Databases

Last updated Thu Jun 04 2026 05:37:58 GMT+0000 (Coordinated Universal Time)

Access Control

DB administrator (DBA) specifies policy on who accesses what. Can be granular.

Separate from the OS authentication, DBMS has its own authentication setup.

Database Integrity

Protection of the database as a whole against damage both physical and logical. Managed by DBMS.

Protection mechanisms:

  • Periodic full backups
  • Transaction logs
    Record all changes. Used to replay operations after failure.
  • Recovery procedure: restore backup → replay log → reach consistent state.

Two-phase update — atomic write protocol.

  • Phase 1 (Intent): prepare all data, lock records, write commit flag.
  • Phase 2 (Write): execute all writes, remove commit flag.
  • Failure in either phase is recoverable without data corruption.

Redundancy/internal consistency — shadow fields or check bits detect internal inconsistencies.

Element Accuracy

Only correct values are written to the database. Enforced by field checks.

Element integrity

Values written/changed only by authorized users. Enforced by access controls.

Auditability

Audit record of all database access. All changes must be logged. Enables post-hoc analysis of who accessed what and when.

Disclosure

Sensitive Data

Data not suitable for public disclosure.

Categories:

  • Inherently sensitive
    Passwords, weapon locations.
  • From a sensitive source
    Confidential informant data.
  • Declared sensitive
    Classified documents, anonymous donor names.
  • Sensitive by record
    Salary field in employment database.
  • Sensitive in relation to other data
    Encrypted file combined with its decryption key.

Types of Disclosure

Sensitive data can be disclosed through means beyond direct query:

  • Exact data
    Direct retrieval of a sensitive value.
  • Bounds
    Reveal that value $y$ satisfies $L \leq y \leq H$.
  • Negative result
    Confirm what a value is not.
  • Existence
    Confirm a field or record exists without revealing its value.
  • Probable value
    State the probability that an element has a specific value.
  • Inference
    Derive sensitive data logically from permitted query results.
  • Inference by arithmetic
    Deduce individual values from aggregates: sums, averages, counts.
  • Aggregation
    Combine individually non-sensitive items to reveal sensitive information.
  • Hidden data attributes
    Metadata leakage via file tags, geotags, or timestamps.

Preventing Disclosure

No complete solution exists for inference and aggregation attacks.

Techniques:

  • Suppression
    Reject queries whose results would disclose sensitive data; correct data exists but is withheld.
  • Concealment
    Return approximate values instead of exact ones; trades precision for coverage.
  • Random perturbation
    Add or subtract a small random error to returned values.
  • Rounding
    Return values rounded to a fixed granularity.
  • Swapping
    Exchange values between records; preserves aggregate statistics but breaks individual accuracy.
  • Limited response suppression
    Omit low-frequency categories from results.
  • Blocking small sample sizes
    Refuse queries whose population falls below a minimum threshold.
  • Query analysis
    Evaluate query implications before returning results; reject queries that enable inference.

Security vs. precision tradeoff: maximizing concealment reduces data utility; maximizing precision increases disclosure risk.
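As an added example (not from the original notes), the following Python shows both the inference-by-arithmetic leak listed above and a query guard that applies blocking of small sample sizes (to the selected set and its complement) plus rounding; the salary table, names and threshold are constructed for illustration.

```python
"""Statistical-query guard over a constructed salary table.

`unguarded_sum` shows how two permitted aggregate queries leak one
individual's value by arithmetic; `guarded_average` withholds any
statistic whose population, or whose complement, is too small, and
rounds what it does release.
"""

# Constructed sample data: names and salaries are made up.
SALARIES = {
    "alice": 52300, "bob": 61750, "carol": 58120,
    "dave": 74900, "erin": 49480, "frank": 66010,
}
MIN_SAMPLE = 3      # smallest population for which a statistic is released
GRANULARITY = 1000  # released averages are rounded to this step


class SuppressedQuery(Exception):
    """Raised when a query is withheld under suppression."""


def unguarded_sum(predicate, table=SALARIES):
    """Sum over rows matching predicate, with no protection at all."""
    return sum(v for name, v in table.items() if predicate(name))


def infer_by_arithmetic(target, table=SALARIES):
    """Recover one row's value from two permitted aggregates:
    sum(all rows) - sum(all rows except target)."""
    everyone = unguarded_sum(lambda n: True, table)
    all_but_target = unguarded_sum(lambda n: n != target, table)
    return everyone - all_but_target


def guarded_average(predicate, table=SALARIES, k=MIN_SAMPLE, step=GRANULARITY):
    """Rounded average over rows matching predicate.

    Whole-table statistics are released. Any partial selection must leave
    at least k rows both inside and outside it: a selection of N-1 rows
    is as revealing as a selection of 1 row once the whole-table figure
    is known, so the complement is checked against k as well.
    """
    selected = [v for name, v in table.items() if predicate(name)]
    complement = len(table) - len(selected)
    if len(selected) < k or 0 < complement < k:
        raise SuppressedQuery(
            f"withheld: {len(selected)} selected, {complement} excluded, k={k}")
    exact = sum(selected) / len(selected)
    return step * round(exact / step)
```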

Inference

Deriving protected values from unrestricted queries. System designers must anticipate inference possibilities at design time.

Tracking per-user query history partially addresses inference, but users may pool knowledge or bring external data. No tracking strategy is complete.
