
Introduction to Database Security

CHAPTER 8

© Jones & Bartlett Learning, LLC. NOT FOR SALE OR DISTRIBUTION.
9781284079050_CH08_PASS03.indd 361 11/06/15 5:23 pm

TABLE OF CONTENTS

8.1 Issues in Database Security
8.2 Fundamentals of Access Control
8.3 Database Access Control
8.4 Using Views for Access Control
8.5 Security Logs and Audit Trails
8.6 Encryption
8.7 SQL Data Control Language
8.8 Security in Oracle
8.9 Statistical Database Security
8.10 SQL Injection
8.11 Database Security and the [...]
8.12 Chapter Summary
Exercises

CHAPTER OBJECTIVES

In this chapter you will learn the following:

- The meaning of database security
- How security protects [...] and [...]
- Examples of accidental or deliberate threats to security
- Some [...] measures
- The meaning of [...]
- The meaning of [...]
- How access control can be represented
- How the view functions as a security device


- The purpose of the security log and audit trail
- How and why data encryption is performed
- How to protect against SQL injection
- How security is enforced in some systems
- How [...] is [...]

8.1 Issues in Database Security

Database security involves protecting the database from unauthorized access, modification, or destruction. Since the database represents an essential corporate resource, database security is an important subcomponent of any organization's overall information systems security plan. In addition to the need to preserve and protect data for the smooth functioning of the organization, database designers have a responsibility to protect the privacy of individuals about whom data is kept. Privacy is the right of individuals to have some control over information about themselves. Many countries have implemented laws designed to protect privacy, and every organization that collects and stores information about individuals is legally obliged to adopt policies that conform to local privacy legislation. The database should reflect the organization's commitment to the protection of individual privacy rights by including only those items that the organization has a right to know and keeping them secure.

The security of information typically follows the CIA model, where CIA stands for confidentiality, integrity, and availability. Confidentiality requires that only authorized users have access to information in order to preserve the privacy of individuals, intellectual property, and national security efforts. With the growth of social media and online business due to the Internet, maintaining confidentiality involves using appropriate encryption techniques as well as user authorization, identification, and authentication procedures. Integrity requires that only authorized users be allowed to modify data, thus maintaining data consistency and trustworthiness. If data is incorrect, it is no longer useful. Incorrect data can also be harmful to individuals (such as wrong data on a credit report) and organizations (such as invalid financial reports). Availability requires that information be accessible by authorized users when needed. Security attacks against an organization can cause business services to become unavailable, leading to violations of service level agreements that are critical to business operations. Some of the laws and standards requiring controls on access, disclosure, and modification of sensitive data are:

- The Federal Information Security Management Act (FISMA). FISMA requires federal agencies in the United States to develop and implement an agency-wide information security plan in support of federal operations.
- The European General Data Protection Regulation (GDPR). The GDPR establishes data protection regulations for all foreign companies that process data of European Union residents.


- The U.S. Health Insurance Portability and Accountability Act (HIPAA). HIPAA defines requirements for health care organizations for maintaining security and privacy of patient data.
- The U.S. Sarbanes-Oxley (SOX) Act. SOX defines strict regulations for financial reporting activities of publicly traded companies.
- The U.S. Gramm-Leach-Bliley Act (GLBA). GLBA establishes provisions to ensure the protection of consumers' financial information.
- The Worldwide Payment Card Industry Data Security Standard (PCI DSS). PCI DSS defines a framework for secure processing of consumer credit card information.

Violation of these practices and regulations can lead to fraud, financial losses, and severe penalties. Security threats are events or situations that could harm the system by compromising privacy or confidentiality, or by damaging the database itself. A vulnerability is a weakness in a system, such as inappropriate access control or loopholes in firewall protection, that allows a threat to occur. Security threats can occur either accidentally or deliberately. Putting a database security plan in place should include a risk assessment process that identifies threats and vulnerabilities and establishes appropriate controls in the context of the CIA model.

8.1.1 Accidental Security Threats

Some examples of accidental security violations are the following:

- The user may unintentionally request an object or an operation for which he or she should not be authorized, and the request could be granted because of an oversight in authorization procedures or because of an error in the database management system or operating system.
- A person may accidentally be sent a message that should be directed to another user, resulting in unauthorized disclosure of database contents.
- A system error might connect a user to a session that belongs to another user with different access privileges.
- The system might accidentally overwrite files and destroy part of the database, fetch the wrong files and then inadvertently send them to the user, or fail to erase files that should be destroyed.


8.1.2 Deliberate Security Threats

Deliberate security violations occur when a user intentionally gains unauthorized access and/or performs unauthorized operations on the database. A disgruntled employee who is familiar with the organization's system poses a tremendous threat to security. Industrial spies seeking information for competitors also threaten security. Privileged users such as DBAs who access end-user data that they should not be permitted to see threaten security. There are many ways deliberate security breaches can be accomplished, including:

- Wiretapping of communication lines to intercept messages to and from the database
- Electronic eavesdropping, to pick up signals from workstations, printers, or other devices within a building
- Reading display screens and reading or copying printouts left unsupervised by authorized users
- Impersonating an authorized user, or a user with greater access, by using his or her log-in and password
- Writing systems programs with illegal code to bypass the database management system and its authorization mechanism, and to access database data directly through the operating system
- Writing applications programs with code that performs unauthorized operations
- Deriving information about hidden data by clever querying of the database
- Modifying database queries through SQL injection to gain unauthorized access to data or to maliciously modify or delete data
- Removing physical storage devices from the computer facility
- Making physical copies of stored files without going through the database management system, thereby bypassing its security mechanisms
- Bribing, blackmailing, or otherwise influencing authorized users in order to use them as agents in obtaining information or damaging the database
- Using system privileges to grant oneself access to confidential user data


8.2 Fundamentals of Access Control

In any organization, access control methods should be defined to restrict access to company resources as well as employee and client data. Access control is a fundamental component in the support of confidentiality and integrity. Access control must be addressed in the context of physical security as well as information system access control. To protect the information system, the DBA is responsible for the following major tasks:

- Installing the database management system and configuring it securely
- Creating and securing user accounts and developing appropriate access controls for users
- Developing and enforcing standards for applications programs that access the database
- Encrypting sensitive data
- Ensuring that network connections to the data are secure
- Establishing appropriate audit mechanisms for the database
- Protecting the database against intruders by identifying and guarding against security threats and applying [...] and security updates as needed

8.2.1 Physical Security

An access control plan should begin with physical security measures for the building itself, with special precautions for the computer facilities. Designing a physically secure building is clearly outside the domain of the database designer. However, the DBA or data administrator should be able to suggest measures that would control access to database facilities. Often these begin at the front door, where all employees must be identified visually by guards or by using badges, handprints, sign-ins, or other mechanisms. Additional identification should be required to enter the computer facilities. Physical security measures should be extended to cover any location where offline data, such as [...], are stored as well.

8.2.2 Information System Access Control

Development of information system access control is a process that involves authorization, identification, authentication, and accountability.


Authorization requires defining who has access to the system and the specific data they are allowed to access. Most database management systems designed for multiple users have their own security subsystems. These subsystems provide for user authorization, a method by which users are assigned rights to use database objects. Most multiple-user systems have a data control language, also called an authorization language, that is part of the data sublanguage. For example, SQL provides standard authorization commands to grant privileges to users, as discussed in Section 8.7. The DBA uses the authorization language to specify users' rights by means of authorization rules, statements that specify which users have access to what information, and what operations they are permitted to use on what data. The authorization mechanism is designed to protect the database by preventing individuals from unauthorized reading, updating, or destruction of database contents. These restrictions are added to the security mechanisms provided by the operating system. However, in a surprisingly large number of cases, database security subsystems are minimal or are not fully utilized. Recognizing that data is a valuable corporate resource, the designer should include available security mechanisms as an important factor in evaluating alternative database management systems, and should develop effective security policies utilizing whatever controls are available with the chosen system.

Identification refers to the way in which users are identified. A user ID is a common form of identification. In addition to a computer system user ID, users may also have a specific database ID, which forms the basis for defining access rules using the database authorization sublanguage. In conjunction with physical security, users may have other forms of identity, such as smart cards that are swiped through an electronic card reader to gain access to parking lots, buildings, and rooms that house database facilities as well as other general workspaces. Biometrics can provide a more secure form of identification, especially in highly confidential applications. Biometrics can include fingerprints, handprints, face recognition, voice recognition, and retina scans.

Authentication is the process of verifying the identity of a user—checking to ensure that the actual user is who he or she claims to be. Authentication is initially implemented at the operating system level. When the user signs on, he or she enters a user ID, which is checked for validity. The system has a user profile for that ID, giving information about the user. The profile normally includes a password, which should be known only to the user. Passwords should be kept secret and changed frequently. A simple security precaution is for the system to require length and special character requirements for a password and that passwords be changed frequently. The system should never display passwords at log-in, and the stored profiles should be kept secure, in encrypted form. Another security precaution is to lock a user out of an account after several invalid log-in attempts. The lockout policy prevents hackers from a brute-force attempt at guessing a user's password.

Although passwords are the most widely used authentication method, they are not very secure, since users sometimes write them down, choose words that are easy to guess, or share them with others. In some organizations, a multifactor approach to authentication is used, where users must provide two or more forms of authentication. In the multifactor approach, a user might provide a user ID and password as well as a smartcard, badge, token, or some form of biometrics. An authentication procedure might also consist of answering a series of questions that would take longer and be more difficult to reproduce than a single password. Although authentication may be done only at the operating system level, it is desirable to require it again at the database level. At the very least, the user should be required to produce an additional password to access the database.

The final component of information system access control is accountability. Accountability refers to the need to capture and maintain log files that can be used for traceability when security incidents occur. For example, operating systems maintain login information about users as well as the directories, files, and databases that they access. Log files are also maintained about network traffic that can be used to trace remote access to a system. Database systems maintain log files as part of the database recovery system, recording user access information as well as the inserts, updates, and deletes that occur. Log files can provide important information about user access to specific data items when conducting forensic activity after a security breach.
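The password precautions just described (length and special-character requirements, profiles stored in protected form, lockout after several invalid attempts) as an added example, not code from the book: a small Python authenticator that stores only a salted PBKDF2 hash of each password and locks the account after MAX_FAILED_ATTEMPTS bad guesses. The policy thresholds and the in-memory profile store are assumptions made for this example.

```python
import hashlib
import hmac
import re
import secrets
import time

# Policy values are assumptions for this example, not figures from the book.
MIN_LENGTH = 12
SPECIAL_CHAR = re.compile(r"[^A-Za-z0-9]")
MAX_FAILED_ATTEMPTS = 5          # "several invalid log-in attempts"
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def password_meets_policy(password):
    """Length and special-character requirements from the text."""
    return len(password) >= MIN_LENGTH and SPECIAL_CHAR.search(password) is not None


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class UserProfile:
    """Stored profile: holds a salted hash, never the password itself, so a
    stolen profile table does not reveal passwords."""

    def __init__(self, user_id, password):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self.user_id = user_id
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(password, self.salt)
        self.failed_attempts = 0
        self.locked_until = 0.0


class Authenticator:
    def __init__(self):
        self._profiles = {}

    def register(self, user_id, password):
        self._profiles[user_id] = UserProfile(user_id, password)

    def authenticate(self, user_id, password, now=None):
        """Return 'ok', 'denied' or 'locked'. An unknown ID gets the same answer
        as a wrong password, and the password is never echoed or logged."""
        now = time.time() if now is None else now
        profile = self._profiles.get(user_id)
        if profile is None:
            _hash(password, bytes(16))          # keep timing similar for unknown IDs
            return "denied"
        if now < profile.locked_until:
            return "locked"                     # even a correct password is refused
        if hmac.compare_digest(_hash(password, profile.salt), profile.pw_hash):
            profile.failed_attempts = 0
            return "ok"
        profile.failed_attempts += 1
        if profile.failed_attempts >= MAX_FAILED_ATTEMPTS:
            profile.locked_until = now + LOCKOUT_SECONDS
            profile.failed_attempts = 0
            return "locked"
        return "denied"
```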

8.3 Database Access Control

Database access control is the process of making sure that data or other resources are accessed only in authorized ways. In planning access, the DBA might use an access control matrix for the database, as shown in FIGURE 8.1. The column headings represent database objects, which may be the names of tables, views, data items, objects, modules, or other categories, depending on the database model and management system used. The row labels represent individuals, roles, groups of users, or applications. The cell entries specify the type of access permitted. Values of entries will also depend on the particular system used, but the choices usually include READ, INSERT, UPDATE, DELETE, EXECUTE, CREATE, and others. Once the access control matrix is complete, the DBA must use the appropriate authorization language to implement it. The DBA, of course, is permitted to create and change the structure of the database, and to use the authorization language to grant data access to others or to revoke access. Some systems allow the DBA to delegate some of this power, granting users the power to authorize other users to perform operations on the database. However, having many such "authorizers" can be extremely dangerous. Since authorizers can create other authorizers, the situation can get out of hand very quickly, making it difficult for the DBA to revoke privileges.

FIGURE 8.1 Access Control Matrix

SUBJECT \ OBJECT | Student table | StuView1 | WrapUp Procedure | Faculty table | Enroll table | CREATE TABLE
User U101 | READ, UPDATE | READ | EXECUTE | READ | | YES
User U102 | | READ | | | | NO
Advisor Role | READ | | | READ | READ, INSERT, UPDATE, DELETE | NO
... | | | | | |

8.4 Using Views for Access Control

The view is a widely used method for implementing access control in database applications. The view mechanism has a twofold purpose. It is a facility for the user, simplifying and customizing the external model through which the user deals with the database, freeing the user from the complexities of the underlying model. It is also a security device, hiding structures and data that the user should not see. In the relational and object-relational models, a user's external model can consist entirely of views, or some combination of base tables and views. By specifying restrictions in the WHERE line of the SELECT statement used to create views, the view can be made value-dependent. FIGURE 8.2(A) gives an example of a view created from the Student table by including only data about students whose major is CSC. Value-independent views are created by specifying columns of base tables and omitting the WHERE line of the SELECT statement. FIGURE 8.2(B) gives an example of a view of the Student table showing only columns stuId, lastName, firstName, and major.


FIGURE 8.2(A) Value-dependent View

CREATE VIEW CSCMAJ AS
SELECT stuId, lastName, firstName, credits
FROM Student
WHERE major = 'CSC';

FIGURE 8.2(B) Value-independent View

CREATE VIEW StuView1 AS
SELECT stuId, lastName, firstName, major
FROM Student;
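An added example, not code from the book, that carries the access control matrix of Figure 8.1 through to the authorization language: the matrix is held as data, a cell check treats blank cells as denial and lets a user inherit the Advisor role's row, and the GRANT statements a DBA would run (including the grant on the StuView1 view) are generated from it. The READ-to-SELECT mapping and the Oracle-style GRANT CREATE TABLE / CREATE ROLE syntax are assumptions.

```python
# Figure 8.1 as data: subject -> object -> set of permitted operations.
# A missing object, or a missing subject, means no access (default deny).
ROLES = {"Advisor"}
OBJECT_KIND = {
    "Student": "table", "StuView1": "view", "WrapUp": "procedure",
    "Faculty": "table", "Enroll": "table", "CREATE TABLE": "system",
}
MATRIX = {
    "U101": {"Student": {"READ", "UPDATE"}, "StuView1": {"READ"}, "WrapUp": {"EXECUTE"},
             "Faculty": {"READ"}, "CREATE TABLE": {"YES"}},
    "U102": {"StuView1": {"READ"}, "CREATE TABLE": {"NO"}},
    "Advisor": {"Student": {"READ"}, "Faculty": {"READ"},
                "Enroll": {"READ", "INSERT", "UPDATE", "DELETE"}, "CREATE TABLE": {"NO"}},
}

# Matrix vocabulary -> SQL privilege keyword (assumption: Oracle-style DCL, READ = SELECT).
PRIVILEGE = {"READ": "SELECT", "INSERT": "INSERT", "UPDATE": "UPDATE",
             "DELETE": "DELETE", "EXECUTE": "EXECUTE"}
PRIV_ORDER = ["READ", "INSERT", "UPDATE", "DELETE", "EXECUTE"]


def is_permitted(subject, obj, op, roles=(), matrix=MATRIX):
    """Check one cell of the matrix for a user, also consulting the rows of roles they hold."""
    for row_label in (subject, *roles):
        cell = matrix.get(row_label, {}).get(obj, set())
        if OBJECT_KIND.get(obj) == "system":
            if "YES" in cell:
                return True
        elif op in cell:
            return True
    return False


def grant_statements(matrix=MATRIX):
    """Emit the authorization-language statements a DBA would run to implement the matrix."""
    stmts = [f"CREATE ROLE {r};" for r in matrix if r in ROLES]
    for subject, row in matrix.items():
        for obj, cell in row.items():
            if OBJECT_KIND[obj] == "system":
                if "YES" in cell:                      # a NO cell simply emits no grant
                    stmts.append(f"GRANT {obj} TO {subject};")
                continue
            privs = ", ".join(PRIVILEGE[p] for p in PRIV_ORDER if p in cell)
            if privs:
                stmts.append(f"GRANT {privs} ON {obj} TO {subject};")
    # Deliberately no WITH GRANT OPTION / WITH ADMIN OPTION: the text warns that
    # delegated authorizers quickly become hard to revoke.
    return stmts


if __name__ == "__main__":
    print("\n".join(grant_statements()))
```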

8.5 Security Logs and Audit Trails

Another important security tool is the security log, which is a journal that keeps a record of all attempted security violations. The violation can be simply recorded in the log, or it can trigger an immediate message to the system operator or to the DBA. Knowing about the existence of the log can be a deterrent in itself. If the DBA suspects that data is being compromised without triggering security log entries, it is possible to set up an audit trail. Such an auditing system records all access to the database, keeping information about the user who requested the access, the operation performed, the workstation used, the exact time of occurrence, the data item, its old value, and its new value, if any. The audit trail can therefore uncover the sources of suspicious operations on the database, even if they are performed by authorized users, such as disgruntled employees. Triggers can also be used to set up an audit trail for a table, recording all changes, the time they were made, and the identity of the user who made them. For example, in Oracle, if we wish to monitor changes to grade in the Enroll table, we could first set up a table to hold the audit records. The schema for that table might be:

EnrollAudit(dateandTimeOfUpdate, userId, oldStuId, oldClassNo, oldGrade, newGrade)

The trigger should insert a record in the EnrollAudit table when a user tries to update a grade in the Enroll table. The code to do this is shown in FIGURE 8.3. It uses SYSDATE and USER, which are referred to as pseudocolumns in Oracle. Both act as functions that return appropriate values. SYSDATE returns the current date and time, while USER returns the ID of the current user. Oracle itself has built-in auditing that can be used to set up various types of audit trails as well as other security measures.

FIGURE 8.3 Audit Trail Using Trigger

CREATE OR REPLACE TRIGGER EnrollAuditTrail
BEFORE UPDATE OF grade ON Enroll
FOR EACH ROW
BEGIN
  INSERT INTO EnrollAudit
  VALUES(SYSDATE, USER, :OLD.stuId, :OLD.classNumber, :OLD.grade, :NEW.grade);
END;
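Figure 8.3 carried through in SQLite via Python, as an added example rather than the book's code: datetime('now') stands in for SYSDATE and an application-registered app_user() function for the USER pseudocolumn (both assumptions, since SQLite has no session user), and a forensic query over EnrollAudit picks out grade changes made by accounts outside an expected set.

```python
import sqlite3

# Schema constructed for this example; EnrollAudit follows the book's column list.
SCHEMA = """
CREATE TABLE Enroll (
    stuId       TEXT NOT NULL,
    classNumber TEXT NOT NULL,
    grade       TEXT,
    PRIMARY KEY (stuId, classNumber)
);
CREATE TABLE EnrollAudit (
    dateandTimeOfUpdate TEXT NOT NULL,
    userId              TEXT NOT NULL,
    oldStuId            TEXT NOT NULL,
    oldClassNo          TEXT NOT NULL,
    oldGrade            TEXT,
    newGrade            TEXT
);
-- Port of Figure 8.3: record every attempted grade change before it is applied.
-- datetime('now') replaces SYSDATE; app_user() replaces the USER pseudocolumn.
CREATE TRIGGER EnrollAuditTrail
BEFORE UPDATE OF grade ON Enroll
FOR EACH ROW
BEGIN
    INSERT INTO EnrollAudit
    VALUES (datetime('now'), app_user(), OLD.stuId, OLD.classNumber, OLD.grade, NEW.grade);
END;
"""


class AuditedEnrollDb:
    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.current_user = "unknown"
        # Assumption: the application sets the acting identity before each statement.
        # This is weaker than Oracle's USER, which the DBMS itself supplies, so the
        # application must never let the client choose this value.
        self.conn.create_function("app_user", 0, lambda: self.current_user)
        self.conn.executescript(SCHEMA)

    def as_user(self, user_id):
        self.current_user = user_id
        return self

    def enroll(self, stu_id, class_no, grade=None):
        self.conn.execute("INSERT INTO Enroll VALUES (?, ?, ?)", (stu_id, class_no, grade))
        self.conn.commit()

    def update_grade(self, stu_id, class_no, new_grade):
        self.conn.execute(
            "UPDATE Enroll SET grade = ? WHERE stuId = ? AND classNumber = ?",
            (new_grade, stu_id, class_no),
        )
        self.conn.commit()

    def audit_records(self):
        """Every recorded grade change, oldest first (timestamp omitted for readability)."""
        return self.conn.execute(
            "SELECT userId, oldStuId, oldClassNo, oldGrade, newGrade "
            "FROM EnrollAudit ORDER BY rowid"
        ).fetchall()

    def changes_by_unexpected_users(self, allowed_users):
        """Forensic query over the audit trail: grade changes by anyone outside the allowed set."""
        placeholders = ", ".join("?" * len(allowed_users))
        return self.conn.execute(
            "SELECT userId, oldStuId, oldClassNo, oldGrade, newGrade "
            f"FROM EnrollAudit WHERE userId NOT IN ({placeholders}) ORDER BY rowid",
            tuple(allowed_users),
        ).fetchall()


def build_sample_db():
    """Constructed sample activity: two enrollments, then two grade changes."""
    db = AuditedEnrollDb()
    db.as_user("registrar").enroll("S1001", "ART103A", "C")
    db.as_user("registrar").enroll("S1002", "CSC201A", "B")
    db.as_user("prof_byrne").update_grade("S1001", "ART103A", "B")
    db.as_user("u102").update_grade("S1002", "CSC201A", "A")   # not an instructor account
    return db


if __name__ == "__main__":
    sample = build_sample_db()
    for row in sample.changes_by_unexpected_users(["registrar", "prof_byrne"]):
        print("suspicious grade change:", row)
```

Inserts leave no audit record because, like Figure 8.3, the trigger fires only on UPDATE OF grade.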

8.6 Encryption

To counter the possibility of having files accessed directly through the operating system or having files stolen, data can be stored in the database in encrypted form. Only the database management system can unscramble the data, so anyone who obtains the data by any other means receives jumbled data. When authorized users access the information properly, the DBMS retrieves the data and decodes it automatically. Note what this does and does not protect against: encrypting stored data defends against stolen media and direct reads of the database files, but not against a user or attacker who can issue queries through the DBMS, and it is only as strong as the protection of the decryption key, which should therefore be held apart from the data it protects (in a key management service or hardware security module) rather than alongside the database files. Encryption should also be used whenever data is communicated to other sites, so that wiretappers will also receive scrambled data. Encryption requires a cipher system, which consists of the following components:

- An encrypting algorithm, which takes the normal text (plaintext) as input, performs some operations on it, and produces the encrypted text (ciphertext) as output
- An encryption key, which is part of the input for the encrypting algorithm and is chosen from a very large set of possible keys
- A decrypting algorithm, which operates on the ciphertext as input and produces the plaintext as output
- A decryption key, which is part of the input for the decrypting algorithm and is chosen from a very large set of possible keys



8.6.1 Symmetric Key Encryption

Symmetric key encryption is a form of encryption where the decryption key is the same as the encryption key, and the decrypting algorithm is the inverse of the encrypting algorithm. One widely used symmetric key encryption scheme was the Data Encryption Standard (DES), devised by IBM for the U.S. National Bureau of Standards and adopted in 1977. In the DES scheme, the algorithm itself is public, while the key is private. FIGURE 8.4 gives an overview of the DES process. The DES algorithm uses a 56-bit key on 64-bit blocks of plaintext, producing 64-bit blocks of ciphertext. When data is encoded, it is split into 64-bit blocks. Within each block, the bits are substituted and permuted over 16 rounds, each round using a subkey derived from the 56-bit key. The decoding algorithm uses the same key, applying the round subkeys in reverse order, to restore the original bits to their original values and positions in each block.

FIGURE 8.4 Overview of DES: a 64-bit block of plaintext is fed to the DES encryption algorithm, producing a 64-bit block of ciphertext; the DES decryption algorithm turns that block back into the 64-bit block of plaintext.



Two major challenges with the DES system involve key security and the ease of cracking the code. The key must be kept secure or the encryption is worthless, since anyone with the key has access to the data. Therefore, the security depends on the secrecy of the key, but all authorized users must be told the key. The more people who know the key, the more likely it is that the key will be disclosed to unauthorized users. Also, it is necessary to distribute the key to receivers of encrypted messages. If the key is transmitted in plaintext over the same communication lines, wiretappers gain easy access to the encrypted messages. Often, more secure lines are used for key distribution, or the key is distributed by mail or messenger. DES is not a secure scheme by today's standards: its 56-bit key space is small enough to be searched exhaustively, and by 1998 purpose-built hardware could recover a DES key in days. As a result of several famous cases where DES keys were cracked, a more secure version, called Triple DES or 3DES, was recommended in 1999 by the U.S. National Institute of Standards and Technology (NIST), the successor to the National Bureau of Standards. Triple DES was widely used commercially and was for a time still permitted for some government agency use; NIST has since deprecated it in favor of AES. The Triple DES system uses three keys and essentially performs the DES operation three times, once with each key (more precisely, encrypt with the first key, decrypt with the second, encrypt with the third).

In 2001, an improved encryption scheme called the Advanced Encryption Standard (AES) was adopted. AES was the result of a five-year worldwide competition, with the winning design coming from two Belgian cryptographers, Daemen and Rijmen, who proposed a scheme they called Rijndael. It became the standard for U.S. government agency use in 2002, and it is widely used commercially. It uses a symmetric scheme that is more sophisticated than the DES scheme, and it supports three possible key sizes of 128 bits, 192 bits, or 256 bits, depending on the level of security needed. The data itself is broken into 128-bit blocks, and each block is subjected to 10, 12, or 14 rounds of transformation (for 128-, 192-, and 256-bit keys respectively); each round consists of four steps (byte substitution, row shifting, column mixing, and the addition of a round key derived from the key). Because of the larger key sizes, exhaustive search of the key is infeasible, and no practical attack on the full cipher is known.

8.6.2 Public-Key Encryption

An alternative approach to encryption is public-key encryption, which is also known as asymmetric encryption. Public-key encryption uses two separate keys, where one key is a public key and the other key is a private key. FIGURE 8.5 provides an overview of public-key encryption. For each user, a pair of large prime numbers (p, q) is chosen; their product n = p*q (together with a public exponent) becomes the user's public key, while the user's private key is derived from p and q, which must be kept secret. Public keys are shared freely, so that anyone wishing to send a message to a user can find his or her public key easily. The public key is then used as input to an encryption algorithm, which produces the ciphertext for that user. When the



FIGURE 8.5 Overview of Public-Key Encryption: plaintext is fed to the encryption algorithm using the public key p*q, producing ciphertext; the decryption algorithm, using the private-key factors p and q, recovers the plaintext.

user receives an encrypted message, he or she uses the private key, which depends on the prime factors p and q of the public modulus, to decode it. Since there is no known fast method of finding the prime factors of a large number, an intruder who knows only the public key cannot easily recover these factors. An intruder determined to break the key can do so only by factoring the modulus, which is feasible for small moduli but is beyond any known capability at the key sizes in current use (2048 bits and above); this is why key length matters. The method is only as secure as the private key, so each user must generate, or be issued, the key pair in a secure fashion and must protect the private key against disclosure. Unlike a symmetric key, the private key never needs to be transmitted to anyone, which removes the key-distribution problem of the previous section. One well-known method of public-key encryption is RSA, named for its developers, Rivest, Shamir, and Adleman.
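Public-key encryption as the section describes it, as an added example that is not from the textbook: a key pair built from two primes p and q, encryption with the public key (n, e), decryption with the private key, and the attack the text warns about, recovering the private key by factoring n. The primes, message, and function names are this example's own, and the numbers are toy-sized so that the factoring step actually succeeds; real RSA uses primes of at least 1024 bits and a padding scheme, neither of which this textbook-style version has.

```python
"""Public-key encryption as sketched in Section 8.6.2: a key pair built from
two primes p and q, encryption with the public key, decryption with the
private key, and recovery of the private key by factoring when the modulus
is small. Added example with toy-sized numbers; real keys use primes of
1024 bits or more and padding, which this textbook-style RSA omits.
"""
from math import gcd, isqrt


def generate_keypair(p, q, e=65537):
    """Build (public, private) from primes p, q. Public = (n, e), private = (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # modular inverse: e*d = 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Ciphertext c = m^e mod n; m must be an integer below the modulus."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)


def decrypt(private_key, c):
    """Plaintext m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def factor_by_trial_division(n):
    """Recover (p, q) from n. Takes about sqrt(n) steps: fine for a toy
    modulus, hopeless for a 2048-bit one, which is the whole point."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def break_private_key(public_key):
    """What an intruder who can factor n can do: rebuild the private key."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    pub, priv = generate_keypair(61, 53, e=17)     # constructed toy primes
    c = encrypt(pub, 65)
    print("public", pub, "private", priv, "ciphertext", c, "decrypted", decrypt(priv, c))
    print("intruder recovers private key:", break_private_key(pub) == priv)
```

With p = 61 and q = 53 the modulus is 3233 and the attacker needs at most 56 trial divisions; doubling the bit length of n squares the work for this method, and even the best known factoring algorithms grow far faster than the key does, which is what makes the large moduli of real deployments safe while this one is not.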

8.7 SQL Data Control Language

SQL has an authorization sublanguage, Data Control Language (DCL), that includes statements to grant privileges to and revoke privileges from users.



A privilege is an action, such as creating, executing, reading, updating, or deleting, that a user is permitted to perform on database objects. In standard SQL, the creator of a schema is given all privileges on all the objects (tables, views, roles, applications) in it, and can pass those privileges on to others. Ordinarily, only the creator of the schema can modify the schema itself (adding tables, columns, and so on). The statement for granting privileges has the following form:

GRANT {ALL PRIVILEGES | privilege-list}
ON {object-name}
TO {PUBLIC | user-list | role-list}
[WITH GRANT OPTION];

The possible privileges for base tables are SELECT, DELETE, INSERT, UPDATE, or REFERENCES(col-name). If a table is named in the ON clause, then ALL PRIVILEGES includes all of these operations. If a view is named in the ON clause, and the view was constructed in such a way that it is updatable, the SELECT, DELETE, INSERT, and UPDATE privileges can be granted on that view. For views that are not updatable, only SELECT can be granted. The UPDATE privilege can be made more restrictive by specifying a column list in parentheses after the word UPDATE, restricting the user to updating only certain columns, as in:

GRANT UPDATE(major) ON Student TO U101;

The REFERENCES privilege is applied to columns that may be used as foreign keys. This privilege allows the user to refer to those columns in creating foreign key integrity constraints. For example, to allow a user who can update the Enroll table to reference stuId in the Student table in order to match its values for the Enroll table, we might write:

GRANT REFERENCES (stuId) ON Student TO U101;

The user list in the TO clause can include a single user, several users, or all users (the public). The optional WITH GRANT OPTION clause gives the newly authorized user(s) permission to pass the same privileges to others. Both PUBLIC and WITH GRANT OPTION should be used sparingly: a grant to PUBLIC reaches every present and future account, and the grant option lets its holder extend access in ways the DBA no longer controls directly. For example, we could write:

GRANT SELECT, INSERT, UPDATE ON Student TO U101, U102, U103 WITH GRANT OPTION;

Users U101, U102, and U103 would then be permitted to write SQL SELECT, INSERT, and UPDATE statements for the Student table, and to pass that permission on to other users. Because users with the grant option can authorize other users, the system must keep track of authorizations using a grant diagram, also called an authorization graph. FIGURE 8.6 shows an authorization graph. Here, the DBA, who (we assume) is the creator of the schema, gave a specific privilege (for example, to use SELECT on the Student table) WITH GRANT OPTION to users U1, U2, and U3. We will use a double arrowhead to mean granting with grant option, and a single arrowhead to mean without it. A solid outline for a node will mean that the node has received the grant option, and a dashed outline will mean it has not. U1 passed along the privilege to U21 and U22, both without the grant option. U2 also passed the privilege to U22, this time with the grant option, and U22 passed the privilege to U31, without the grant option. U3 authorized U23 and U24, both without the grant option. Note that if we give a different privilege to one of these users, we will need a new node to represent the new privilege. Each node on the graph represents a combination of a privilege and a user.

FIGURE 8.6 An Authorization Graph (each node is a user holding SELECT on Student): DBA grants to U1, U2, and U3 with the grant option; U1 grants to U21 and U22; U2 grants to U22 with the grant option; U22 grants to U31; U3 grants to U23 and U24.

SQL DCL includes the capability to create user roles. A role can be thought of as a set of operations that should be performed by an individual or a group of individuals as part of a job. For example, in a university, advisors may need

to be able to read student transcripts of selected students, so there may be an Advisor role to permit that. Depending on the policies of the university, the Advisor role might also include the privilege of inserting enrollment records for students at registration time. Students may be permitted to perform SELECT but not UPDATE operations on their personal data, so there may be a Student role that permits such access. Once the DBA has identified a role, a set of privileges is granted for the role, and then user accounts can be assigned the role. Some user accounts may have several roles. To create a role, we write a statement such as:

CREATE ROLE AdvisorRole;
CREATE ROLE FacultyRole;

We then grant privileges to the role just as we would to individuals, by writing statements such as:

GRANT SELECT ON Student TO AdvisorRole;
GRANT SELECT, UPDATE ON Enroll TO AdvisorRole;
GRANT SELECT ON Enroll TO FacultyRole;

To assign a role to a user, we write a statement such as:

GRANT AdvisorRole TO U999;

We can even assign a role to another role by writing, for example:

GRANT FacultyRole TO AdvisorRole;

This provides a means of inheriting privileges through roles. The SQL DCL statement to remove privileges has this form:

REVOKE {ALL PRIVILEGES | privilege-list}
ON object-list
FROM {PUBLIC | user-list | role-list}
[CASCADE | RESTRICT];

For example, for U101, to whom we previously granted SELECT, INSERT, and UPDATE on Student with the grant option, we could remove some privileges by writing this:

REVOKE INSERT ON Student FROM U101;

This revokes U101's ability both to insert Student records and to authorize others to insert Student records. We can revoke just the grant option, without revoking the insert privilege itself, by writing this:

REVOKE GRANT OPTION FOR INSERT ON Student FROM U101;
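The grant diagram of Figure 8.6 together with the GRANT and REVOKE statements of this section, as an added example in Python that is not part of the textbook: a small in-memory model of the authorization graph in which a privilege is valid only while it traces back to the schema owner through holders of the grant option, so a revocation drops every grant left dangling (the CASCADE behaviour) or is refused when any would be (RESTRICT). The class and method names, and the privilege label, are this example's own.

```python
"""Authorization graph with cascading revocation.

Added example (not the textbook's code): an in-memory model of
GRANT ... WITH GRANT OPTION and REVOKE ... CASCADE | RESTRICT. A grant is an
edge (grantor, grantee, privilege, with_grant_option); a user holds a
privilege only through a chain of grants leading back to the schema owner
in which every grantor held the grant option.
"""


class RevokeRestricted(Exception):
    """REVOKE ... RESTRICT refused: other grants depend on the one being revoked."""


class AuthorizationGraph:
    def __init__(self, owner):
        self.owner = owner
        self.grants = set()

    def _reach(self, privilege):
        """Fixed point: users holding `privilege` via valid chains, and the
        subset of them that also holds the grant option."""
        holders, can_grant = {self.owner}, {self.owner}
        changed = True
        while changed:
            changed = False
            for grantor, grantee, priv, wgo in self.grants:
                if priv != privilege or grantor not in can_grant:
                    continue
                if grantee not in holders:
                    holders.add(grantee)
                    changed = True
                if wgo and grantee not in can_grant:
                    can_grant.add(grantee)
                    changed = True
        return holders, can_grant

    def holds(self, user, privilege):
        return user in self._reach(privilege)[0]

    def has_grant_option(self, user, privilege):
        return user in self._reach(privilege)[1]

    def grant(self, grantor, grantee, privilege, with_grant_option=False):
        if not self.has_grant_option(grantor, privilege):
            raise PermissionError(f"{grantor} may not grant {privilege}")
        self.grants.add((grantor, grantee, privilege, with_grant_option))

    def _drop_abandoned(self, privilege, restrict, saved):
        """Grants whose grantor no longer holds the grant option are abandoned:
        dropped under CASCADE, or the whole statement is undone under RESTRICT."""
        _, can_grant = self._reach(privilege)
        abandoned = {g for g in self.grants
                     if g[2] == privilege and g[0] not in can_grant}
        if restrict and abandoned:
            self.grants = saved
            raise RevokeRestricted(sorted(abandoned))
        self.grants -= abandoned
        return sorted(abandoned)

    def revoke(self, grantor, grantee, privilege, restrict=False):
        """REVOKE privilege ON ... FROM grantee, issued by grantor.
        Returns the dependent grants that were dropped."""
        direct = {g for g in self.grants if g[:3] == (grantor, grantee, privilege)}
        if not direct:
            raise LookupError("no such grant")
        saved = set(self.grants)
        self.grants = self.grants - direct
        return self._drop_abandoned(privilege, restrict, saved)

    def revoke_grant_option(self, grantor, grantee, privilege, restrict=False):
        """REVOKE GRANT OPTION FOR privilege: grantee keeps the privilege but
        loses the right to pass it on, so grantee's own grants are abandoned."""
        edge = (grantor, grantee, privilege, True)
        if edge not in self.grants:
            raise LookupError("no such grant with grant option")
        saved = set(self.grants)
        self.grants = (self.grants - {edge}) | {(grantor, grantee, privilege, False)}
        return self._drop_abandoned(privilege, restrict, saved)


P = "SELECT on Student"


def build_figure_8_6():
    """The grants drawn in Figure 8.6."""
    g = AuthorizationGraph("DBA")
    for u in ("U1", "U2", "U3"):
        g.grant("DBA", u, P, with_grant_option=True)
    g.grant("U1", "U21", P)
    g.grant("U1", "U22", P)
    g.grant("U2", "U22", P, with_grant_option=True)
    g.grant("U22", "U31", P)
    g.grant("U3", "U23", P)
    g.grant("U3", "U24", P)
    return g


if __name__ == "__main__":
    g = build_figure_8_6()
    print("dropped:", g.revoke("DBA", "U1", P))       # U21 loses, U22 survives via U2
    print("U21 holds:", g.holds("U21", P), "U22 holds:", g.holds("U22", P))
    g.grant("U22", "U21", P)                          # U22 can hand it straight back
    print("U21 holds again:", g.holds("U21", P))
```

Revoking the DBA's grant to U1 drops U1's grants to U21 and U22, but U22 keeps the privilege (and the grant option) through U2 and can immediately re-grant it to U21, which is the conspiracy the DBA must watch for; a RESTRICT revoke of U2 is refused because U2's grants would be abandoned, and a CASCADE revoke of U2 removes everything below U2 in one step.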



If an individual has the grant option for a certain privilege and the privilege or the grant option on it is later revoked, all users who received the privilege from that individual have their privilege revoked as well. In this way, revocations cascade, or trigger other revocations. If a user obtained the same privilege from two authorizers, one of whom has authorization revoked, the user still retains the privilege from the other authorizer. Thus, if the DBA revoked the authorization of user U1 in Figure 8.6, U21 would lose all privileges, but U22 would retain whatever privileges were received from U2. Since U22 has the grant option, user U21 could regain privileges from U22. In this way, unscrupulous users could conspire to retain privileges despite attempts by the DBA to revoke them. For this reason, the DBA should be very careful about passing the grant option to others, and should periodically compare the actual authorization graph (the data dictionary's record of grants) against the intended one. If the RESTRICT option is specified, the system checks to see whether there are any cascading revocations and returns an error if there are, without executing the revoke statement. CASCADE performs the revocation together with all of the dependent revocations. Standard SQL requires one of the two options to be written; implementations differ in what they assume when it is omitted (PostgreSQL, for example, defaults to RESTRICT, while Oracle's REVOKE takes neither keyword and always cascades for object privileges). When a privilege is revoked, the authorization graph is modified by removing the node(s) that lose their privileges.

8.8 Security in Oracle

Oracle provides robust security that goes far beyond the SQL authorization language commands. There are many different ways to set up and manage the security of an Oracle database installation besides the methods discussed here.

8.8.1 Security Features

Security features include facilities for all the following activities:

- Management of user accounts. User accounts can be created, user rights defined, and password and profile policies set up in several ways. Strong passwords can be enforced. User views, user privileges, and roles can be used to limit user access to data.
- Authentication of users can be performed for the database from the operating system level and from a network.
- Application security policies can be set for all applications that access the database.
- Privilege analysis allows the DBA to identify privileges that are being used, track the source of the privileges, and identify privileges that are not being used. This information can be used to tighten security by revoking what is unused.
- User session information for applications. Information such as the user name and location can be gathered automatically and used to control the user's access through an application.



- Virtual Private Database (VPD) is an additional level of security that can be used to control access on the row and column level.
- Data redaction is a method of masking data at run time, when queries are executed. Some or all of the characters are hidden or replaced in the result set. For example, only the last four digits of a Social Security number or a credit card number may be displayed. Redaction is often done to comply with regulations such as PCI DSS or SOX. Note that redaction changes only what a query returns, not what is stored; a user with direct access to the table's storage, or who holds the privilege to bypass the redaction policy, still sees the full values.
- Transparent sensitive data protection can be used as a method of identifying and protecting all columns that hold sensitive data, even across several databases. Once identified, the columns may be protected using VPD or data redaction.
- Data encryption. Stored data can be encrypted manually using the DBMS_CRYPTO PL/SQL package, and Oracle Net Services can be configured to provide encryption and integrity checking of network traffic between servers and clients. Thin Java Database Connectivity (JDBC) clients can be configured for secure connections to databases.
- Strong authentication. Available industry-standard authentication methods include centralized authentication and single sign-on, Secure Sockets Layer (SSL), and Remote Authentication Dial-In User Service (RADIUS), among others.

8.8.2 Administrative Accounts

On installation, Oracle provides several predefined administrative super accounts, including SYS, SYSTEM, and DBSNMP, as well as some sample schemas. DBSNMP is used for administration tasks in Oracle Enterprise Manager, and the management agent can manage and monitor the database using the DBSNMP account. The SYS account owns the data dictionary base tables and views, and should be used only by the DBMS itself, not by users. The SYSTEM account owns other tables and tools used by Oracle and tables for administration. None of these accounts should be used to create user tables, and access to them should be strictly controlled. On installation, these three administrator accounts are open, and the system prompts for passwords for all three of them; older releases shipped with default passwords, and any account left with a default or otherwise well-known password is an easy target, so it is strongly recommended that new passwords be set and that the sample schemas be locked or dropped on production systems. The accounts automatically have the DBA role, which permits a user to create roles and users; to grant privileges to other users; and to create, modify, and delete schemas and objects. Oracle suggests that administrative tasks are best performed using more targeted accounts that are authorized



for specific jobs, a concept called separation of duties. To this end, Oracle defines six additional administrative privileges that should be granted to separate named accounts for specific tasks: SYSDBA, SYSOPER, SYSASM, SYSBACKUP, SYSDG, and SYSKM.

Privileges granted to database users can be object privileges or system privileges. An object privilege is the right to perform an action using DML commands on a table, view, procedure, function, sequence, or package. The creator of a schema automatically has all object privileges on all objects in the schema and can grant the same object privileges to other users. For tables, the privileges include SELECT, INSERT, UPDATE, DELETE, and REFERENCES, as described in Section 8.7, but also ALTER (the right to use the ALTER TABLE command) and INDEX (the right to use the CREATE INDEX command). For updatable views, privileges are SELECT, INSERT, UPDATE, and DELETE. System privileges include the right to perform actions using DDL commands on database data, schemas, tablespaces, or other Oracle resources, as well as the right to create user accounts. System privileges such as CREATE ANY TABLE or SELECT ANY TABLE apply across every schema in the database and should be granted sparingly.

8.8.3 Security Tools

Some of the tools the DBA can use to secure the database installation are Oracle Database Configuration Assistant, Oracle Enterprise Manager, SQL*Plus, and Oracle Net Manager. Oracle Enterprise Manager is an online tool found on the Oracle Database Home page. On a Windows installation, SQL*Plus can be found in the Application Tools subdirectory of the Ora home directory, and the two other tools within the Configuration and Migration Tools subdirectory.

- Oracle Database Configuration Assistant has options to create, configure, or delete databases and other operations, including setting an audit policy.
- Oracle Enterprise Manager is a Web-based facility that offers options for granting and revoking privileges. The DBA has to log in initially using a privileged account such as SYSTEM to the Oracle Database home page to access the Enterprise Manager. To create user accounts from there, the DBA can choose the Administration icon, then Users, then Create. The DBA fills in the new user name, enters a temporary password, and can choose to have the password expire immediately. This will cause the new user to be prompted for a new password the first time he or she uses the account. The account status should be set to Unlocked. The user role and privileges should be chosen from the list provided, and the CREATE button should be clicked to finish the operation. It is recommended that the first account created be one that will be used


380 CHAPTER 8 Introduction to Database Security

© Jones & Bartlettby a Learning, security administrator, LLC and that this account© be Jones given all & rights Bartlett Learning, LLC NOT FOR SALE relatedOR DISTRIBUTION to security, to separate those tasks from otherNOT administrative FOR SALE OR DISTRIBUTION responsibilities.  at account should then be used for managing security. U SQL*Plus can also be used to create users and roles. A er signing in © Jones & Bartlett Learning, toLLC a privileged account such as SYSTEM © Jones, or having & Bartlett been authorized Learning, to LLC NOT FOR SALE OR DISTRIBUTIONcreate users, the DBA writes a NOTCREATE FOR USER SALE command, OR which DISTRIBUTION has this form: CREATE USER username IDENTIFIED BY password; For example: © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION CREATE USERNOT U999 FOR IDENTIFIED SALE OR BY DISTRIBUTIONSESAME; However, this command does not give any privileges to the user, so U999 will not be able to establish a session unless the DBA also writes the following: © Jones & Bartlett GRANT Learning, CREATE SESSION LLC TO U999; © Jones & Bartlett Learning, LLC NOT FOR SALE ToOR require DISTRIBUTION the user to change his or her passwordNOT at the FOR rst actual SALE OR DISTRIBUTION log-in, the DBA uses this command: ALTER USER username PASSWORD EXPIRE ; © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC When the user tries to connect, he or she will be given a message NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION saying the password has expired and prompting for a new one before being connected. 
Once connected, the user can also change his or her own password at any time by writing the following in SQL* Plus: ALTER USER username © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, LLC IDENTIFIED BY newpassword; NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION Although the user will be connected, he or she will not be able to access any data, since the only privilege given is the one to create a session. To actually use Oracle’s facilities, the user needs to be given additional privileges, which can be either object privileges or system © Jones & Bartlettprivileges Learning, as described LLC earlier. © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION  e syntax for granting object privileges is the same as the standard SQL DCL syntax shown in Section 8.7. For example, the DBA might give U999 wide privileges on the Student table by writing as follows: © Jones & Bartlett Learning, GRANTLLC ALL PRIVILEGES ON Student© Jones TO U999 & Bartlett WITH GRANT Learning, OPTION ; LLC NOT FOR SALE OR DISTRIBUTION If there is a stored procedure calledNOT WrapUp FOR , theSALE DBA ORcan give DISTRIBUTION U999 permission to run the procedure by writing this command: GRANT EXECUTE ON WrapUp TO U999;
Oracle defines well over 200 system privileges (236 in the release described here). A list of system privileges can be seen by writing the following SQL command:

    SELECT name FROM SYSTEM_PRIVILEGE_MAP;

System privileges can be given through SQL*Plus using a GRANT command of this form:

    GRANT systemprivilege TO username [WITH ADMIN OPTION];

For example, we could allow U999 to create tables by writing:

    GRANT CREATE TABLE TO U999 WITH ADMIN OPTION;

Additionally, privileges that are object privileges on single tables can be extended to become system privileges that extend to any table by using the keyword ANY, as in:

    GRANT SELECT ANY TABLE TO U999;

The WITH ADMIN OPTION clause allows the user to pass the privilege on to others. Note that an ANY privilege reaches every schema in the database, not just the grantee's own, so it is rarely appropriate for an ordinary application account.

As in the SQL standard, Oracle allows privileges to be given to a role as well as to individuals or groups of users. A role consists of a group of privileges. Any number of roles can be granted to a user. Roles can also be granted to other roles, allowing inheritance of privileges. Roles can be created in SQL*Plus using the DCL commands discussed in Section 8.7.

• Oracle Net Manager. During installation, Oracle creates an initial network configuration, including a default listener. Changes can be made to the configuration by using the Net Configuration Assistant, which is found in the Configuration and Migration Tools subdirectory of the Ora home directory. After configuration, the Oracle Net Manager in the same subdirectory can be used to manage the networks. The DBA can set profiles, choose encryption for the server and client, provide an encryption seed, and choose one or more of several encryption methods.
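The SQL*Plus sequence above (CREATE USER, GRANT CREATE SESSION, ALTER USER ... PASSWORD EXPIRE, then object and system grants) is what a provisioning script has to emit for every new account. The Python below is an added example, not code from the textbook or from Oracle: it builds that statement list from a short specification and, because Oracle DDL and DCL statements cannot take bind variables, checks each user, table, and procedure name against Oracle's unquoted-identifier rules before splicing it in, and refuses WITH GRANT OPTION and broad (ANY-style) privileges unless explicitly requested. The names U999, Student, and WrapUp are the text's; the privilege whitelist, the helper names, and the 30-byte identifier limit are assumptions made here.

```python
"""Generate a least-privilege Oracle provisioning script from a short spec.

Added example, not from the textbook or from Oracle. Oracle DDL and DCL
statements (CREATE USER, GRANT, ALTER USER) cannot take bind variables,
so a provisioning tool that splices an externally supplied user name or
privilege into them becomes an injection hole of its own unless every
name is checked against Oracle's identifier rules first. Assumed: the
output is later run in SQL*Plus from a privileged account; U999, Student
and WrapUp are the text's sample names.
"""
import re

# Unquoted Oracle identifier: a letter, then letters, digits, _, $ or #,
# 30 bytes at most (the limit in the releases the chapter describes).
_IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")
# System privilege names are keywords separated by single spaces.
_SYS_PRIV = re.compile(r"^[A-Z]+( [A-Z]+)*$")
# Object privileges the text lists for tables.
_TABLE_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE", "REFERENCES", "ALTER", "INDEX"}
# System privileges an ordinary application account may receive without a
# second look; DBA, ... ANY ... and similar need allow_broad=True (assumed list).
_ORDINARY_SYS_PRIVS = {"CREATE SESSION", "CREATE TABLE", "CREATE VIEW",
                       "CREATE PROCEDURE", "CREATE SEQUENCE"}


def is_legal_identifier(name: str) -> bool:
    """True if name may be used unquoted in an Oracle statement."""
    return bool(_IDENT.match(name))


def ident(name: str) -> str:
    """Upper-case a legal identifier (Oracle folds unquoted names), else raise."""
    if not is_legal_identifier(name):
        raise ValueError(f"illegal Oracle identifier: {name!r}")
    return name.upper()


def password_literal(pw: str) -> str:
    """Quote a password for IDENTIFIED BY; a double quote cannot be escaped, so refuse it."""
    if not pw or '"' in pw:
        raise ValueError("password must be non-empty and contain no double quote")
    return f'"{pw}"'


def provisioning_script(user, password, table_grants=None, exec_grants=(),
                        sys_privs=("CREATE SESSION",), allow_broad=False):
    """Return the ordered SQL statements that create and authorize one user.

    table_grants: {"Student": ["SELECT", "UPDATE"], ...} object privileges
    exec_grants:  procedure names the user may EXECUTE
    sys_privs:    system privileges (CREATE SESSION is always granted)
    allow_broad:  permit privileges outside _ORDINARY_SYS_PRIVS
    """
    u = ident(user)
    stmts = [
        f"CREATE USER {u} IDENTIFIED BY {password_literal(password)};",
        f"GRANT CREATE SESSION TO {u};",      # without this the user cannot connect
        f"ALTER USER {u} PASSWORD EXPIRE;",    # force a change at first log-in
    ]
    for priv in sys_privs:
        p = priv.upper()
        if p == "CREATE SESSION":
            continue
        if not _SYS_PRIV.match(p):
            raise ValueError(f"malformed system privilege: {priv!r}")
        if p not in _ORDINARY_SYS_PRIVS and not allow_broad:
            raise ValueError(f"{p!r} is a broad privilege; pass allow_broad=True")
        stmts.append(f"GRANT {p} TO {u};")    # never WITH ADMIN OPTION by default
    for table, privs in (table_grants or {}).items():
        ps = [p.upper() for p in privs]
        unknown = set(ps) - _TABLE_PRIVS
        if unknown:
            raise ValueError(f"unknown object privilege(s) {sorted(unknown)} on {table!r}")
        # No WITH GRANT OPTION: the grantee must not be able to re-delegate.
        stmts.append(f"GRANT {', '.join(ps)} ON {ident(table)} TO {u};")
    for proc in exec_grants:
        stmts.append(f"GRANT EXECUTE ON {ident(proc)} TO {u};")
    return stmts


if __name__ == "__main__":
    for stmt in provisioning_script("U999", "Sesame-2015",
                                    table_grants={"Student": ["SELECT", "UPDATE"]},
                                    exec_grants=["WrapUp"]):
        print(stmt)
```

Because the password is passed in double quotes, Oracle accepts mixed case and punctuation in it; a name such as U999; DROP USER SCOTT is rejected by the identifier check rather than being written into the script.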

8.9 Statistical Database Security

Statistical databases are designed to provide data to support statistical analysis on populations. The data itself may contain facts about individuals, but the data is not meant to be retrieved on an individual basis. Users are granted permission to access statistical information such as totals, counts, or averages, but not information about individuals. For example, if a user is permitted statistical access to an employee database, he or she is able to write queries such as:

    SELECT SUM(Salary)
    FROM Employee
    WHERE Dept = 10;

but not:

    SELECT Salary
    FROM Employee
    WHERE empId = 'E101';

Special precautions must be taken when users are permitted access to statistical data, to ensure that they are not able to deduce data about individuals. For the preceding example, if there are no restrictions in place except that all queries must involve COUNT, SUM, or AVG, a user who wishes to find the salary of employee E101 can do so by adding conditions to the WHERE line to narrow the population down to that one individual, as in:

    SELECT SUM(Salary)
    FROM Employee
    WHERE Dept = 10 AND jobTitle = 'Programmer' AND dateHired > '01-Jan-2015';

The system can be modified to refuse to answer any query for which only one record satisfies the predicate. However, this restriction is easily overcome, since the user can ask for total salaries for the department and then ask for the total salary for the department without E101 (for example, by adding AND empId <> 'E101'). Neither of these queries is limited to one record, but subtracting the second answer from the first yields the salary of employee E101 exactly. Query pairs of this kind are known as trackers. To make such inference harder, the system can restrict queries by requiring that the number of records satisfying the predicate be above some threshold (and below the population size minus that threshold, since the complement of a very small set is just as revealing), that the number of records two answered queries have in common not exceed some limit, and that sets of queries which repeatedly involve the same records be disallowed. These controls raise the cost of inference but do not eliminate it; stronger guarantees require perturbing the answers themselves, for example by adding calibrated random noise.
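The tracker attack and the two query controls described above, as an added example in Python with sqlite3 (not from the textbook). The Employee table and its salaries are constructed sample data; the StatQueryInterface class and its parameters min_size and max_overlap are names chosen here. The predicates are literal strings written by the example itself, not user input.

```python
"""Inference against a statistical database, and two query-set controls.

Added example, not from the textbook. The Employee rows are constructed
sample data. The interface answers only SUM queries, never row-level
ones, and the example shows (1) why a minimum query-set size alone does
not stop a tracker attack and (2) how limiting the overlap between
answered query sets does.
"""
import sqlite3

ROWS = [  # (empId, dept, jobTitle, dateHired, salary): constructed data
    ("E101", 10, "Programmer", "2015-03-01", 71000),
    ("E102", 10, "Programmer", "2014-06-15", 68000),
    ("E103", 10, "Analyst",    "2013-01-10", 75000),
    ("E104", 10, "Manager",    "2010-09-01", 98000),
    ("E105", 10, "Programmer", "2012-11-20", 66000),
    ("E106", 20, "Analyst",    "2014-02-02", 72000),
]


def open_db():
    """Create the in-memory Employee table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Employee(empId TEXT PRIMARY KEY, dept INT, "
                 "jobTitle TEXT, dateHired TEXT, salary INT)")
    conn.executemany("INSERT INTO Employee VALUES (?,?,?,?,?)", ROWS)
    return conn


class StatQueryInterface:
    """Answers SUM(salary) over a predicate, subject to two controls.

    min_size:    refuse if fewer than this many rows match (query-set size).
    max_overlap: refuse if the matching rows share more than this many rows
                 with any previously answered query (None = no overlap check).
    Predicates are trusted literals written in this file, not user input.
    """

    def __init__(self, conn, min_size=2, max_overlap=None):
        self.conn, self.min_size, self.max_overlap = conn, min_size, max_overlap
        self.answered = []  # empId sets of the queries already answered

    def sum_salary(self, predicate):
        ids = {r[0] for r in self.conn.execute(
            f"SELECT empId FROM Employee WHERE {predicate}")}
        if len(ids) < self.min_size:
            return None  # query set too small
        if self.max_overlap is not None and any(
                len(ids & prev) > self.max_overlap for prev in self.answered):
            return None  # too much overlap with an earlier answered query
        self.answered.append(ids)
        return self.conn.execute(
            f"SELECT SUM(salary) FROM Employee WHERE {predicate}").fetchone()[0]


def tracker_attack(api):
    """Infer E101's salary from two legal aggregate queries; None if blocked."""
    total = api.sum_salary("dept = 10")
    without = api.sum_salary("dept = 10 AND empId <> 'E101'")
    if total is None or without is None:
        return None
    return total - without


if __name__ == "__main__":
    naive = StatQueryInterface(open_db(), min_size=2)
    print("single-row predicate:", naive.sum_salary(
        "dept = 10 AND jobTitle = 'Programmer' AND dateHired > '2015-01-01'"))
    print("tracker, size check only:", tracker_attack(naive))
    guarded = StatQueryInterface(open_db(), min_size=2, max_overlap=2)
    print("tracker, overlap limit:", tracker_attack(guarded))
```

With only the size check the tracker recovers E101's salary exactly (378000 minus 307000); with an overlap limit of two rows the second query of the pair is refused because it shares four rows with the first.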

8.10 SQL Injection

Database applications must take security precautions to protect a database against a form of attack known as SQL injection. The term injection refers to the fact that user input from a client through the application interface can be designed to take advantage of vulnerabilities associated with the dynamic construction of SQL queries. Using SQL injection, an attacker can insert (or inject) code into a query that can be used to retrieve information that the attacker is not authorized to see, maliciously delete or modify data, or insert data that would give an attacker unauthorized access to the database. SQL injection was first publicly described around 1998 and is now ranked as a top software security concern by the Open Web Application Security Project (OWASP) and by the CWE/SANS Top 25 Most Dangerous Software Errors. SQL injection poses threats to confidentiality, integrity, availability, authentication, and authorization.

8.10.1 Examples of SQL Injection

SQL injection takes advantage of the fact that SQL queries can be dynamically constructed in application code. As an example, consider a Web form that allows a student to enter his or her identifier and password into the variables userID and password. The application then uses this information to retrieve the student's confidential information from the Student table. Inside the application code, the query can be constructed dynamically through the following statement:

    studentInfoQuery = "SELECT * FROM student WHERE userID = '" + userID + "' AND password = '" + password + "';"

The + character represents the string concatenation operator. If userID contains the value John and password contains the value x1y2z3, then studentInfoQuery would contain the following SELECT statement:

    SELECT * FROM student WHERE userID = 'John' AND password = 'x1y2z3';

The studentInfoQuery would then be submitted to the database for retrieval of the information. This query only works as intended if the input values for userID and password do not contain a single quote character. For example, if the user enters x1y'z3 by mistake, the query becomes:

    SELECT *
    FROM student
    WHERE userID = 'John' AND password = 'x1y'z3';
The extraneous single quote in the password will cause the DBMS to return an error, since 'x1y'z3'; is invalid syntax to the SQL parser. An attacker will sometimes use this technique to discover that an application is vulnerable to SQL injection: a syntax error message gives the attacker a clue that the query is being dynamically constructed without any input validation. Suppressing database error messages from the client makes this probe less informative, but it does not remove the vulnerability; an attacker can still tell success from failure by differences in the page returned or in response time. A subsequent malicious query can then be constructed that will give the attacker access to John's information as well as the information of all other students. As an example, suppose an attacker does not know any valid user IDs or passwords and enters the value X as the userID and Y' or 'a'='a as the password. The query then becomes:

    SELECT *
    FROM student
    WHERE userID = 'X' AND password = 'Y' OR 'a'='a';

Even with an incorrect userID and password, this query will always evaluate to true because the OR condition will always be satisfied: AND binds more tightly than OR, so the predicate is read as (userID = 'X' AND password = 'Y') OR 'a'='a'. The query therefore evaluates as the query below, which returns information about all students:

    SELECT *
    FROM student
    WHERE 'a'='a';

Since some database products allow the execution of multiple SQL statements separated by semicolons within a single query string, attackers can also take advantage of this vulnerability together with single quotes in input values to enter additional malicious statements. To illustrate this type of attack, assume the attacker enters the value X as the userID and the value Y' or 'a'='a'; DELETE FROM student; -- as the password. In this case, the query becomes:

    SELECT *
    FROM student
    WHERE userID = 'X' AND password = 'Y' OR 'a'='a'; DELETE FROM student; --';

The query will retrieve all student information and then delete all of the information in the Student table. Notice that the "--" comment characters are used at the end of the password string so that the closing quote and semicolon supplied by the application are commented out of the query execution to avoid a syntax error.
8.10.2 Mitigation of SQL Injection

As illustrated in the previous subsection, SQL injection can be used to cause serious harm to a database. In addition to the examples described earlier that violate confidentiality and integrity, other SQL statements can be injected into a query that give an attacker access to the database, such as creating a new unauthorized user ID and password with special security privileges. In some cases, it is even possible to invoke certain operating system commands from an SQL query. Fortunately, there are several actions that can be taken to mitigate SQL injection attacks. The most basic vulnerability lies in the dynamic construction of the SQL query as a string. This approach to building a query in application code is not considered a safe programming practice and should be avoided. An alternative approach is to use parameterized statements, as in prepared statements of the JDBC API. With a parameterized query the SQL text is fixed and contains placeholders; the values of the variables are passed to the DBMS separately, as data, and are never parsed as part of the statement, so a value containing quotes, semicolons, or SQL keywords cannot change the structure of the query. JDBC and parameterized queries are covered in more detail in Chapter 5. The use of stored procedures as described in Chapter 5 can also avoid SQL injection attacks, as long as SQL queries are not dynamically constructed inside the stored procedure (for example, by concatenating a parameter into a string that is then passed to EXECUTE IMMEDIATE).
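The vulnerable look-up from Section 8.10.1 beside its parameterized replacement, run against an in-memory sqlite3 table, as an added example (not from the textbook). The Student rows are constructed; the plaintext password column is kept only because the text uses one, a real system stores password hashes. sqlite3 is used because it ships with Python and, like Oracle, refuses a query string that contains more than one statement, so the stacked-statement payload is also shown being rejected.

```python
"""The textbook's student look-up, vulnerable and hardened side by side.

Added example, not from the textbook. The Student table and its rows are
constructed sample data; the password column holds plaintext only because
the text's example does. The same bind-parameter pattern applies to JDBC
PreparedStatement or any other driver that supports placeholders.
"""
import sqlite3

STUDENTS = [("John", "x1y2z3", "John Doe", 3.7),   # constructed sample rows
            ("Ann",  "s3cr3t", "Ann Lee",  3.9)]


def open_db():
    """Create the in-memory student table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student(userID TEXT PRIMARY KEY, password TEXT, "
                 "name TEXT, gpa REAL)")
    conn.executemany("INSERT INTO student VALUES (?,?,?,?)", STUDENTS)
    return conn


def student_info_vulnerable(conn, user_id, password):
    """Dynamic string construction exactly as in the text: do not use."""
    query = ("SELECT * FROM student WHERE userID = '" + user_id +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def student_info_safe(conn, user_id, password):
    """Parameterized query: the inputs are bound as data, never parsed as SQL."""
    query = "SELECT * FROM student WHERE userID = ? AND password = ?"
    return conn.execute(query, (user_id, password)).fetchall()


def demo():
    """Run the text's three inputs through both versions; return what happened."""
    conn = open_db()
    results = {}
    # An honest log-in works either way.
    results["honest_vuln"] = len(student_info_vulnerable(conn, "John", "x1y2z3"))
    results["honest_safe"] = len(student_info_safe(conn, "John", "x1y2z3"))
    # The probe: a stray quote breaks the dynamic query but not the bound one.
    try:
        student_info_vulnerable(conn, "John", "x1y'z3")
        results["probe_vuln"] = "ok"
    except sqlite3.OperationalError:
        results["probe_vuln"] = "syntax error"
    results["probe_safe"] = len(student_info_safe(conn, "John", "x1y'z3"))
    # The tautology payload: every row comes back from the vulnerable
    # version; the safe version simply finds no such password.
    payload = "Y' or 'a'='a"
    results["tautology_vuln"] = len(student_info_vulnerable(conn, "X", payload))
    results["tautology_safe"] = len(student_info_safe(conn, "X", payload))
    # Stacked statement: sqlite3's execute() refuses more than one statement
    # per call (older Pythons raise sqlite3.Warning, newer ones
    # ProgrammingError), the same defence the text credits to Oracle.
    stacked = "Y' or 'a'='a'; DELETE FROM student; --"
    try:
        student_info_vulnerable(conn, "X", stacked)
        results["stacked_vuln"] = "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        results["stacked_vuln"] = "refused"
    results["rows_left"] = conn.execute("SELECT COUNT(*) FROM student").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

The tautology case is the one to remember: the vulnerable function returns both rows for an attacker who knows no credentials at all, while the parameterized function returns none because the whole string Y' or 'a'='a is compared against the password column as a value.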
Another mitigation technique is to always validate user input to make sure the input conforms to valid types and patterns before the input is used to construct an SQL query. Database permissions should also be limited on a need-to-know basis: the account an application uses to connect should hold only the object privileges its own queries require, so that an injected DELETE or CREATE USER fails for lack of privilege even when the injection itself succeeds. Some database products, such as Oracle, help to mitigate SQL injection by not allowing query strings that contain multiple SQL statements separated by semicolons.

8.11 Database Security and the Internet

Unless security software is used, all messages sent over the Internet are transmitted in plaintext and can be captured by intruders using packet sniffing software. Both senders and receivers need to be confident that their communications are kept private. Obviously, customers who wish to purchase products need to have assurance that their credit card information is secure when they send it over the Internet. Companies that allow Web connections to their internal networks for access to their database need to be able to protect it from attack. Receivers of messages need to have ways to be sure that those messages are genuine and trustworthy and have not been tampered with. Senders of messages should not be able to repudiate them,
denying that they sent them. Web users who download executable content such as Java applets, ActiveX, or VBScript need to have ways to assure that the code will not corrupt their databases or otherwise harm their systems. Several techniques are used to address these issues.

8.11.1 Proxy Servers

A proxy server is a computer or program that acts as an intermediary between a client and another server, handling messages in both directions. When the client requests a service such as a connection or Web page, the proxy evaluates it and determines whether it can fulfill the request itself. If not, it filters the request, perhaps altering it, and requests the service from the server or other resource. It may cache (store a copy of) the server's response so that a subsequent request can be fulfilled from the stored content without using the server again. The proxy server can be used for several purposes, including to maintain security by hiding the actual IP address of the server, to improve performance by caching, to prevent access to sites that an organization wishes to block from its members, to protect the server from malware, and to protect data by scanning outbound messages for data leaks.

8.11.2 Firewalls

A firewall is a hardware and/or software barrier that is used to protect an organization's internal network (intranet) from unauthorized access. Various techniques are used to ensure that messages entering or leaving the intranet comply with the organization's standards. For example, a proxy server can be used to hide the actual network address. Another technique is a packet filter, which examines each packet before it enters or leaves the intranet, making sure it complies with a set of rules (typically on source and destination addresses, ports, and protocol). Application-level and circuit-level gateways apply security mechanisms at the level of a particular application protocol or of an individual connection, respectively.

8.11.3 Digital Signatures

Digital signatures use public-key cryptography to provide communications whose origin cannot be repudiated. A digital signature allows a user to verify the authenticity of the person they are communicating with, and provides a means to prove that a message must have come from that person and that it has not been tampered with in transmission. In the scheme described here, the sender first applies his or her own private key to the message (in practice, to a cryptographic hash of the message; the result is the signature) and then encrypts message and signature with the public key of the receiver. The receiver decrypts with his or her own private key and then checks the signature using the sender's public key. Since only the holder of the sender's private key could have produced a signature that verifies under the sender's public key, the receiver knows who sent the message; since only the holder of the receiver's private key can decrypt it, the contents stay confidential; and since any change to the message makes the signature fail to verify, tampering is detected. A signature by itself proves origin and integrity but does not conceal the message; confidentiality comes from the separate encryption step.
8.11.4 Certification Authorities

Customers who wish to purchase goods from an e-commerce website need to feel confident that the site they are communicating with is genuine and that their ordering information is transmitted privately. A widely used method of verifying that a site is genuine is by means of certification authorities (CAs) such as Verisign. The process uses public-key encryption. The site begins the certification process by generating a public key and a private key and sending a certificate request, along with the site's public key, to the CA. The CA checks the identity of the requester and issues a certificate, signed with the CA's private key, that binds the site's name to its public key; the site stores it for future use. When a customer wishes to place an order using a secure connection to the site, his or her browser asks the site for its certificate. The browser verifies the CA's signature on the certificate using the CA's public key, which is pre-installed in the browser's trust store, checks that the certificate has not expired or been revoked, and checks that the name in the certificate matches the site's URL. The certificate also contains the site's public key. In the original SSL design the browser then creates a session key, encrypts it using the site's public key from the certificate, and sends it to the site. Since the session key is encrypted with the site's public key, only the actual site can decrypt it using its private key. Since the browser and the site are now the sole holders of the session key, they can exchange messages encrypted with a faster symmetric cipher such as 3DES or AES. This is the process used in the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS), and it is typically used for messages to and from a customer during an order process. Current TLS versions instead derive the session key from an ephemeral Diffie-Hellman exchange, so that a later compromise of the site's private key does not expose recorded sessions; the certificate then serves to authenticate that exchange rather than to carry the key. An additional measure of security is usually used for transmission of credit card numbers. While the user's browser sends the seller site most of the order information over the encrypted connection, when the customer is ready to transmit credit card information at the end of the order process, that information, along with the amount to be charged, is sent directly to the card company site for authorization and approval.

The SET (Secure Electronic Transactions) protocol, which was used for this process, has been superseded by newer protocols such as Visa's Verified by Visa, which provides both authentication and approval of the purchase. It uses an XML-based protocol called 3-D Secure.

Kerberos is an authentication protocol for networks that allows mutual authentication, in which both client and server can verify identity. A trusted Kerberos server, the Key Distribution Center (KDC), stores the secret keys of each client and server on the network and uses these to generate time-stamped tickets when the client requests service. A ticket is then presented to the server to demonstrate that the client is approved for service. Kerberos itself uses symmetric-key encryption; public-key methods can be used for the client's initial authentication to the KDC through the PKINIT extension. Both the protocol and the free software implementing it were developed at the Massachusetts Institute of Technology. It is used by both Oracle and Caché, as well as many other vendors.
8.12 Chapter Summary

Database security means protecting the database from unauthorized access, modification, or destruction. Privacy is the right of individuals to have some control over information about themselves, and is protected by law in many countries. Confidentiality refers to the need to keep certain information from being known. Both privacy and confidentiality can be protected by security. Security violations can be accidental or deliberate, and security breaches can be accomplished in a variety of ways. A database security plan should begin with physical security measures for the building, especially the computer facilities. Security control for workstations involves user authentication, verifying the identity of users. The operating system normally has some means of establishing a user's identity, using user profiles, user IDs, passwords, authentication procedures, badges, keys, or physical characteristics of the user. Additional authentication can be required for access to the database.

Most database management systems designed for multiple users have a security subsystem. These subsystems provide for authorization, by which users are assigned rights to use database objects. Most have an authorization language that allows the DBA to write authorization rules specifying which users have what type of access to database objects. The DBA can sometimes delegate authorization powers to others. An access control matrix can be used to identify what types of operations different users are permitted to perform on various database objects. Views can be used as a simple method for implementing access control. SQL has a Data Control Language that provides security; the GRANT statement is used for authorization.

A security log is a journal for storing records of attempted security violations. An audit trail records all access to the database, keeping information about the requester, the operation performed, the workstation used, and the time, data items, and values involved. Triggers can be used to set up an audit trail.

Encryption uses a cipher system that consists of an encrypting algorithm that converts plaintext into ciphertext, an encryption key, a decrypting algorithm that reproduces plaintext from ciphertext, and a decryption key. Widely used encryption schemes are the Data Encryption Standard (DES), Triple Data Encryption Standard (3DES), and the Advanced Encryption Standard (AES). DES and AES use a standard algorithm, which is often hardware implemented. Public-key encryption uses a product of primes as a public key and the prime factors of the product as a private key.

Oracle distinguishes object privileges from system privileges; both can be granted using the DCL language. SQL injection attacks dynamically constructed queries. Internet security techniques include firewalls, certification authorities, digital certificates, digital signatures, SSL, S-HTTP, and Kerberos.

Exercises

The exercises use tables Class (classNumber, facId, schedule, room) and Enroll (stuId, classNumber, grade).
a. Create user …
b. Create a view of … that does not include the grade attribute, and give user … permission to read and update the view. Give permission to read the tables Class and Enroll to …
Enroll( , lastName, firstName, major, credits) Student(stuId, lastName, firstName, major, Faculty(facId, name, department, rank) Class(classNumber, For each of the following, write SQL statements to create views create to SQL statements write of the following, each For the University for privileges the indicated grant needed and to where with this schema: database In Oracle, there are many ways to secure the database and assign secure and to the database ways many are there Oracle, In Statistical databases must take special precautions to make sure that that sure make to take specialprecautions must databases Statistical When the database is accessible through the Internet, special security the Internet, through accessible is the database When Exercises Exercises or similar protocols for user authentication, stronger protocols for nancial for protocols stronger user authentication, for protocols similar or and information, 8.1 REVOKE statement is used to retract authorization. Privileges can be given to be can given Privileges used authorization. is retract to statement REVOKE individuals. to given is then the role and a role, to or individuals they can and open, are accounts administrative super Initially, privileges. include Privileges users. and roles, accounts, other be used create to and privileges be can data Sensitive Manager. Enterprise the Oracle through or in SQL*Plus secured Virtual with and protection data sensitive ed transparent with identi also can be data secured with Network redaction. data or Database Private Manager. Data Network information. dential con useddeduce to not are queries also poses a signi cant threat to database applications by taking advantage taking advantage by applications database to threat cant also poses a signi with queries of construction the dynamic with associated vulnerabilities of SQL avoid can developers Database been validated. 
not has that user input techniques development ware secure so more following by attacks injection queries. of construction the dynamic for ese include needed.  are techniques issue that Verisign as © Jones & Bartlett Learning, LLC © Jones & Bartlett OR DISTRIBUTION NOT FOR SALE © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Digital_Art/Shutterstock © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION 9781284079050_CH08_PASS03.indd 389

NOT FOR SALE OR DISTRIBUTION OR SALE FOR NOT © Jones & Bartlett Learning, LLC Learning, Bartlett & Jones ©

© Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION

NOT FOR SALE OR DISTRIBUTION NOT FOR SALE LLC © Jones & Bartlett Learning, © Jones & Bartlett Learning, LLC © Jones & Bartlett © Digital_Art/Shutterstock 11/06/15 5:23 pm

. Class tables. but not but , and the AVERAGE Class Class , and , and Class , . © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION and © Jones & Bartlett Learning, LLC & Bartlett Learning, © Jones SALE OR DISTRIBUTION NOT FOR SUM , . Write the command the command . Write , to read and modify read , to 205 500 Student COUNT Class , and , and Faculty , and to grant those rights to those rights to grant , and to 204 , , an assistant dean, to read and read to dean, , an assistant to read read to © Jones & Bartlett Learning, LLC © Jones & Bartlett OR DISTRIBUTION NOT FOR SALE © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION 203 206 , 300 Enroll 202 records of students majoring in Math and of students records records for these students. , and Student Class Enroll , . authorizes user authorizes © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC Learning, Bartlett & Jones © DISTRIBUTION OR SALE FOR NOT Learning, LLC © Jones & Bartlett OR DISTRIBUTION NOT FOR SALE 206

to modify to records. For the advisor in the Math department, give permission For records. the read to to to do this. given privileges the all showing graph authorization an Create of combination each node for will need a separate You so far. privilege and user. was dean that the assistant privilege the authorization Revoke modification and reading own her or his keep but (d), in given on the authorization would you show this change How privileges. graph? user the Registrar, Give permission to modify (insert, delete, update) the update) (insert,modify delete, Create a role that includes reading includes reading that a role Create Write a legal SQL query find the salary a legal to Write of the only faculty in the Art department. member who is an instructor which only answer queries for to will refuse Assume the system of set a legal as in (a). Write satisfies the predicate one record the salary deduce queries that allows the user to of the Art instructor. in the Art department. members 10 faculty are Assume that there of number the where queries answer to refuses system The to satisfying the query is less than six. It will also refuse records satisfying the number of records of queries where answer pairs Would these restrictions three. exceeds them simultaneously another legal is there If so, your querymake (a) or (b) illegal? for Student Faculty User This user can authorize others to read and modify read to others authorize This user can others. others. all read to permission give advisors, academic all For Give permission to user to Give permission

view created in (b). Give that role to all clerks in the dean’s o ice, o dean’s the in clerks all to role that Give (b). in viewcreated which includes users f. i. c. c. e. g. a. h. b. d. , lastName, firstName, department, newFaculty(facId, lastName, firstName, department, salary, rank, dateHired) Assume you have a statistical database with the following schema. with the following database Assume you have a statistical those involving are queries The only legal Introduction to Database Security Database to 8 Introduction CHAPTER 8.2 © Jones & Bartlett Learning, LLC. NOT FOR SALE OR DISTRIBUTION. © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC & Bartlett Learning, © Jones SALE OR DISTRIBUTION NOT FOR 390 © Jones & Bartlett Learning, LLC © Jones & Bartlett OR DISTRIBUTION NOT FOR SALE © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION 9781284079050_CH08_PASS03.indd 390

NOT FOR SALE OR DISTRIBUTION OR SALE FOR NOT © Jones & Bartlett Learning, LLC Learning, Bartlett & Jones ©

© Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION

NOT FOR SALE OR DISTRIBUTION NOT FOR SALE LLC © Jones & Bartlett Learning, © Jones & Bartlett Learning, LLC © Jones & Bartlett 11/06/15 5:23 pm 391 © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC & Bartlett Learning, © Jones SALE OR DISTRIBUTION NOT FOR

, that SELECT userID userID © Jones & Bartlett Learning, LLC © Jones & Bartlett OR DISTRIBUTION NOT FOR SALE © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION , , Student email , , 8.12 Summary Chapter . Using the to read both views. © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC Learning, Bartlett & Jones © DISTRIBUTION OR SALE FOR NOT Learning, LLC © Jones & Bartlett OR DISTRIBUTION NOT FOR SALE 125 studentID statement to execute? execute? to statement lastName table shown in Exercise 8.2. 8.2. shown in Exercise table INSERT , and : newFaculty table. What values have to be input for the be input for have to What values table. . Do not include the whole table. . Do not include the whole table. firstName password © Jones & Bartlett Learning, LLC. NOT FOR SALE OR DISTRIBUTION. , table contains the fields the fields contains table and Student © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC & Bartlett Learning, © Jones SALE OR DISTRIBUTION NOT FOR includes only seniors. statement to create a value-dependent view a value-dependent of create to statement and password to get the get to and password Write an SQL statement for a value-independent viewvalue-independent a of for an SQL statement Write Faculty set of queries that will allow you to deduce the salary the deduce Art the of to you allow will that queries of set instructor? 
Show how SQL injection can be used to insert a new student into a new insert into be used to student Show how SQL injection can the Print the list of trusted publishers, locations, and documents for for and documents locations, publishers, Print the list of trusted your computer. and encrypt the database you created database Open an Access with a password. c. user authorize to a statement Write c. Sign your database and package it for distribution. c. distribution. it for and package Sign your database a. a. b. b.

statement from Section 8.10.1, which selects students based on their based which selects students Section 8.10.1, from statement Student password userID a. Using the University schema shown in Exercise 8.1, write an SQL 8.1, write in Exercise schema shown the University Using a. Log on to an e-commerce website, such as that of a large bookseller. bookseller. large a that of as such website, an e-commerce to on Log security of online about provided the information and read Locate is protocol or some other secure SSL whether Determine transactions. Verisign the about information the print and display possible, If used. may find this in the options in your browser. You the site. for certificate the by reading Access in Microso features the security Examine Then do the following: online Help on the topic. the process to It refers exploit a database. en used to SQL injection is o or modify a database, sensitive data, read of using SQL injection to In preparation on a database. operations administrative execute en use SQL injection o attackers an SQL injection exploitation, for SQL how Investigate about the database. information discover to In about a database. information discover be used to injection can information discover SQL injection be used to how can particular, names, or even email addresses? such as field names, table that the you have discovered 8.7, assume on Exercise Building Write a trigger to create an audit trail that will track all updates to the to all updates that will track trail an audit create to a trigger Write salary field of the 8.3 8.5 8.6 8.7 8.8 8.4 © Jones & Bartlett Learning, LLC © Jones & Bartlett OR DISTRIBUTION NOT FOR SALE © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Digital_Art/Shutterstock © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION 9781284079050_CH08_PASS03.indd 391

NOT FOR SALE OR DISTRIBUTION OR SALE FOR NOT © Jones & Bartlett Learning, LLC Learning, Bartlett & Jones ©

© Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION

NOT FOR SALE OR DISTRIBUTION NOT FOR SALE LLC © Jones & Bartlett Learning, © Jones & Bartlett Learning, LLC © Jones & Bartlett © Digital_Art/Shutterstock 11/06/15 5:23 pm © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC & Bartlett Learning, © Jones SALE OR DISTRIBUTION NOT FOR © Jones & Bartlett Learning, LLC © Jones & Bartlett OR DISTRIBUTION NOT FOR SALE © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC Learning, Bartlett & Jones © DISTRIBUTION OR SALE FOR NOT Learning, LLC © Jones & Bartlett OR DISTRIBUTION NOT FOR SALE What are some reasons why the SQL injection attack to insert a insert to attack injection SQL the why reasons some are What new user might fail? SQL injection show how email address, a student’s If you know email address. your to the email address change to be used can email the student’s at changing successful you are Assuming password? the student’s to access you then get can how address, your own password get you how do Web pages, HINT: On most when you don’t remember it? c. b. d. Introduction to Database Security Database to 8 Introduction CHAPTER © Jones & Bartlett Learning, LLC. NOT FOR SALE OR DISTRIBUTION. 
© Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC & Bartlett Learning, © Jones SALE OR DISTRIBUTION NOT FOR 392 © Jones & Bartlett Learning, LLC © Jones & Bartlett OR DISTRIBUTION NOT FOR SALE © Jones & Bartlett Learning, LLC © Jones & Bartlett Learning, NOT FOR SALE OR DISTRIBUTION © Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION 9781284079050_CH08_PASS03.indd 392

NOT FOR SALE OR DISTRIBUTION OR SALE FOR NOT © Jones & Bartlett Learning, LLC Learning, Bartlett & Jones ©

© Jones & Bartlett Learning, LLC NOT FOR SALE OR DISTRIBUTION NOT FOR SALE OR DISTRIBUTION

NOT FOR SALE OR DISTRIBUTION NOT FOR SALE LLC © Jones & Bartlett Learning, © Jones & Bartlett Learning, LLC © Jones & Bartlett
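As an added illustration of the summary's point about dynamically constructed queries (example code written for this page, not the textbook's), the following Python program builds a login query of the kind Exercise 8.8 refers to in two ways, by string concatenation and with placeholders, over a constructed in-memory SQLite copy of the Student table from Exercise 8.8. The sample rows, the example.edu addresses and the is_valid_user_id allow-list are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows for the Student table of Exercise 8.8 (column names
# from the page; the values are made up for this example). A real application
# would store a salted password hash, never the password itself.
SAMPLE_STUDENTS = [
    (1001, "Smith", "Ann", "ann@example.edu", "asmith", "s3cret"),
    (1002, "Lee", "Bob", "bob@example.edu", "blee", "hunter2"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample Student rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Student (studentID INTEGER PRIMARY KEY, lastName TEXT, "
        "firstName TEXT, email TEXT, userID TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO Student VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_STUDENTS)
    return conn


def login_dynamic(conn, user_id, password):
    """Vulnerable form: unvalidated input is pasted into the SQL text, so the
    caller can change the structure of the query, not just its values."""
    sql = ("SELECT studentID FROM Student WHERE userID = '" + user_id
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, user_id, password):
    """Hardened form: placeholders keep the input as data; the DBMS never
    parses it as SQL, whatever characters it contains."""
    sql = "SELECT studentID FROM Student WHERE userID = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user_id, password))]


# Assumed allow-list for user IDs: letters, digits and underscore, 3 to 32 chars.
USER_ID_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def is_valid_user_id(user_id):
    """Input validation as a second layer: reject anything outside the
    expected shape before it reaches the database at all."""
    return USER_ID_RE.fullmatch(user_id) is not None


if __name__ == "__main__":
    db = make_db()
    good = ("asmith", "s3cret")
    # A password value containing a quote and a tautology: in the dynamic
    # query the WHERE clause ends in ... OR '1'='1' and matches every row.
    bad = ("asmith", "x' OR '1'='1")
    print("dynamic, good credentials :", login_dynamic(db, *good))
    print("dynamic, bad credentials  :", login_dynamic(db, *bad))
    print("parameterized, bad        :", login_parameterized(db, *bad))
    print("user id validation        :", is_valid_user_id(good[0]), is_valid_user_id(bad[1]))
```

The same input yields every student under the concatenated query and no rows under the parameterized one, which is the difference the summary's "dynamic construction of queries" warning is about.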