions for joining multiple tables

Source: Laudon & Laudon
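The three elements together, as an added example using Python's sqlite3 module (not code from the slides). The ORDERS and PARTS tables and their rows are constructed here; the WHERE clause carries both the join condition and the row filter, and the filter value supplied by the caller is bound as a parameter rather than spliced into the statement text.

```python
"""SELECT / FROM / WHERE over two related tables, using sqlite3.

Added example, not from the slides. Tables and rows are constructed:
PARTS(part_no, description, unit_price) and
ORDERS(order_no, order_date, part_no, quantity).
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE parts (
            part_no     INTEGER PRIMARY KEY,
            description TEXT,
            unit_price  REAL
        );
        CREATE TABLE orders (
            order_no   INTEGER PRIMARY KEY,
            order_date TEXT,
            part_no    INTEGER REFERENCES parts(part_no),
            quantity   INTEGER
        );
        """
    )
    con.executemany(
        "INSERT INTO parts VALUES (?, ?, ?)",
        [(100, "bolt", 0.25), (200, "gasket", 3.10), (300, "bearing", 12.00)],
    )
    con.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [
            (1, "2024-01-05", 100, 400),
            (2, "2024-01-06", 300, 2),
            (3, "2024-01-09", 200, 10),
            (4, "2024-01-09", 100, 50),
        ],
    )
    return con


def orders_over(con: sqlite3.Connection, min_value: float):
    """Return (order_no, description, line_value) for orders worth more than min_value.

    SELECT lists the columns wanted, FROM names both tables, and WHERE
    holds the join condition (o.part_no = p.part_no) plus the row filter.
    min_value is passed as a bound parameter (the ? placeholder).
    """
    cur = con.execute(
        "SELECT o.order_no, p.description, o.quantity * p.unit_price AS line_value "
        "FROM orders AS o, parts AS p "
        "WHERE o.part_no = p.part_no AND o.quantity * p.unit_price > ? "
        "ORDER BY o.order_no",
        (min_value,),
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in orders_over(db, 30.0):
        print(row)
```

Orders 1 and 3 (line values 100.0 and 31.0) pass the filter; orders 2 and 4 (24.0 and 12.5) do not.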
Two Views Of Data
• PHYSICAL VIEW: Where is data physically?
  – Drive, disk, surface, track, sector (block), record
  – Tape, block, record number (key)
• LOGICAL VIEW: What data is needed by application?
  – Succession of facts needed by application
  – Name, type, length of field

Source: Laudon & Laudon
Storage Hierarchy
BIT -> BYTE -> FIELD -> RECORD -> FILE -> DATABASE

Source: Laudon & Laudon


Relational Data Model
• Data in table format
• RELATION: Table
• TUPLE: Row (record) in table
• FIELD: Column (attribute) in table

            HOURS      RATE       TOTAL
  ABLE      $ 40.50    $ 10.35    $ 419.18
  BAXTER    $ 38.00    $  8.75    $ 332.50
  CHEN      $ 42.70    $  9.25    $ 394.98
  DENVER    $ 35.90    $  9.50    $ 341.05

Source: Laudon & Laudon
Types Of Relations
[Figure: ONE-TO-ONE (one STUDENT to one CLASS); ONE-TO-MANY (one CLASS to STUDENT A, B, C); MANY-TO-MANY (CLASS 1, 2 to STUDENT A, B, C)]

Source: Laudon & Laudon
Hierarchical Data Model
[Figure: ROOT Employer; 1st child: Compensation, Job Assignments, Benefits; 2nd child: Ratings, Salary (under Compensation), Pension, Insurance, Health (under Benefits)]

Source: Laudon & Laudon


Network Data Model
• Variation of hierarchical model
• Useful for many-to-many relationships
[Figure: NETWORK 1, 2 linked to NETWORK A, B, C]

Source: Laudon & Laudon


Other Systems
• LEGACY SYSTEM: older system
• OBJECT-ORIENTED DBMS: stores data & procedures as objects
• OBJECT-RELATIONAL DBMS: hybrid

Source: Laudon & Laudon


Creating A Database
• Conceptual Design
• Physical Design

Source: Laudon & Laudon


Creating A Database
Conceptual Design:
• Abstract model, business perspective
• How will data be grouped?
• Relationships among elements
• Establish end-user needs

Source: Laudon & Laudon


Creating A Database
Physical Design:
• Detailed model by database specialists
• Entity-relationship diagram
• Normalization
• Hardware / software specific

Source: Laudon & Laudon


Elements Of Database Environment
[Figure: DATA ADMINISTRATION; DATABASE TECHNOLOGY & MANAGEMENT; DATABASE MANAGEMENT SYSTEM (centre); DATA PLANNING & MODELING METHODOLOGY; USERS]

Source: Laudon & Laudon


Entity-Relationship Diagram
[Figure: ORDER (#, DATE, PART #, QUANTITY) can have 1 PART (#, DESCRIPTION, UNIT PRICE, SUPPLIER #), which can have 1 SUPPLIER (#, NAME, ADDRESS)]

Source: Laudon & Laudon
Normalization
Process of creating small data structures from complex groups of data

EXAMPLES:
• Accounts Receivable
• Personnel Records
• Payroll

Source: Laudon & Laudon


Distributed Databases
• PARTITIONED: remote CPUs (connected to host) have files unique to that site, e.g., records on local customers
• DUPLICATE: each remote CPU has copies of common files, e.g., layouts for standard reports and forms

Source: Laudon & Laudon


Database Administration
• Defines / organizes database structure and content
• Develops security procedures
• Develops database documentation
• Maintains DBMS

Source: Laudon & Laudon


Database Trends
• Multidimensional Data Analysis: 3D (or higher) groupings to store complex data
• Hypermedia:
  – Organizes data as nodes
  – Nodes contain text, graphics, sound, video, programs

Source: Laudon & Laudon


Database Trends
• Data Warehouse: Organization's electronic library stores consolidated current & historic data for management reporting & analysis
• On-line Analytical Processing (OLAP): Tools for multi-dimensional data analysis

Source: Laudon & Laudon


Components Of Data Warehouse
[Figure: INTERNAL DATA SOURCES and EXTERNAL DATA SOURCES feed an EXTRACT, TRANSFORM step into the DATA WAREHOUSE (OPERATIONAL, HISTORICAL DATA plus an INFORMATION DIRECTORY); DATA ACCESS & ANALYSIS by QUERIES & REPORTS, OLAP, and DATA MINING]

Source: Laudon & Laudon


Database Trends
• DATA MART: Small data warehouse for a special function, e.g., focused marketing based on customer info
• DATA MINING: Tools for finding hidden patterns and relationships, for predicting trends

Source: Laudon & Laudon


Database Trends
Linking Databases To The Web:
• Web user connects to vendor database
• Special software converts HTML to SQL
• SQL finds data; server converts result to HTML

Source: Laudon & Laudon


II. Security Overview
• Physical Database Integrity
• Logical Database Integrity
• Element Integrity
• Auditability
• Access Control
• User Authentication
• Availability

Source: Pfleeger & Pfleeger


Integrity / Confidentiality / Availability
• Data must be trusted
  – DBMS designed to manage trust
  – DBMS must reconstruct
• Data must be accurate
  – Field checks
  – Access control (CRUD)
  – Change log
• Trade-offs
  – Audit vs. performance
  – Access vs. performance
• Self-authentication
• High availability

Source: Pfleeger & Pfleeger


III. Confidentiality and Integrity
• Reliable software runs a long time without failure
  – Database Integrity
  – Element Integrity
  – Element Accuracy

Source: Pfleeger & Pfleeger


Two-Phase Update
• Intent Phase
  – Check value of COMMIT-FLAG
  – Gather resources
    – Data
    – Dummy records
    – Open files
    – Lock out others
  – Calculate final answers
  – Write COMMIT-FLAG
• Permanent Change Phase
  – Update made
• Rollback ability at each phase

Source: Pfleeger & Pfleeger


Detecting Inconsistencies
• Error detection / error correction
  – Hamming codes
  – Parity bits
  – Cyclic redundancy check
• Shadow fields
• DBMS access log
• Concurrency checks
• Monitors
  – Range comparisons
  – State constraints
  – Transition constraints (more sophisticated)

Source: Pfleeger & Pfleeger


Maintaining Sensitive Data
• Managing access
• Hiding existence
• Sharing vs. confidentiality
• Security vs. precision
  – Perfect confidentiality
  – Maximum precision

Source: Pfleeger & Pfleeger


IV. Inference Problem: Inferring sensitive data from nonsensitive data
• Direct attack
  – Infer from few records retrieved
  – "n items over k percent" rule
• Indirect attack
  – Using Sum, Count, Median to derive information
  – Tracker attacks (intersection of sets)
  – Linear system vulnerability: apply algebra of multiple equations

Source: Pfleeger & Pfleeger


Controls
• Query controls (direct attack)
  – Query analysis
  – Query inventory per person
• Data item controls (indirect attack)
  – Suppression: data not provided
  – Suppress combinations of rows and columns
  – Combine results (to hide actual answers)
  – Concealing: close answers given, not exact
  – Rounding
  – Present range of results
  – Random sample results
  – Perturb data (generate small + and - error)

Source: Pfleeger & Pfleeger
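The "n items over k percent" rule from the Inference Problem slide and the rounding and perturbation controls from this slide, as one added example that is not part of the lecture material. The employee records, the thresholds N_MIN and K_PERCENT, the rounding unit and the perturbation spread are all constructed for the example; the point is how a statistical query interface refuses query sets that are too small (or too close to the whole table, which would reveal the complement), and then conceals what it does release.

```python
"""Query-set-size restriction and result concealment for a statistical database.

Added example, not from the slides. Records, thresholds and rounding
unit are constructed values.
"""
import hashlib

EMPLOYEES = [  # constructed sample data; salary is the sensitive field
    {"name": "Able",   "dept": "eng",   "sex": "F", "salary": 95000},
    {"name": "Baxter", "dept": "eng",   "sex": "M", "salary": 88000},
    {"name": "Chen",   "dept": "eng",   "sex": "M", "salary": 91000},
    {"name": "Denver", "dept": "sales", "sex": "F", "salary": 62000},
    {"name": "Evans",  "dept": "sales", "sex": "M", "salary": 64000},
    {"name": "Fox",    "dept": "sales", "sex": "F", "salary": 70000},
    {"name": "Grant",  "dept": "hr",    "sex": "F", "salary": 58000},
    {"name": "Hale",   "dept": "hr",    "sex": "M", "salary": 60000},
]
N_MIN = 3       # a query set must contain at least this many records ...
K_PERCENT = 75  # ... and no more than this share of the whole database
ROUND_TO = 1000  # released statistics are rounded to this unit


class QueryRefused(Exception):
    """Raised by the query control when a result would be too revealing."""


def query_set(predicate, records=EMPLOYEES):
    """The records a statistical query ranges over."""
    return [r for r in records if predicate(r)]


def concealed(value: float) -> int:
    """Data item control: release a rounded answer, not the exact one."""
    return int(round(value / ROUND_TO)) * ROUND_TO


def perturbed(value: float, qs: list, spread: int = 500) -> float:
    """Data item control: add a small +/- error. The error is derived from the
    query set itself, so repeating the same query returns the same answer
    and the error cannot be averaged away by asking again."""
    key = ",".join(sorted(r["name"] for r in qs)).encode("utf-8")
    digest = hashlib.sha256(key).digest()
    err = int.from_bytes(digest[:2], "big") % (2 * spread + 1) - spread
    return value + err


def stat_query(predicate, stat: str, records=EMPLOYEES):
    """Query control (direct attacks): apply the n-over-k rule, then return
    the requested statistic with concealment applied."""
    qs = query_set(predicate, records)
    share = 100.0 * len(qs) / len(records)
    if len(qs) < N_MIN or share > K_PERCENT:
        raise QueryRefused(f"query set of {len(qs)} records violates the n-over-k rule")
    values = [r["salary"] for r in qs]
    if stat == "count":
        return len(values)
    if stat == "sum":
        return concealed(sum(values))
    if stat == "mean":
        return concealed(sum(values) / len(values))
    raise ValueError(f"unknown statistic {stat!r}")


if __name__ == "__main__":
    print("eng mean:", stat_query(lambda r: r["dept"] == "eng", "mean"))
    for p in (lambda r: r["name"] == "Able", lambda r: r["name"] != "Able"):
        try:
            stat_query(p, "sum")
        except QueryRefused as e:
            print("refused:", e)
```

Both the one-record query and its seven-record complement are refused, since releasing either (together with a whole-table total) would expose the one individual; the department-level mean is released, but only to the nearest thousand.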


Conclusions
• No solution to inference problem
• Optimal plan
  – Suppress obviously sensitive information
  – Track what user knows (expensive)
  – Disguise data
• Aggregation: additional problem
  – Inferences from aggregating data
  – Data mining increases the problem

Source: Pfleeger & Pfleeger


V. Different Sensitivity Levels
• Granularity
  – Access control policy
  – Guarantee values not changed by unauthorized person
• Problems
  – Global actions (e.g., backup)
  – Polyinstantiation
  – Small items controlled
  – Cost and performance
  – Consumer resistance to military model

Source: Pfleeger & Pfleeger


Separation Mechanisms
• Partitioning
  – Redundancy
  – Accuracy (multiple field update)
• Encryption per level
  – Cumbersome decrypting with queries
• Integrity lock
  – Data item
  – Sensitivity level
  – Checksum (over the two above)
  – Cryptographic checksums
• Sensitivity lock
  – Unique identifier
  – Sensitivity level

Source: Pfleeger &
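An integrity lock as described above, and also the checksum idea from the Detecting Inconsistencies slide, as one added example that is not part of the lecture material. Each stored element carries its sensitivity level and a cryptographic checksum (here an HMAC-SHA256) computed over the element identifier, the data item and the level, so that a change to the value or a downgrade of the level is detected when the trusted front end verifies the element. The key, the level names and the record layout are assumptions for the example; a real system keeps the key with the trusted front end, not with the untrusted DBM.

```python
"""Integrity lock: (data item, sensitivity level, cryptographic checksum).

Added example, not from the slides. Key, level names and record layout
are constructed for the example.
"""
import hashlib
import hmac

LEVELS = ("unclassified", "confidential", "secret")  # low to high


def _canon(element_id: str, value: str, level: str) -> bytes:
    """Length-prefix each field so field boundaries are unambiguous."""
    out = b""
    for field in (element_id, value, level):
        b = field.encode("utf-8")
        out += len(b).to_bytes(4, "big") + b
    return out


def seal(key: bytes, element_id: str, value: str, level: str) -> dict:
    """Build the locked element. The element id is covered by the checksum so
    a sealed (value, level) pair cannot simply be copied onto another element."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    lock = hmac.new(key, _canon(element_id, value, level), hashlib.sha256).hexdigest()
    return {"id": element_id, "value": value, "level": level, "lock": lock}


def verify(key: bytes, elem: dict) -> bool:
    """Recompute the lock and compare in constant time."""
    expected = hmac.new(
        key, _canon(elem["id"], elem["value"], elem["level"]), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, elem["lock"])


def release(key: bytes, elem: dict, clearance: str):
    """Trusted front end: reject an element whose lock no longer matches,
    hide elements above the user's clearance, otherwise return the value."""
    if not verify(key, elem):
        raise ValueError(f"integrity lock failed for element {elem['id']}")
    if LEVELS.index(elem["level"]) > LEVELS.index(clearance):
        return None  # existence hidden from this user
    return elem["value"]


if __name__ == "__main__":
    KEY = b"constructed-test-key"          # constructed; never hard-code a real key
    e = seal(KEY, "emp/42/salary", "91000", "secret")
    print(release(KEY, e, "secret"), release(KEY, e, "unclassified"))
    downgraded = dict(e, level="unclassified")   # level changed, lock left stale
    print("verify after downgrade:", verify(KEY, downgraded))
```

Without the element id in the checksum, a valid lock from one element could be attached to another; without the level in it, the level could be lowered while the value's checksum still matched. Covering all three with a keyed MAC is what turns the checksum into a lock that an untrusted DBM cannot recompute.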


Implementations of Separation
• Integrity lock
  – Expands size of element
  – Processing time efficiency
  – Untrusted DBM subject to Trojan horse
• Trusted front-end
  – Guard ~ reference monitor
  – One-way filter: filters out reports
  – Inefficient: calls, then releases much data
• Commutative filters
  – Interface between user and DB
  – Reformats query
  – Addresses inefficiencies (above)
• Distributed DB
  – Separate DBs based on sensitivity
  – Front end sends query to right DB
• Views
  – Logical / functional divisions

Source: Pfleeger &
