Database Security

Question 1

What are the two major security problems in Databases?

Answer 1

The two major problems are Integrity and secrecy.

Question 2

What is a query?

Answer 2

A command to interact with the database, the retrieves, modifies, adds, or deletes fields and records in the database.

Question 3

What are the advantages of a database?

Answer 3

Shared access
minimal redundancy, users don’t need to collect their own data
data consistency, change to data affects all users of that data
data integrity, values are protected against accidental or malicious change
Controlled Access, only authorized users can view or modify.

Question 4

What is auditabilty?

Answer 4

Ability to track all reads and writes. It is desirable to do this down to the element level.

Question 5

Access control

Answer 5

To limit the accessability of specific data.

Question 6

Dbms User Authentication?

Answer 6

A dbms might require a user to pass both a password and a time-of-day checks.

Question 7

What is availability

Answer 7

The database is an existential tool and must be available and not busy serving others.

Question 8

What is a two phase update

Answer 8

Intent and commit.

Question 9

How does a database maintain redundancy and internal consistency?

Answer 9

Additional information ranging from a few checkbits to shadow copies.,

Question 10

Shadow fields

Answer 10

Provide redundacny and back up, entire attributes can be duplicated, requiring storage space.

Question 11

What is a recovery method for DBMS.

Answer 11

In the event of failure the databsase is reloaded from a backup and all changes are applied from the audit/transaction log.

Question 12

How does the database handle concurrency.

Answer 12

The DBMS locks a record until a write is completed.

Question 13

What is a monitor responsible for?

Answer 13

A monitor is responsible for structural integrity.

Question 14

What is a state constraint?

Answer 14

State constraints describe the condition of the entire database, at no time should these values violate these constraints.

Question 15

What is a transition constraint?

Answer 15

They describe the state the database must be in before changes can be applied.

Question 16

What is an indirect attack .

Answer 16

Attacker tries to infer a final result based on one or more intermdiate statistical results.

Question 17

What is a direct attack?

Answer 17

User tries to determine values of sensitive fields by seeking them directly.

Question 18

What is the intersecting median attack?

Answer 18

When attacker uses slightly more complicated process to determine individual values from medians.

Question 19

What is a Tracker attack?

Answer 19

Modifying query to get around data rules and get specific information, by doing set differences.

Question 20

What is a Linear system vulenerability?

Answer 20

Using math and a bunch of queries one can solve the all the queires to find the unknown common value.

Question 21

What is Random data perturbation?

Answer 21

adding random seed values to the data to offset.

Question 22

How does a user expliot unique object collisions between security Domains in MLS Database.

Answer 22

When a low level user receives an error message that says the row cannot be inserted because the unique key exists. The low level user verifies the key does not exist at a dominated level, they then know the existence of the key at a higher leve.

Question 23

How do you realize and prevent the aggregation problem?

Answer 23

Requires tracking the history of prior accesses as well as publicly available information.

Question 24

How do we extend the trust from the security kernel to the trusted security base to the application space?

Answer 24

Assurance and trust in what is enforcing the policy? TCB Subsets

Question 25

What is a TCB subset?

Answer 25

It is a TCB which relies on the TCB of the underlying system for its own policy enforcement.
A TCB subset M is a set of Software, Firmware, and hardware, that mediates the access of a set S of subjects to a set O of Objects on the basis of a stated access control policy P.