Chapter one

Introduction to query
processing and optimization

April,2015 1
 Basic Query Processing Steps ...
1. Query parsing and translation (query compiler)
check the syntax (e.g. SQL for relational DBMS)
verify that the mentioned relations do exist.
transform the SQL query to a query plan
represented by a relational algebra expression (for
relational DBMS)
• different possible relational algebra expressions for a
single query

April,2015 2
 Basic Query Processing Steps ...
2. Query optimization (query optimizer)
transform the initial query plan into the
best possible query plan based on the given
data set.
• specify the execution of single query plan
operations (evaluation primitives)
• the query execution plan is defined by a
sequence of evaluation primitives

April,2015 3
 Basic Query Processing Steps ...
3. Query evaluation (command processor)
• execute the query execution plan and
return the result

April,2015 4
Different Algorithms for query
processing…

April,2015 5
 Selection Operation algorithms

1. file-scan algorithm

• The lowest-level query processing operator for

accessing data is the file scan.
• search and retrieve records for a given selection
condition
• In the following we discuss different file scan
algorithms
• we assume that blocks of the file are stored
continuously.
April,2015 6
 Cont’d…
Linear search
• given a file with n blocks, we scan each
block and check if any records satisfy the
condition
• a selection on a candidate key attribute
(unique) can be terminated after a record
has been found

April,2015 7
 Cont’d…
• average costs: tS + n/2 * tT ,
• worst case costs: tS + n * tT
• applicable to any file regardless of ordering,
the availability of indices or the type of
selection operation

April,2015 8
 Cont’d…
Binary search
• an equality selection condition on a file that is
ordered on the selection attribute (n blocks)
can be realized via a binary search
• note that this only works if we assume that the
blocks of the file are stored continuously!
• worst case costs: log2(n) * (tS + tT)

April,2015 9
2. Index based selection operation

A search algorithm that makes use of an index is

called an index scan and the index structure is
called access path
i. Primary index and equality on candidate key
• retrieve a single record based on the index
• costs for a B+-tree with height h: (h + 1) * (tS + tT)
ii. Primary index and equality on non-candidate
key
• multiple records might fulfill the condition (possibly spread
over n successive blocks)

April,2015 10
 Cont’d…
iii. Secondary index and equality on candidate
key
• retrieve a single record based on the index
iv. Secondary index and equality on non-
candidate key
• each matching record may be in a different block
(matching records spread over n blocks)
• for large number of blocks n with matching records, this
can be very expensive and cost even more than a linear
scan!
April,2015 11
 Cont’d…
v. Primary index and comparison on attribute A
– we assume that the relation is sorted on attribute
A
– δA
• use index to find the first record that has a value of A v
and do a sequential file scan from there
– δA
• sequential file scan until A v without using any index

April,2015 12
 Cont’d…

• Secondary index and comparison on attribute A

– δA or δA
– for a B+-tree index we can scan the leaf index blocks
from the smallest value to v or from v to the largest value
– each record may be in a different block (spread over n
blocks)
– for large number of records n, this can be very expensive
and cost even more than a linear scan!
April,2015 13
 Conjunctive Selection Operation
A conjunctive selection has the form θn(r)
i. Conjunctive selection using a single index
– check if there is an access path available for an
attribute in one of the simple conditions θi
– use one of the approaches described before (with
minimal cost) to retrieve the records and check
the other conditions in memory

April,2015 14
 Cont’d…
ii. Conjunctive selection using a composite index
– use the appropriate multi-key index if available
iii. Conjunctive selection using multiple indices
– requires indices with record pointers
– retrieve record pointers from different indices and
perform an intersection of the sets of record
pointers
– additional conditions (without index) might be
checked in memory
April,2015 15
 Disjunctive Selection Operation
A disjunctive selection has the form
θn(r)

Disjunctive selection using indices :-

– indices can only be used if there is an index for all
conditions; otherwise a linear scan of the relation
has to be performed anyway

April,2015 16
 Sorting
• Sorting in database systems is important for two
reasons
– a query may specify that the output should be sorted
– the processing of some relational query operations can be
implemented more efficiently based on sorted relations
-e.g. join operation
– For relations that fit into memory, techniques like
quicksort can be used
– For relations that do not fit into memory an external
merge sort algorithm can be used

April,2015 17
April,2015 18
 Cont’d…
• Let us assume that there is space for M
memory blocks
(1)Create runs
• repeatedly read M blocks of the initial relation,
sort them and write them back as run Ri
(resulting in a total of N runs).

April,2015 19
 Cont’d…
(2)Merge the runs (N-way merge), for N < M
– use N memory blocks to buffer the input runs (one
block per run) and one block as an output buffer
– repeat the following steps until all input buffer blocks
are empty
• select the smallest record rs from all input runs and
write it to the output block
– if the output block is full then write it to the disk
• remove the record rs from the buffered block of
run Ri
– if the buffered block of run Ri becomes empty,
then fetch the next block of the input run Ri into
the buffer April,2015 20
 Cont’d…
• If N M then multiple merge passes are
required
– in each pass continuous groups of M - 1 runs are
merged
– each pass reduces the number of runs by a factor
M-1

April,2015 21
April,2015 22
 Cont’d…
• See example on sort and merge algorithm
from your text book.

April,2015 23
 Join Operation algorithms
• Different algorithms for implementing join
operations
– nested-loop join
– block nested-loop join
– index nested-loop join
– Sort-merge join
– hash join

April,2015 24
 1. Nested loop join
• Lets take a relation r and s:
for each tuple tr in r {
for each tuple ts in s {
if (tr and ts satisfy the join condition q) {
add tuple tr x ts to the result set
}
}
}
 Where tr and ts are tuples of r and s respectively.
April,2015 25
 Cont’d…
• r is called the outer relation and s
the inner relation of the join.
• Requires no indices and can be used
with any kind of join condition.
• Expensive since it examines every
pair of tuples in the two relations.

April,2015 26
 2. Block Nested-Loop Join
• Variant of nested-loop join in which every block of inner relation
is paired with every block of outer relation.
for each block Br of r do begin
for each block Bs of s do begin
for each tuple tr in Br do begin
for each tuple ts in Bs do begin
Check if (tr,ts) satisfy the join condition
if they do, add tr • ts to the result.
end
end
end
end
April,2015 27
 3. Indexed Nested-Loop Join
• Index lookups can replace file scans if
– join is an equi-join or natural join and
– an index is available on the inner relation’s join
attribute
• Can construct an index just to compute a join.
• For each tuple tr in the outer relation r, use the
index to look up tuples in s that satisfy the join
condition with tuple tr.

April,2015 28
 4. Merge-Join
1. Sort both relations on their join attribute (if
not already sorted on the join attributes).
2. Merge the sorted relations to join them

April,2015 29
 5. Hash join
• The records of files R and S are both hashed to
the same hash file, using the same hashing
function on the join attributes A of R and B of S
as hash keys.
• A single pass through the file with fewer
records (say, R) hashes its records to the hash
file buckets.
• A single pass through the other file (S) then
hashes each of its records to the appropriate
bucket, where the record is combined with all
matching records from R.
April,2015 30
 cont’d…
Ri compared with si

April,2015 31
 Heuristic optimization
• Heuristic optimization transforms the query-tree by
• using a set of rules that typically (but not in all cases)
• improve execution performance:

– Perform selection early (reduces the number of tuples)

– Perform projection early (reduces the number of attributes)
– Perform most restrictive selection and join operations
• before other similar operations.
– Some systems use only heuristics,
• others combine heuristics with partial cost-based
optimization.

April,2015 32
 Cont’d…
• Heuristic Optimization of Query Trees:
– The same query could correspond to many different relational
algebra expressions — and hence many different query trees.
– The task of heuristic optimization of query trees is to find a final
query tree that is efficient to execute.

• Example:
Q: SELECT LNAME
FROM EMPLOYEE, WORKS_ON, PROJECT
WHERE PNAME = ‘AQUARIUS’ AND
PNMUBER=PNO AND ESSN=SSN
AND BDATE > ‘1957-12-31’;

April,2015 33
April,2015 34
April,2015 35
 Using Selectivity and Cost Estimates in
Query Optimization
• Cost-based query optimization:
– Estimate and compare the costs of executing a
query using different execution strategies and
choose the strategy with the lowest cost estimate.
– (Compare to heuristic query optimization)

• Issues
– Cost function
– Number of execution strategies to be considered
April,2015 36
 Cont’d…
• Cost Components for Query Execution
1. Access cost to secondary storage
2. Storage cost
3. Computation cost
4. Memory usage cost
5. Communication cost

• Note: Different database systems may focus

on different cost components.
April,2015 37
 Cont’d…
• Catalog Information Used in Cost Functions
– Information about the size of a file
• number of records (tuples) (r),
• record size (R),
• number of blocks (b)
• blocking factor (bfr)
– Information about indexes and indexing attributes of a file
• Number of levels (x) of each multilevel index
• Number of first-level index blocks (bI1)
• Number of distinct values (d) of an attribute
• Selectivity (sl) of an attribute
• Selection cardinality (s) of an attribute. (s = sl * r)

April,2015 38
 Cont’d…
• Examples of Cost Functions for SELECT
• S1. Linear search (brute force) approach
– CS1a = b;
– For an equality condition on a key, CS1a = (b/2) if the record
is found; otherwise CS1a = b.
• S2. Binary search:
– CS2 = log2b + (s/bfr) –1
– For an equality condition on a unique (key) attribute, CS2
=log2b
• S3. Using a primary index (S3a) or hash key (S3b) to retrieve a
single record
– CS3a = x + 1; CS3b = 1 for static or linear hashing;
– CS3b = 1 for extendible hashing;
April,2015 39
 Cont’d…
• Examples of Cost Functions for SELECT (contd.)
• S4. Using an ordering index to retrieve multiple records:
– For the comparison condition on a key field with an
ordering index, CS4 = x + (b/2)
• S5. Using a clustering index to retrieve multiple records:
– CS5 = x + ┌ (s/bfr) ┐
• S6. Using a secondary (B+-tree) index:
– For an equality comparison, CS6a = x + s;
– For an comparison condition such as >, <, >=, or <=,
– CS6a = x + (bI1/2) + (r/2)

April,2015 40
 cont’d…
• Examples of Cost Functions for SELECT (contd.)
• S7. Conjunctive selection:
– Use either S1 or one of the methods S2 to S6 to solve.
– For the latter case, use one condition to retrieve the
records and then check in the memory buffer whether
each retrieved record satisfies the remaining conditions in
the conjunction.
• S8. Conjunctive selection using a composite index:
– Same as S3a, S5 or S6a, depending on the type of index.

• Examples of using the cost functions.

April,2015 41
 Cont’d…
• Examples of Cost Functions for JOIN
– Join selectivity (js)
– js = | (R C S) | / | R x S | = | (R C S) | / (|R| * |S
|)
• If condition C does not exist, js = 1;
• If no tuples from the relations satisfy condition C, js = 0;
• Usually, 0 <= js <= 1;
• Size of the result file after join operation
– | (R C S) | = js * |R| * |S |
April,2015 42
 Cont’d…
• Examples of Cost Functions for JOIN (contd.)
• J1. Nested-loop join:
– CJ1 = bR + (bR*bS) + ((js* |R|* |S|)/bfrRS)
– (Use R for outer loop)
• J2. Single-loop join (using an access structure to retrieve the
matching record(s))
– If an index exists for the join attribute B of S with index levels xB,
we can retrieve each record s in R and then use the index to
retrieve all the matching records t from S that satisfy t[B] = s[A].
– The cost depends on the type of index.

April,2015 43
 Cont’d…
• Examples of Cost Functions for JOIN (contd.)
• J2. Single-loop join (contd.)
– For a secondary index,
• CJ2a = bR + (|R| * (xB + sB)) + ((js* |R|* |S|)/bfrRS);
– For a clustering index,
• CJ2b = bR + (|R| * (xB + (sB/bfrB))) + ((js* |R|* |S|)/bfrRS);
– For a primary index,
• CJ2c = bR + (|R| * (xB + 1)) + ((js* |R|* |S|)/bfrRS);
– If a hash key exists for one of the two join attributes — B of S
• CJ2d = bR + (|R| * h) + ((js* |R|* |S|)/bfrRS);
• J3. Sort-merge join:
• CJ3a = CS + bR + bS + ((js* |R|* |S|)/bfrRS);
• (CS: Cost for sorting files)
April,2015 44
 Semantic Query Optimization
• Semantic Query Optimization:
– Uses constraints specified on the database schema in order to modify
one query into another query that is more efficient to execute.
• Consider the following SQL query,
SELECT E.LNAME, M.LNAME
FROM EMPLOYEE E M
WHERE E.SUPERSSN=M.SSN AND E.SALARY>M.SALARY
• Explanation:
– Suppose that we had a constraint on the database schema that stated
that no employee can earn more than his or her direct supervisor. If
the semantic query optimizer checks for the existence of this
constraint, it need not execute the query at all because it knows that
the result of the query will be empty. Techniques known as theorem
proving can be used for this purpose.

April,2015 45
 summary
Topics discussed…
0. Introduction to Query Processing
1. Translating SQL Queries into Relational Algebra
2. Algorithms for External Sorting
3. Algorithms for SELECT and JOIN Operations
4. Combining Operations using Pipelining
5. Using Heuristics in Query Optimization
6. Using Selectivity and Cost Estimates in Query
Optimization
7. Semantic Query Optimization
April,2015 46
Chapter-two

Database Security
and Authorization

April,2015 47
Introduction to database security
Prevent/detect/deter improper
Disclosure of information

Prevent/detect/deter Secrecy
Improper modification
of information

Integrity Availability

Prevent/detect/deter improper
Denial of access to services

April,2015 48 48
 Cont’d…
• To protect databases against these types of threats four kinds
of countermeasures can be implemented:
– Access control – handled by creating username/ passwords.
– Inference control - controlling the access to a statistical
database, which is used to provide statistical information
or summaries of values based on various criteria.
– Flow control - prevents information from flowing in such a
way that it reaches unauthorized users(covert channels).
– Encryption - used to protect sensitive data (such as credit
card numbers) that is being transmitted via some type
communication network.

April,2015 49
 Database Security and the DBA
• The database administrator (DBA) is the
central authority for managing a database
system.
– The DBA’s responsibilities include
• granting privileges to users who need to use the system
• classifying users and data in accordance with the policy
of the organization
• The DBA is responsible for the overall security
of the database system.
April,2015 50
 Cont’d…
• The DBA has a DBA account in the DBMS
– Sometimes these are called a system or superuser account
– These accounts provide powerful capabilities such as:
• 1. Account creation
• 2. Privilege granting
• 3. Privilege revocation
• 4. Security level assignment
– Action 1 is access control, whereas 2 and 3 are
discretionary and 4 is used to control mandatory
authorization

April,2015 51
 Access Protection, User Accounts, and
Database Audits
 User (including the DBA) must log in to the
DBMS by entering account id and password
whenever database access is needed.

April,2015 52
 Cont’d…
• The database system must also keep track of
all operations on the database that are
applied by a certain user throughout each
login session.
– To keep a record of all updates applied to the
database and of the particular user who applied
each update, we can modify system log, which
includes an entry for each operation applied to the
database that may be required for recovery from a
transaction failure or system crash.
April,2015 53
 Cont’d…
• If any tampering with the database is
suspected, a database audit is performed
– A database audit consists of reviewing the log to
examine all accesses and operations applied to the
database during a certain time period.
• A database log that is used mainly for security
purposes is sometimes called an audit trail.

April,2015 54
 Discretionary Access Control Based on
Granting and Revoking Privileges
 The typical method of enforcing discretionary
access control in a database system is based
on the granting and revoking privileges.

April,2015 55
 Types of Discretionary Privileges
• The account level:
– At this level, the DBA specifies the particular
privileges that each account holds independently of
the relations in the database.
– Independent of the database content
• The relation level (or table level):
– At this level, the DBA can control the privilege to
access each individual relation or view in the
database.
– Dependent of the database content
April,2015 56
 Cont’d…
• The privileges at the account level apply to the capabilities
provided to the account itself and can include
– the CREATE SCHEMA or CREATE TABLE privilege, to create a
schema or base relation;
– the CREATE VIEW privilege;
– the ALTER privilege, to apply schema changes such adding or
removing attributes from relations;
– the DROP privilege, to delete relations or views;
– the MODIFY privilege, to insert, delete, or update tuples;
– and the SELECT privilege, to retrieve information from the
database by using a SELECT query.

April,2015 57
 Cont’d…
• The second level of privileges applies to the relation
level
– This includes base relations and virtual (view) relations.
• The granting and revoking of privileges generally
follow an authorization model for discretionary
privileges known as the access matrix model where
– The rows of a matrix M represents subjects (users,
accounts, programs)
– The columns represent objects (relations, records,
columns, views, operations).
– Each position M(i,j) in the matrix represents the types of
privileges (read, write, update) that subject i holds on
object j.
April,2015 58
 Cont’d…
• To control the granting and revoking of relation
privileges, each relation R in a database is assigned
and owner account, which is typically the account
that was used when the relation was created in the
first place.
– The owner of a relation is given all privileges on that
relation.
– In SQL2, the DBA can assign and owner to a whole schema
by creating the schema and associating the appropriate
authorization identifier with that schema, using the
CREATE SCHEMA command.
– The owner account holder can pass privileges on any of
the owned relation to other users by granting privileges to
their accounts.
April,2015 59
 Cont’d…
• In SQL the following types of privileges can be
granted on each individual relation R:
– SELECT (retrieval or read) privilege on R:
• Gives the account retrieval privilege.
• In SQL this gives the account the privilege to use the
SELECT statement to retrieve tuples from R.
– MODIFY privileges on R:
• This gives the account the capability to modify tuples of
R.
• In SQL this privilege is further divided into UPDATE,
DELETE, and INSERT privileges to apply the
corresponding SQL command to R.
• In addition, both the INSERT and UPDATE privileges can
specify that only certain attributes can be updated by
the account.
April,2015 60
 Cont’d…
• In SQL the following types of privileges can be
granted on each individual relation R (contd.):
– REFERENCES privilege on R:
• This gives the account the capability to reference relation
R when specifying integrity constraints.
• The privilege can also be restricted to specific attributes
of R.

• Notice that to create a view, the account must

have SELECT privilege on all relations involved
in the view definition.
April,2015 61
 Specifying Privileges Using Views
• The mechanism of views is an important
discretionary authorization mechanism in its own
right. For example,
– If the owner A of a relation R wants another account B to
be able to retrieve only some fields of R, then A can create
a view V of R that includes only those attributes and then
grant SELECT on V to B.
– The same applies to limiting B to retrieving only certain
tuples of R; a view V’ can be created by defining the view
by means of a query that selects only those tuples from R
that A wants to allow B to access.

April,2015 62
 Grant command
GRANT <privilege> ON <relation>
To <user>
------------------------------------------------------------------------------------------------------------------------------------

e.g.
 GRANT SELECT * ON Student TO Matthews
 GRANT SELECT *, UPDATE(GRADE) ON Student TO FARKAS
 GRANT SELECT(NAME) ON Student TO Brown

GRANT command applies to base relations as well as views

April,2015 63
 Revoking Privileges
• In some cases it is desirable to grant a
privilege to a user temporarily.
– Hence, a mechanism for revoking privileges is
needed. In SQL, a REVOKE command is included
for the purpose of canceling privileges.
Syntax;
REVOKE <privileges> [ON <relation>]
FROM <user>

April,2015 64
Propagation of Privileges using the GRANT
OPTION

GRANT SELECT ON Employee GRANT SELECT ON Employee

TO Black TO Red
Black Red
WITH GRANT OPTION
?
Brown revokes grant
given to Black
?
Brown does not want
Brown (owner) Red to access the
Employee relation
GRANT UPDATE(Salary) ON
Employee TO White

White
April,2015 65 65
 Cont’d…
Command:
GRANT <privilege> ON <relation>
To <user>
WITH GRANT OPTION

April,2015 66
 An Example…
• Suppose that the DBA creates four accounts
– A1, A2, A3, A4
• and wants only A1 to be able to create base relations. Then
the DBA must issue the following GRANT command in SQL
GRANT CREATETAB TO A1;
• In SQL2 the same effect can be accomplished by having the
DBA issue a CREATE SCHEMA command as follows:
CREATE SCHAMA EXAMPLE AUTHORIZATION
A1;

April,2015 67
 Cont’d…
 User account A1 can create tables under the schema
called EXAMPLE.
 Suppose that A1 creates the two base relations
EMPLOYEE and DEPARTMENT
 A1 is then owner of these two relations and hence all the
relation privileges on each of them.
 Suppose that A1 wants to grant A2 the privilege to insert
and delete tuples in both of these relations, but A1 does
not want A2 to be able to propagate these privileges to
additional accounts:
GRANT INSERT, DELETE ON
EMPLOYEE, DEPARTMENT TO A2;

April,2015 68
Cont’d…

April,2015 69
 Cont’d…
 Suppose that A1 wants to allow A3 to retrieve
information from either of the two tables and also to be
able to propagate the SELECT privilege to other
accounts.
 A1 can issue the command:
GRANT SELECT ON EMPLOYEE, DEPARTMENT
TO A3 WITH GRANT OPTION;
 A3 can grant the SELECT privilege on the EMPLOYEE
relation to A4 by issuing:
GRANT SELECT ON EMPLOYEE TO A4;
 Notice that A4 can’t propagate the SELECT privilege
because GRANT OPTION was not given to A4

April,2015 70
 Cont’d…
 Suppose that A1 decides to revoke the SELECT
privilege on the EMPLOYEE relation from A3; A1
can issue:
REVOKE SELECT ON EMPLOYEE FROM A3;
 The DBMS must now automatically revoke the
SELECT privilege on EMPLOYEE from A4, too,
because A3 granted that privilege to A4 and A3
does not have the privilege any more.

April,2015 71
 Cont’d…
 Suppose that A1 wants to give back to A3 a limited capability to
SELECT from the EMPLOYEE relation and wants to allow A3 to be
able to propagate the privilege.
 The limitation is to retrieve only the NAME, BDATE, and

ADDRESS attributes and only for the tuples with DNO=5.

 A1 then create the view:
CREATE VIEW A3EMPLOYEE AS
SELECT NAME, BDATE, ADDRESS
FROM EMPLOYEE
WHERE DNO = 5;
 After the view is created, A1 can grant SELECT on the view
A3EMPLOYEE to A3 as follows:
GRANT SELECT ON A3EMPLOYEE TO A3
WITH GRANT OPTION;

April,2015 72
 Cont’d…
 Finally, suppose that A1 wants to allow A4 to update only
the SALARY attribute of EMPLOYEE;
 A1 can issue:
GRANT UPDATE ON EMPLOYEE (SALARY) TO
A4;

 The UPDATE or INSERT privilege can specify particular

attributes that may be updated or inserted in a relation.
 Other privileges (SELECT, DELETE) are not attribute
specific.

April,2015 73
 Specifying Limits on Propagation of
Privileges
– Limiting horizontal propagation to an integer
number i means that an account B given the
GRANT OPTION can grant the privilege to at most i
other accounts.

April,2015 74
• Vertical propagation is more complicated; it limits
the depth of the granting of privileges.

April,2015 75
Mandatory Access Control and Role-Based
Access Control for Multilevel Security
 DAC is an all-or-nothing method:
 A user either has or does not have a certain privilege.
 In many applications, and additional security policy is
needed that classifies data and users based on security
classes.
 This approach as mandatory access control, would
typically be combined with the discretionary access
control mechanisms

April,2015 76
 Cont’d…
 Security label
- Top-Secret, Secret, Public
 Objects: security classification
- File 1 is Secret, File 2 is Public
 Subjects: security clearances
- Brown is cleared to Secret, Black is cleared to Public
 Dominance ()
- Top-Secret  Secret  Public

April,2015 77
 Cont’d…
 Access rights: defined by comparing the
security classification of the requested objects
with the security clearance of the subject
 If access control rules are satisfied, access is
permitted
 Otherwise access is rejected
 Granularity of access rights!

April,2015 78
 Cont’d…
 Single security property: a subject S is allowed a
read access to an object O only if label(S)
dominates label(O)
 Star-property: a subject S is allowed a write access
to an object O only if label(O) dominates label(S)

No direct flow of information from

high security objects to low security objects!
April,2015 79 79
 Multi level relation
Attribute values and tuples are considered
as objects.
 Each attribute A is associated with a classification attribute C.
 In some models, a tuple classification attribute
TC is added to the relation.
Example:
Employee (SSN, Name, BDate, Salary) ->
Employee (SSN, CSSN, Name, CName, BDate, CBDate,
Salary, CSalary, TC)
 Such a relation is called a multi-level relation.

April,2015 80
 Cont’d…
 Apparent key:
The set of attributes that would have formed the
primary key in a regular (single-level) relation.
 Polyinstantiation
Several tuples can have the same apparent key
value but have different attribute values for users
at different classification levels.
 Filtering -in query replace values with null

April,2015 81
Example…

April,2015 82
 Integrity Constraints for Multilevel relations

 Entity integrity
 All attributes that are members of the apparent key
must not be null and must have the same security class.
 All other attribute values in the tuple must have a
security class greater than or equal to that of the
apparent key
 Null integrity
 If a tuple value at some security level can be derived
from a higher-level tuple, then it’s sufficient to store the
higher-level tuple.

April,2015 83
 Role-Based Access Control
 Its basic notion is that permissions are associated with
roles, and users are assigned to appropriate roles.
 Roles can be created using the CREATE ROLE and
DESTROY ROLE commands.
 Roles are a group of privileges.
 The GRANT and REVOKE commands discussed under
DAC can then be used to assign and revoke privileges
from roles.
 First we have to create the role name as follows.

Syntax:
Create role role-name;

April,2015 84
 Cont’d…
 The second task will be granting privileges to
the role created.
Syntax:
Grant objects/system privileges/All
On object name/s to role-name;
 Finally we can grant this role to users:
Syntax:
Grant role name to user/s;
April,2015 85
 Example:
Question:- Create a role named as R1 having
select and update privileges on employee and
department tables, then grant this role to users
maru and alemu.
Solution:
i) Create role R1;
ii) Grant select, update on employee,
department to R1;
iii) Grant R1 to maru, alemu;
April,2015 86
 Introduction to Statistical
Database Security
• Statistical databases are used mainly to
produce statistics on various populations.
• The database may contain confidential data
on individuals, which should be protected
from user access.
• Users are permitted to retrieve statistical
information on the populations, such as
averages, sums, counts, maximums,
minimums, and standard deviations.
April,2015 87
 Cont’d…
• A population is a set of tuples of a relation
(table) that satisfy some selection condition.
• Statistical queries involve applying statistical
functions to a population of tuples.

April,2015 88
 Cont’d…
• For example, we may want to retrieve the number of
individuals in a population or the average income in the
population.
– However, statistical users are not allowed to retrieve individual
data, such as the income of a specific person.
• Statistical database security techniques must prohibit the
retrieval of individual data.
• This can be achieved by prohibiting queries that retrieve
attribute values and by allowing only queries that involve
statistical aggregate functions such as COUNT, SUM, MIN,
MAX, AVERAGE, and STANDARD DEVIATION.
– Such queries are sometimes called statistical queries.

April,2015 89
 Cont’d…
• It is DBMS’s responsibility to ensure confidentiality of
information about individuals, while still providing useful
statistical summaries of data about those individuals to users.
Provision of privacy protection of users in a statistical
database is paramount.
• In some cases it is possible to infer the values of individual
tuples from a sequence statistical queries.
– This is particularly true when the conditions result in a
population consisting of a small number of tuples.

April,2015 90
 Introduction to Flow Control
• Flow control regulates the distribution or flow of information
among accessible objects.
• A flow between object X and object Y occurs when a program
reads values from X and writes values into Y.
– Flow controls check that information contained in some objects
does not flow explicitly or implicitly into less protected objects.
• A flow policy specifies the channels along which information
is allowed to move.
– The simplest flow policy specifies just two classes of
information:
• confidential (C) and non confidential (N)
– and allows all flows except those from class C to class N.

April,2015 91
 Covert channels
• A covert channel allows a transfer of
information that violates the security or the
policy.

• A covert channel allows information to pass

from a higher classification level to a lower
classification level through improper means.

April,2015 92
 Cont’d…
• Covert channels can be classified into two broad categories:
– Storage channels do not require any temporal synchronization,
in that information is conveyed by accessing system information
or what is otherwise inaccessible to the user.
– Timing channel allow the information to be conveyed by the
timing of events or processes.
• Some security experts believe that one way to avoid covert
channels is for programmers to not actually gain access to
sensitive data that a program is supposed to process after the
program has been put into operation.

April,2015 93
Encryption and Public Key Infrastructures

• Encryption is a means of maintaining secure

data in an insecure environment.
• Encryption consists of applying an encryption
algorithm to data using some pre specified
encryption key.
• The resulting data has to be decrypted using a
decryption key to recover the original data.

April,2015 94
 Public Key Encryption
• Uses two keys.
• The two keys used for public key encryption
are referred to as the public key and the
private key.
– the private key is kept secret, but it is referred to
as private key rather than a secret key (the word
used in conventional encryption to avoid
confusion with conventional encryption).

April,2015 95
 Cont’d…
• Public key is made for public and private key is
known only by owner.
• A general-purpose public key cryptographic
algorithm relies on
– one key for encryption and
– a different but related key for decryption.

April,2015 96