Database Security Issues

Database Security Issues:
They fall into two areas:
 
The two main database security issues this section addresses are aggregation and
inference.
 
Aggregation:
Aggregation happens when a user does not have the clearance or permission
to access specific information, but she does have permission to access components
of this information. She can then figure out the rest and obtain restricted information:
she learns information from different sources and combines it to learn something
she does not have the clearance to know.
Notes:
Aggregation is the act of combining information from separate
sources. The combination of the data forms new information, which the
subject does not have the necessary rights to access. The combined
information has a sensitivity that is greater than that of the individual parts.
 
For example, if a clerk were restricted from knowing the planned movements of
troops based in a specific country, but did have access to food shipment requirements
forms and tent allocation documents, he could figure out that the troops were moving
to a specific place because that is where the food and tents are being shipped. The food
shipment and tent allocation documents were classified as confidential, and the troop
movement was classified as top secret. Because of the varying classifications, the clerk
could access and ascertain top-secret information he was not supposed to know.
 
Solution:
The trick is to prevent the subject, or any application or process acting on behalf of
that subject, from indirectly gaining access to the inferable information. This problem
is usually dealt with in the development of the database by implementing content- and
context-dependent access control rules. Content-dependent access control is based on
the sensitivity of the data. The more sensitive the data, the smaller the subset of individuals who can gain access to the data.
 
Context-dependent access control means that the software "understands" what actions
should be allowed based upon the state and sequence of the request. So what
does that mean? It means the software must keep track of previous access attempts by
the user and understand what sequences of access steps are allowed.

Content-dependent access control can go like this: "Does Julio have access to File A?"
The system reviews the ACL on File A and returns with a response of "Yes, Julio can
access the file, but can only read it." In a context-dependent access control situation,
it would be more like: "Does Julio have access to File A?" The system then reviews
several pieces of data: What other access attempts has Julio made? Is this request out
of sequence with how a safe series of requests takes place? Does this request fall within
the allowed time period of system access (8 A.M. to 5 P.M.)? If the answers to all of
these questions are within a set of preconfigured parameters, Julio can access the file.
If not, he needs to go find something else to do.
 
 
Inference:
The other security issue is inference, which is the intended result of aggregation. The
inference problem happens when a subject deduces the full story from the pieces he
learned of through aggregation. This is seen when data at a lower security level indirectly
portrays data at a higher level.
Countermeasures:
Common attempts to prevent inference attacks are cell suppression, partitioning
the database, and noise and perturbation.
 
Cell suppression:
Cell suppression is a technique used to hide
specific cells that contain information that could be used in inference attacks.
 
Partitioning:
Partitioning a database involves dividing the database into different parts, which makes it much
harder for an unauthorized individual to find connecting pieces of data that can be
brought together and other information that can be deduced or uncovered.
 
Noise and perturbation:
Noise and perturbation is a technique of inserting bogus information in the hopes of misdirecting an attacker or confusing the matter enough that the actual attack will not be fruitful.