463.5.1 Database Access Control Tutorial Lars Olson UIUC CS463 Computer Security
Overview • Standard SQL access control syntax • Semantics of revocation • Reflective databases • Oracle Virtual Private Database policies • Hippocratic databases
Required • P. P. Griffiths and B. W. Wade: “An Authorization Mechanism for a Relational Database System” • Oracle Corporation: “Oracle Virtual Private Database” (white paper) • R. Agrawal et al.: “Hippocratic Databases” • Any database textbook or reference with SQL • H. Garcia-Molina et al.: “Database Systems: The Complete Book” • R. Ramakrishnan and J. Gehrke: “Database Management Systems
Access Control • A scheme for mapping users to allowed actions • Identity-Based Access Control • Role-Based Access Control • Attribute-Based Access Control • Discretionary Access Control mechanisms • An individual user can set the policy • e.g. Unix file permissions • Mandatory Access Control mechanisms • The policy is built into the system, individuals cannot modify it • e.g. memory protection mechanisms
Access Control for Databases • Challenges: • Multiple operations: select (read), insert/update/delete (write), reference, create trigger, execute stored procedure, create tables, ... • Table-level access control is too coarse-grained, cell-level access control is too tedious (more on that later) • SQL has standardized access control policy definition language • Security model developed by Griffiths and Wade in 1976
Quick SQL Review • Creating tables: createtable table_name ( column1 type1, column2 type2, ... ); • Deleting tables: droptable table_name;
Quick SQL Review • Types: • int • float • date • char(size) • Always delimited by single quote (apostrophe) • Use two single quotes to represent the apostrophe character • varchar(size) (varchar2 in Oracle) • text (long in Oracle)
Quick SQL Review • Querying tables: select column1, column2 from table_name; or select * from table_name; • Conditions: select columns from table_name where condition;
Quick SQL Review • Inserting new rows: insertinto table_name values (value1, value2); or insertinto table_name set column1=value1, column2=value2, ...; • Updating rows: update table_name set column1=value1 where condition;
Quick SQL Review • Deleting rows: deletefrom table_name where condition; • Set values in conditions: select * from table_name where column in (select_statement); or select * from table_name where column in (value1, value2, ...);
Quick SQL Review • Creating functions: create [orreplace] function function_name (parameters) return return_type as [declare_local_variables] begin ... end; /
SQL grant Syntax grant privilege_list on resource to user_list; • Privileges include select, insert, etc. • Resource may be a table, a database, a function, etc. • User list may be individual users, or may be a user group Griffiths Wade 76
Example Application • Alice owns a database table of company employees: name varchar(50), ssn int, salary int, email varchar(50) • Some information (ssn, salary) should be confidential, others can be viewed by any employee.
Simple Access Control Rules • Suppose Bob needs access to the whole table (but doesn’t need to make changes): grant select on employee to bob; • Suppose Carol is another employee, who should only access public information: grant select(name,email) on employee to carol; • not implemented in PostgreSQL (see next slide) • not implemented for select in Oracle • implemented in MySQL
Creating Views • Careful with definitions! • A subset of the database to which a user has access, or: • A virtual table created as a “shortcut” query of other tables • View syntax: createview view_name as query_definition; • Querying views is nearly identical to querying regular tables
View-Based Access Control • Alternative method to grant Carol access to name and email columns: createview employee_public asselect name,email from employee; grantselecton employee_public to carol;
Row-Level Access Control • Suppose we also allow employees to view their own ssn, salary: createview employee_Carol asselect * from employee where name='Carol'; grantselecton employee_Carol to carol; • And we allow them to update their e-mail addresses: grantupdate(email) on employee_Carol to carol; • (Or create yet another new view…)
Delegating Policy Authority grant privilege_list on resource to user_list withgrantoption; • Allows other users to grant privileges, including “with grant option” privileges • “Copy right” from Access Control lecture (slide 21) • Can grant subset privileges too • Alice: grantselecton table1 to bob withgrantoption; • Bob: grantselect(column1) on table1 to carol withgrantoption;
SQL revoke Syntax revoke privilege_list on resource from user_list; • What happens when a user is granted access from two different sources, and one is revoked? • What happens when a “with grant option” privilege is revoked?
Griffiths-Wade Model • Sequences of grant/ revoke operations • When a privilege is revoked, the ACLs should be indistinguishable from a sequence in which the grant never occurred.
Grants from Multiple Sources • grant(Alice,Bob) • grant(Alice,Carol) • grant(Carol,Bob) • revoke(Alice,Bob) • grant(Alice,Bob) • grant(Alice,Carol) • grant(Carol,Bob) • revoke(Alice,Bob) Bob Alice Carol
Not as Easy as it Looks! • grant(Alice,Bob) • grant(Bob,Carol) • grant(Carol,Bob) • revoke(Alice,Bob) • grant(Alice,Bob) • grant(Bob,Carol) • grant(Carol,Bob) • revoke(Alice,Bob) Bob Alice Carol
Cascading Revocations • grant(Alice,Bob) • grant(Alice,Carol) • grant(Carol,David) • grant(Bob,Carol) • revoke(Alice,Carol) • grant(Alice,Bob) • grant(Alice,Carol) • grant(Carol,David) • grant(Bob,Carol) • revoke(Alice,Carol) Alice ? Carol David Bob
Meanwhile, in the Real World... • Account privileges get changed all the time • We don’t always want to redo everything • Tedious • Involves other users’ actions • SQL revoke command has two optional arguments: • cascade: undoes all dependent grant commands • restrict: exits with failure if there exist dependent grants Ramakrishnan Gehrke 03
Cascading Revocations • How would “revokeselecton table1 from carol cascade” work in the previous example? • Only privileges granted solely through the revoked privileges will also be revoked. • If there exists a path in the graph from the grantor, then do not revoke. • Allows us to specify exceptions preemptively.
Disadvantages to SQL Model • Too many views to create • Tedious for many users, each with their own view • View redefinitions that change the view schema require dropping the view, redefining, then reissuing privileges • Fine-grained policies each require their own view— and no obvious way to see that the views come from the same table
Disadvantages (cont) • Complicated policy logic can be difficult to express and to update • Update anomalies • Updates need to be made in multiple places • If any steps are forgotten, the database is in an inconsistent state • e.g. Suppose we have an employees table, and all managers in this table get special update privileges.
Reflective Database Policies • Computational Reflection • Objects contain metadata about their own computation • Modifying metadata changes the actual computation process • Common example: Java’s java.lang.reflect package • Apply to database access control • The policy itself contains a database query • SQL Views may be reflective (in a limited way)
Application b Access Control Rules Database User a b Motivation for Reflective DBs • Database applications often need to serve multiple users • Programmers often give their applications elevated privileges
Motivation (cont) • Violates principle of least-privilege • Programming errors • Malicious attacks (e.g. SQL injection attacks) • Separates access control from the database • New policy may require updates on database and on application • Database may have other entry points • So why do programmers still do this? • Too many users to give database accounts • Complicated access policy logic
Enhanced Security Layer Application b (Optional access control) Database Access Control Rules User a a Ideal Model • Database enforces its own security • Can be implemented as wrapper on database or as part of the database
Database Query Table policy function VPD function evaluator User name Other data App-defined context Rewritten query Virtual Private Databases • Security model for Oracle • Policies are user-defined functions that return a condition for an SQL where clause • Applications can also define a “context,” e.g. for role-based access control Oracle 05
Features • Functions are executed each time the table is accessed. • Multiple functions can be attached to a table. • Different functions can be defined depending on: • Operation (read vs. write) • Columns being accessed
Simple Policy • Two users, Alice and Bob • Alice creates a table: createtable test (a intprimarykey, b varchar2(50)); insertinto test values(1, 'hello'); insertinto test values(2, 'world'); commit; • Alice wants to limit Bob’s access to the row where a=1 • Three steps: • Grant Bob access to the table: grantselecton test to bob; • Create a policy function • Attach the policy function to the table
Simple Policy createorreplacefunction testFilter (p_schema varchar2, p_obj varchar2) returnvarchar2as begin if (SYS_CONTEXT('userenv', 'SESSION_USER') = 'BOB') then return'a = 1'; else return''; endif; end; /
Simple Policy execute dbms_rls.add_policy( object_schema => 'alice', object_name => 'test', policy_name => 'FilterForBob', function_schema => 'alice', policy_function => 'testFilter', statement_types => 'select, update, insert',update_check => true); • Query the table, once as Alice and again as Bob: select * from alice.test;
Logging Policy • Alice wants to log all accesses to her test table • Create a log table: createtable logtable ( when date, entry long);
Logging Policy createorreplacefunction testLogging(p_schema varchar2, p_obj varchar2) returnvarchar2as begin insertinto alice.logtable values( sysdate, SYS_CONTEXT('userenv', 'SESSION_USER') || ',' || SYS_CONTEXT('userenv', 'CURRENT_SQL')); commit; return''; end; /
Logging Policy execute dbms_rls.add_policy( object_schema => 'alice', object_name => 'test', policy_name => 'LogAccesses', function_schema => 'alice', policy_function => 'testLogging', statement_types => 'select, update, insert',update_check => true);
Logging Policy • Query the test table again, once as Alice and again as Bob: select * from alice.test; • Query the logtable table: select * from logtable; • Note that the original query is recorded, not the rewritten query. • Note also that Bob cannot query logtable.
Reflective Policy • Alice wants the permissions on each row in her test table to be defined in another table, userperms. • Create the table: createtable userperms (username varchar2(50), a intreferences test); • Note the foreign key reference • Not required, but it can help optimization
Reflective Policy • Populate the table: insertinto userperms values('BOB', 1); insertinto userperms values('ALICE', 1); insertinto userperms values('ALICE', 2); commit; • Note the capital letters in BOB and ALICE • SQL commands are case-insensitive • Table values are case-sensitive
Reflective Policy createorreplacefunction testFilter(p_schema varchar2, p_obj varchar2) returnvarchar2as begin return'a in (select a from alice.userperms ' || 'where username = ''' || SYS_CONTEXT('userenv', 'SESSION_USER') || ''')'; end; /
Reflective Policy • Query the test table, both as Alice and as Bob: select * from alice.test; • Have Alice allow additional access to Bob, and then have Bob query test again: insertinto userperms values('BOB', 2); commit;
Reflective Policy • Notes: • Currently, Alice cannot insert new rows into test (since userperms only gives Alice access to a=1 or a=2) • Alice cannot insert new rows into userperms (since the foreign key constraint requires the a value to exist in test) • Solutions: • Alice can exempt herself by writing the logic in the function • Alice can be exempted after adding the policy: grantexemptaccesspolicyto alice; • Must be granted from system administrator • Exempts from all access policies, cannot specify table-by-table basis
Hippocratic Databases • Hippocrates: Greek physician, ~400 B.C. • Hippocratic Oath: statement of ethical conduct in medicine, includes respecting privacy of patients • Hippocratic Databases: • database with built-in privacy controls • requires merging security policies from database owner and from data owner(s) Agrawal et al. 02
Hippocratic DB Techniques • Query rewriting • Boolean opt-in/opt-out columns • VPD-like policies for each data cell
Key Points • Access control for databases requires scalability • SQL standard: • grant, revoke • with grant option • view-based access control • Reflective databases: • Oracle VPD policy functions • Hippocratic databases (data ownership and privacy policies)
Software Versions • PostgreSQL • testbed version 8.2 • MySQL • testbed version 5.0 • Oracle • testbed version 10.2 • Only Enterprise Edition has VPD • Other standard SQL databases • Microsoft SQL Server, IBM DB2, Sybase • should all work, but we don’t have testbeds