CSCI 5271

Document Sample
CSCI 5271 Powered By Docstoc
					  CSCI 5271

Almost all modern corporate/organizational
information is stored in databases

We use databases in our daily lives:
  –  Web sites (Weather, news, other…)
  –  Registration, Grades
  –  DMV, Government…
  –  Travel…
… for many reasons, including concurrency
control, centralization, management…

Databases raise unique security challenges:
integrity, privacy, and polyinstantiation.
•    A database is a collection of tables or relations.
•    Each table is a collection of rows or tuples.
•    Each tuple consists of attributes or fields.
•    An attribute in a specific tuple is an item or element.

 LName     FName   Address          ID      ID      Dept   Salary   PRev
 Davis     Fred    11 Any Pl.       72579   03648   HELP   44500    B
 Garland Dave      901 67th St      66945   10123   HR     43800    A
 Hilten    Eve     777 77th Ave S   03648   13207   R&D    62000    D
 Jenkins   Bob     100 Mulberry Ln 13207    34815   HR     38200    B
 Poling    Carol   200 Union St     34815   66945   HELP   54600    A
 Rogers    Alice   123 No Way       10123   72579   R&D    44000    B
                                            72579   ADMIN 51400     A

•  The relationship between tables is a schema.


User                      Database
         Replies   DBMS

•  Typical queries combine:
  –  Selection: select subset of rows based on a
  –  Projection: subset of columns
  –  Join: Link rows of two tables together
  –  Aggregation: Simple computations on above,
     e.g. sum, count, average, length…
•  select sum(salary) from salary_table where
   Dept=‘HR’ or Dept=‘HELP’;
The primary goal of the DBMS is to prevent corruption
of the DB, by maintaining:
 –    Physical integrity
 –    Element integrity (element values “make sense”)
 –    Referential integrity (no “dangling references”)
 –    Logical consistency (relations obey schema)
The primary tools employed by the DBMS include:
 –  Access Control prevents unauthorized users changing values
 –  Transactions and two-phase commits to prevent damage
    from write failures
 –  Logs and checkpoints to recover from erroneous changes.
 –  Procedures and triggers that enforce integrity
A Primary Key is a minimal set of attributes that
uniquely identifies each row in a table.
When a primary key is referenced in another table, it is
a Foreign Key.
A table with entity integrity has no nulls in primary keys
A table with referential integrity has no unmatched
foreign keys.
                                            ID      Dept   Salary   PRev
LName     FName   Address           ID
                                            03648   HELP   44500    B
Davis     Fred    11 Any Pl.        72579
                                            10123   HR     43800    A
Garland   Dave    901   67th   St   66945
                                            13207   R&D    62000    D
Hilten    Eve     777 77th Ave S    03648
                                            34815   HR     38200    B
Jenkins   Bob     100 Mulberry Ln   13207
                                            66945   HELP   54600    A
Poling    Carol   200 Union St      34815
                                            72579   R&D    44000    B
                                            72579   ADMIN 51400     A
A trigger is a procedure that is automatically executed in
response to an event in a table or database. (e.g. INSERT,
DELETE, UPDATE, CREATE, log on, log off…)

Triggers can enforce element integrity (element values are not
corrupted) by checking attributes, e.g.
 –  $30K <Salary< $1M
 –  length(ID) = 5 & chars(ID) ½ {0…9}
 –  PRev 2 {A,B,C,D}.

They also can enforce logical consistency (constraints on and
relationships between tables) by checking after updates, e.g.
  –  There is at most one president
  –  Date on each customer’s ticket ∈ {scheduled flight days}
  –  New employees must replace vacant positions; after a new
     employee is added, there are fewer vacant positions.
Sensitive data should only be available to some users
                                               ID      Dept   Salary   PRev
LName     FName   Address              ID
                                               03648   HELP   44500    B
Davis     Fred    11 Any Pl.           72579
                                               10123   HR     43800    A
Garland Dave      901 67th St          66945
                                               13207   R&D    62000    D
Hilten    Eve     777   77th   Ave S   03648
                                               34815   HR     38200    B
Jenkins   Bob     100 Mulberry Ln 13207
                                               66945   HELP   54600    A
Poling    Carol   200 Union St         34815
                                               72579   R&D    44000    B
Rogers    Alice   123 No Way           10123
                                               72579   ADMIN 51400     A

An inference attack is a sequence of queries that
collectively disclose information about sensitive data.
e.g., Exact value (Alice’s Salary = 43800), Bounds (30K< X<50K),
Negative results (Alice’s Perf ≠ A), Existence (Alice ∈ emp_t)
Probable values (Pr[X > 50K] < 0.1), …
Select salary from salary_t s, emp_t e where e.ID =
s.ID and e.LName=“Rogers”

Select sum(salary) where
           LName = “Rogers” or
           (Gender = “M” and Gender=“F”)

(This can be prevented by suppressing results with less
than t matching records.)

A = Select sum(salary)
B = Select sum(salary) where employee ≠ Alice

(We also need to suppress results with more than N-t
matching records.)

•  A general tracker is a predicate G that
   matches between 2t and N-2t records
•  An individual tracker F matches the record
   we want to learn.
•  Given F and G, we can learn Alice’s salary
   with three queries:
  –  select sum(salary) where F or G
  –  select sum(salary) where F or not G.
  –  select sum(salary)
•  If t < N/4, general trackers always exist.
•  This attack further generalizes to linear
   algebra – given n predicates that have only
   one record in their intersection, we can
   solve for that record with n+1 queries.
Query suppression tries to avoid giving out
results that leak sensitive data. We could:
  –  Suppress all queries that involve sensitive data.
  –  Try query analysis: attempt to decide by query
     results and the user’s history whether data is
     leaked. Unfortunately, it’s NP-Hard to decide!

Concealment strategies attempt to change
results so exact values are not revealed, using
  –  Limited response rules: a record is only included
     if, e.g. at least k other records match.
  –  Rounding
  –  Random sampling: randomly pick rows to use
  –  Random perturbation: add noise to results
   35 points “exercise-like” questions

   50 points grouped T/F

   15 points short answer

   Open book, open notes, closed computer.

Covers lectures 1-10 (includes today’s lecture)
Security is about learning to “think like an adversary.”
Security failures often result from misplaced trust.
Control Hijacking, or “Why to avoid C like the plague.”
Defensive design: Keep it simple, compartmentalize,
defense in depth, privacy, least privilege, etc...
Defensive programming: check inputs, handle errors…
Isolation & Sandboxing for least privilege
The Access Control Matrix is enforced by low-level
access control primitives: ACLs, capabilities, rings, etc.
Unix & Windows access control mechanisms…
Access control policies: BLP, Biba, C. Wall, Info flow…
“Trusted Operating Systems”, assurance, etc…
Database security and privacy concerns
void silly_function(char *pathname) {
  struct stat f, we;
  int rfd, wfd;
  char *buf;
  stat(pathname, &f);
  stat("/what/ever", &we);
  if (f.st_dev == we.st_dev && f.st_ino == we.st_ino) {
  rfd = open(pathname, O_RDONLY);
  buf = malloc(f.st_size - 1);
  read(rfd, buf, f.st_size - 1);

    stat(pathname, &f);
    if (f.st_dev == we.st_dev && f.st_ino == we.st_ino) {
    wfd = open(pathname, O_WRONLY | O_TRUNC);
    write(wfd, buf, f.st_size-1);
print "content-type: text/html\r\n\r\n";
print "<HTML><BODY>\n";
($field_name, $username_to_look_for) = split(/=/, <>);
chomp $username_to_look_for;
$result = `last -1000 | grep $username_to_look_for`;
if ($result) {
  print "$username_to_look_for has logged in recently.\n";
} else {
  print "$username_to_look_for has NOT logged in recently.\n";
print "</BODY></HTML>\n";
int accept_connection(char *user,   int *total_connections) {
  int tmp = *total_connections;
  char buf[128];
  strcpy(buf, user);
  if (tmp < 100) {
    strcat(buf, ":Y");
    *total_connections++;           REVERSING THE STACK
    tmp = 1;                        void func(char *str) {
  } else {                            char buf[128];
    strcat(buf, ":N");                strcpy(buf, str);
    tmp = 0;                          do_something();
  }                                   return;
  printf("%s\n", buf);              }
  return tmp;

char *zip(char *a, char *b) {   int fib(int n) {
  char *result;                   int tmp;
  int len, i;                     if (n == 0) return 0;
  len = strlen(a);                if (n == 1) return 1;
  result = malloc(2*len);         tmp = fib(n-2);
  for(i = 0; i <= len; i++) {     tmp += fib(n-1);
    result[2*i] = a[i];           return tmp;
    result[2*i+1] = b[i];       }
  return result;
list *merge(list *input1, list *input2) {
  list *output = NULL, *tail, *next;
  do {
    if(strcmp(input1->data, input2->data) <= 0) {
       next = input1;
       input1 = input1->next;
    } else {
       next = input2;
       input2 = input2->next;
    if (output == NULL) {
       output = tail = next;
    } else {
       tail->next = next;
       tail = tail->next;
  } while (input1 != NULL && input2 != NULL);
  if (input1 != NULL) tail->next = input1;
  else tail->next = input2;
  return output;
alice-write in out
Checks a permission file written by Alice to make sure that the ruid of the process
(the calling user) is allowed to write to the file out. If so, then the program
reads the file in and writes it over out.

alice-read in out
Checks a permission file written by Alice to make sure that the calling user is
allowed to read the file in. If so, the the program reads in and writes it to the
file out.

A multi-level classification system has three ranks: public < private
< management, and one specialized compartment, personnel.

Suppose Alice has clearance (private, {}). Draw the lattice of
classifications and mark with an “r” the classifications Alice can read and a
“w” the classifications she can write (or append to) under the BLP policy.