Database Security and Authorization: by Yazmin Escoto Rodriguez Christine Tannuwidjaja


Database Security and Authorization

By
Yazmin Escoto Rodriguez
Christine Tannuwidjaja

Main Types of Security:

- Database Security and Authorization Subsystem: enforce security of portions of a database against unauthorized access
- Access Control: prevent unauthorized persons from accessing the system itself
- Statistical Database Security: control the access to statistical databases
- Data Encryption: protect sensitive data that is being transmitted via some type of communications

Database Security and Authorization Subsystem

- Discretionary Security Mechanisms: concerned with defining, modeling, and enforcing access to information
- Mandatory Security Mechanisms for Multilevel Security: require that data items and users are assigned to certain security labels

Mandatory Access Control

Elements:
- Objects, each with a classification class(o)
- Subjects, each with a clearance clear(s)

Levels: Top Secret, Secret, Confidential, Unclassified

Mandatory Access Control

Rules:
- Simple Property: subject s is allowed to read data item d if clear(s) ≥ class(d)
- *-Property: subject s is allowed to write data item d if clear(s) ≤ class(d)

The Simple Property protects information from unauthorized access; the *-Property protects data from contamination or unauthorized modification.

Multilevel Security Databases: example

Set up (TC = tuple classification):

Project Name | Topic                 | Location         | TC
-------------|-----------------------|------------------|----
Black, TS    | Databases, TS         | Los Angeles, TS  | TS
Silver, S    | Supply Chain, S       | New York, S      | S
Gold, U      | Inventories, S        | Atlanta, S       | S
Indigo, U    | Telecommunication, U  | Austin, U        | U

We have:
- subject x with clear(x) = TS
- subject y with clear(y) = S
- subject z with clear(z) = U

Multilevel Security Databases: example

View of subject y (clear(y) = S):

Project Name | Topic                 | Location     | TC
-------------|-----------------------|--------------|----
Silver, S    | Supply Chain, S       | New York, S  | S
Gold, U      | Inventories, S        | Atlanta, S   | S
Indigo, U    | Telecommunication, U  | Austin, U    | U

Multilevel Security Databases: example

View of subject z (clear(z) = U):

Project Name | Topic                 | Location   | TC
-------------|-----------------------|------------|----
Gold, U      | -, U                  | -, U       | U
Indigo, U    | Telecommunication, U  | Austin, U  | U

Multilevel Security Databases: example

Subject z wants to insert the tuple <Silver, LP, Omaha>. Result:

Project Name | Topic                  | Location         | TC
-------------|------------------------|------------------|----
Black, TS    | Databases, TS          | Los Angeles, TS  | TS
Silver, S    | Supply Chain, S        | New York, S      | S
Gold, U      | Inventories, S         | Atlanta, S       | S
Indigo, U    | Telecommunication, U   | Austin, U        | U
Silver, U    | Linear Programming, U  | Omaha, U         | U

Polyinstantiation: the existence of multiple data objects with the same key.

Multilevel Security Databases: example

Starting from the view of subject z above, z wants to replace the null values with the data items <Markov Chain, New Jersey>. Result:

Project Name | Topic                  | Location         | TC
-------------|------------------------|------------------|----
Black, TS    | Databases, TS          | Los Angeles, TS  | TS
Silver, S    | Supply Chain, S        | New York, S      | S
Gold, U      | Inventories, S         | Atlanta, S       | S
Indigo, U    | Telecommunication, U   | Austin, U        | U
Gold, U      | Markov Chain, U        | New Jersey, U    | U
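The read/write rules and the polyinstantiation example above, as an added Python simulation that is not part of the slides. It assumes the standard Bell-LaPadula comparisons (read requires clear(s) ≥ class(d), write requires clear(s) ≤ class(d)), takes the tuple classification TC to be the highest cell classification, and models z's "fill the nulls" update the way the slide's result table shows it: as a new row at z's level.

```python
LEVELS = {"U": 0, "Co": 1, "S": 2, "TS": 3}   # Unclassified .. Top Secret

def dominates(a, b):
    """True if level a is at least level b (the lattice is a total order here)."""
    return LEVELS[a] >= LEVELS[b]

def make_row(**cells):
    """A tuple whose cells are (value, classification) pairs, plus a tuple
    classification TC assumed here to be the highest cell classification."""
    row = dict(cells)
    row["TC"] = max((c for _, c in cells.values()), key=LEVELS.__getitem__)
    return row

# The slide's Project relation (constructed from the slide; key = name).
PROJECTS = [
    make_row(name=("Black", "TS"), topic=("Databases", "TS"), loc=("Los Angeles", "TS")),
    make_row(name=("Silver", "S"), topic=("Supply Chain", "S"), loc=("New York", "S")),
    make_row(name=("Gold", "U"), topic=("Inventories", "S"), loc=("Atlanta", "S")),
    make_row(name=("Indigo", "U"), topic=("Telecommunication", "U"), loc=("Austin", "U")),
]

def view(rel, clearance):
    """Simple property (no read up): a cell is shown only if clear(s) >= class(cell).
    Hidden cells become a null labelled at the subject's level; a row whose key is
    itself above the clearance is not shown at all."""
    out = []
    for row in rel:
        if not dominates(clearance, row["name"][1]):
            continue
        cells = {a: c for a, c in row.items() if a != "TC"}
        out.append(make_row(**{a: (v, c) if dominates(clearance, c) else (None, clearance)
                               for a, (v, c) in cells.items()}))
    return out

def insert(rel, clearance, **values):
    """*-property (no write down): a subject's writes are labelled at its own level,
    so a low row lands beside the high row with the same key (polyinstantiation)."""
    row = make_row(**{a: (v, clearance) for a, v in values.items()})
    rel.append(row)
    return row

def polyinstantiated_keys(rel):
    """Keys that occur in more than one row at different tuple classifications."""
    levels = {}
    for row in rel:
        levels.setdefault(row["name"][0], set()).add(row["TC"])
    return {k for k, ls in levels.items() if len(ls) > 1}
```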

Security Relevant Knowledge

- Entity Relationship: describes the structural part of the database
- Data Flow Diagram: represents the functions the system should perform

Classification Constraints, used to assign security classifications to the concepts of schemas:
- ones that classify items
- ones that classify query results

System Object

- System object: Entity type, Specialization type, Relationship type
- What is it? In security it is the target of protection
- Notation: O(A1, ..., An), where Ai (i = 1..n) is an attribute defined over domain Di; it has an identity property (key attributes) A(A1, ..., An)

Multilevel Secure Application

Major question: in which way should the attributes and occurrences of O be assigned to proper security classifications?

Classification result: security object O becomes multilevel security object Om. This is performed by means of security constraints.

Graphical Extensions to the ER

- Secrecy levels: (U), (Co), (S), (TS)
- Ranges of secrecy levels: [U..S], [Co..TS]
- Aggregation leading to TS (N..constant)
- Inference leading to Co
- Evaluation of predicate P
- Security dependency

[ER diagram: Employee (SSN, Name, Salary) --(0,N)-- Is Assigned to (Date, Function, SSN, Title) --(0,M)-- Project (Title, Subject, Dep, Client)]

Object Classification Constraints

Simple Constraints
Let X be a set of attributes of security object O (X ⊆ {A1, ..., An}).
SiC(O(X)) = C, (C ∈ SL)
Results in a multilevel object Om(A1, C1, ..., An, Cn, TC) where Ci = C for Ai ∈ X, and Ci is left unchanged for Ai ∉ X.
Application to ER:
- SiC(Is Assigned to, {Function}, S)
- assigns property Function of relationship "Is Assigned to" a classification of secret.

[ER diagram classifying properties of security objects: Employee (SSN, Name, Salary), Is Assigned to (Date, Function, SSN, Title), Project (Title, Subject, Dep, Client)]

Object Classification Constraints

Content-based Constraints
Let Ai be an attribute of security object O with domain Di, let P be a predicate defined on Ai, and let X ⊆ {Ai, ..., An}.
CbC(O(X), P: Ai θ a) = C or CbC(O(X), P: Ai θ Aj) = C
(θ ∈ {=, ≠, <, >, ≤, ≥}, a ∈ Di, i ≠ j, C ∈ SL)
For any instance o of security object O(A1, ..., An) for which the predicate evaluates to true, the transformation into o(a1, c1, ..., an, cn, tc) is performed.
Classifications are assigned in a way that ci = C in the case Ai ∈ X, ci left unchanged otherwise.
Application to ER:
- CbC(Employee, {SSN, Name}, Salary, , 100, Co)
- represents the semantic that properties SSN and Name of employees with a salary 100 are treated as confidential information

[ER diagram classifying properties of security objects: Employee (SSN, Name, Salary), Is Assigned to (Date, Function, SSN, Title), Project (Title, Subject, Dep, Client)]

Object Classification Constraints

Complex Constraints
Let O, O' be two security objects such that the existence of an instance o of O depends on the existence of a corresponding occurrence o' of O', where the k values of the identifying property K of o' are identical to k values of attributes of o (foreign key).
Let P(O') be a valid predicate defined on o' and let X ⊆ {A1, ..., An} be an attribute set of O.
CoC(O(X), P(O')) = C (C ∈ SL)
For every instance o of security object O(A1, ..., An) for which the predicate evaluates to true in the related object o' of O', the transformation into o(a1, c1, ..., an, cn, tc) is performed.
Classifications are assigned in a way that ci = C in the case Ai ∈ X, ci left unchanged otherwise.

Object Classification Constraints

Complex Constraints (cont.)

Application to ER:
- CoC(Is Assigned to, {SSN}, Project, Subject, =, Research, S)
- individual assignment data (SSN) is regarded as secret information in case the assignment refers to a project with Subject = Research

[ER diagram classifying properties of security objects: Employee (SSN, Name, Salary), Is Assigned to (Date, Function, SSN, Title), Project (Title, Subject, Dep, Client), with predicate P marked]

Object Classification Constraints

Level-based Constraints
Let level(Ai) be a function that returns the classification ci of the value of attribute Ai in object o(a1, c1, ..., an, cn, tc) of a multilevel security object Om.
Let X be a set of attributes of Om such that X ⊆ {A1, ..., An}.
LbC(O(X)) = level(Ai)
Results, for every object o(a1, c1, ..., an, cn, tc), in the assignment cj = ci in the case Aj ∈ X.
Application to ER:
- LbC(Project, {Client}, Subject)
- states that property Client of security object Project must always have the same classification as the property Subject of the Project

[ER diagram classifying properties of security objects: Employee (SSN, Name, Salary), Is Assigned to (Date, Function, SSN, Title), Project (Title, Subject, Dep, Client), with predicate P marked]

Query Result Classification Constraints

Association-based Constraints
Let O(A1, ..., An) be a security object with identifying property K.
Let X (X ⊆ {A1, ..., An}, K ∩ X = {}) be a set of attributes of O.
AbC(O(K, X)) = C (C ∈ SL)
Results in the assignment of security level C to the retrieval result of each query that takes X together with identifying property K.
Application to ER:
- AbC(Employee, {Salary}, Co)
- the salary of an individual person is confidential
- the values of salaries without the information of which employee gets what salary are unclassified

[ER diagram classifying query results: Employee (SSN, Name, Salary), Is Assigned to (Date, Function, SSN, Title), Project (Title, Subject, Dep, Client), with Salary marked [Co]]

Query Result Classification Constraints

Aggregation Constraints
Let count(O) be a function that returns the number of instances referenced by a particular query and belonging to security object O(A1, ..., An).
Let X (X ⊆ {A1, ..., An}) be sensitive attributes of O.
AgC(O(X), count(O) > n) = C (C ∈ SL, n ∈ N)
Results in the classification C for the retrieval result of a query in the case count(O) > n, i.e. the number of instances of O referenced by a query accessing properties X exceeds the value n.

Query Result Classification Constraints

Aggregation Constraints (cont.)
Application to ER:
- AgC(Is Assigned to, {Title}, 3, S)
- the information of which employee is assigned to what projects is regarded as unclassified
- aggregating all assignments for a certain project, and thereby inferring which team is responsible for what project, is considered secret

[ER diagram classifying query results: Employee (SSN, Name, Salary), Is Assigned to (Date, Function, SSN, Title), Project (Title, Subject, Dep, Client), with Salary marked [Co]]

Query Result Classification Constraints

Inference Constraints
Let PO be the set of multilevel objects involved in a potential logical inference.
Let O, O' be two particular objects from PO with corresponding multilevel representations O(A1, C1, ..., An, Cn, TC) and O'(A1', C1', ..., An', Cn', TC').
Let X ⊆ {A1, ..., An} and Y ⊆ {A1', ..., An'}.
IfC(O(X), O'(Y)) = C
Results in the assignment of security level C to the retrieval result of each query that takes Y together with the properties in X.

Query Result Classification Constraints

Inference Constraints (cont.)
Application to ER:
- IfC(Employee, {Dep}, Project, {Subject}, Co)
- consider the situation where the information of which employee is assigned to what projects is considered confidential
- from having access to the department an employee works for and to the subject of a project, users may infer which department may be responsible for the project and thus may conclude which employees are involved
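The object and query-result constraints of the preceding slides, as an added Python example that is not part of the slides. Entity, attribute and constraint names follow the ER example; the instances are constructed, the salary comparison is assumed to be ">=" (the slides leave the operator unstated), and when several rules fire the result takes the highest level.

```python
LEVELS = {"U": 0, "Co": 1, "S": 2, "TS": 3}

def lub(*levels):
    """Least upper bound of security levels (a total order here)."""
    return max(levels, key=LEVELS.__getitem__)

def instance(**values):
    """A multilevel instance o(a1, c1, ..., an, cn): attribute -> (value, class),
    every cell starting out Unclassified."""
    return {a: (v, "U") for a, v in values.items()}

def SiC(o, X, C):
    """Simple constraint: classify the attributes in X at level C."""
    for a in X:
        o[a] = (o[a][0], C)

def CbC(o, X, Ai, P, C):
    """Content-based: classify X at C when predicate P holds on o's value of Ai."""
    if P(o[Ai][0]):
        SiC(o, X, C)

def CoC(o, X, related, Ai, P, C):
    """Complex: as CbC, but P is evaluated on the related instance o' of O'
    that o's foreign key points to."""
    if P(related[Ai][0]):
        SiC(o, X, C)

def LbC(o, X, Ai):
    """Level-based: the attributes in X take the classification of attribute Ai."""
    for a in X:
        o[a] = (o[a][0], o[Ai][1])

# Query-result constraints as data (constructed to match the slides' examples).
QUERY_RULES = [
    {"kind": "AbC", "K": "SSN", "X": {"Salary"}, "C": "Co"},      # AbC(Employee, {Salary}, Co)
    {"kind": "AgC", "X": {"Title"}, "n": 3, "C": "S"},            # AgC(Is Assigned to, {Title}, 3, S)
    {"kind": "IfC", "X": {"Dep"}, "Y": {"Subject"}, "C": "Co"},   # IfC(Employee, {Dep}, Project, {Subject}, Co)
]

def classify_result(attrs, count, rules=QUERY_RULES):
    """Level of a query result from the set of attributes it retrieves and the
    number of instances (count(O)) it references; the highest triggered level wins."""
    level = "U"
    for r in rules:
        if r["kind"] == "AbC" and r["K"] in attrs and r["X"] & attrs:
            level = lub(level, r["C"])
        elif r["kind"] == "AgC" and r["X"] & attrs and count > r["n"]:
            level = lub(level, r["C"])
        elif r["kind"] == "IfC" and r["X"] & attrs and r["Y"] & attrs:
            level = lub(level, r["C"])
    return level
```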

[ER diagram classifying query results: Employee (SSN, Name, Salary), Is Assigned to (Date, Function, SSN, Title), Project (Title, Subject, Dep, Client), with Salary marked [Co]]

QUESTION?
