IA Course CPSC 4670/5670:

Database Security and Auditing

Course Description

Database security has a great impact on the design of today's information systems. This course will provide an overview of database security concepts and techniques and discuss new directions of database security in the context of Internet information management. The topics will cover database application security models, database and data auditing, XML access control, trust management and privacy protection.

Purpose and Objectives

The expected results from this course are:

  • Master security architecture
  • Master database security models
  • Master the multilevel secure relational model
  • Master auditing in relational databases
  • Master XML access control and enforcement


Sam Afyouni. Database Security and Auditing: Protecting Data Integrity and Accessibility. Thomson, 2005. ISBN: 0-619-21559-3.

Marshall D. Abrams, Sushil Jajodia, and Harold J. Podell, eds. Information Security: An Integrated Collection of Essays, IEEE Computer Society Press, 1995.
Available online at https://www.amazon.com/Information-Security-Integrated-Collection-Essays/dp/0788191985

We will also draw material from the literature in the relevant journals and conferences (e.g., SIGMOD, VLDB, IEEE S&P, CCS). Students will read and present selected papers and complete a term project.

Matt Bishop. Computer Security: Art and Science. Addison Wesley Professional, 2002. ISBN: 0201440997.

CPSC4670 Syllabus

CPSC5670 Syllabus

Lecture Notes

Week 1: Course Description and Security Architecture, Database Basics, SQL

Week 2: Operating System Security Fundamentals

Week 3: Administration of Users: profiles, password policies, privileges, and roles

Week 4: Database Application Security Models

Week 5: Multilevel Secure Relational Model, polyinstantiation

Week 6: Access Control Models: MAC, DAC, RBAC

Week 7: Stored Procedures and Functions: PL/SQL I, PL/SQL II

Week 8: Virtual Private Databases, SQL Injection

Week 9: Database Vault

Week 10: Auditing Database Activities

Week 11: XML Access Control

Week 12: Watermarking in Relational Databases

Week 13: Regulations, Compliance and Privacy Protection

Week 14: NoSQL


Project #1 Database Installation and Basics, chapter4.zip

Project #2 Implement Discretionary Access Control

Project #3 Implement Mandatory Access Control Using Oracle Label Security

Project #4 PL/SQL

Project #5 Virtual Private Databases

Project #6 Auditing

Project #7 SQL Injection

Oracle by Example Series: Oracle Database 10g Tutorial


The SQL Server Best Practice Analyzer tool packages a set of best practices, known vulnerabilities and items that map well to compliance requirements. It is free.


Recommended Book

Implementing Database Security and Auditing by Ron Ben-Natan

A free preview version is available online from Google.

This book is about database security and auditing. You will learn many methods and techniques that are helpful in securing, monitoring and auditing database environments. It covers diverse topics spanning all aspects of database security and auditing, including network security for databases, authentication and authorization issues, links and replication, database Trojans, and more.

Oracle 10g Programming: A Primer by Rajshekhar Sunderraman, Addison Wesley

Resources and Further Reading

Oracle

www.petefinnigan.com: Pete Finnigan is one of the world's foremost Oracle security experts, and he posts a lot of useful information on his website.

http://www.petefinnigan.com/weblog/archives/: Pete Finnigan's Oracle security blog.

www.dba-oracle.com/articles.htm#burleson_arts: Many good articles on Oracle and some on Oracle security published by Don Burleson

www.linuxexposed.com: A good security resource that includes an excellent paper, "Exploiting and Protecting Oracle".

http://www.appsecinc.com: Application Security Inc.'s white paper page, including a white paper titled "Protecting Oracle Databases".

www.dbasupport.com: Miscellaneous articles, resources and tips on Oracle.

Oracle Security Handbook by Marlene Theriault and Aaron Newman

Effective Oracle Database 10g Security by Design by David Knox

Oracle Privacy Security Auditing by Arup Nanda and Donald Burleson

SQL Server

www.sqlsecurity.com: Web site dedicated to SQL server security

http://www.sqlmag.com/: SQL Server Magazine's security page

http://vyaskn.tripod.com/sql_server-security_best_practices.htm: Overview of SQL Server security model and best practices.

http://www.appsecinc.com: Application Security Inc.'s white paper page, including a white paper titled "Hunting Flaws in Microsoft SQL Server White Paper"

SQL Server Security by Chip Andrews, David Litchfield, Bill Grindlay, and Next Generation Security Software.

DB2

http://www.databasejournal.com/features/db2/: Database Journal for DB2

www.db2mag.com: DB2 Magazine

http://www.appsecinc.com: Presentations on various topics, including "Hacker-proofing DB2"

Sybase

www.isug.com/ISUG3/Index.html: Sybase user group

MySQL

www.nextgenss.com/papers.htm: Papers on various topics, including MySQL security (e.g., "Hacker-proofing MySQL").

http://dev.mysql.com/doc/mysql/en/Security.html: Security section from MySQL manual

www.appsecinc.com/index.html: Presentations on various topics including "Hacker-proofing MySQL".

Hardening Linux

Hardening Linux by John Terpstra, et al.

Hardening Linux by James Turnbull

Hardening Windows

Hardening Windows Systems by Roberta Bragg

Hardening Windows by Jonathan Hassell

Hardening Solaris


Hardening AIX

A great IBM whitepaper is available at: http://www-03.ibm.com/systems/p/os/aix/whitepapers/aix_security.html

Strengthening AIX Security: A System-Hardening Approach

Hardening HP-UX

HP-UX 11 Operating System Hardening Guideline Document: http://www.nortel.com/solutions/securenet/collateral/hp-ux_hardening_guide_v1.pdf


More IA Study Materials

IA Academic Links

IA Journals

  • University of Tennessee at Chattanooga (UTC) library: http://www.lib.utc.edu/ Note that many journals are available in the UTC library, and some of them are accessible from any computer at UTC.
  • ACM Transactions on Information and System Security (TISSEC): http://tissec.acm.org/ (online journal, accessible from any computer at UTC)
  • IEEE Security & Privacy (available in UTC library): https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=8013
  • The Virus Bulletin: http://www.virusbtn.com/index
  • IEEE Transactions on Dependable and Secure Computing (available in UTC library)
  • Information Systems Control (available in UTC library): http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders/Publications/Journal/Information_Systems_Control_Journal_Home.htm
  • IEEE Communications Magazine (available in UTC library)
  • IEEE Distributed Systems Online (available in UTC library)
  • IEEE eTransactions on Network and Service Management (available in UTC library)
  • IEEE Internet Computing (available in UTC library)
  • IEEE Network (0890-8044) (available in UTC library)
  • IEEE Parallel & Distributed Technology (available in UTC library)
  • IEEE Personal Communications (available in UTC library)
  • Journal of Cryptography: http://www.springer.com/west/home/computer/lncs?SGWID=4-164-70-1009426-0&referer=www.springeronline.com&SHORTCUT=www.springer.com/sgw/cda/frontpage/0,11855,4-164-70-1009426-0,00.html
  • International Journal of Information and Computer Security: http://www.inderscience.com/browse/index.php?journalCODE=ijics


Interesting books


Historical Documents