Database Security IV CSE

DATABASE SECURITY NOTES

UNIT-1

UNIT 1 Page 1
 Database Security IV CSE

UNIT I SYLLABUS

1. Introduction to Database Security

2. Problems in Database Security,
3. Database Security Conclusions
4. SECURITY MODELS -1: Introduction
5. Access Matrix Model
6. Take-Grant Model
7. Acten Model
8. PN Model,
9. Hartson and Hsiao's Model
10. Fernandez's Model.
11. Bussolati and Martella's Model for Distributed databases

UNIT 1 Page 2
 Database Security IV CSE

UNIT 1 OUTCOME
Students can explain the importance and fundamentals of the databases.
Students can discuss the issues in data security.
Students can describe the problems in database security
Students Can Analyze and design different security models.
Students can describe Distributed Databases
Students can design modles for distributed databases

INTRODUCTION TO DATABASE SECURITY

DATABASE:
A Database is an Organized Collection of Integrated files.A company
database might include files of all past and current employees of all the
department.

DATABASE SECURITY:
Database Security contains policies and mechanisms to protect
the data and ensure that it is not accessed,altered or deleted without proper
authorization.Database security methods focus on preventing unauthorized
users from accessing the database because DBMS features that make the
database easy to access and manipulate ,also open doors to intruders,most
DBMS’s include security features that allow only authorized persons or
programs to access data and then restrict the types of processing that can
be accomplished once access is made.
IMPORTANCE OF DATA

Bank/Demat Accounts
Credit card,Salary,Income tax data
University Admissions,marks/grades.
Land records,Licenses
Medical Records

UNIT 1 Page 3
 Database Security IV CSE

NEWS PAPER HEADLINES REGARDING DATA

HACKING

July 2014:Chinese Hackers break intoUS Federal Employee database.

March 2014:Ebay account information breach.
Dec 2013:Target store Security breach(debit card+PIN number)
Auto-Rickshaw License Fraud in New Delhi(2008).
On May 31,2018, Ticketfly suffered an attack that resulted in the concert
and sporting-event ticketing website being vandalized, taken down, and
disrupted for a week.
RECENT HEADLINES

At least 87 million records breached (though likely many more)

Date disclosed: March 17, 2018
Who can forget the data scandal that rocked Facebook in March 2018? At
that time, reports emerged of how a political data firm called Cambridge
Analytica collected the personal information of 50 million Facebook users
via an app that scraped details about people’s personalities, social
networks, and engagement on the platform.

OBJECTIVES

Confidentiality:Information should not be disclosed to unauthorized users.

Integrity:Only authorized users should be allowed to modify data.

Availability:Authorized users should not be denied access.

UNIT 1 Page 4
 Database Security IV CSE

NEED FOR DATABASE SECURITY

 It protects data from unauthorized users from altering and deleting

data.

 It protects data from hacking by implementing Security mechanisms.

 It allows users to access only that data what is required by enabling
necessary access permissions.

 It implements encryption,decryption,firewalls,antivirus
software,database backups,physical and logical security on the
database.

PROBLEMS IN DATABASE SECURITY

Threats:

People
Natural disasters
Malicious code
TechnologicalDisaster

UNIT 1 Page 5
 Database Security IV CSE

1.People:

People intentionally or unintentionally inflict damage,violation,or destruction to all or

violation ,or destruction to all or any of the database environment components
(people,applications,networks,operating systems,database management
systems,datafilesor data)

Example:Employees,Contractors,Consultants,Visitors,Hackers,Terrorists

2.Malicious Code:

Software code that in most cases is intentionally written to damage or violate one or
more of the database environment components .

Example:Viruses,Boot Sector viruses,Worms,Trojan horses,Bugs

3.Natural disaster:Calamities caused by nature,which can destroy any or all of the

database environment components.

Example:Hurricanes,Tornados,Earthquakes,Flood,Fire

Technological disasters:Often caused by some sort of malfunction in equipment or

hardware,technological disasters can inflict damage to networks,operating
systems,database management systems,datafiles or data.

UNIT 1 Page 6
 Database Security IV CSE

Example:Power failure,Media failure,Hardware failure,Network failure

DATABASE PROTECTION REQUIREMENTS:

 Protection from unauthorized access.

 Protection from Inference.
 Integrity of database.
 User Authentication.
 Management and Protection of
Sensitive data.

1. Protection from unauthorized access:

It protects the data from being accessed by the unauthorized users.The
requirement which has been sent by user or applications to access database
or files should be verified by database management system.It should check
whether the user is authorized or not.However,the access control for
database is quite difficult than to control the files,since the control in
database is to be applied to each and every attribute and value of the
database.

2. Protection from Inference.

Inference refers to the protection of data from a type of threat where in an
unauthorized user tries to extract or retrieve the confidential information from
non-confidential data.Here,the hacker usually targets the statistical
databases and hence precautions should be taken to protect each entity
right from ststistical aggregated information in order to prevent the statiscal
database from such threats.

3.Integrity of Database:

It refers to the protection of databse from unauthorized access.The threats

can be either in the form of errors,virus,failures in the system or modification
of contents present in data.However,protection for database is provided by

UNIT 1 Page 7
 Database Security IV CSE

database management system,backup and recovery procedures and adhoc

security procedures.
Backup and recovery procedures preserve the consistency of data using
atomicity .That is,the modifications performed on data are made permanent
after the termination of transaction,thus preserving its
consistency.whereas,the adhoc security procedure protects the data from
unauthorized modifications,insertions and deletions.
4.User Authentication:

It refers to the identification of the database users.This requirement is used

to enable on the authorized users to access the data.

5.Management and protection of Sensitive data:It protects the sensitive

data from being accessed by unauthorized users.Database consists of the
type of data which can either be sensitive,public or both.Thus,this
requirement protects the contents of all types of data from hackers.

SECURITY CONTROL CONCLUSIONS

The process of regulating the flow of information between any two
accessible objects is known as flow control.
Consider two objects ‘A’ and ‘B’.
The flow is said to occur between these two objects when a statement
accesses an object ‘A’,reads a value from it and writes the same value in
object ‘B’.
Flow control protects the information from flowing explicitly or implicitly into
low protected objects.
Hence,if proper flow control is not available ,the user can access the value in
‘B’object which he cannot access directly in object ‘A’.
So higher class objects are much more protected compared to lower class
class objects for access.
Hence,flow control will not allow the transfer of information from higher class
objects to lower class objects.

UNIT 1 Page 8
 Database Security IV CSE

SECURITY MODELS-1 INTRODUCTION

The objective is to obtain a conceptual model of the desired security system.

There are many security models, covering one or more of the following:

 OS security

 DB security

 mandatory or discretionary policy

 focus on secrecy or integrity

 protect direct access to information

 protect flow or inference of information

ACCESS MATRIX MODEL:

The access matrix model is the policy for user authentication, and has
several implementations such as access control lists (ACLs) and
capabilities. It is used to describe which users have access to what objects.
The access matrix model consists of four major parts:
A list of objects
A list of subjects
A function T which returns an object's type
The matrix itself, with the objects making the columns and the subjects
making the rows In the cells where a subject and object meet lie the rights
the subject has on that object. Some example access rights are read, write,
execute, list and delete
EXAMPLE ACCESS MATRIX
Objects
index.html JavaVM
Subjects
file Virtual Machine
John Doe rwld x
Sally Doe rl -

UNIT 1 Page 9
 Database Security IV CSE

An access matrix has several standard operations associated with it:

• i. Entry of a right into a specified cell

• ii. Removal of a right from a specified cell

• iii. Creation of a subject

• iv. Creation of an object

• v. Removal of a subject

• vi. Removal of an object

• The two most used implementations are access control lists and capabilities.
Access control lists are achieved by placing on each object a list of users and their
associated rights to that object. An interactive demonstration of access control lists
can be seen here. For example, if we have file1, file2 and file3, and users
(subjects) John and Sally, an access control list might look like:

Objects (Files)
Users File1 File2 File3
John RWX R-X RW-
Sally --- RWX R--

• The rights are R (Read), W (Write) and X (Execute). A dash indicates the user
does not have that particular right. Thus, John does not have permission to
execute File3, and Sally has no rights at all on File1.
• Capabilities are accomplished by storing on each subject a list of rights the
subject has for every object. This effectively gives each user a keyring. To remove
UNIT 1 Page 10
 Database Security IV CSE

access to a particular object, every user (subject) that has access to it must be
"touched". A touch is an examanition of a user's rights to that object and potentially
removal of rights. This brings back the problem of sweeping changes in access
rights. Here is what an implementation of capabilities might look like, using the
above example:

Users
John file1:RWX file2:R-X file3:RW-
Sally file1:--- file2:RWX file3:R--

• Access restrictions such as access control lists and capabilities sometimes are
not enough. In some cases, information needs to be tightened further, sometimes
by an authority higher than the owner of the information. For example, the owner
of a top secret document in a government office might deem the information
available to many users, but his manager might know the information should be
restricted further than that. In this case, the flow of information needs to be
controlled -- secure information cannot flow to a less secure user.

TAKE-GRANT MODEL:

The take-grant protection model is a formal model used in the field of computer
security to establish the safety of a given computer system that follows specific
rules.
The model represents a system as directed graph, where vertices are either
subjects or objects.
The edges between them are labelled and the label indicates the rights that
the source of the edge has over the destination.
Two rights occur in every instance of the model: take and grant.

They play a special role in the graph rewriting rules describing admissible
changes of the graph.

 There are a total of four such rules:

 Take rule allows a subject to take rights of another object (add an edge
originating at the subject)

UNIT 1 Page 11
 Database Security IV CSE

 Grant rule allows a subject to grant own rights to another object (add an
edge terminating at the subject)

 Create rule allows a subject to create new objects (add a vertex and an
edge from the subject to the new vertex)

 Remove rule allows a subject to remove rights it has over on another

object (remove an edge originating at the subject)

TAKE RULE

Take rule: Let x, y, and z be three distinct vertices in a protection graph G0

and let x be a subjectLet there is an edge from x to y labeled γ where t∈ γ, an
edge from y to z labeled β. Then the take rule defines a new graph G1 by
adding an edge to the protection graph from x to z labeled α, where α⊆β. Fig
1.(a) shows the take rule graphically.

GRANT RULE

Grant rule: Let x, y, and z be three distinct vertices in a protection graph G0

and let x be a subject. Let there is an edge from x to y labeled γ where g∈ γ, an
edge from x to z labeled β. Then the grant rule defines a new graph G1 by
adding an edge to the protection graph from y to z labeled α, where α⊆β.
Fig.1(b) shows the grant rule graphically
TAKE RULE AND GRANT RULE

fig. 1.
(a) take rewriting rule. (b) grant rewriting rule.

ACTEN (ACTION-ENTITY) MODEL

Extension to the Take-Grant model:

UNIT 1 Page 12
 Database Security IV CSE

 New administrative privileges:(use, create, delete, ...)

 Predicates on authorizations:
(conditions to be satisfied for access to be allowed)

 Representation using two graphs:

(one for the authorizations for static actions and one for the
authorizations for dynamic actions)

Access modes:
Use: typical for application programs: this right means the program can be
executed.
Read/Update/Create/Delete: access/modify an entity, or add/remove entities
to/from the system.
Grant/Revoke: the privilege allows an entity Ei to grant (resp. revoke) a static
access mode m on an entity Ek to an entity Ej.
Delegate/Abrogate: this privilege allows an entity Ei to grant (resp. revoke) the
dynamic authorization grant related to access mode m on entity Ek to an entity
Ej.

ACTEN (ACTION-ENTITY) MODEL

Access modes and levels:

 Create/Delete 4
 Update 3
 Read 2
 Use 1
Administration rights and levels:
 Delegate/Abrogate 2
 Grant/Revoke 1

UNIT 1 Page 13
 Database Security IV CSE

ACTEN (ACTION-ENTITY) MODEL

Authorization for static access modes:

Binary relation between entities, with access mode, direction and predicates.
Aij = a ~ {pij}
Entity Ei holds access right a on Ej if the conditions f pij are met.

Authorization for dynamic access modes:

Aij/k = a ~ {pij}
Entity Ei may grant Ej the right to grant others access right a on entity Ek if pij is
met.
Authorization state Sa of entity Ei: Sa(Ei) is the set of all authorizations Ei holds
on all the other system entities.

Protection state Sp of entity Ei:Sp(Ei) is the set of all authorizations held by

other system entities onto Ei.
ACTEN (ACTION-ENTITY) MODEL

Classification of Entities:

 Active entity: if Sa(Ei) Ø. An active entity can execute some actions

on some other system entities.

 Passive entity: if Sp(Ei) Ø. A passive entity is an entity that can

undergo actions from other system entities.

 Active and Passive entity: if Sa(Ei) Ø and Sp(Ei) Ø. Such an

entity can both execute and undergo actions.
Two graphs:
 Static Graph SG: contains the authorizations for static actions
(for read, update, ...).
Arcs are labeled with (sets of) access modes.
 Dynamic Graph DG: contains the authorizations for dynamic
actions
(grant/revoke and delegate/abrogate).

UNIT 1 Page 14
 Database Security IV CSE

Arcs are labeled with tuples E, DA, SA, {M}:

E is the entity to which the access refers,
DA is the dynamic action (e.g. grant),
SA is the static action (e.g. read),
M are the entities which can receive SA by delegation.

ACTEN (ACTION-ENTITY) MODEL

READ UPDATE
E1 E2 E4

The X READ

means that USE CREATE/DELETE

there is a
condition E5
. E3

Fig:Example of a static graph.

UNIT 1 Page 15
 Database Security IV CSE

Acten (Action-Entity) model

E3 E5
Grant Grant
E1 read E2 E4
use

E6 Delegate update
{10,9}

E8 E7
Grant E6
read

Fig:Example of a dynamic graph.

PN MODEL

Petrinets are graphical representation of complex Logical interactions that

exists between physical components as well as activities carried out in a
system.
The situations that can undergo modelling using PN include

 Synchronization

 Sequentially

 Concurrency

 Conflict


UNIT 1 Page 16
 Database Security IV CSE

Petrinets consists of the following elements:

 Places

This element is denoted by which signifies the state or

condition prior to execution of any action.
 Transition
This element is denoted by which specifies the action to be
executed or fired.
 Token
This element is denoted by Places consists of token which can move
from place to another by execution respective action.
Arc Arc is denoted with symbol signifies flow.

P1
P
P2

T T
T

P3 P4

FIG:PETRINET
In the Diagram above the transition ‘T’ is fired only if the places P1 and P4 contain tokens.Upon
triggering of transition ,these tokens are removed and new tokens are placed on P2 and P3
UNIT 1 Page 17
 Database Security IV CSE

HARTSON AND HSIAO’S MODEL

Hartson and Hsiao’s proposed a semantic model Of Protection.
This model is based on the semantics of protection languages,via which it is
possible to dynamically enter access control information of any kind.
The basic model of access control consists of following elements
 Individual/group of users (U)
 Authorizers(A)
 Set of data elements(D)
 Elementaryoperations(O)(open,create,execute,update)
 Set of states (S)

 The elements constitute five discrete dimensions of security space

(A,U,D,O,S)

 Moreover an Access request “Req” is a set of 4 tuple that represents a

subspace of security space.
 Req=(U,O,D,S)
 Authorization Specification(AS) is a set of 5 –tuple that represent a
subspace of security space
 AS=(A,U,D,O,S)
 This statement specifies that a user can perform any set operation(O) on
any data element(E) whenever the system is on a state of ‘S’.
 This statement is said by an authorize(A).The Authorization process
performs validation on every ownership associated with each
authorization.Once the validation process gets completed ,protection
language expressions are converted into internal representation of
access control information.
 The purpose of performing validation is to know the set of rules that
governs the various levels of ownership by authorizers.

UNIT 1 Page 18
 Database Security IV CSE

FERNANDEZ’S MODEL
Fernandez proposed an authorization model for object oriented database ,which
consists of following elements.

 Set of policies

 Structure for authorization rules.

 Algorithm to evaluate access requests.

The purpose of designing authorization model for object oriented databases ,is
the addition of semantic relationship ,due to which performing authorization
became a complex problem.

Security Policies:

Security policies enforced on authorization model include,

 i)Closed system must be used when security is of major concern
 ii)Negative authorization must be used to express important access
constraints.
 iii)Between ownership and administration,administration must be choosen
as it allows the user to access information and allows special users to
control the information.
 iv)Discretionary security policy must be selected rather than multilevel
security.
FERNANDEZ’S MODEL

 Authorization Rule is defined generally as a set of following tuples

 Subject(Subj)
 Access type(AT)
 Object Class(OC)
 Predicate(PR)
 Flag(FL)
UNIT 1 Page 19
 Database Security IV CSE

In Object Oriented databases Authorization rule is a set of 3-tuples

(Subj,AT,AO).where AO denotes the set of attributes belonging to an object
which is to be accessed.

BUSSOLATI AND MARTELLA’S MODEL FOR

DISTRIBUTED DATABASE

Distributed database is defined as collection of data that is distributed over

different computers situated at different remote location .
Distributed data management system is responsible for creating and maintaining
the distributed database.
As the data is passed over the networks, it is necessary to focus on security
factor.
Taking this issue into consideration Bussolati and Martella proposed a multilevel
security model managed by DDBMS.
The model was designed in such a way that users at different levels were able to
access as well as share distributed database without violating security.
 Multilevel Security Model consists of many interconnected homogeneous
nodes.
 This connection is done via multilevel secure network.
 Every node consists of multilevel security managed by DBMS(MLS/DBMS)
,manages local MLD (Multilevel Database)and Secure Distributed
Process(SDP).
 SDP consists of following components
 Distributed Query Processor (DQP)
 Distributed Transaction Manager(DTM)
 Distributed Constraint Processor(DCP)
Among the above components,DCP is responsible for handling security
constraints while performing query and update processing.DQP and DTM of
different nodes communicate with each other in accordance to the security
process that are enforced.
The basic mandatory security policies for multilevel security model are:
Subject and object must be an active and passive entity respectively.

UNIT 1 Page 20
 Database Security IV CSE

 Security level must be assigned to every subject and object.

 Subject must be given read access only if its security level is more than
the security level of the object to be read.
 Subject must be given write access only if its security level is more than
the security level of the object to be written.
 A subject can send a message to another subject only if the security
level of receiving subject is greater than the security level of sending
subject.
MULTILEVEL SECURITY MODEL

Fig:Multilevel Security Model

UNIT 1 Page 21
 Database Security IV CSE

PREVIOUS PAPERS QUESTIONS FROM UNIT I

1a)What is Database Security?Explain some of the problems of database

Security.
1b)Describe database security controls.
2)Explain any 3 security models for distributed databases in detail
3)Discuss the following security models for distributed databases
a)Acten Model
b)Take-Grant model.
4)Explain briefly about Fernandez ‘s model
SHORT QUESTIONS

1.What is Database?
2.Define DataBase Security .
3.What is the need for DataBase Security .
4.List types of Threats in DataBase Security .
5.List the elements in PN model
6.List the elements in Hartson and Hasiao’s model. 7.List the elements in
Fernandez’s model.
8.What is Authorization Rule.
9.List the Components in Secure Distributed Process(SDP).
10.Write a short notes on Entity classification in Acten Model.
PRACTICE BITS

1.A ________________is an organized collection of integrated files.(Database)

2.______________refers to intention which has the potential to harm or cause
danger.()
3.Access modes in Take –Grant model
________,_________,__________,________(Take,gran t,create,remove)
4.___________entity executes the actions on other entities only if entitiy in
authorization state is not equal to zero.(active)
5.___________entity executes the actions on other entities only if entitiy in
Protection state is not equal to zero.(passive)

6.Places in PN model are denoted by__________

UNIT 1 Page 22
 Database Security IV CSE

7.Token in PN Model are denoted by______.

8.Access Request in Hartson and Hasiao’s model is
_____tuple notation.(4)
9.Take-Grant model is a __________based model.(protection)
10.Bussolati and Martella proposed ___________ Managed by
DDBMS.(multilevel security)

UNIT 1 Page 23