Security Issues in the Database Language SQL
W. TimothyPolk Lawrence E. Bassham July 30, 1993 ii
Abstract
The Database Language SQL (SQL) is a standard interface for accessing and ma-
nipulating relational databases. An SQL-compliant database management system
(DBMS) will include a minimum level of functionalityina varietyofareas.However,
many additional areas are left unsp eci ed by the SQL standard. In addition, there
are multiple versions of the SQL standard; the functionalitywillvary according to
the particular version.
This do cument examines the security functionalitythatmight b e required of rela-
tional DBMS's, and compares them with the requirements and options of the SQL
sp eci cations. The comparison will show that the security functionality of an SQL-
compliant DBMS mayvary greatly.Avariety of security p olicies are considered which
can b e supp orted by SQL. The do cumentendsbyshowing whichtyp es of functions
are required by the examined security p olicies. iv
Contents
1 Intro duction 1
1.1 Audience :: :: :: :: :: ::: :: :: :: :: ::: :: :: :: :: :: 1
1.2 The Standards :: :: :: ::: :: :: :: :: ::: :: :: :: :: :: 1
1.3 Using This Do cument : :: ::: :: :: :: :: ::: :: :: :: :: :: 2
1.4 Security Considerations :: ::: :: :: :: :: ::: :: :: :: :: :: 3
2 SQL Architecture 5
2.1 SQL Functionality :: :: ::: :: :: :: :: ::: :: :: :: :: :: 5
2.2 SQL Implementation : :: ::: :: :: :: :: ::: :: :: :: :: :: 6
2.3 Security Resp onsibilities: The SQL Comp onent :: :: :: :: :: :: 7
2.4 Security Resp onsibilities: Non-SQL Comp onents :: :: :: :: :: :: 8
2.4.1 Application Interface to SQL : :: :: ::: :: :: :: :: :: 8
2.4.2 SQL Interface to Physical Database :: ::: :: :: :: :: :: 8
2.4.3 SQL Interface to Non-SQL DBMS : :: ::: :: :: :: :: :: 9
2.4.4 Interface to Remote Databases : :: :: ::: :: :: :: :: :: 9
3 SecurityPolicy 11
3.1 Discretionary Access Control :: :: :: :: :: ::: :: :: :: :: :: 11
3.1.1 Privileges : :: :: ::: :: :: :: :: ::: :: :: :: :: :: 11
3.1.2 Authorization Identi er :: :: :: :: ::: :: :: :: :: :: 13
3.1.3 Roles :: :: :: :: ::: :: :: :: :: ::: :: :: :: :: :: 14
3.2 Mandatory Access Control ::: :: :: :: :: ::: :: :: :: :: :: 14
3.2.1 Polyinstantiation : ::: :: :: :: :: ::: :: :: :: :: :: 15
3.2.2 TCB Subset Architecture : :: :: :: ::: :: :: :: :: :: 17
3.2.3 Trusted Sub ject Architecture : :: :: ::: :: :: :: :: :: 18
3.2.4 IntegrityLockArchitecture :: :: :: ::: :: :: :: :: :: 18
3.3 Schema Manipulation : :: ::: :: :: :: :: ::: :: :: :: :: :: 20
3.4 Integrity Constraints : :: ::: :: :: :: :: ::: :: :: :: :: :: 20
3.4.1 Table Constraints : ::: :: :: :: :: ::: :: :: :: :: :: 20
3.4.2 Column Constraints and Check Constraints :: :: :: :: :: 22
3.4.3 Assertions : :: :: ::: :: :: :: :: ::: :: :: :: :: :: 23
3.4.4 Domains :: :: :: ::: :: :: :: :: ::: :: :: :: :: :: 23
3.4.5 The SQL'89 SecurityBug : :: :: :: ::: :: :: :: :: :: 24 v
3.5 Ob ject Reuse : :: :: :: ::: :: :: :: :: ::: :: :: :: :: :: 24
3.6 Lab els ::: :: :: :: :: ::: :: :: :: :: ::: :: :: :: :: :: 24
3.7 Inference :: :: :: :: :: ::: :: :: :: :: ::: :: :: :: :: :: 25
3.8 Aggregation :: :: :: :: ::: :: :: :: :: ::: :: :: :: :: :: 26
4 Accountability 27
4.1 Identi cation & Authentication :: :: :: :: ::: :: :: :: :: :: 27
4.2 Auditing :: :: :: :: :: ::: :: :: :: :: ::: :: :: :: :: :: 28
5 Assurance 29
5.1 Testing and Evaluation :: ::: :: :: :: :: ::: :: :: :: :: :: 29
5.1.1 FIPS Conformance ::: :: :: :: :: ::: :: :: :: :: :: 30
5.1.2 NCSC Evaluation : ::: :: :: :: :: ::: :: :: :: :: :: 31
5.2 Reliability : :: :: :: :: ::: :: :: :: :: ::: :: :: :: :: :: 31
5.2.1 Fault Tolerant Systems : :: :: :: :: ::: :: :: :: :: :: 31
5.2.2 Disk ArrayTechnology : :: :: :: :: ::: :: :: :: :: :: 32
5.3 Transaction Management(Integrity) : :: :: ::: :: :: :: :: :: 33
5.4 Diagnostics Management : ::: :: :: :: :: ::: :: :: :: :: :: 34
6 Summary/Recommendations 35 vi
1 Intro duction
Federal agencies maintain an increasing amountofvaluable and sensitive information
in relational database management systems (DBMS). These agencies are required
to utilize Federal Information Pro cessing Standard (FIPS) 127-compliant database
1
management systems. FIPS 127 sp eci es the Database Language SQL (SQL) for
accessing and manipulating relational databases.
SQL requires certain levels of functionalityinschema sp eci cation, retrieval and
mo di cation of data, and transaction management. However, a numb er of security-
relevant areas are not addressed. As a result, SQL-compliant DBMS systems o er
varying levels of security functionality.
This do cument examines the various security asp ects of SQL. Security-relevant fea-
tures are identi ed, in conjunction with the version of the SQL standard that sup-
p orts them. Critical but unsp eci ed security features are noted, as well as the typ es
of mechanisms that could b e o ered byvendors.
Finally, three broad security p olicies are examined. The level of supp ort o ered by
the various SQL versions is contrasted for each p olicy, and critical controls unsp eci ed
byanyversion of SQL are identi ed.
1.1 Audience
This do cumentisintended to assist information technology (IT) managers in the se-
lection of DBMS's with appropriate security functionality. IT managers with knowl-
edge of security p olicies and mechanisms, and familiarity with DBMS's will nd it
most useful. However, the do cument do es not assume that familiarity.Background
information regarding b oth security and databases is included to assist the reader.
1.2 The Standards
SQL is a widely used language for accessing and manipulating relational databases.
Several levels of SQL are de ned; these levels are generally upwardly compatible.
Certain security-relevant features are required in an SQL-compliant DBMS. Other
security features are not sp eci ed by SQL, but may app ear in particular pro ducts.
The exact functionality of an SQL-compliantDBMSvaries according to the particular
1
SQL is not an acronym, although it derives from \Structured Query Language." The complete
name is Database Language SQL. 1
1 INTRODUCTION
SQL sp eci cation and the set of unsp eci ed enhancements which are also included.
The basic SQL de nition is ANSI X3.135-1989, Database Language - SQL with In-
tegrity Enhancement [ANS89a], and will b e referred to as SQL'89. The functionalityof
SQL'89 includes schema de nition, data manipulation, and transaction management.
SQL'89 and ANSI X3.168-1989, Database Language - EmbeddedSQL[ANS89b], form
the basis for FIPS 127-1 [FIP90].
ANSI X3.135-1992 [ANS92] describ es an enhanced SQL, known as SQL'92. The en-
hancements include schema manipulation, dynamic creation and execution of SQL
statements, and network environment features for connection and session manage-
ment. FIPS 127-2 [FIP93] is based up on X3.135-1992.
Finally, a third version of SQL is currently under development in ANSI and ISO.
This version will b e referred to as SQL3 in the remainder of this do cument. SQL3
enhancements will include the ability to de ne, create, and manipulate user-de ned
data typ es in addition to tables.
ISO/IEC Draft International Standard 9579-1 [ISO90a ] and 9579-2 [ISO90b] de ne
the Remote Database Access (RDA) standard. RDAprovides a metho d for intercon-
necting database management systems. 9579-1 describ es the generic mo del; 9579-2
presents the SQL sp ecialization information.
1.3 Using This Do cument
Section 2, SQL Architecture,provides an overview of the functionalityandinteraction
of the comp onents of a system supp orting an SQL-compliant DBMS. The section
includes a survey of the security resp onsibilities of each comp onentinsuch a system.
Sections 3, 4, and 5 present required features and enhancemants of SQL-compliant
2
DBMS systems. These sections are structured to re ect the Security Requirements
describ ed in [TCS85 ]. Section 3 presents mechanisms that can b e used to enforce
Security Policy. Section 4 addresses Accountability mechanisms. Section 5 includes
Assurance measures. (The TCSEC security requirement Documentation is omitted.)
The content of these sections do es not strictly adhere to the TCSEC security require-
ments. Items are added or omitted to re ect the requirements of non-DoD federal
agencies. Mo di cations include:
2
\Enhancements" are features which are not sp eci ed in the SQL sp eci cations, but are not
ruled out by the standard either. The vendor has the option of including such features for pro duct
di erentiation. 2
1.4 Security Considerations
augmenting the integrity requirements in security p olicy;
omission of covert channels;
inclusion of fault tolerant hardware, such as Redundant Array of Inexp ensive
Disks (RAID) storage units;
discussion of assurance value of FIPS conformance testing; and
discussion of inference and aggregation.
The nal section of this pap er presents a review of required and optional security
features. These features are examined in conjunction with general securitychoices
(e.g., mandatory vs. discretionary access control). The level of supp ort o ered by
the various SQL versions is contrasted for each of these choices, and critical controls
that are not sp eci ed byanyversion of SQL are identi ed.
1.4 Security Considerations
The basic security requirements are, as always, preservation of con dentialityand
integrity while maintaining availability. There are a numb er of sp eci c threats within
these categories that merit sp ecial consideration here.
Inference and aggregation are usually considered threats to mandatory access control
p olicies. There are also a numb er of DBMS sp eci c security issues, such as referential
integrity and p olyinstantiation. Classic op erating systems problems suchasdeadlock
and transaction completion problems must also b e considered.
The following de nitions will b e used in this do cument:
inference: Derivation of new information from known information. The infer-
ence problem refers to the fact that the derived information may b e classi ed
at a level for which the user is not cleared. The inference problem is that of
users deducing unauthorized information from the legitimate information they
acquire.[Thu92]
aggregation: The result of assembling or combining distinct units of data when
handling sensitive information. Aggregation of data at one sensitivitylevel may
result in the total data b eing designated at a higher sensitivitylevel.[Rob91]
p olyinstantiation: Polyinstantiation allows a relation to contain multiple rows
with the same primary key; the multiple instances are distinguished by their
security levels.[SFD92]
referential integrity: A database has referential integrity if all foreign keys ref-
erence existing primary keys.[Cam90] 3
1 INTRODUCTION
entityintegrity: A tuple in a relation cannot haveanull value for anyofthe
primary key attributes.[DJ92]
granularity: The degree to which access to ob jects can b e restricted. Granu-
larity can b e applied to b oth the actions allowable on ob jects, as well as to the
users allowed to p erform those actions on the ob ject.
An example of p olyinstantiation is included in section 3.2, Mandatory Access Control.
Examples of inference and aggregation may b e found in sections 3.4 and 3.5, Inference
Controls and Aggregation resp ectively. 4
2 SQL Architecture
This section b egins with a brief description of the functionality of SQL. Secondly,a
mo del of an SQL implementation is presented. Finally, the security problems asso ci-
ated with each comp onent of the mo del are highlighted.
2.1 SQL Functionality
SQL de nes standard comp onents and facilities for relational database management
systems. The comp onents of an SQL database are schemas, tables,andviews. A
schema describ es the structure of related tables and views. Tables hold the actual
data in the database; they consist of rows and columns. Eachrow is a set of columns;
each column is a single data element. Views are derived tables, and may b e comp osed
of a subset of a table or the result of table op eration (e.g., a join of di erent tables).
The SQL standard describ es facilities to p erform four sp eci c functions:
Schema De nition: Used to de ne the structure of the database, integrity con-
straints, and access privileges;
Retrieval: Retrieve data from a database with a standard query interface;
Data Manipulation: Populate and mo dify the contents of a database by adding,
mo difying or deleting rows and columns;
3
Schema Manipulation : Mo dify the structure, integrity constraints, and privi-
leges asso ciated with the tables and views in the database; and
Transaction Management: The ability to de ne and manage SQL transactions.
Each of these comp onents is related to certain security threats. Schema de nition
and manipulation relate to problems of inference and aggregation. Data retrieval
tasks must conform to con dentiality p olicies. Data manipulation must conform to
integrity p olicy.Transaction managementcontributes to maintaining the integrityof
the database.
3
Schema manipulation is intro duced in SQL'92. These facilities are unsp eci ed in SQL'89. 5
2 SQL ARCHITECTURE
Application
SQL Processor
OS
SQL
Database
Figure 1: Standalone mo del.
2.2 SQL Implementation
To p erform the security analysis, it is necessary to assume some architecture for an
SQL implementation. Figure 1 depicts a standalone mo del, which can b e imple-
mented with anylevel of SQL. Figure 2 depicts a client/server mo del, which can b e
implemented in a standard fashion with SQL'92 or SQL3 together with RDA (ISO
9579). Client/server implementations with SQL'89 will b e proprietary and may not
be interop erable with other SQL pro ducts without the use of sp ecial gateways. The
rst mo del shows an application interfacing with an SQL pro cessor, whichinterfaces
with a physical database on a lo cal system. This mo del can b e implemented with any
version of SQL. The second mo del, a simpli cation of the mo del presented in [GS92]
requiring SQL'92 or SQL3, has the following features:
An application, written in the SQL query language or utilizing emb edded SQL,
will communicate with an SQL server.
The SQL server may directly access an SQL-compliant database.
The SQL server may access a database that is not SQL-compliant through an
appropriate database pro cessor.
The SQL server may act as a client and access a remote database.
The SQL server may access a remote database by utilizing implementation-
de ned communications software and de facto standards. 6
2.3 Security Resp onsibilities: The SQL Comp onent
Application
RDA SQL Processor Remote Database Server
non-SQL processor
OS OS OS
SQL non-SQL remote
data data data
Figure 2: Client/server mo del.
The SQL server utilizes the OS services of the lo cal host to access and store
4
data on the system.
2.3 Security Resp onsibilities: The SQL Comp onent
There are valid security considerations for each of the four areas of SQL functionality:
Database Schema: The database schema must b e well designed to ensure that
aggregation and inference are not threats.
Retrieval: The SQL server is resp onsible for maintaining access control for SQL
level ob jects.
Mo di cation: The SQL server is resp onsible for maintaining access control for
SQL level ob jects. The SQL server is resp onsible for enforcing typ e checking
and ranges; these are external consistency issues. The SQL server is resp onsible
4
In certain cases, such as database machines, the system may not have a general purp ose op erating
system. The system will still o er certain services to the SQL layer, though. 7
2 SQL ARCHITECTURE
for enforcing check constraints and uniqueness requirements; these are internal
consistency issues.
Transaction Management: The SQL server must ensure orderly access to data
5
when concurrent transactions attempt to access and mo dify the same data.
The SQL server must provide appropriate transaction management features:
6
incomplete transactions can result in loss of external consistency - the tables
and elements are no longer \synchronized."
2.4 Security Resp onsibilities: Non-SQL Comp onents
2.4.1 Application Interface to SQL
The interface b etween the SQL pro cessor and an application may utilize the emb edded
SQL language or the SQL language (interactively or invoked bya front-end pro cessor).
The application must supply accurate information regarding the identity of the user
to the SQL pro cessor. This places two requirements on the system: appropriate
selection and managementofidenti cation and authentication (I&A) controls and
control of this critical attribute's propagation.
If the I&A control is weak or p o orly managed, there is little assurance of accuracy
for this attribute. Consider passwords where the account name and password are
identical (a.k.a., \jo e accounts"). If an application accesses SQL for such an account,
there is an increased probability that the actual user is not the authorized account
user. Identity-based controls b ecome severely weakened.
Some systems include programs or features that allow users to mo dify their identity.
The UNIX op erating system, for instance, includes the le attributes setuid,which re-
sets the user id, and setgid, which re-sets the group id. Termination of the program
is intended to cause the old user and group id's to resume. However, aws in the
implementation of these features mayallow a user to continue to masquerade as the
other user, executing SQL programs with unauthorized privileges.
2.4.2 SQL Interface to Physical Database
The op erating system provides the basic services that enable the SQL pro cessor to
store, retrieve, and mo dify data on the system. The op erating system is resp onsible
5
Deadlo ck (and denial of service) is one p ossible result of such concurrent transactions; loss of
data integrity is another.
6
as de ned by Clark and Wilson in [CLARK87]. 8
2.4 Security Resp onsibilities: Non-SQL Comp onents
7
for guaranteeing the simple integrity of the data and preventing denial of service.
The op erating system must also prevent data from b eing accessed outside the SQL
pro cessor. Access to raw DBMS les, database exp ort les, or journal les may violate
security p olicy. Such actions can result in loss of integrity (e.g., improp er mo di cation
of data) or con dentiality (e.g., bycircumventing internal access controls of SQL).
2.4.3 SQL Interface to Non-SQL DBMS
The SQL interface to non-SQL DBMS's is unsp eci ed in SQL'89. SQL'92 intro duces
the concepts of an SQL client and an SQL server. By matching an SQL client with
a non-SQL server, SQL queries may b e p erformed on non-conforming databases;
however, this requires that the non-SQL server provide an SQL-conformant view of
its services and data.
The interface b etween a client and server must b e protected. Other pro cesses on the
system could eavesdrop, insert incorrect information, or p erhaps even delete informa-
tion. These actions would result in loss of integrity or con dentiality.
2.4.4 Interface to Remote Databases
The RDA standard is designed as a generic interface b etween lo cal and remote
database servers. RDA also has an SQL Sp ecialization for connecting SQL-compliant
databases. Currently,RDA is only de ned for use in an OSI network environment.
Partially conformant pro ducts which use TCP/IP are also available.
Use of RDA on an op en network may exp ose the system to many threats. Eaves-
dropping, packet replay, and host sp o o ng are likely threats. These threats can b e
minimizedby employing encryption techniques and strong authentication measures.
The RDA standard allows for exchange of authentication data. However, it is not
required. Encryption techniques may b e employed at several di erentlayers of the
OSI stack. RDA do es not require or forbid suchtechniques; therefore, the security
achieved will b e dep endent up on the implementation.
Where proprietary proto cols are used, the system will b e exp osed to all the same
threats as use of RDA. From a security standp oint, the same threats must b e ad-
dressed. (From an op en systems standp oint, there are also interop erability problems.)
In addition, if a translator gateway is required this may add a single p oint of failure
to a distributed database architecture.
7
Simple integrity refers to the op erating system reading and writing data in a predictable manner. 9
2 SQL ARCHITECTURE 10
3 SecurityPolicy
This section addresses mechanisms for enforcing security p olicy on computer sys-
tems. It concentrates on controlling the access to, and mo di cation of, data. This
corresp onds roughly to con dentialityandintegrity p olicy although availability can
sometimes b e a ected.
The section b egins by addressing access control mechanisms. Discretionary and
mandatory access controls are examined in turn. Next, the section reviews integrity
constraints. This is followed by the more traditional security features of ob ject reuse
and lab eling. The section closes by examining mechanisms for controlling inference
and aggregation.
3.1 Discretionary Access Control
Discretionary access control (DAC) is a means by which access to ob jects is restricted
to sp eci c users or groups of users. The access control is discretionary in that access
privileges may b e passed on to other users, either directly or indirectly,by the owner
of the ob ject.
3.1.1 Privileges
Privileges are the means by which SQL enforces DAC. Privileges are granted with a
Grant statement and are used to sp ecify an allowable action on a sp eci c ob ject, e.g.,
to UPDATE the rows in a sp eci c table, to a grantee.
SQL'89
SQL'89 de nes the following ve privileges which establish the granularity of access
available to users of the database: INSERT, DELETE, SELECT, UPDATE,and
REFERENCES.
The INSERT privilege grants a user the ability to create new rows in a base
table or a viewed table. If the new row is to b e added to a base table, the
candidate rowmust include every column of the base table for which no default
value has b een either implicitly or explicitly de ned. If the candidate rowisto
b e added to a viewed table, the candidate rowmust include every column in
the base table from which the viewed table is derived. Additionally, the view
must b e up datable. 11
3 SECURITY POLICY
The DELETE privilege grants a user the ability to delete rows from a table.
In order to delete rows from a table or view, the delete privilege needs to have
been granted and the view must not b e read-only.
The SELECT privilege grants a user the ability to retrievevalues from a table.
Essentially, the select privilege allows users to read tables.
The UPDATE privilege grants users the ability to up date, or change, the con-
tents of a row in a table. In addition, to p erform up dates on a view, the view
must not b e read-only. Column constraints can b e sp eci ed when granting this
privilege; that is, a user maybeallowed to up date certain columns within a
table or view.
The REFERENCES privilege grants a user the ability to sp ecify a foreign key
reference across schemas. Foreign keys are elds which coincide with a unique
eld (e.g., primary key elds) in the grantor's table. A security implication
of the references privilege is that it can b e used, p ossibly inadvertently,to
implement a denial of service attack. When table B references table A, records
from table A cannot b e deleted or the primary key eld cannot b e changed
if a record from table B corresp onds to that record from table A. Another
security implication of the references privilege is that a user could, based on
the constraint de nition, determine all legal values for the referenced column.
A p olicy violation would o ccur if this information was used to infer knowledge
from which a user had b een exluded.
Privileges can b e granted to individuals or to everyone (if PUBLIC is sp eci ed).
Caution should b e used when utilizing the PUBLIC sp eci er. Additionally, privileges
can b e granted with the WITH GRANT OPTION. This gives the grantee of a privilege
the ability to subsequently grant that privilege to other users. As a result, the owner
may lo ose control over his own table. Finally, privileges can b e granted one byone,
as a comma separated list, or with the ALL sp eci er. The ALL sp eci er, however,
refers only to those privileges grantable by that user.
A signi cant security aw in SQL'89 is the fact that there is no standard wayto
revoke privileges. As job requirements change, necessary access to the database could
also change. It should b e noted that the standard do es not exclude vendors from
incorp orating a statement for revoking privileges into an implementation, and many
8
vendors do include such a statement. The standard simply do es not require sucha
statement, or sp ecify the semantics of such a statement if included.
8
In fact, the authors do not knowofany pro duct which omits a mechanism for revoking privilege. 12
3.1 Discretionary Access Control
SQL'92
A new privilege has b een de ned for SQL'92. The USAGE privilege is used to allowor
restrict access to domains, collations, character sets, and translations. Additionally,
all privileges from SQL'89 hold with the following extensions:
The INSERT privilege can b e sp eci ed with a column constraintaswell as on
whole tables. (SQL'89 sp eci ed column constraints only for the UPDATE and
REFERENCES privileges.)
The REFERENCES privilege has several extensions. These extensions maintain
referential integrity on delete and up date op erations in the base table. Instead
of a delete or up date op eration in the base table b eing blo cked b ecause the
record is referenced in another table, the reference can b e sp eci ed with one of
the following actions:
{ The CASCADE sp eci er will propagate the change from the base table to
the referencing table. On up date, the up date will app ear in the referenc-
ing table. On delete, matching rows in the referencing table will also b e
deleted.
{ The SET NULL sp eci er will set, for b oth up date and delete, the refer-
encing column in all matching rows to the null value.
{ The SET DEFAULT sp eci er will set, for b oth up date and delete, the
referencing column in all matching rows to the default value, as sp eci ed
with the \
{ The NO ACTION sp eci er p erforms no referential integrity function. It is
included for backward compatibility reasons. It results in the same func-
tionality as SQL'89. When no referential integrity constraint is sp eci ed,
theNOACTION sp eci er is implicit.
SQL'92 adds the REVOKE statement. With this statement, all grantable access
privileges can b e revoked. The revoke statement can also b e used to revoke the grant
option from a user. As a result that user could no longer grant privileges to other
users.
3.1.2 Authorization Identi er
For b oth SQL'89 and SQL'92
to sp ecify users (e.g.,
dep endentway. This means SQL do es not de ne how op erating system users are
mapp ed to SQL users. See Section 4.1, Identi cation and Authentication, for more
information. 13
3 SECURITY POLICY
3.1.3 Roles
With currentversions of the SQL standard, maintenance of appropriate access control
restrictions is dicult. The Grant and Revoke statements are available to allo cate
individual privileges, but this leaves much for an administrator to maintain. A change
in job requirements by one user can require manychanges to database access for that
user. To complicate matters further, if the user whose job requirements changed has
granted privileges to other users, those privileges must b e examined for correctness.
Another drawback of the current privilege system is that a user accumulates privileges
required for di erent job functions. For example, separate job functions for one
individual may include payroll clerk and purchasing agent. It may b e desirable to
allow the user access to only payroll related ob jects while p erforming payroll clerk
functions and purchasing related ob jects while p erforming purchasing agent functions.
SQL3, the newest version of SQL b eing develop ed, has an enhanced facility for the
manipulation of access rights. In addition to the existing Grant and Revoke state-
ments, a new construct, called Roles, is b eing develop ed. This facility will allow
database administrators to create individual roles with corresp onding database ac-
cess requirements. Then, for example, when a user's job requirements change to no
longer include payroll clerk activities, only one Role needs to b e revoked instead of
revoking access privileges to all ob jects needed only for payroll clerk activities.
An additional b ene t of Roles is that a user can have only one Role active at a time.
This would allow a user to access only payroll related ob jects when working under
the Payroll Role, and access pro curement related ob jects when working under the
Purchasing Role.
3.2 Mandatory Access Control
Mandatory access control (MAC) is not supp orted directly in SQL. However, there are
several di erent metho ds for implementing a mandatory access control mo del. The
ma jor architectures for trusted DBMS pro ducts [Cam90] are the Trusted Computing
Base (TCB) Subset Architecture (Figure 6), Trusted Sub ject Architecture (Figure 7),
and IntegrityLockArchitecture (Figure 8). Eachisintended for use with a Trusted
Op erating System (OS), but requires di erentcontrols.
It should b e noted that an SQL-based DBMS with mandatory access controls can b e
designed without mo di cation of the SQL syntax. However, certain mo di cations in
SQL semantics must b e made if p olyinstantiation is used to control inference. 14
3.2 Mandatory Access Control
3.2.1 Polyinstantiatio n
Polyinstantiation is frequently used with mandatory access control database systems
to control inference. This section is intended to explain p olyinstantiation. Inference,
and the application of p olyinstantiation for inference control, are describ ed in Section
3.4, Inference.
In the following example, the database is a single relational table. The table contains
two columns: Patient name and Disease. The Patientname eldisthekey for this
table. There are two clearance levels, HIGH and LOW. Two sets of data exist; the
rst set is HIGH data (Figure 3) and the second is the LOW data set (Figure 4).
Patient Disease Name
Howard AIDS Gordon Syphilis
Jackson Gunshot wounds
Figure 3: HIGH data.
The HIGH data include patients under p olice guard, suchasJackson,orpatients with
con dential diseases. The LOW data include all other patients, and p erhaps some of
the HIGH patients with di erent data.
Patient Disease Name
Smith Lung Cancer Howard Pneumonia Jones 2nd degree burns
Hamp heart failure
Figure 4: LOW data.
When users with LOW securitylevel browse the database, they are only p ermitted
to see the LOW data. If a user wishes to add a LOW record with primary key X, the
command is accepted even if a HIGH record exists with that key.
When a user with HIGH securitylevel browses the database, he sees all of the HIGH
records, as well as the LOW records with a primary key that is not found in the HIGH 15
3 SECURITY POLICY
Patient Name Disease
Howard AIDS Smith Lung Cancer Gordon Syphilis Jackson Gun Shot wound Jones 2nd degree burns
Hamp heart failure
Figure 5: HIGH user's view.
data. The resulting table is shown in Figure 5. Note that the record for Howard do es
not app ear twice; only the HIGH level record app ears.
This feature may b e useful in a number of ways. LOW users cannot determine if a
HIGH record exists with key Gordon by attempting to create a record and checking
for an error message. Dual records could b e used, as in the case of Howard, to prevent
LOW users from discovering the true nature of Howard's illness. This is intended to
prevent disclosure by inference.
In many situations, p olyinstantiation may b e implemented by a lo cal database secu-
rity administrator using only standard features from SQL'89. The ab ove example is
easily implemented with two base tables, known only to the security administrator,
and a single view available to all other users.
BaseTable1(PatientName,Disease,Level) with Primary Key(PatientName,Level)
BaseTable2(UserName,SecurityLevel) with Primary Key(UserName)
CREATE VIEW PatientInfo(PatientName,Disease)
AS SELECT PatientName,Disease
FROM BaseTable1
WHERE BaseTable1.Level = (SELECT SecurityLevel FROM BaseTable2
WHERE UserName = CURRENT USER
)
OR
(BaseTable1.Level = "LOW"
AND
NOT EXISTS (SELECT * FROM BaseTable1 AS X
WHERE X.PatientName = BaseTable1.PatientName 16
3.2 Mandatory Access Control
AND X.Level = "HIGH"
)
)
With view optimization techniques available in most SQL-conformant pro cessors, user
access through the PatientInfo view should su er no signi cant p erformance p enalty
over direct access to BaseTable1.
This view is always up dateable, provided that a DEFAULTvalue exists for Level in
BaseTable1. In SQL'89 and SQL'92, the default clause do es not allow a case expansion
to determine the default, so one cannot sp ecify in the schema that insert values for
Level are HIGH for high level users and LOW for lowlevel users. Instead, one would
9
sp ecify a default and all new inserts would havethatLevel initially assigned.
Ensuring that new inserts are all assigned the appropriate securitylevel requires a
second view, to b e used only by HIGH level users. The second view would assign
inserts a HIGH value for Level by default. The rst view would have a default of
LOWforLevel.
3.2.2 TCB Subset Architecture
The TCB Subset mo del implements MACby maintaining the database in multiple,
single-level, les. The op erating system enforces the access control p olicy, restricting
the DBMS pro cess to appropriate information. This means that the DBMS do es
not have to b e trusted, so evaluation is simpli ed. The DBMS might still enforce
privilege based access controls, but would not enforce MAC p olicy.IfnoDAC p olicy
is required, all users would have all privileges for all tables.
The TCB Subset mo del implies p olyinstantiation. If a record r exists with keys K,
1
but is classi ed SYSTEM HIGH, a SYSTEM LOW user cannot see it. If a SYSTEM
LOW user attempts to add a record r with keys K, the system must do so. Nowthe
2
DBMS has two records with the same set of keys in the same table. SYSTEM LOW
users will see r . SYSTEM HIGH users will see r instead; r is considered incorrect.
2 1 2
This can reduce inference problems, but results in a varietyofintegrity problems.
Thedatainthetwo records may b ecome out-of-date. Then if one record is changed,
but the other is not, the DBMS loses integrity.
Note that this is quite complicated if categories are b eing utilized. The TCSEC
suggests that MAC systems supp ort a minimum of eight securitylevels and 256
9
The emerging SQL3 sp eci cation includes facilities that easily get around this problem. 17
3 SECURITY POLICY
High User Low User
High DBMS Low DBMS Process Process
Trusted Operating System
High Low Database Database
File File
Figure 6: TCB Subset Architecture.
categories. Since the les must supp ort combinations of categories for each level,
the numb er of les is unmanageable. Toavoid this problem, the DBMS could have
to enforce the category asp ect, but this defeats the purp ose of the architecture: the
DBMS pro cess must b e a trusted pro cess.
3.2.3 Trusted Sub ject Architecture
ATrusted Sub ject Architecture DBMS enforces b oth MAC and DAC. The database
is stored on the system as SYSTEM HIGH OS ob jects. Within those les, DBMS
ob jects are lab eled according to security p olicy. Those lab els are used as the basis
for MAC enforcement. DAC enforcement is based up on the usual SQL DAC sp eci -
cations.
The Trusted Sub ject Architecture do es not imply or rule out p olyinstantiation. Sup-
p ort for p olyinstantiation must b e built in if it is required.
3.2.4 IntegrityLockArchitecture
The IntegrityLockArchitecture uses an untrusted DBMS in conjunction with a
trusted OS and trusted lter to enforce security p olicy. The DBMS could enforce
DAC p olicy, but MAC p olicy and lab eling would b e enforced by the trusted lter. En- 18
3.2 Mandatory Access Control
User Application
Trusted Subject DBMS
Trusted Operating System
Database File
( High)
Figure 7: Trusted Sub ject Architecture.
Single-Level User Single-Level User Front End Front End
Untrusted Front End Trusted Filter
Trusted Operating System
Database File
( High)
Figure 8: IntegrityLock Architecture. 19
3 SECURITY POLICY
cryption and cryptographic checksums are employed to protect the security lab el from
mo di cation. The IntegrityLockArchitecture implies supp ort for p olyinstantiation.
This architecture allows use of o -the-shelf DBMS software. It has disadvantages due
to high overhead.
These are the most common architectures for MAC DBMS's, but are not the only
ones. They can also b e combined to some extent. For instance, the IntegrityLock
Architecture could b e used to add category enforcement to the TCB Subset Archi-
tecture.
3.3 Schema Manipulation
SQL'92 allows manipulation of the schema itself, rather than just the data. Columns
and constraints on columns can b e added or removed from tables. Additionally,
schema ob ject, such as domains and constraints, can b e altered or deleted. Also
new to SQL'92 are schema de nition tables. These tables are created by the SQL
pro cessor and are treated as views, in that they can b e accessed but not directly
changed in SQL.
3.4 Integrity Constraints
Data integrity is addressed byavariety of data constraints sp eci ed in the database
schema. These constraints describ e relationships b etween tables, relationships b e-
tween rows in a table, and p ermissible values for elements. Relationships b etween
tables, or b etween rows in a table, are known as table constraints. Range checks and
other sp eci cations for data values are element constraints.
3.4.1 Table Constraints
SQL'89
SQL'89 de nes three typ es of integrity constraints that may b e placed up on tables.
These constraints are:
unique constraints;
referential constraints; and
check constraints. 20
3.4 Integrity Constraints
T-1 T-2
T a b c d T a b c d
i i
T 2 2 3 4 T 2 2 3 4
1 1
T 2 2 4 4 T 2 2 4 4
2 2
T 2 2 3 5 T 2 2 3 5
3 3
T 6 2 3 4 T 2 6 3 4
4 4
Table 1: Uniqueness examples: contents of T-1 and T-2
SQL'89 also de nes with CHECK option on views.
A unique constraint de nition sp eci es a list of columns in the table T. T cannot
contain multiple rows where the values of each of the corresp onding columns are
identical. Each of the listed columns must b e de ned as NOT NULL.
Example: Assume T has columns fa,b,c,dg and is constrained for uniqueness on
fa,c,dg.Row T has values fa ,b ,c ,d g. T meets the constraint if there are no rows
i i i i i
T and T such that fa = a , c = c , and d = d g. In Table 1, T-1 meets the
j k j k j k j k
constraints, but T-2 do es not. Rows T and T are not unique for the sp eci ed
1 4
columns.
A referential constraint de nition sp eci es columns in T which reference keys in an-
other table F. If all sp eci ed columns in a row of T are non-null, then a rowinFmust
exist such that all corresp onding columns match. The table has referential integrity
10
if every row meets this criteria, or has a null value in the sp eci ed columns.
A check constraint de nition sp eci es a condition whichallrows in T must satisfy.
The condition may restrict a column, or may restrict relationships b etween columns.
(For example, within a row MAX-TEMP >= MIN-TEMP.) The condition is ternary;
it mayevaluate to \true," \false," or \unknown." The condition may sp ecify illegal
values or legal value ranges. The table do es not satisfy the check condition if and
only if there exists a row for which the condition evaluates to \false."
Views with check options are similar to check constraints up on tables. However, the
constraint is satis ed if and only if the condition evaluates to \true."
SQL'92
SQL'92 enhanced referential constraints with the MATCH FULL and MATCH PAR-
10
If one or more sp eci ed columns in the rowarenull, corresp ondence can not b e established. 21
3 SECURITY POLICY
TIAL sp eci cations. If no matchtyp e is sp eci ed, the functionalityisidentical to
SQL'89. If MATCH FULL is sp eci ed, then for eachrowinT:
all referencing columns must b e null; OR
all referencing columns must b e non-null and there must b e a rowinFsuch
that all corresp onding referencing columns are equal value.
If MATCH PARTIAL is sp eci ed, then for eachrowinT:
there must b e a rowinFsuch that all corresp onding referencing columns are
equal value, or a referencing column value in T is null.
3.4.2 Column Constraints and Check Constraints
SQL'89 de nes six typ es of integrity constraints that may b e placed up on columns.
These constraints are:
data typ e;
precision;
references sp eci cation;
default clause;
CHECK constraint de nition; and
NOT NULL.
The de ned data typ es for SQL'89 are character strings and numb ers. The character
strings are sp eci ed with a xed length. Numb ers maybe exact numeric valuesor
approximate numeric values.
Exact numeric values include integers and real numb ers with a precision and scale.
A real numb er of exact numeric value is a string of decimal digits of length precision.
The exact numeric value is the integer value of the signi cant digits multipliedby