Security and Auditing
Database security has a great impact on the design
of today's information systems. This course will provide an overview of
database security concepts and techniques and discuss new directions of
database security in the context of Internet information management. The topics
will cover database application security models, database and data auditing,
XML access control, trust management and privacy protection.
Purpose and Objectives:
The expected results from this course are:
Master security architecture
Master the database security models
Master the multilevel secure relational model
Master auditing in relational databases
Master XML access control and enforcement
Sam Afyouni, Database Security and Auditing: Protecting Data Integrity and Accessibility. Thomson. ISBN: 0-619-21559-3, 2005.
Marshall D. Abrams, Sushil Jajodia, and Harold J. Podell, eds. Information Security: An Integrated Collection of Essays, IEEE Computer Society Press, 1995. Available online at http://www.acsac.org/secshelf/book001/book001.html
We will also draw material from the literature in the relevant journals and conferences (e.g., SIGMOD, VLDB, IEEE S&P, CCS). Students will read and present the selected papers and complete a term project.
Matt Bishop. Computer Security: Art and Science. Addison Wesley Professional, 2002, ISBN: 0201440997
Week 1: Course Description and Security Architecture, Database Basics, SQL
Week 2: Operating System Security
Week 3: Administration of Users, Profiles, Password Policies, Privileges, and Roles
Week 4: Database Application Security
Week 5: Multilevel Secure Relational Model, Polyinstantiation
Week 6: Access Control Models: MAC, DAC, RBAC
Week 7: Stored Procedures and Functions: PL/SQL I, PL/SQL
Week 8: Virtual Private Databases, SQL Injection
Week 9: Database Vault
Week 10: Auditing Database Activities
Week 11: XML Access Control
Week 12: Watermarking in Relational Databases
Week 13: Regulations, Compliance and
Week 14: Selected advanced topics such as Trust Management, Digital Rights Management
Project #1 Database Installation and Basics, chapter4.zip
Project #7 SQL Injection
This book is about database security and auditing. You will learn many methods and techniques that will be helpful in securing, monitoring and auditing database environments. It covers diverse topics that include all aspects of database security and auditing - including network security for databases, authentication and authorization issues, links and replication, database Trojans, etc.
Oracle 10g Programming: A Primer by Rajshekhar Sunderraman, Addison
www.petefinnigan.com: Pete Finnigan is one of the world's foremost Oracle security experts, and he posts a lot of useful information on his website.
Pete Finnigan's Oracle security blog.
Many good articles on Oracle and some on Oracle security published by Don Burleson
www.linuxexposed.com: A good resource for security; includes an excellent paper "Exploiting and Protecting
Application Security Inc.'s white paper page, including a white paper titled "Protecting Oracle databases".
articles, resources and tips on Oracle.
Oracle Security Handbook by Marlene Theriault and Aaron Newman
Effective Oracle Database 10g Security by Design by
Oracle Privacy Security Auditing by Arup Nanda and
www.sqlsecurity.com: Web site dedicated to SQL Server security
http://www.sqlmag.com/: SQL Server Magazine's security page
http://vyaskn.tripod.com/sql_server-security_best_practices.htm: Overview of SQL Server security model and best
Application Security Inc.'s white paper page, including a white paper titled "Hunting Flaws in Microsoft SQL Server White Paper"
SQL Server Security by Chip Andrews, David Litchfield, Bill Grindlay, and Next Generation
http://www.databasejournal.com/features/db2/: Database Journal for DB2
www.db2mag.com: DB2 Magazine
Presentations on various topics, including "Hacker-proofing DB2"
www.isug.com/ISUG3/Index.html: Sybase user
www.nextgenss.com/papers.htm: papers on various topics, including MySQL security (e.g., "Hacker-proofing
Security section from MySQL manual
Presentations on various topics including "Hacker-proofing MySQL".
by John Terpstra, et al
by James Turnbull
Hardening Windows Systems by Roberta Bragg
Hardening Windows by Jonathan Hassell
A great IBM whitepaper is available at: http://www-03.ibm.com/systems/p/os/aix/whitepapers/aix_security.html
AIX Security: A System-Hardening Approach
HP-UX 11 Operating System Hardening Guideline