CPSC 4670/5670: Database Security and Auditing
IA Course
Course Description
Database security has a great impact on the design of today's information systems. This course will provide an overview of database security concepts and techniques and discuss new directions of database security in the context of Internet information management. The topics will cover database application security models, database and data auditing, XML access control, trust management and privacy protection.
Purpose and Objectives
The expected results from this course are:
- Master security architecture
- Master the databases security models
- Master multilevel secure relational model
- Master auditing in relational databases
- Master XML access control and enforcement.
Textbooks
Sam Afyouni Database Security and Auditing: Protecting Data Integrity and Accessibility. Thomson. ISBN: 0-619-21559-3, 2005.
Marshall D. Abrams, Sushil Jajodia, and Harold J. Podell, eds. Information Security: An Integrated Collection of Essays, IEEE Computer Society Press, 1995.
Available on line at https://www.amazon.com/Information-Security-Integrated-Collection-Essays/dp/0788191985
We will also draw material from the literature in the relevant journals and conferences (e.g., SIGMOD, VLDB, IEEE S&P, CCS). Students will read and present the selected papers and to complete a term project. Matt Bishop. Computer Security: Art and Science. Addison Wesley Professional, 2002, ISBN: 0201440997
CPSC 4670 Syllabus CPSC 5670 Syllabus
Lecture Notes
Week 1: Course Description and Security Architecture, Database Basics, SQL
Week 2: Operating System Security Fundamentals
Week 3: Administration of Users Profiles, password policies, privileges, and roles
Week 4: Database Application Security Models
Week 5: Multilevel Secure Relational Model, polyinstantiation
Week 6: Access Control Models: MAC, DAC, RBAC
Week 7: Stored Procedures and Functions: PL/SQL I, PL/SQL II
Week 8: Virtual Private Databases, SQL Injection
Week 9: Database Vault
Week 10: Auditing Database Activities
Week 11: XML Access Control
Week 12: Watermarking in Relational Database
Week 13: Regulations, Compliance and Privacy Protection
Week 14: NoSQL
Projects
Project #1 Database Installation and Basics, chapter4.zip
Project #2 Implement Discretionary Access Control
Project #3 Implement Mandatory Access Control Using Oracle Label Security
Project #5 Virtual Private Databases
Project #7 SQL Injection
Oracle by Example Series: Oracle Database 10g Tutorial:
http://www.oracle.com/technology/obe/10gr2_db_single/index.htm
SQL Server Best Practice Analyzer Tool includes and packages a set of best practices, known vulnerabilities and items that map well to compliance requirements. It is free.
http://www.databasejournal.com/features/mssql/article.php/3493296
Implementing Database Security and Auditing By Ron Ben-Natan
Free preview version is available from Google online.>>
Oracle 10g Programming: A Primer by Rajshekhar Sunderraman, Addison Wesley
Resources and Further Reading
Oracle:
www.petefinnigan.com: Pete Finigan is one of the world's foremost Oracle security experts, and he posts a lot of useful information on his website.
http://www.petefinnigan.com/weblog/archives/: PeteFinigan's Oracle security blog.
www.dba-oracle.com/articles.htm#burleson_arts: Many good articles on Oracle and some on Oracle security published by Don Burleson
www.linuxexposed.com: A good resource for security includes an excellent paper "Exploiting and Protecting Oracle".
http://www.appsecinc.com: Application security Inc.'s whitepaper page, including a white paper titled "Protecting Oracle databases".
www.dbasupport.com: Miscellaneous articles, resources and tips on Oracle.
Oracle Security Handbook by MarleneTheriaultand Aaron Newman
Effective Oracle Database 10g Security by Design by David Knox
Oracle Privacy Security Auditing by Arup Nanda and Donald Burleson
www.sqlsecurity.com: Web site dedicated to SQL server security
http://www.sqlmag.com/: SQL server magazine's security page
http://vyaskn.tripod.com/sql_server-security_best_practices.htm: Overview of SQL Server security model and best practices.
http://www.appsecinc.com: Application security Inc.'s white paper page, including a white paper titled "Hunting Flaws in Microsoft SQL Server White Paper"
SQL Server Security by Chip Andrews, David Litchfield, Bill Grindlay, and Next Generation Security Software.
DB2
http://www.databasejournal.com/features/db2/:Database Journal for DB2
http://www.appsecinc.com: Presentations on various topics, including "Hacker-proofing DB2"
Sybase:
www.isug.com/ISUG3/Index.html: Sybase user group
MySQL
www.nextgenss.com/papers.htm: papers on various topics, including MySQL security (e.g., "Hacker-proofing MySQL").
Hardening Linux
Hardening Linux by John Terpstra, et al
Hardening Linux by James Turnbull
Hardening Windows
Hardening Windows Systems by Roberta Bragg
Hardening Windows by Jonathan Hasell
Hardening Solaris
http://www.boran.com/security/sp/Solaris_hardening.html
A great IBM whitepaper is available at: http://www-03.ibm.com/systems/p/os/aix/whitepapers/aix_security.html
Strengthening AIX Security: A System-Hardening Approach
HP-UX 11 Operating System Hardening Guideline Document: http://www.nortel.com/solutions/securenet/collateral/hp-ux_hardening_guide_v1.pdf
http://www.unixtools.com/hp.html
More IA Study Materials
IA Academic Links
- Institute of Electrical and Electronics Engineering/Institution of Engineering and Technology
- ACM Homepage
- National Information Assurance Training and Education Consortium (NATEC): http://www.niatec.org/
- CiteSeer.IST: http://citeseer.ist.psu.edu/
- National Vulnerability Database: http://nvd.nist.gov/
- The United States Computer Emergency Readiness Team (US-CERT): http://www.us-cert.gov/
- National Institute of Standards and Technology: http://csrc.nist.gov/
- National Security Agency: http://www.nsa.gov/
- Department of Homeland Security: http://www.dhs.gov/index.shtm
- Protocols from The Internet Engineering Task Force (IETF)
- Transmission Control Protocol (TCP): http://www.faqs.org/rfcs/rfc793.html
- User Datagram Protocol (UDP): http://tools.ietf.org/html/rfc768
- Hypertext Transfer Protocol (HTTP): http://www.ietf.org/rfc/rfc2616.txt
- HTTP over TLS: http://www.ietf.org/rfc/rfc2818.txt
- Domain Name Service (DNS): http://www.ietf.org/rfc/rfc1035.txt
- File Transfer Protocol (FTP): http://www.ietf.org/rfc/rfc0959.txt
- Simple Mail Transfer Protocol (SMTP): http://www.ietf.org/rfc/rfc0821.txt
- POP3: http://www.ietf.org/rfc/rfc1939.txt
- IMAP: http://www.ietf.org/rfc/rfc2060.txt
- Internet Protocol (IP): http://www.ietf.org/rfc/rfc0791.txt
- IPv6: http://www.ietf.org/rfc/rfc2460.txt
- The IP Network Address Translator (NAT): http://www.ietf.org/rfc/rfc1631.txt
- Internet Control Message Protocol (ICMP): http://www.ietf.org/rfc/rfc792.txt
- Internet Routing Protocol Standardization Criteria: http://tools.ietf.org/html/rfc1264
- Session Initiation Protocol (SIP): http://www.ietf.org/rfc/rfc2543.txt
- Open Shortest Path First (OSPF): http://www.ietf.org/rfc/rfc2328.txt
- Border Gateway Protocol (BGP): http://www.ietf.org/rfc/rfc1772.txt
- RTSP: http://www.ietf.org/rfc/rfc2326.txt
- Ethernet
- Address Resolution Protocol (ARP): http://www.ietf.org/rfc/rfc826.txt
- The Point-to-Point Protocol (PPP): http://www.ietf.org/rfc/rfc1661.txt
- Asynchronous Transfer Mode (ATM): http://www.techfest.com/networking/atm/atm.htm
- CSMA/CA: http://www.science.uva.nl/research/air/projects/old_projects/wlan/simulations/Intro_-_WLAN/Intro_-_CSMA_CA/intro_-_csma_ca.html
- IEEE 802.11: http://www.ieee802.org/11/
- Extensible Authentication Protocol (EAP) Key Management Framework: http://tools.ietf.org/html/draft-ietf-eap-keying-11
- An Architecture for Differentiated Services (Diffserv): http://www.ietf.org/rfc/rfc2475.txt
- Multipurpose Internet Mail Extensions (MIME): http://www.ietf.org/rfc/rfc2045.txt
- Resource ReSerVation Protocol (RSVP): http://www.ietf.org/rfc/rfc2205.txt
- OpenPGP Message Format: http://www.ietf.org/rfc/rfc2440.txt
- TLS: http://www.ietf.org/rfc/rfc2246.txt
- Security Architecture for the Internet Protocol (IPSec): http://www.ietf.org/rfc/rfc2401.txt
- A Simple Network Management Protocol (SNMP): http://www.ietf.org/rfc/rfc1157.txt
- UNIX/sockets/C/C++/PERL/JAVA manuals
- Database Privacy from Microsoft Research: http://research.microsoft.com/research/sv/DatabasePrivacy/
IA Journals
- University of Tennessee at Chattanooga (UTC) library: http://www.lib.utc.edu/ Note many journals are available in UTC libraries, and some of them are accessible from any computers in UTC.
- ACM Transactions on Information and System Security (TISSEC): http://tissec.acm.org/ (On-line journal is accessible from any computer in UTC)
- IEEE security & privacy (available in UTC library): https://ieeexplore.ieee.org/xpl/RecentIssue.jsp?punumber=8013
- The Virus Bulletin: http://www.virusbtn.com/index
- IEEE Transactions on Dependable and Secure Computing (available in UTC library):
- IEEE communications magazine (available in UTC library)
- IEEE distributed systems online (available in UTC library)
- IEEE eTransactions on network and service management (available in UTC library)
- IEEE internet computing (available in UTC library)
- IEEE network (0890-8044)(available in UTC library)
- IEEE parallel & distributed technology (available in UTC library)
- IEEE personal communications (available in UTC library)
- Journal of Cryptography: http://www.springer.com/west/home/computer/lncs?SGWID=4-164-70-1009426-0&referer=www.springeronline.com&SHORTCUT=www.springer.com/sgw/cda/frontpage/0,11855,4-164-70-1009426-0,00.html
- International Journal of Information and Computer Security: http://www.inderscience.com/browse/index.php?journalCODE=ijics
- IEEE communications magazine (available in UTC library)
- IEEE distributed systems online (available in UTC library)
- IEEE eTransactions on network and service management (available in UTC library)
- IEEE internet computing (available in UTC library)
- IEEE network (0890-8044)(available in UTC library)
- IEEE parallel & distributed technology (available in UTC library)
- IEEE personal communications (available in UTC library)
Interesting books
- Where Wizards Stay Up Late: The Origins of the Internet History of how a group of computer scientists tackled and achieved the "impossible", and created the Internet; fun and non-technical reading of how the Internet as we know it today got started and developed.
Historical Documents
-
- Trust in Cyberspace: http://www.nap.edu/readingroom/books/trust/
- Access Control (Dictionary access control, The Bell-LaPadula Model, The Biba Model, Role-based Access Control) in paper
- Role-based Access Control
- XML security: X-GTRBAC
- Information Security: An Integrated Collection of Essays
- Essay 1. What Is There to Worry About? An Introduction to the Computer Security Problem
- Essay 2. Concepts and Terminology for Computer Security
- Essay 3. A Philosophy of Security Management
- Essay 4. Malicious Software
- Essay 5. Abstraction and Refinement of Layered Security Policy
- Essay 6. Evaluation Criteria for Trusted Systems
- Essay 7. Information Security Policy
- Essay 8. Formal Methods and Models
- Essay 9. Rule-Set Modeling of a Trusted Computer System
- Essay 10. Representative Organizations That Participate in Open Systems Security Standards Development
- Essay 11. Penetration Testing
- Essay 12. Evaluation Issues
- Essay 13. Supporting Policies and Functions
- Essay 14. Security Engineering
- Essay 15. Cryptography
- Essay 16. Local Area Networks
- Essay 17. Internet Privacy Enhanced Mail
- Essay 18. Electronic Data Interchange (EDI) Messaging Security
- Essay 19. Architectures for MLS Database Management Systems
- Essay 20. Toward a Multilevel Secure Relational Data Model
- Essay 21. Solutions to the Polyinstantiation Problem
- Essay 22. Integrity in Multilevel Secure Database Management Systems
- Essay 23. Multilevel Secure Database Management Prototypes
- Essay 24. Inference Problems in Multilevel Secure Database Management Systems
- Essay 25. Logical Design of Audit Information in Relational Databases
- Essay 26. A Multilevel Secure Object-Oriented Data Model
- Essay 27. Integrity Mechanisms in Database Management Systems