Skip to main content

Database Security

  • DB Confidentiality - Protection of sensitive data within a DB
  • DB Integrity - Data in a DB is accurate, complete, consistent and valid
  • DB Availability - Data in a DB is readily available for use when needed

Includes integrity protection to achieve data consistency

  • Internal Consistency - Database entries obey some predefined rules
  • External Consistency - Database entries are correct

SQL Security

Implements access control based on three entities

  • Users
  • Actions
  • Objects Users invoke actions on objects Newly created objects are owned by the creator Privileges can be granted - Granter, Grantee, Object, Action, Grantable

View-based security

Views are derived relations

CREATE VIEW pharm_order AS
SELECT DrugDB.Name, SUM(Total)
FROM Patients, DrugDB
GROUP BY (DrugDB.Name)
WITH CHECK OPTION
  • They are flexible way of creating policies closer to application requirements
  • Can simplify complex queries and enhance data security by restricting direct access to tables
  • Data can easily be reclassified
  • INSERT/UPDATE actions depend on CHECK options, else might be blind inserts
  • Completeness and consistency are not achieved automatically

Statistical Database Security

  • Use for statistical analysis and generating aggregate data

Inference

  • Due to individual items being sensitive, cannot permit access
  • Queries are useful, but by definition refer to the data
  • Some queries can reveal information on the underlying data

Further Defences

  • Data swapping - Swap records by keep stats the same
  • Noise addition - Alter aggregate output (a little)
  • Table splitting - Separate data completely
  • User tracking - Log queries

SQL Injection

  • Common for user input to be read and then used within an SQL query
  • Unexpected user input can completely rewrite the query Bears striking similarities to Cross-Site Scripting (XSS) attacks
  • Vulnerable if it doesn't filter SQL control characters
    • ' represents the beginning or end of a string
    • ; represents the end of a command
    • /*...*/ represents comments
    • -- represents a comment for the rest of the line
  • UNION appends (not joins) two tables together