Database Security Lecture (Bài giảng Bảo mật CSDL) - Chapter 2: Security Models

Access control is a security technique that can be used to regulate who or what can view or use resources in a computing environment. Access control systems perform authorization identification, authentication, access approval, and accountability of entities through login credentials including passwords, personal identification numbers (PINs), biometric scans, and physical or electronic keys. There are two main types of access control: physical and logical. Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access control limits connections to computer networks, system files and data. The four main categories of access control are: mandatory access control, discretionary access control, role-based access control, and rule-based access control.

Format: pptx, 141 slides
Lecturer: Trần Thị Kim Chi

SECURITY MODELS
Operating System Security Fundamentals
Continues from Lesson 1, starting at Slide 10

Agenda
- a. Access control
- b. Inference and covert channels
- c. Open/close policy
- d. Database Application Security Models
- Discretionary/mandatory access control

Access control
- Access control is a security technique that can be used to regulate who or what can view or use resources in a computing environment.
- Access control systems perform authorization identification, authentication, access approval, and accountability of entities through login credentials including passwords, personal identification numbers (PINs), biometric scans, and physical or electronic keys.

Types of Access control
- There are two main types of access control: physical and logical.
- Physical access control limits access to campuses, buildings, rooms and physical IT assets.
- Logical access control limits connections to computer networks, system files and data.

Types of Access control
- The four main categories of access control are:
  - Mandatory access control
  - Discretionary access control
  - Role-based access control
  - Rule-based access control

Mandatory access control (MAC)
- Mandatory access control (MAC) is a system-controlled policy restricting access to resource objects (such as data files, devices, systems, etc.) based on the level of authorization or clearance of the accessing entity, be it person, process, or device.

Discretionary access control (DAC)
- Discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria "as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)".
- Discretionary access control is commonly discussed in contrast to mandatory access control (MAC, sometimes termed non-discretionary access control).

Role-based access control (RBAC)
- Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise.

Rules Based Access Control
- Rules Based Access Control is a strategy for managing user access to one or more systems, where business changes trigger the application of Rules, which specify access changes.
- Implementation of Rules Based Access Control systems is feasible so long as the number of triggering business events and the set of possible actions that follow those events are both small.

Authentication Methods
- Authentication:
  - Verifies user identity
  - Permits access to the operating system
- Physical authentication:
  - Allows physical entrance to company property
  - Magnetic cards and biometric measures
- Digital authentication: verifies user identity by digital means

Authentication Methods
- Digital certificates: digital passport that identifies and verifies the holder of the certificate
- Digital token (security token):
  - Small electronic device
  - Displays a number unique to the token holder; used with the holder's PIN as a password
  - Uses a different password each time

Authentication Methods
- Digital card:
  - Also known as a security card or smart card
  - Similar to a credit card; uses an electronic circuit instead of a magnetic strip
  - Stores user identification information
- Kerberos:
  - Developed by MIT
  - Uses tickets for authentication purposes

Authentication Methods
- Lightweight Directory Access Protocol (LDAP):
  - Developed by the University of Michigan
  - A centralized directory database stores: users (user name and user ID), passwords, internal telephone directory, security keys
  - Efficient for reading but not suited for frequently changing information

Authentication Methods
- NTLM:
  - Developed and used by Microsoft
  - Employs a challenge/response authentication protocol
- Public Key Infrastructure (PKI):
  - User keeps a private key
  - Authentication firm holds a public key
  - Encrypt and decrypt data using both keys

Authentication Methods
- RADIUS: used by network devices to provide a centralized authentication mechanism
- Secure Socket Layer (SSL): authentication information is transmitted over the network in an encrypted form
- Secure Remote Password (SRP):
  - Password is not stored locally
  - Invulnerable to brute force or dictionary attacks

Authorization
- Process that decides whether users are permitted to perform the functions they request
- Authorization is not performed until the user is authenticated
- Deals with privileges and rights

Operating System Authentication
- Many databases (including Microsoft SQL Server 2000) depend on the OS to authenticate users
- Reasons:
  - Once an intruder is inside the OS, it is easier to access the database
  - Centralize administration of users
  - Users must be authenticated at each level

User Administration
- Create user accounts
- Set password policies
- Grant privileges to users
- Best practices:
  - Use a consistent naming convention
  - Always provide a password to an account and force the user to change it at the first logon
  - Protect passwords
  - Do not use default passwords

Creating a SQL Server User
- Create a login ID first; it controls access to the SQL Server system
- Associate the login ID with a database user
- Must be a member of the fixed server roles SYSADMIN or SECURITYADMIN
- Two types of login IDs:
  - Windows Integrated (trusted) login
  - SQL Server login

Creating Windows Integrated Logins
- Command line: SP_GRANTLOGIN system stored procedure
  - Can be associated with local, domain or group usernames
- Enterprise Manager:
  - Use the Security container
  - Logins -> New Login

Creating SQL Server Logins
- Command line: SP_ADDLOGIN system stored procedure
  - Password is encrypted by default
  - Specify a default database
- Enterprise Manager:
  - Security container
  - Logins -> New Login
  - SQL Server Authentication option

Removing Users
- Simple process
- Make a backup first
- Obtain a written request (for auditing purposes)

SQL Server: Removing Windows Integrated Logins
- Command line: SP_DENYLOGIN system stored procedure
- Enterprise Manager:
  - Highlight the desired login
  - Choose Delete from the Action menu

Modifying Users
- Modifications involve:
  - Changing passwords
  - Locking an account
  - Increasing a storage quota
- ALTER USER DDL statement

SQL Server: Modifying Windows Integrated Login Attributes
- Command line:
  - SP_DEFAULTDB system stored procedure
  - SP_DEFAULTLANGUAGE stored procedure
- Enterprise Manager:
  - Expand the Security container
  - Select the desired login
  - Properties (on the Action menu)

Default Users
- Oracle default users:
  - SYS, owner of the data dictionary
  - SYSTEM, performs almost all database tasks
  - ORAPWD, creates a password file
- SQL Server default users:
  - SA, system administrator
  - BUILT_IN\Administrators

Remote Users

Database Links
- Connection from one database to another: allow DDL and SQL statements
- Types: PUBLIC and PRIVATE
- Authentication methods:
  - CURRENT USER
  - FIXED USER
  - CONNECT USER

Linked Servers
- Allow you to connect to almost any:
  - Object Linking and Embedding Database (OLEDB)
  - Open Database Connectivity (ODBC)
- OPENQUERY function
- Map logins in your SQL Server instance to users in the linked database
- Remote servers: allow communication using RPC

Practices for Administrators and Managers
- Manage:
  - Accounts
  - Data files
  - Memory
- Administrative tasks:
  - Backup
  - Recovery
  - Performance tuning

Best Practices
- Follow company policies and procedures
- Always document and create logs
- Educate users
- Keep abreast of database and security technology
- Review and modify procedures

Best Practices
- For SQL Server:
  - Mimic Oracle's recommended installation for UNIX
  - Use local Windows or domain Windows accounts
  - Block direct access to database tables
  - Limit and restrict access to the server
  - Use strong passwords
  - Patches, patches, patches

Best Practices
- Document tasks and procedures for auditing purposes
- Creating users:
  - CREATE USER statement in Oracle
  - Login ID in SQL Server
- Removing users:
  - SQL DROP statement
  - SP_DENYLOGIN Windows system stored procedure

Best Practices
- Modifying user attributes: ALTER USER DDL statement
- Local database and users
- Remote users
- Database links
- Linked servers

Password Policies
- First line of defense
- Dictionary attack: permutation of words in a dictionary
- Makes it hard for hackers to enter your systems
- Best password policy:
  - Matches your company's mission
  - Enforced at all levels of the organization

Defining and Using Profiles
- Profile:
  - Describes limitations on database resources
  - Defines database users' behavior
  - Prevents users from wasting resources
- Not offered by every database system:
  - Oracle does
  - Microsoft SQL Server 2000 does not

Creating Profiles in SQL Server
- Profiles are not available in Microsoft SQL Server 2000 or 2005
- Query and connection time-outs: handled at the application level within OLEDB

Designing and Implementing Password Policies
- The password is the key that opens a user account; strong passwords are harder to break
- User authentication depends on passwords
- Hacker violations begin with breaking a password
- Companies spend on:
  - Training
  - Education

What Is a Password Policy?
- Set of guidelines:
  - Enhances the robustness of a password
  - Reduces the likelihood of password breaking
- Deals with:
  - Complexity
  - Change frequency
  - Reuse

Importance of Password Policies
- First line of defense
- Most companies invest considerable resources to strengthen authentication by adopting technological measures that protect their assets
- Forces employees to abide by the guidelines set by the company and raises employee awareness of password protection
- Helps ensure that a company does not fail audits

Designing Password Policies
- Complexity: set of guidelines for creating passwords
- Aging: how long a password can be used
- Usage: how many times a password can be used
- Storage: storing a password in an encrypted manner

Implementing Password Policies
- Microsoft SQL Server 2000:
  - Integrated server system
  - Windows authentication mode
- NTLM:
  - Challenge/response methodology
  - Challenge is eight bytes of random data
  - Response is a 24-byte DES-encrypted hash

Implementing Password Policies
- Kerberos:
  - A key known by client and server encrypts handshake data
  - Requires a Key Distribution Center (KDC)
  - Tickets
  - Time must be synchronized network-wide

Password Policies
- Best practices:
  - Password aging
  - Password reuse
  - Password history
  - Password encryption
  - Password storage and protection
  - Password complexity
  - Logon retries
  - Single sign-on

Granting and Revoking User Privileges
- Permit or deny access to data or to perform database operations
- In Oracle:
  - System privileges:
    - Granted only by a database administrator
    - Granted by a user with administration privileges
  - Object privileges:
    - Granted to a user by the schema owner
    - Granted by a user with GRANT privileges

Granting and Revoking User Privileges
- In SQL Server (4 levels); system/server privileges:
  - Sysadmin
  - Serveradmin
  - Setupadmin
  - Securityadmin
  - Processadmin
  - Dbcreator
  - Diskadmin
  - Bulkadmin

Granting and Revoking User Privileges
- In SQL Server (continued):
  - Database privileges:
    - Fixed database roles
    - Statement permissions
  - Grant permission using the GRANT statement
  - Revoke permission using the REVOKE statement
  - Enterprise Manager
  - Deny permission using the DENY statement

Granting and Revoking User Privileges
- In SQL Server:
  - Table and database object privileges:
    - GRANT, REVOKE, and DENY
    - EXECUTE permission
    - Enterprise Manager (3 methods)
  - Column privileges:
    - GRANT, REVOKE, and DENY
    - Enterprise Manager (2 methods)

Creating, Assigning, and Revoking User Roles
- Role:
  - Used to organize and administer privileges
  - It is like a user, except it cannot own objects
  - Can be assigned privileges
  - Can be assigned to users

Creating, Assigning, and Revoking User Roles
- In SQL Server; user-defined roles:
  - Standard and application
  - Create roles using the SP_ADDROLE system stored procedure
  - Add members to a role using the SP_ADDROLEMEMBER stored procedure
  - Drop members from a role using the SP_DROPROLEMEMBER stored procedure

Creating, Assigning, and Revoking User Roles
- In SQL Server (continued):
  - User-defined roles (continued):
    - Drop roles using the SP_DROPROLE stored procedure
    - Use Enterprise Manager
  - Fixed server roles:
    - Cannot be modified or created
    - Add a member to a role using the SP_ADDSRVROLEMEMBER stored procedure

Creating, Assigning, and Revoking User Roles
- In SQL Server (continued):
  - Fixed server roles (continued):
    - Drop members from a role using the SP_DROPSRVROLEMEMBER stored procedure
    - Use Enterprise Manager
  - Fixed database roles:
    - Cannot be modified
    - Give access to database administrative tasks
    - Add members to a role using the SP_ADDROLEMEMBER stored procedure

Creating, Assigning, and Revoking User Roles
- In SQL Server (continued):
  - Fixed database roles (continued):
    - Drop members from a role using the SP_DROPROLEMEMBER stored procedure
    - Use Enterprise Manager
  - Public database role:
    - Cannot be dropped
    - Users automatically belong to this role
    - Users cannot be dropped

Best Practices
- Develop a secure environment:
  - Never store passwords for an application in plaintext
  - Change passwords frequently
  - Use passwords at least eight characters long
  - Pick a password that you can remember
  - Use roles to control and administer privileges
  - Report compromise or loss of a password
  - Report any violation of company guidelines

Best Practices
- Develop a secure environment (continued):
  - Never give your password to anyone
  - Never share your password with anyone
  - Never give your password over the phone
  - Never type your password in an e-mail
  - Make sure your password is complex enough
  - Use Windows integrated security mode
  - In a Windows 2000/2003 domain, use domain users and take advantage of Kerberos

Best Practices
- When configuring policies:
  - Require complex passwords with special characters in the first seven bytes
  - Require a password length of at least eight
  - Set an account lockout threshold
  - Do not allow passwords to automatically reset
  - Expire end-user passwords
  - Do not expire application-user passwords
  - Enforce a password history

Best Practices
- Profiles define database users' behavior
- In Oracle:
  - DBA_PROFILE view
  - ALTER USER
- SQL Server does not support profiles
- Password policy:
  - Enhances password robustness
  - Reduces the likelihood of password breaking

Best Practices
- In SQL Server:
  - NTLM
  - Kerberos
- In Oracle:
  - System privileges
  - Object privileges
- In SQL Server:
  - System or server, database, table and column privileges

Best Practices
- GRANT and REVOKE
- A role is used to organize and administer privileges in an easy manner
- A role is like a user but cannot own objects
- A role can be assigned privileges
- GRANT and REVOKE
- Best practices for developing a secure environment

E-mail Security
- The tool most widely used by the public
- May be the tool most frequently used by hackers:
  - Viruses
  - Worms
  - Spam
  - Others
- Used to send private and confidential data as well as offensive material

E-mail Security
- Used by employees to communicate with:
  - Clients
  - Colleagues
  - Friends
- Recommendations:
  - Do not configure the e-mail server on the same machine where sensitive data resides
  - Do not disclose technical details about the e-mail server

Security problems with files
- Common threats:
  - File permission
  - File sharing
- Files must be protected from unauthorized reading and writing actions
- Data resides in files; protecting files protects data

File Permissions
- Read, write, and execute privileges
- In Windows 2000:
  - Change permissions on the Security tab of a file's Properties dialog box
  - Allow indicates grant
  - Deny indicates revoke

File Permissions
- In UNIX:
  - Three permission settings: owner; group to which the owner belongs; all other users
  - Each setting consists of rwx: r for reading, w for writing, and x for executing
  - The CHMOD command is used to change file permissions

File Transfer
- FTP (File Transfer Protocol):
  - Internet service for transferring files from one computer to another
  - Transmits usernames and passwords in plaintext
  - The root account cannot be used with FTP
  - Anonymous FTP: ability to log on to the FTP server without being authenticated

File Transfer
- Best practices:
  - Use a Secure FTP utility if possible
  - Make two FTP directories:
    - One for uploads with write permissions only
    - One for downloads with read permissions only
  - Use specific accounts with limited permissions
  - Log and scan FTP activities
  - Allow only authorized operators

Sharing Files
- Naturally leads to security risks and threats
- Peer-to-peer programs: allow users to share files over the Internet
- Reasons for blocking file sharing:
  - Malicious code
  - Adware and spyware
  - Privacy and confidentiality
  - Pornography
  - Copyright issues

Memory
- Hardware memory available on the system
- Can be corrupted by badly written software
- Two options:
  - Stop using the program
  - Apply a patch (service pack) to fix it
- Can harm data integrity

Covert channels
- MLS is designed to restrict legitimate channels of communication
- There may be other ways for information to flow
- For example, resources shared at different levels may signal information
- Covert channel: "communication path not intended as such by the system's designers"

Covert Channel Example
- Alice has TOP SECRET clearance, Bob has CONFIDENTIAL clearance
- Suppose the file space is shared by all users
- Alice creates file FileXYzW to signal "1" to Bob, and removes the file to signal "0"
- Once each minute Bob lists the files
  - If file FileXYzW does not exist, Alice sent 0
  - If file FileXYzW exists, Alice sent 1
- Alice can leak TOP SECRET info to Bob!

Covert Channel Example (timeline)
- Alice, in successive intervals: create file, delete file, create file, delete file, ...
- Bob, once per interval: check file, check file, check file, check file, check file
- Data received by Bob: 1 0 1 0 1

Covert Channel Example
- Other examples of covert channels:
  - Print queue
  - ACK messages
  - Network traffic, etc., etc., etc.
- When does a covert channel exist?
  - Sender and receiver have a shared resource
  - Sender is able to vary a property of the resource that the receiver can observe
  - Communication between sender and receiver can be synchronized

Covert Channel Example
- Covert channels exist almost everywhere
- Easy to eliminate covert channels, provided you eliminate all shared resources and all communication
- Virtually impossible to eliminate all covert channels in any useful system
- DoD guidelines: the goal is to reduce covert channel capacity to no more than 1 bit/second
- The implication is that DoD has given up trying to eliminate covert channels!

Covert Channel Example
- Consider a 100MB TOP SECRET file
- Plaintext version stored in a TOP SECRET place
- Encrypted with AES using a 256-bit key, ciphertext stored in an UNCLASSIFIED location
- Suppose we reduce covert channel capacity to 1 bit per second
- It would take more than 25 years to leak the entire document through a covert channel
- But it would take less than 5 minutes to leak the 256-bit AES key through a covert channel!

Inference Control Example
- Suppose we query a database
- Question: What is the average salary of female CS professors at SJSU?
- Answer: $95,000
- Question: How many female CS professors are at SJSU?
- Answer: 1
- Specific information has leaked from responses to general questions!
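The three access-control categories described under "Access control" above (MAC by clearance level, DAC by owner-controlled and delegable permissions, RBAC by role membership) can be expressed as small decision functions. The block below is an added example written for this page; it is not code from the slides. The clearance ordering, the Bell-LaPadula style read/write rules used for MAC, and the role names are my assumptions, and the final check combines the models in the way the DAC definition on the slide describes: a discretionary grant holds only "unless restrained by mandatory access control".

```python
"""Toy MAC, DAC and RBAC decision functions (added example, not from the lecture)."""
from dataclasses import dataclass, field

# MAC: an assumed total ordering of clearance levels (the slides name TOP SECRET,
# CONFIDENTIAL and UNCLASSIFIED; SECRET is added here for a complete lattice).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def mac_allows(subject_clearance: str, object_label: str, op: str) -> bool:
    """Bell-LaPadula style rules (assumption): no read up, no write down.
    The system, not the owner, decides; the subject cannot delegate this."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


@dataclass
class DacObject:
    """An object whose owner keeps an ACL: user -> set of permissions."""
    owner: str
    label: str
    acl: dict = field(default_factory=dict)


def dac_grant(obj: DacObject, grantor: str, grantee: str, perm: str) -> bool:
    """Discretionary: the owner, or any subject that already holds `perm`,
    may pass it on (the slide's 'capable of passing that permission on')."""
    if grantor != obj.owner and perm not in obj.acl.get(grantor, set()):
        return False
    obj.acl.setdefault(grantee, set()).add(perm)
    return True


def dac_allows(obj: DacObject, user: str, perm: str) -> bool:
    return user == obj.owner or perm in obj.acl.get(user, set())


# RBAC: permissions hang off roles, users are assigned roles (names are assumed).
ROLE_PERMS = {
    "reader": {"read"},
    "writer": {"read", "write"},
    "admin": {"read", "write", "grant"},
}


def rbac_allows(user_roles: dict, user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS[r] for r in user_roles.get(user, ()))


def allowed(obj: DacObject, clearance: dict, user: str, op: str) -> bool:
    """Combined check: the discretionary grant only counts if MAC permits the
    operation for the user's clearance against the object's label."""
    return mac_allows(clearance[user], obj.label, op) and dac_allows(obj, user, op)


if __name__ == "__main__":
    clearance = {"alice": "TOP SECRET", "bob": "CONFIDENTIAL"}
    report = DacObject(owner="alice", label="TOP SECRET")
    dac_grant(report, "alice", "bob", "read")      # Alice chooses to share...
    print(allowed(report, clearance, "bob", "read"))  # ...but MAC still says no
```

The last check is the point of the combined model: Alice, as owner, can grant Bob read access under DAC, yet `allowed()` still returns False because Bob's CONFIDENTIAL clearance is below the object's TOP SECRET label, which is exactly the restraint the DAC definition on the slide refers to.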
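The "When configuring policies" best-practice slide above lists concrete rules: special characters in the first seven bytes, a minimum length of eight, an account lockout threshold, and an enforced password history. The block below is an added example that turns those rules into a checker and a minimal account object; it is not code from the lecture and does not model SQL Server's own policy engine. The history depth of 5, the lockout threshold of 5 attempts, and the requirement for upper-case, lower-case and digit characters are assumptions added here; the slide only says "complex". Passwords are stored as salted PBKDF2 hashes, which is the usual way to meet the slide's "storing a password in an encrypted manner" without keeping anything reversible.

```python
"""Password policy checker and lockout model (added example, not from the lecture)."""
import hashlib
import hmac
import os

MIN_LENGTH = 8            # slide: "Require a password length of at least eight"
SPECIAL_WINDOW = 7        # slide: "special characters in the first seven bytes"
HISTORY_DEPTH = 5         # assumption: remember the last five password hashes
LOCKOUT_THRESHOLD = 5     # assumption: lock after five consecutive failures
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")


def check_complexity(pw: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in SPECIALS for c in pw[:SPECIAL_WINDOW]):
        problems.append(f"no special character in the first {SPECIAL_WINDOW} characters")
    # The three character classes below are an assumption, not stated on the slide.
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    return problems


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def _verify(pw: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_hash(pw, salt), digest)


class Account:
    """Holds only salted hashes (never the plaintext), a history for reuse checks,
    and a failure counter for the lockout threshold."""

    def __init__(self, name: str):
        self.name = name
        self.history: list[tuple[bytes, bytes]] = []   # (salt, hash), newest last
        self.failed = 0
        self.locked = False

    def set_password(self, pw: str) -> list[str]:
        """Apply complexity and history rules; return violations (empty on success)."""
        problems = check_complexity(pw)
        if any(_verify(pw, s, h) for s, h in self.history[-HISTORY_DEPTH:]):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _hash(pw, salt)))
        return []

    def login(self, pw: str) -> str:
        """Return 'ok', 'denied' or 'locked'; lock after LOCKOUT_THRESHOLD failures."""
        if self.locked or not self.history:
            return "locked"
        salt, digest = self.history[-1]
        if _verify(pw, salt, digest):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= LOCKOUT_THRESHOLD:
            self.locked = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    acct = Account("demo")
    print(acct.set_password("Tr#ub4d0r-xyz"))   # [] : accepted
    print(acct.set_password("Tr#ub4d0r-xyz"))   # reuse is rejected
```

Note that the lockout rule is applied to interactive logons only in the slides' spirit ("Do not expire application-user passwords" is the analogous caveat for service accounts): an attacker who can trigger failures against a service account can otherwise turn the lockout threshold into a denial of service, which is why such accounts usually get a separate policy.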
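The covert-channel slides above describe a storage channel (Alice creates or deletes FileXYzW, Bob lists the directory once per interval) and then do the capacity arithmetic for the 1 bit/second DoD target. The block below is an added example, not the lecture's code: it simulates that channel over an in-memory stand-in for the shared file space (a constructed `set`, not a real filesystem), decodes the 1 0 1 0 1 timeline from the slide, computes the leak times for the 100MB file and the 256-bit key, and adds a simple defender-side monitor that counts create/delete churn on the shared resource, which is the kind of observable such a channel leaves behind.

```python
"""Storage covert channel simulation and capacity arithmetic (added example)."""

SIGNAL_FILE = "FileXYzW"            # the file name used on the slide
SECONDS_PER_YEAR = 365 * 24 * 3600


def alice_send_bit(shared: set, bit: int) -> None:
    """Sender varies a property of the shared resource: file present or absent."""
    if bit:
        shared.add(SIGNAL_FILE)
    else:
        shared.discard(SIGNAL_FILE)


def bob_read_bit(shared: set) -> int:
    """Receiver observes the property by listing the shared file space."""
    return 1 if SIGNAL_FILE in shared else 0


class ChurnMonitor:
    """Defender-side observer: counts how often the signal file changes state.
    Constructed for this example; a real monitor would watch audit events."""

    def __init__(self):
        self.last_present = False
        self.transitions = 0

    def observe(self, present: bool) -> None:
        if present != self.last_present:
            self.transitions += 1
        self.last_present = present


def leak(message_bits, shared: set | None = None, monitor: ChurnMonitor | None = None):
    """Run the synchronized exchange: one bit per interval, Bob samples after Alice acts."""
    shared = set() if shared is None else shared
    received = []
    for bit in message_bits:
        alice_send_bit(shared, bit)
        if monitor is not None:
            monitor.observe(SIGNAL_FILE in shared)
        received.append(bob_read_bit(shared))
    return received


def bits_from_bytes(data: bytes) -> list[int]:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bytes_from_bits(bits: list[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def seconds_to_leak(n_bits: int, capacity_bits_per_second: float = 1.0) -> float:
    """Time to push n_bits through a channel limited to the given capacity."""
    return n_bits / capacity_bits_per_second


def years_to_leak_file(megabytes: int, capacity_bits_per_second: float = 1.0) -> float:
    # 1 MB taken as 10**6 bytes; with 2**20 the result is only slightly larger
    return seconds_to_leak(megabytes * 10**6 * 8, capacity_bits_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(leak([1, 0, 1, 0, 1]))                          # the slide's timeline
    print(round(years_to_leak_file(100), 1), "years")      # > 25 years for 100MB
    print(seconds_to_leak(256) / 60, "minutes")            # < 5 minutes for the key
```

The numbers reproduce the slide's argument: reducing capacity to 1 bit/second makes the 100MB plaintext impractical to exfiltrate but leaves a 256-bit key leakable in about four minutes, so key material needs protection beyond channel-capacity limits. The `ChurnMonitor` shows why the channel is detectable: signalling requires a transition on every bit change, and a shared object that flips existence once a minute is anomalous for ordinary use.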
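The "Inference Control Example" above shows two harmless-looking statistical queries (an average and a count) that together reveal one person's salary, and the lecture's later slides name two partial remedies, query set size control and randomization. The block below is an added example, not the lecture's code: it reproduces the leak against a constructed table of seven fictitious records and then applies both controls. The minimum set size of 3, the noise range of ±2000, and the record values are assumptions made for the example.

```python
"""Statistical-database inference and two partial controls (added example)."""
import random
from statistics import mean

# Constructed records for the example; names and salaries are fictitious.
RECORDS = [
    {"name": "P1", "dept": "CS", "gender": "F", "salary": 95000},
    {"name": "P2", "dept": "CS", "gender": "M", "salary": 88000},
    {"name": "P3", "dept": "CS", "gender": "M", "salary": 102000},
    {"name": "P4", "dept": "CS", "gender": "M", "salary": 91000},
    {"name": "P5", "dept": "MATH", "gender": "F", "salary": 84000},
    {"name": "P6", "dept": "MATH", "gender": "F", "salary": 79000},
    {"name": "P7", "dept": "MATH", "gender": "F", "salary": 90000},
]

MIN_SET_SIZE = 3        # assumption: refuse statistics over fewer than 3 records
NOISE = 2000            # assumption: per-record noise range for randomization


def select(records, **where):
    """Rows matching every attribute=value condition (the query's 'set')."""
    return [r for r in records if all(r[k] == v for k, v in where.items())]


def naive_count(records, **where) -> int:
    return len(select(records, **where))


def naive_avg(records, **where):
    rows = select(records, **where)
    return mean(r["salary"] for r in rows) if rows else None


def controlled_count(records, min_size=MIN_SET_SIZE, **where):
    """Query set size control: refuse when the set is too small to hide anyone."""
    n = naive_count(records, **where)
    return n if n >= min_size else None


def controlled_avg(records, min_size=MIN_SET_SIZE, **where):
    rows = select(records, **where)
    return mean(r["salary"] for r in rows) if len(rows) >= min_size else None


def randomized_avg(records, noise=NOISE, seed=None, **where):
    """Randomization: add a small amount of noise to each record before aggregating.
    The true value is never returned exactly, but the average stays within +/- noise."""
    rows = select(records, **where)
    if not rows:
        return None
    rng = random.Random(seed)
    return mean(r["salary"] + rng.uniform(-noise, noise) for r in rows)


def inferred_salary(records, **where):
    """The slide's attack: if the count is 1, the average IS that person's salary."""
    if naive_count(records, **where) == 1:
        return naive_avg(records, **where)
    return None


if __name__ == "__main__":
    print(naive_avg(RECORDS, dept="CS", gender="F"))        # 95000
    print(naive_count(RECORDS, dept="CS", gender="F"))      # 1  -> salary leaked
    print(controlled_avg(RECORDS, dept="CS", gender="F"))   # None -> refused
    print(randomized_avg(RECORDS, seed=1, dept="MATH"))     # noisy average
```

Both controls are partial, which is what the slide means by "none satisfactory": set size control can still be defeated by differencing two large overlapping query sets, and randomization trades accuracy for privacy without closing that gap, so in practice they are combined with query auditing and limits on how many overlapping queries a user may run.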
Inference Control and Research
- For example, medical records are private but valuable for research
- How to make information available for research and protect privacy?
- How to allow access to such data without leaking specific information?

Naïve Inference Control
- Remove names from medical records?
- It may still be easy to get specific information from such "anonymous" data
- Removing names is not enough, as seen in the previous example
- What more can be done?

Less-naïve Inference Control
- Query set size control: don't return an answer if the set size is too small
- Randomization: add a small amount of random noise to the data
- Many other methods, none satisfactory

Turing Test
- Proposed by Alan Turing in 1950
- A human asks questions to one other human and one computer (without seeing either)
- If the human questioner cannot distinguish the human from th