Keamanan dan Integritas Data (Data Security and Integrity) - 10
DTETI
2019
Relational Database
• Database
• a collection of data & set of rules that organize the data
• user works with a logical representation of the data
• Relational database
• in the relational model, data is organized as a collection of RELATIONS (tables)
• a relation is defined over a set of ATTRIBUTES (columns)
• each row (record) of a relation is called a TUPLE
• Database management system (DBMS)
• maintains the DB and controls read/write access to it
• Database administrator (DBA)
• defines the organization of the DB and the rules for accessing it
RDB Concepts
• Relationships between tables (relations) are themselves expressed as relations
• base ('real') relations: named, autonomous relations, not derived from other relations (they have stored data)
• views: named, derived relations (no stored data)
• snapshots: like views, named and derived relations, but they do have stored data
• query results: the result of a query; may or may not have a name, and has no persistent existence
• Within every relation we need to uniquely identify every tuple
• the primary key of a relation is a unique and minimal identifier for the tuples of that relation
• it can be a single attribute, or there may be a choice of (combinations of) attributes to use
• when the primary key of one relation appears as an attribute in another relation, it is a foreign key in that relation
Structured Query Language
• example
CREATE VIEW AVSAL(DEPT, AVG_SALARY)
AS SELECT DEPT, AVG(SALARY)
FROM EMP GROUP BY DEPT
• access to this view can be granted to every department manager without granting any access to EMP itself: managers see the average, never an individual salary (the output column is named AVG_SALARY because AVG is a reserved word in most DBMSs)
• example
CREATE VIEW MYACCOUNT AS
SELECT * FROM Account
WHERE Customer = current_user()
• view containing only the account rows of the current user; current_user() is the identity the DBMS assigned to the session at login (CURRENT_USER in standard SQL), not a value supplied by the client
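The two views above as a runnable illustration (an added example, not code from the slides): SQLite stands in for the DBMS, the Account and EMP tables, their rows and the current_user() function are constructed here, and GRANT/REVOKE is not shown because SQLite has no privilege system. The point to observe is that a caller who holds SELECT on MYACCOUNT only ever sees rows for the session's user, and that AVSAL exposes no individual SALARY value.

```python
"""Views as access-control objects (added example; SQLite stands in for the DBMS)."""
import sqlite3

# Session state standing in for the DBMS's record of the authenticated user.
# In a real DBMS this is set by the server at login, never by client SQL.
_session = {"user": None}


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite has no CURRENT_USER; register a 0-argument SQL function that
    # reads the session variable so the view text matches the slide's.
    conn.create_function("current_user", 0, lambda: _session["user"])
    conn.executescript("""
        CREATE TABLE Account(AcctNo INTEGER PRIMARY KEY, Customer TEXT, Balance INTEGER);
        INSERT INTO Account VALUES (1, 'alice', 120), (2, 'bob', 80), (3, 'alice', 5000);
        CREATE TABLE EMP(Name TEXT, DEPT TEXT, SALARY INTEGER);
        INSERT INTO EMP VALUES ('ann', 'ops', 50), ('ben', 'ops', 70), ('cy', 'dev', 90);

        -- context-dependent policy: each customer sees only their own rows
        CREATE VIEW MYACCOUNT AS
            SELECT * FROM Account WHERE Customer = current_user();

        -- data-dependent policy: managers get the department average, not salaries
        CREATE VIEW AVSAL(DEPT, AVG_SALARY) AS
            SELECT DEPT, AVG(SALARY) FROM EMP GROUP BY DEPT;
    """)
    return conn


def my_accounts(conn: sqlite3.Connection, user: str) -> list[tuple[int, int]]:
    """Rows `user` sees through MYACCOUNT. The grantee would hold SELECT on the
    view only, so the base table is never named in the query."""
    _session["user"] = user
    return conn.execute(
        "SELECT AcctNo, Balance FROM MYACCOUNT ORDER BY AcctNo").fetchall()


def dept_averages(conn: sqlite3.Connection) -> dict[str, float]:
    """Aggregate view: individual SALARY values are not reachable through it."""
    return dict(conn.execute("SELECT DEPT, AVG_SALARY FROM AVSAL").fetchall())


if __name__ == "__main__":
    db = open_db()
    for u in ("alice", "bob", "mallory"):
        print(u, my_accounts(db, u))
    print(dept_averages(db))
```

The policy holds only if the users are denied direct SELECT on Account and EMP; a view on a table the user can already read restricts nothing. The same applies to the session identity: if the client could set current_user() itself, MYACCOUNT would be an empty control.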
SQL Security Model - Views
• Advantages of views
• views are flexible, and allow access control to be defined at a level of description appropriate to the application
• views can enforce context and data-dependent policies
• data can easily be reclassified
• Disadvantages of views
• access checking may become complex
• views need to be checked for correctness (do they properly capture policy?)
• completeness and consistency not achieved automatically - views may overlap or miss parts
of database
• security-relevant part of DBMS may become very large
• Inherent weakness of DAC
• DAC lets any information a subject can read be copied into any object that subject can write; the access rules say nothing about where data may flow
• a Trojan horse running with the subject's rights can therefore copy information from a protected object into one the attacker can read
SQL Security Model - MAC
• Mandatory access controls (MAC)
• no read up, no write down
• traditional MAC implementations in RDBMSs have focused solely on multilevel security (MLS)
• there have been three commercial MLS RDBMS offerings: Trusted Oracle, Informix OnLine/Secure, Sybase Secure SQL Server
• Enforce MAC using security labels
• assign a security level to all data: a label is associated with each row
• assign a security clearance to each user: a label is associated with the user
• DBMS enforces MAC
• access to a row is decided from the label associated with that row and the label (clearance) of the user accessing it: no read up, no write down
SQL Security Model
[Table: access policy by role; only one row survived extraction]
Managers | Client records for their department, and only non-confidential columns | None
• Types of attack
• direct attack: an aggregate is computed over so small a sample that individual data items are leaked
• indirect attack: combines several aggregates, each of which is individually permitted
• tracker attack: a very effective type of indirect attack; a disallowed query is padded with extra records ("the tracker") until it is permitted, and the padding is then subtracted out with further permitted queries
• linear system vulnerability: takes tracker attacks further, using the algebraic relations between query sets to construct a system of equations whose solution yields the desired information
Inference Data Example
[Table of student records; only the column headings survived extraction: NAME, SEX, RACE, AID, FINES, DRUGS, DORM]
• Protection techniques
• Only queries disclosing non-sensitive data are allowed
• difficult to discriminate between safe and unsafe queries
• effective primarily against direct attacks
• Controls applied to individual items within the database
• suppression: don't provide sensitive data
• concealing: provide a slightly modified value
Inference Suppression
• The "n-item k-percent rule" (withhold a statistic computed over fewer than n items, or one in which k percent or more of the value comes from a single item) is not sufficient in itself to prevent inference: a withheld cell can be recovered by subtracting the published cells from the row or column total
• We must therefore also suppress at least one other value in each row and column that contains a suppressed cell (complementary suppression)
Students by Dorm and Sex, with Low Count Suppression

        Holmes  Grey  West  Total
M          -      3     -      5
F          2      -     3      6
Total      3      4     4     11
• Random sample
• partition the data and compute the statistic over a random sample of the partition
• equivalent queries may or may not be answered from the same sample, so repeated queries cannot simply be averaged to remove the sampling error
• Random data perturbation
• intentionally introduce error into the response
• Query analysis
• history-driven: keep each user's query history and refuse a query whose combination with earlier ones would disclose an individual value
• difficult and expensive, and blind to collusion between users
Aggregation
• The aggregation problem exists when the aggregate of two or more data items is classified at a level higher than the least upper bound of the classifications of the individual items that make up the aggregate
• the data items are typically multiple instances of the same entity
• Addressing the aggregation problem is difficult
• it requires the DBMS to track what results each user has already received
• aggregation can take place outside the system, where the DBMS cannot observe it
• there are relatively few proposals for countering aggregation
• Data association: a sub-problem of aggregation
• data association: sensitive associations between instances of two or more distinct data items
• (cardinal) aggregation: associations among multiple instances of the same entity
Inference vs. Aggregation
• Polyinstantiation
• users operating at two different security levels may get two different answers to the same query
• one record can appear (be instantiated) more than once, each instance with a different level of confidentiality
• this is deliberate: if a low-level insert were refused because a higher-level record with the same key already exists, the refusal itself would reveal that the higher-level record exists
Polyinstantiated Records
Name       Sensitivity  Assignment    Location
Hill, Bob  C            Program Mgr   London
Hill, Bob  TS           Secret Agent  South Bend
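The label-based MAC rules from the MAC slides and the polyinstantiated table above, as a small runnable model (an added example, not the slides' code). Only the two "Hill, Bob" rows come from the slide; the label ordering U < C < S < TS, the rule that a subject writes at exactly its own level, and the real key (Name, Sensitivity) are assumptions of this illustration.

```python
"""Row-level MAC labels with polyinstantiation (added example)."""
from dataclasses import dataclass

LEVEL = {"U": 0, "C": 1, "S": 2, "TS": 3}  # assumed totally ordered labels


@dataclass(frozen=True)
class Row:
    name: str
    sensitivity: str  # security label of the row
    assignment: str
    location: str


class MLSTable:
    """Apparent primary key is Name; the real key is (Name, Sensitivity),
    so one entity may be instantiated once per label."""

    def __init__(self) -> None:
        self.rows: list[Row] = []

    def select(self, clearance: str) -> list[Row]:
        """No read up: only rows whose label is dominated by the clearance."""
        return [r for r in self.rows if LEVEL[r.sensitivity] <= LEVEL[clearance]]

    def insert(self, clearance: str, row: Row) -> None:
        """A subject writes at its own level only (no write down; and no write
        up, so it cannot alter what it cannot read). The key collision check is
        done only at the subject's own level: refusing a Confidential insert
        because a Top Secret 'Hill, Bob' exists would tell the Confidential
        user that a TS row exists, so both rows coexist."""
        if row.sensitivity != clearance:
            raise PermissionError(f"{clearance} subject cannot write a {row.sensitivity} row")
        if any(r.name == row.name and r.sensitivity == row.sensitivity for r in self.rows):
            raise KeyError(f"{row.name} already exists at level {row.sensitivity}")
        self.rows.append(row)


def build_slide_table() -> MLSTable:
    t = MLSTable()
    t.insert("TS", Row("Hill, Bob", "TS", "Secret Agent", "South Bend"))
    # A Confidential user later files the cover story; it must not be refused.
    t.insert("C", Row("Hill, Bob", "C", "Program Mgr", "London"))
    return t


def locations_seen_by(t: MLSTable, clearance: str) -> list[str]:
    """The answer to 'where is Hill, Bob?' at a given clearance."""
    return [r.location for r in t.select(clearance)]


if __name__ == "__main__":
    t = build_slide_table()
    for lvl in ("U", "C", "TS"):
        print(lvl, locations_seen_by(t, lvl))
```

A Confidential user gets one answer (London), a Top Secret user gets both rows and has to know that the lower one is a cover story; that ambiguity for high-level readers is the price of not leaking existence to low-level writers.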