Scribd
Upload
29 views20 pages

1-1 Intro

Uploaded by

pohkangyu
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
29 views20 pages

1-1 Intro

Uploaded by

pohkangyu
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 20

CS5322 Database Security

Lecturer

 Xiaokui XIAO (Cedric)

 Email: [email protected]

 Office: COM1-03-25
Coming Next
 Overview of CS5322
 A short break
 Discretionary Access Control
Course Objective
 Provide an overview of database security
concepts and techniques
 Discuss new directions of database security
 Mostly introductory stuff, with a focus in the
database context
Background required
 Databases
 Relational model, SQL, etc
πCompany, Shop
 SELECT XXX FROM YYY WHERE ZZZ
 Index structures (e.g., B-trees), Χ
query processing algorithms
 Basic cryptography σProduct = ‘Toy’ σProduct = ‘Toy’
 Public-key cryptography
 Cryptographic hash function Produce Sell
 …
 Basic probabilistic analysis
 Pr[A | B] = Pr[A & B] / Pr[B]
 …
References
 Databases
 Raghu Ramakrishnan and Johannes Gehrke: Database Management
Systems.
 Hector Garcia-Molina, Jeffrey D. Ullman, and Jennifer Widom:
Database Systems -- The Complete Book.
 A. Silberschatz, H. Korth, and S. Sudarshan: Database System Concepts
 Security
 Charles P. Pfleeger, Shari L. Pfleeger, and Jonathan Margulies: Security
in Computing
 William Stallings: Cryptography and Network Security
 David C. Knox, William Maroulis, and Scott Gaetjen: Oracle Database
12c Security
 Additional research papers for each topic
Assessment
 Final exam (50 marks)
 Project (50 marks)
 Team-based (up to 6(?) students per team)
 2 sub-projects + 1 research paper presentation
 Research paper presentations will be in the Weeks 10-13
lectures
 Details to be announced later
Note
 You are to form project teams by Week 4
 We will send out email announcements for this
 In general, please pay close attention to email
announcements from this course
 Otherwise, it could cause significant delays that are
difficult to make up for
 Anecdote:
 In the previous years, there were always students who
chose to ignore all emails until near the recess week
 I hope that it won't happen this year…
Why Do We Care About Database
Security?

 Amount of acquired data is increasing


 More sensitive data being exposed
 Access to data has become much easier
 Leaks and misuses of data could have huge
consequences
Why Do Attackers Attack?
 Profit
 Data is a valuable asset
 It could even be sold (e.g., in the dark web)
 Espionage
 Damage
 Fun
How Do We Secure Databases?
 A lot of different techniques
 Access control
 Query auditing
 Data sanitization
 Query authentication
 Encrypted database
 Trusted hardware
 …
 Different techniques serve different purposes
Database Security: Main Requirements

 Confidentiality
 Information is disclosed only to those authorized
 Integrity
 Maintaining data validity against malicious or
accidental modifications
 Availability
 Maintaining the data/resource/service deliverable
to authorized users
Database Security: Additional
Requirements
 Accountability
 Hold a subject responsible for his/her actions
 Example
 If a database entry is maliciously modified, there
should be a way to trace back to the culprit
 If a database entry is leaked, there should be a way
to identify a list of persons who have accessed the
entry
Database Security: Additional
Requirements
 Privacy
 Maintaining confidentially of sensitive personal
information
 Can be regarded as a special type of confidentiality
 Example
 A hospital shares data with medical researchers
 The shared data should be useful for a medical study,
but should not reveal the identities of the patients
 i.e., it is about how we can reveal useful data without
disclosing sensitive personal information
How Do We Secure Databases?
 We will talk about how the above requirements can be
satisfied using
 Access control
 Query auditing
 Data sanitization
 Query authentication
 Encrypted database
 Trusted hardware
 …
 But in general, there is no silver bullet for database security
 Attacks can be rather tricky
Example: Inference Attacks
Name Gender Program Grade
Alice F CS 80
Bob M CS 90
Cathy F IS 90
Daisy F IS 100
Eric M CS 90
Fred M CS 90
 Suppose that we are have the above table T about
CS5322 grades
 Requirements:
 Users are not allowed to inquire about any individual student’s
grade
 But are allowed to check grade statistics
Example: Inference Attacks
Name Gender Program Grade
Alice F CS 80
Bob M CS 90
Cathy F IS 90
Daisy F IS 100
Eric M CS 90
Fred M CS 90
 A user issues three queries:
 SELECT COUNT(*), AVG(Grade) FROM T WHERE Gender = ‘F’
 SELECT COUNT(*), AVG(Grade) FROM T WHERE Program = ‘CS’
 SELECT COUNT(*), AVG(Grade) FROM T
 Is this OK?
Course Objective
 Provide an overview of database security
concepts and techniques
 Discuss new directions of database security
 Mostly introductory stuff, with a focus in the
database context

You might also like