doeacc notes

Upload: hamid-masood

Post on 09-Apr-2018


8/8/2019 DOEACC NOTES 1/52

DOEACC NOTES

Wednesday, February 18, 2009

ODBMS - Security Authorization

5.c) Discuss briefly about the implementation aspects of security. [6]

Database security is the system, processes, and procedures that protect a database from unintended activity. Unintended activity can be categorized as authenticated misuse, malicious attacks or inadvertent mistakes made by authorized individuals or processes. Database security is also a specialty within the broader discipline of computer security.

Databases provide many layers and types of information security, typically specified in the data dictionary, including:

- Access control
- Auditing
- Authentication
- Encryption
- Integrity controls

Database security can begin with the process of creation and publishing of appropriate security standards for the database environment. The standards may include specific controls for the various relevant database platforms; a set of best practices that cross over the platforms; and linkages of the standards to higher level policies and governmental regulations.

An important procedure when evaluating database security is performing vulnerability assessments against the database. The results of the scans should be used to harden the database in order to mitigate the threat of compromise by intruders. A vulnerability assessment is a preliminary procedure to determine risk, whereas a compliance program is the process of on-going risk assessment.

Two crucial aspects of database security compliance include patch management and the review and management of permissions (especially public) granted to objects within the database. Database objects may include tables or other objects listed in the Table link. The permissions granted for SQL language commands on objects are considered in this process.

Application level authentication and authorization mechanisms should be considered as an effective means of providing abstraction from the database layer. The primary benefit of abstraction is that of a single sign-on capability across multiple databases and database platforms. A single sign-on system should store the database user's credentials (login id and password), and authenticate to the database on behalf of the user.

Another security layer of a more sophisticated nature includes the real-time monitoring of database protocol traffic (SQL) over the network, and/or local monitoring of database activity using software agents. Analysis can be performed on the traffic for known exploits, or network traffic baselines can be captured over time to build a normal pattern used for detection of anomalous activity that could be indicative of intrusion. These systems can provide a comprehensive database audit trail in addition to the intrusion detection (and potentially protection) mechanisms.

After an incident occurs, the usage of Database Forensics can be employed to determine the scope.

A database security program should include the regular review of permissions granted to individually owned accounts and accounts used by automated processes. The accounts used by automated processes should have appropriate controls around password storage, such as sufficient encryption and access controls, to reduce the risk of compromise. For individual accounts, a two-factor authentication system should be considered in a database environment where the risk is commensurate with the expenditure for such an authentication system.

1.g) List out the main types of threat that could affect a database system. [4]

Database Vulnerabilities (The many fronts of the security war!)

Basically database security can be broken down into the following key points of interest:

- Server Security
- Database Connections
- Table Access Control
- Restricting Database Access

Server Security

Server security is the process of limiting actual access to the database server itself, and in my humble opinion it is the most important angle of security and should be carefully planned. The basic idea is this: "You can't access what you can't see". Why in the name of the Almighty (or whoever else you believe in, or if you are an Atheist, substitute your own name here) would you let your database server be visible to the world? This is not a web server here; there should be no such thing as an anonymous connection. Now some people would say, "Well, what if your database server is supplying information to dynamic web pages?" Well, I'll turn that around and say, "Your database back end should never be on the same machine as your web server, not just for security, but for performance!" If your database server is supplying information to a web server then it should be configured to allow connections only from that web server. Now that brings me to the next point of discussion.

[Figure caption: Here Trusted IP Access has limited the database server to only answering information requests from the known IP of the web server.]

Trusted IP addresses

Every server should be configured to only allow trusted IP addresses. You don't allow just anyone to come into your house and talk to your children. In the same respect you should know exactly who should be allowed to "talk" to your database server. If it's a back end for a web server, then only that web server's address should be allowed to access that database server. If the database server is supplying information to a homegrown application that is running on the internal network, then it should only answer to addresses from within the internal network. Also, please, none of this cheap mentality of hosting your web databases on the same server that houses internal database information. Why would you have internal information out in the DMZ? It's not called the DMZ for nothing.

Database Connections

These days, with the number of dynamic applications, it becomes tempting to allow immediate unauthenticated updates to a database. I say "Nay!" to such laziness. If you are going to allow users to make updates to a database via a web page, ensure that you validate all updates to ensure that all updates are warranted and safe. For example, ensure that you are removing any possible SQL code from a user supplied input. If a normal user should never be inputting it, don't allow the data to ever be submitted. If you are one of those administrators that feels the need to use ODBC connections, ensure that every connection uses its own unique user to access the shared data. It personally makes my skin crawl when I see the user account "sa" used for every connection and data source on the server. Does every employee in your company have keys to every room in the building? I'll let you address that problem quietly if they do.

Table Access Control

Table access control is probably one of the most overlooked forms of database security because of the inherent difficulty in applying it. Properly using table access control will require the collaboration of both system administrator and database developer, and we all know that "collaboration" is a foreign word in the IT industry. An example would be allowing read access to user inputted information to the public. If a user just inputted the information, why would they have to look at it within the same session? Or, if a table is just used for system reference, why should it have any other permissions besides read available?
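The Database Connections advice above (validate what users submit, and keep SQL out of user supplied input) is easier to judge in code. The following is an added example, not part of the original notes: it uses Python's built-in sqlite3 module with a constructed in-memory users table to contrast string-spliced SQL with a parameterised query, and adds an allow-list check for input a normal user would never need to submit. The table, the function names and the sample input are assumptions for illustration.

```python
"""Input handling for web-driven database updates.

Added example (not from the original notes): the same lookup written two ways,
using Python's built-in sqlite3 on a constructed in-memory table.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small constructed 'users' table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The pattern the article warns against: user text is spliced into the
    statement, so quote characters in the input become SQL syntax."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver sends the value separately from the
    statement, so the input can only ever match as a literal string."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list for a plain lowercase identifier (an assumption for this demo).
USERNAME_ALLOWED = frozenset("abcdefghijklmnopqrstuvwxyz0123456789_")


def validate_username(username: str) -> str:
    """The 'don't let it be submitted' rule: reject anything a normal user
    would never type in a username field before it reaches the database."""
    if not username or len(username) > 32 or not set(username) <= USERNAME_ALLOWED:
        raise ValueError("username contains characters a normal user never needs")
    return username


def demo() -> dict:
    """Run both lookups on a constructed input that contains SQL syntax."""
    conn = make_db()
    hostile = "x' OR '1'='1"   # constructed test input, not a real username
    result = {
        "unsafe_rows": len(lookup_unsafe(conn, hostile)),  # every row comes back
        "safe_rows": len(lookup_safe(conn, hostile)),      # no user has that name
        "normal_safe": lookup_safe(conn, "alice"),
    }
    try:
        validate_username(hostile)
        result["validated"] = True
    except ValueError:
        result["validated"] = False
    return result


if __name__ == "__main__":
    print(demo())
```

Running demo() shows lookup_unsafe returning both rows for input that is not any username while lookup_safe returns none, and the allow-list rejecting the input outright. The other half of the article's advice, a unique database user per connection instead of "sa", is a server-side account setting that sqlite3 cannot demonstrate.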

Unfortunately table structure and proper relational database structure and development is a little out of the scope of this article. But keep a look out for it in my upcoming articles.

Restricting Database Access

Now that we have completed a basic overview of database security, I want to dive a little further into the specifics of server security, mainly into the network access of the system, specifically targeting Internet based databases, since they have been the most recent targets of attacks. All web-enabled applications have ports that they listen to (I know this is pretty basic to most of you, but it needs to be said for the beginners!). Most cyber criminals (I always refrain from the media sensationalized terms "Hackers" or "Crackers") are going to do a simple "port scan" to look for ports that are open that popular database systems use by default. Now I say by default, because you can change the ports a service listens on, which I personally feel is a great way to throw off a criminal.

First they will attempt to determine if a machine is even at a specific address. They will do this by pinging the system. (If you don't know what ping is, quietly close this article; you need to do some studying first!) This is done by simply opening up a command line and typing "ping".

C:\ ping 127.0.0.1

or

root@localhost:~$ ping 127.0.0.1

The response should look like this:

Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time
Reply from 127.0.0.1: bytes=32 time

Threats to database security can come from many sources. People are a substantial source of database threats. Different types of people can pose different threats. Users can gain unauthorised access through the use of another person's account. Some users may act as hackers and/or create viruses to adversely affect the performance of the system. Programmers can also pose similar threats. The Database Administrator can also cause problems by not imposing an adequate security policy.

Some threats related to the hardware of the system are as follows:

- Equipment failure
- Deliberate equipment damage (e.g. arson, bombs)
- Accidental / unforeseen equipment damage (e.g. fire, flood)
- Power failure
- Equipment theft

Threats can exist over the communication networks that an organisation uses. Techniques such as wire tapping, cable disruption (cutting / disconnecting), and electronic interference can all be used to disrupt services or reveal private information.

Countermeasures

Some countermeasures that can be employed are outlined below:

- Access Controls (can be Discretionary or Mandatory)
- Authorisation (granting legitimate access rights)
- Authentication (determining whether a user is who they claim to be)
- Backup
- Journaling (maintaining a log file - enables easy recovery of changes)
- Encryption (encoding data using an encryption algorithm)
- RAID (Redundant Array of Independent Disks - protects against data loss due to disk failure)
- Polyinstantiation (data objects that appear to have different values to users with different access rights / clearance)
- Views (virtual relations which can limit the data viewable by certain users)

Threats to Databases

- Loss of confidentiality: protection of data from improper disclosure
- Loss of integrity: information must be protected from improper modification
- Loss of availability: making data available to a user with a legitimate right

Introduction to Database Security

Database security begins with physical security for the computer systems that host the DBMS. No DBMS is safe from intrusion, corruption, or destruction by people who have physical access to the computers. After physical security has been established, database administrators must protect the data from unauthorized users and from unauthorized access by authorized users. There are three main objectives when designing a secure database application, and anything that prevents a DBMS from achieving these goals would be considered a threat to database security.

(1) Integrity

Database integrity refers to the requirement that information be protected from improper modification. Modification of data includes creation, insertion, modification, changing the status of data, and deletion. Integrity is lost if unauthorized changes are made to the data by either intentional or accidental acts. To prevent the loss of integrity from happening, only authorized users should be allowed to modify data. E.g. students may be allowed to see their grades, yet not allowed to modify them.

(2) Availability

Authorized users or programs should not be denied access. For example, an instructor who wishes to change a grade should be allowed to do so.

(3) Secrecy

Information should not be disclosed to unauthorized users. For example, a student should not be allowed to examine other students' grades.

To achieve these objectives, a clear and consistent security policy should be developed to describe what security measures must be enforced. In particular, we must determine what part of the data is to be protected and which users get access to which portions of the data. Next, the security mechanisms of the underlying DBMS and operating system, as well as external mechanisms, such as securing access to buildings, must be utilized to enforce the policy. We emphasize that security measures must be taken at several levels.

Why is database security important?

If the loss of system or data integrity is not corrected, continued use of the contaminated system or corrupted data could result in inaccuracy, fraud, or erroneous decisions. In addition, unauthorized, unanticipated, or unintentional disclosure could result in loss of public confidence, embarrassment, or legal action against the organization.

Some database crime news:

- Credit card database hacked
- Cops tap database to harass, intimidate

Countermeasures to database security threats

(1) Inference control

The corresponding countermeasure to statistical database security. A statistical database is a database which contains specific information on individuals or events but is intended to permit only statistical queries (e.g. averages, sums, counts, maximums, minimums and standard deviations). However, it is possible to obtain confidential data on individuals by using only statistical queries. Inference control techniques are used to prevent this from happening (e.g. we can prohibit sequences of queries that refer repeatedly to the same population of tuples).

(2) Flow Control

"Flow control regulates the distribution or flow of information among accessible objects. A flow between object X and object Y occurs when a program reads values from X and writes values into Y. Flow controls check that information contained in some objects does not flow explicitly or implicitly into less protected objects. Thus, a user cannot get indirectly in Y what he or she cannot get directly from X." Elmasri, Navathe (P747)
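Returning to countermeasure (1), inference control: the rule given there, refusing sequences of queries that keep returning to the same population of tuples, can be made concrete. This is an added example, not from the notes: a small statistical front end in Python over a constructed employee table that enforces a minimum and maximum query-set size and a cap on how many rows a new query may share with an earlier one. The table, the thresholds k and max_overlap, and the class and function names are assumptions for illustration.

```python
"""Inference control for a statistical database.

Added example (not part of the notes): a statistical-query layer over a
constructed employee table that applies two classic controls,
query-set-size restriction and query-set-overlap restriction.
"""
from statistics import mean

# Constructed records: (name, department, salary). Only aggregates may leave.
EMPLOYEES = [
    ("ann", "eng", 90_000), ("ben", "eng", 85_000), ("cara", "eng", 88_000),
    ("dev", "ops", 70_000), ("eli", "ops", 72_000), ("fay", "ops", 71_000),
    ("gus", "hr", 65_000),
]


class InferenceControlError(Exception):
    """Raised when a query is refused because it could reveal an individual."""


class StatisticalDB:
    def __init__(self, rows, k=2, max_overlap=1):
        self.rows = rows
        self.n = len(rows)
        self.k = k                      # smallest (and, via n-k, largest) query set allowed
        self.max_overlap = max_overlap  # rows a new query may share with any earlier one
        self.history = []               # query sets already answered

    def _query_set(self, predicate):
        return frozenset(i for i, r in enumerate(self.rows) if predicate(r))

    def query(self, predicate, stat="mean"):
        qs = self._query_set(predicate)
        # Size control: a tiny set names individuals; a near-complete set does
        # the same by subtraction from the whole-population total.
        if len(qs) < self.k or len(qs) > self.n - self.k:
            raise InferenceControlError(
                f"query set size {len(qs)} outside [{self.k}, {self.n - self.k}]")
        # Overlap control: two answers over almost the same population can be
        # differenced to isolate the few tuples they do not share.
        for earlier in self.history:
            if earlier != qs and len(earlier & qs) > self.max_overlap:
                raise InferenceControlError("query overlaps an earlier query too closely")
        self.history.append(qs)
        salaries = [self.rows[i][2] for i in qs]
        return {"mean": mean, "sum": sum, "count": len, "max": max, "min": min}[stat](salaries)


def refused(db, predicate, stat="mean") -> bool:
    """True if the control layer blocks the query, False if it answered it."""
    try:
        db.query(predicate, stat)
        return False
    except InferenceControlError:
        return True


if __name__ == "__main__":
    db = StatisticalDB(EMPLOYEES)
    print("eng mean:", db.query(lambda r: r[1] == "eng"))
    print("single person refused:", refused(db, lambda r: r[0] == "gus"))
    print("narrowing eng refused:", refused(db, lambda r: r[1] == "eng" and r[2] > 86_000))
```

With k=2 the whole-company query (7 rows) is refused as well as any one-person query, and once the engineering average has been answered a second query covering two of those three engineers is refused, since subtracting the two answers would expose the third salary.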

(3) Encryption

"The idea behind encryption is to apply an encryption algorithm to the data, using a user-specified or DBA-specified encryption key. The output of the algorithm is the encrypted version of the data. There is also a decryption algorithm, which takes the encrypted data and a decryption key as input and then returns the original data." Elmasri, Navathe (P709)

(4) Access Control

A database for an enterprise contains a great deal of information and usually has several groups of users. Most users need to access only a small part of the database to carry out their tasks. Allowing users unrestricted access to all the data can be undesirable, and a DBMS should provide mechanisms to control access to data. The main idea behind access control is to prevent unauthorized persons from accessing the system.

Traditional Ways (70s~80s) - How it works?

1: Discretionary Access Control

Discretionary access control is based on the idea of access rights, or privileges, and mechanisms for giving users such privileges. A privilege allows a user to access some data object in a certain manner (e.g. to read or modify). A user who creates a data object such as a table or a view automatically gets all applicable privileges on that object, and the user can also propagate privileges using the "Grant Option". The DBMS subsequently keeps track of how these privileges are granted to other users, and possibly revoked, and ensures that at all times only users with the necessary privileges can access an object.

SQL Syntax

SQL supports discretionary access control through the GRANT and REVOKE commands. The GRANT command gives users privileges to base tables and views. The REVOKE command cancels users' privileges. For example:

GRANT privilege1, privilege2, ...
ON object_name
TO user1, user2, ... ;

REVOKE privilege1, privilege2, ...
ON object_name
FROM user1, user2, ... ;

GRANT SELECT, ALTER
ON student
TO db2_14;

REVOKE SELECT, ALTER
ON student
FROM db2_14;

Example from Textbook (R. Elmasri, S. B. Navathe, Fundamentals of Database Systems, Ed. 4, Addison-Wesley, 2003, Chapter 23)

Suppose that A1 creates the two base relations EMPLOYEE and DEPARTMENT:

EMPLOYEE (NAME, SSN, BDATE, ADDRESS, SEX, SALARY, DNO)
DEPARTMENT (DNUMBER, DNAME, MGRSSN)

A1 is then the owner of these two relations and hence has all the relation privileges on each of them. A1 wants to grant to account A2 the privilege to insert and delete tuples in both of these relations:

GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO A2;

A2 cannot grant INSERT and DELETE privileges on the EMPLOYEE and DEPARTMENT tables, because A2 was not given the GRANT OPTION in the preceding command.

GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT OPTION;

The clause WITH GRANT OPTION means that A3 can now propagate the privilege to other accounts by using GRANT. For example, A3 can grant the SELECT privilege on the EMPLOYEE relation to A4 by issuing the following command:

GRANT SELECT ON EMPLOYEE TO A4;

Now suppose that A1 decides to revoke the SELECT privilege on the EMPLOYEE relation from A3; A1 then can issue this command:

REVOKE SELECT ON EMPLOYEE FROM A3;

The DBMS must now automatically revoke the SELECT privilege on EMPLOYEE from A4, too, because A3 granted that privilege to A4 and A3 does not have the privilege any more.
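The cascade in the last step (A4 losing SELECT because A3 lost it) is something the DBMS has to compute from its record of who granted what. As an added example, not code from the notes or the textbook, here is a Python model of that grant graph that replays the A1..A4 sequence. It goes slightly beyond the text by handling chains of any length: a grant is honoured only while its grantor can still be reached from the owner through grants that carry GRANT OPTION, which is what makes revocation cascade. The class and method names are assumptions; the privilege, account and relation names are those of the example.

```python
"""Propagation and cascading revocation of discretionary privileges.

Added example, not from the notes or the Elmasri/Navathe textbook: an
in-memory model of the grant graph a DBMS keeps for the A1..A4 scenario.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    priv: str
    obj: str
    grant_option: bool


class AuthGraph:
    """Tracks who granted what to whom, so that revocation can cascade."""

    def __init__(self, owners):
        self.owners = dict(owners)   # object -> owning account
        self.grants = []             # list of Grant

    def _propagators(self, priv, obj):
        """Accounts holding `priv` on `obj` WITH GRANT OPTION, found by walking
        outward from the owner. A grant counts only if its grantor is itself
        reachable, which is exactly the cascade rule in the text."""
        reach = {self.owners[obj]}
        frontier = [self.owners[obj]]
        while frontier:
            u = frontier.pop()
            for g in self.grants:
                if (g.grantor == u and g.priv == priv and g.obj == obj
                        and g.grant_option and g.grantee not in reach):
                    reach.add(g.grantee)
                    frontier.append(g.grantee)
        return reach

    def holds(self, user, priv, obj):
        """Does `user` currently hold `priv` on `obj` (owner or valid grant)?"""
        if self.owners.get(obj) == user:
            return True
        ok = self._propagators(priv, obj)
        return any(g.grantee == user and g.priv == priv and g.obj == obj and g.grantor in ok
                   for g in self.grants)

    def grant(self, grantor, grantee, privs, obj, grant_option=False):
        """GRANT privs ON obj TO grantee [WITH GRANT OPTION], issued by grantor."""
        for priv in privs:
            if grantor not in self._propagators(priv, obj):
                raise PermissionError(f"{grantor} cannot grant {priv} ON {obj}: no GRANT OPTION")
            self.grants.append(Grant(grantor, grantee, priv, obj, grant_option))

    def revoke(self, grantor, grantee, privs, obj):
        """REVOKE privs ON obj FROM grantee, then drop every grant that now
        hangs from a grantor who can no longer propagate the privilege."""
        for priv in privs:
            self.grants = [g for g in self.grants if not (
                g.grantor == grantor and g.grantee == grantee and g.priv == priv and g.obj == obj)]
            ok = self._propagators(priv, obj)
            self.grants = [g for g in self.grants
                           if not (g.priv == priv and g.obj == obj) or g.grantor in ok]


def textbook_example():
    """Replays the A1..A4 sequence from the text and reports who holds what."""
    db = AuthGraph({"EMPLOYEE": "A1", "DEPARTMENT": "A1"})
    db.grant("A1", "A2", ["INSERT", "DELETE"], "EMPLOYEE")
    db.grant("A1", "A2", ["INSERT", "DELETE"], "DEPARTMENT")
    try:                      # A2 has no GRANT OPTION, so this must be refused
        db.grant("A2", "A3", ["INSERT"], "EMPLOYEE")
        a2_can_propagate = True
    except PermissionError:
        a2_can_propagate = False
    db.grant("A1", "A3", ["SELECT"], "EMPLOYEE", grant_option=True)
    db.grant("A1", "A3", ["SELECT"], "DEPARTMENT", grant_option=True)
    db.grant("A3", "A4", ["SELECT"], "EMPLOYEE")
    a4_before = db.holds("A4", "SELECT", "EMPLOYEE")
    db.revoke("A1", "A3", ["SELECT"], "EMPLOYEE")
    return {
        "a2_can_propagate": a2_can_propagate,
        "a4_before_revoke": a4_before,
        "a3_after_revoke": db.holds("A3", "SELECT", "EMPLOYEE"),
        "a4_after_revoke": db.holds("A4", "SELECT", "EMPLOYEE"),        # cascaded
        "a3_department_select": db.holds("A3", "SELECT", "DEPARTMENT"),  # untouched
    }


if __name__ == "__main__":
    print(textbook_example())
```

Because validity is decided by reachability from the owner rather than by a flag on each grant, a grant made earlier by an account that later lost GRANT OPTION is dropped no matter how many hops separate it from the revoked one.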

MySQL grant revoke syntax

Limits on propagation of privileges

Techniques to limit the propagation of privileges have been developed, but they have not been implemented in most DBMSs and are not a part of SQL.

Horizontal propagation limits: an account B given the GRANT OPTION can grant the privilege to at most i other accounts.

Vertical propagation limits: limit the depth to which an account can pass on the privilege in terms of levels.

Pros and Cons of discretionary access control

Advantages: being flexible and suitable for various types of systems and applications like commercial and industrial environments.

Disadvantages: not providing real assurance on the satisfaction of the protection requirements; not imposing any restriction on the usage of information once it is obtained by a user, which makes the system vulnerable to attacks.

2: Mandatory Access Control

Mandatory access controls are aimed at addressing such loopholes in discretionary access control. The popular model for mandatory access control, called the Bell-LaPadula model, is described in terms of objects, subjects, security classes, and clearances. Each database object is assigned a security class, and each subject is assigned clearance for a security class. The Bell-LaPadula model imposes two restrictions on all reads and writes of database objects:

1. Simple Security Property: Subject S is allowed to read object O only if class(S) ≥ class(O). For example, a user with TS (top secret) clearance can read a table with C (confidential) clearance, but a user with C (confidential) clearance is not allowed to read a table with TS (top secret) classification.

2. *-Property: Subject S is allowed to write object O only if class(S) ≤ class(O). For example, a user with S (secret) clearance can write only objects with S (secret) or TS (top secret) classification.

If discretionary access controls are also specified, these rules represent additional restrictions. Therefore, to read or write a database object, a user must have the necessary privileges and the security classes of the user and the object must satisfy the preceding restrictions.

Advantages: mandatory policies ensure a high degree of protection; suitable for military types of applications, which require a high degree of protection.

Disadvantages: applicable to very few environments for being too rigid.

Current State and Future: Role-Based Access Control

Role-Based Access Control emerged rapidly in the 1990s and has been adopted by most DBMSs since then. Its basic concept is that privileges are associated with roles, and users are assigned to appropriate roles. Roles can then be granted to users and other roles. (Roles can be created and destroyed using the CREATE ROLE and DROP ROLE commands.) RBAC appears to be a viable alternative to traditional discretionary and mandatory access controls; it ensures that only authorized users are given access to certain data or resources.

Advantages of RBAC

A properly-administered RBAC system enables users to carry out a broad range of authorized operations, and provides great flexibility and breadth of application. System administrators can control access at a level of abstraction that is natural to the way that enterprises typically conduct business. This is achieved by statically and dynamically regulating users' actions through the establishment and definition of roles, role hierarchies, relationships, and constraints. Thus, once an RBAC framework is established for an organization, the principal administrative actions are the granting and revoking of users into and out of roles. Role associations can be established when new operations are instituted, and old operations can be deleted as organizational functions change and evolve. This simplifies the administration and management of privileges; roles can be updated without updating the privileges for every user on an individual basis. With these outstanding features and the easier deployment over the Internet, Role-Based Access Control undoubtedly will continue to be dominant in the future.
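The two Bell-LaPadula rules above and the RBAC idea that follows them (privileges attached to roles, roles granted to users and to other roles) combine into one authorization check, as the mandatory-access section notes when it says a user must hold the privilege and also satisfy the label rules. The following is an added example, not from the notes: a Python role hierarchy supplies the privilege and the simple security and *-properties supply the label check. The roles, users, clearances, object labels and function names are constructed for illustration.

```python
"""Authorization decision combining RBAC privileges with Bell-LaPadula labels.

Added example, not from the notes: a role hierarchy answers "does this user
hold the privilege?" and the MAC rules answer "do the labels permit it?";
both must say yes.
"""

# Linear lattice of security classes, lowest to highest (constructed).
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


def can_read(subject_class, object_class):
    """Simple Security Property: read only if class(S) >= class(O)."""
    return LEVELS[subject_class] >= LEVELS[object_class]


def can_write(subject_class, object_class):
    """*-Property: write only if class(S) <= class(O), i.e. no write-down."""
    return LEVELS[subject_class] <= LEVELS[object_class]


class RBAC:
    def __init__(self):
        self.role_privs = {}     # role -> {(priv, obj)}
        self.role_parents = {}   # role -> roles granted to it (inherited)
        self.user_roles = {}     # user -> roles directly assigned

    def create_role(self, role, inherits=()):
        self.role_privs.setdefault(role, set())
        self.role_parents[role] = set(inherits)

    def grant_to_role(self, role, priv, obj):
        self.role_privs[role].add((priv, obj))

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def effective_roles(self, user):
        """All roles reachable through the hierarchy (a role granted to a role)."""
        seen, stack = set(), list(self.user_roles.get(user, ()))
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.role_parents.get(r, ()))
        return seen

    def has_priv(self, user, priv, obj):
        return any((priv, obj) in self.role_privs[r] for r in self.effective_roles(user))


def authorize(rbac, clearances, labels, user, action, obj):
    """Both gates must open: the role-derived privilege and the MAC rule."""
    priv = {"read": "SELECT", "write": "UPDATE"}[action]
    if not rbac.has_priv(user, priv, obj):
        return False
    mac_ok = can_read if action == "read" else can_write
    return mac_ok(clearances[user], labels[obj])


def build_demo():
    """Constructed organisation: clerks read; managers inherit clerk and may update."""
    rbac = RBAC()
    rbac.create_role("clerk")
    rbac.create_role("manager", inherits=["clerk"])
    rbac.grant_to_role("clerk", "SELECT", "EMPLOYEE")
    rbac.grant_to_role("clerk", "SELECT", "BUDGET")
    rbac.grant_to_role("manager", "UPDATE", "EMPLOYEE")
    rbac.assign("alice", "manager")
    rbac.assign("bob", "clerk")
    clearances = {"alice": "S", "bob": "C"}        # subject clearances
    labels = {"EMPLOYEE": "C", "BUDGET": "TS"}     # object classifications
    return rbac, clearances, labels


if __name__ == "__main__":
    rbac, cl, lb = build_demo()
    for user, action, obj in [("alice", "read", "EMPLOYEE"), ("alice", "write", "EMPLOYEE"),
                              ("bob", "read", "EMPLOYEE"), ("bob", "read", "BUDGET")]:
        print(user, action, obj, "->", authorize(rbac, cl, lb, user, action, obj))
```

Note that alice, a manager cleared to S, can read EMPLOYEE (labelled C) but is refused a write to it: the *-property forbids writing down even though her role carries UPDATE, which is the "additional restriction" the text describes. Bob's clerk role carries SELECT on BUDGET, yet his C clearance cannot read a TS object.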

1.f) Why does the need for encryption still arise when a DBMS already supports discretionary and mandatory access control? [4]

Database data can be encrypted by a key that is generated by the DBMS. Access to this key is protected by encryption and decryption keys that are provided by the client. This allows a client to change (for example) the user password without requiring the entire database to be re-encrypted. It is not possible to turn a secure database into a plain-text database and vice-versa; this can only be done by copying the data from one database to another. It is important to note that encrypting a database has an impact on performance. The RDbStoreDatabase and RDbNamedDatabase classes provide variants of the Create() and Open() functions that can create and open a secure database. The access key can be changed using the ChangeSecurity() member function of the RDbDatabase base class.

ENCRYPTION ISSUES

While there are many good reasons to encrypt data, there are many bad reasons to encrypt data. Encryption does not solve all security problems, and may even make some problems worse. The following section describes some of the misconceptions about encryption of stored data.

Issue 1: Encryption is not access control

Most organizations need to limit access to data to those who have a need to know. For example, a human resources system may limit employees to reviewing only their own employment records, while managers of employees may see the employment records of those employees working for them. Human resources specialists may also need to see employee records for multiple employees. This type of security policy, limiting data access to those with a need to see it, is typically addressed by access control mechanisms. The Oracle database has provided strong, independently-evaluated access control mechanisms for many years. Recently, Oracle8i has added the ability to enforce access control to an extremely fine level of granularity, through its Virtual Private Database capability.

Because human resources records are considered sensitive information, it's tempting to think that this information should all be encrypted for better security. However, encryption cannot enforce the type of granular access control described above, and may actually hinder data access. In the human resources example, an employee, his manager, and the HR clerk all need to access the employee's record. If employee data is encrypted, then each person also has to be able to access the data in unencrypted form. Therefore, the employee, the manager and the HR clerk would have to share the same encryption key to decrypt the data. Encryption would therefore not provide any additional security in the sense of better access control, and the encryption might actually hinder the proper functioning of the application. There is the additional issue that it is very difficult to securely transmit and share encryption keys among multiple users of a system.

A basic principle behind encrypting stored data is that it must not interfere with access control. For example, a user who has SELECT privilege on EMP should not be limited by the encryption mechanism from seeing all the data he is otherwise allowed to see. Similarly, there is little benefit to encrypting (for example) part of a table with one key and part of a table with another key if users need to see all encrypted data in the table; it merely adds to the overhead of decrypting data before users can read it. Provided that access controls are implemented well, there is little additional security provided within the database itself from encryption; any user who has privilege to access data within the database has no more nor less privilege as a result of encryption. Therefore, encryption should never be used to solve access control problems.

Issue 2: DBAs can access all data

Some organizations are concerned that database administrators (DBAs), because they typically have all privileges, are able to see all data in the database. These organizations feel that the DBAs should merely administer the database, but should not be able to see the data that the database contains. Some organizations are also concerned about the concentration of privilege in one person, and would prefer to partition the DBA function, or enforce two-person rules.

It's tempting to think that encrypting all data (or significant amounts of data) will solve the above problems, but there are better ways to accomplish these objectives. First of all, Oracle does support limited partitioning of DBA privilege. Oracle9i provides native support for SYSDBA and SYSOPER users. SYSDBA has all privileges, but SYSOPER has a limited privilege set (e.g. startup and shutdown of the database). Furthermore, an organization can create smaller roles encompassing a number of system privileges. A JR_DBA role might not include all system privileges, but only those appropriate to a more junior database administrator (such as CREATE TABLE, CREATE USER, etc.). Oracle does not audit the actions taken by SYS (or SYS-privileged users) but does audit startup and shutdown of the database in the operating system records.

Page 5 - Database Encryption in Oracle9i - February 2001

Furthermore, the DBA function by its nature is a trusted position. Even organizations with the most sensitive data such as intelligence agencies do not typically partition the DBA function. Instead, they vet their DBAs strongly, because it is a position of trust.

Encryption of stored data must not interfere with the administration of the database, or larger security issues can result than you were attempting to address with encryption. For example, if by encrypting data you corrupt the data, you've created a security problem: data is not meaningful and may not be recoverable. Encryption can be used to mitigate the ability of a DBA or other privileged user to see data in the database, but it is not a substitute for vetting a DBA properly, or for limiting the use of powerful system privileges. If an untrustworthy user has significant privilege, there are multiple threats he can pose to an organization, which may be far more significant than viewing unencrypted credit card numbers.

Issue 3: Encrypting everything does not make data secure

It's a pervasive tendency to think that if storing some data encrypted strengthens security, then encrypting everything makes all data secure. We've already seen why encryption does not address access control issues well. Consider the implications of encrypting an entire production database. All data must be decrypted to be read, updated, or deleted, and, as discussed earlier, the encryption must not interfere with normal access controls. Encryption is innately a performance-intensive operation; encrypting all data will significantly affect performance. Availability is a key aspect of security and if, by encrypting data, you make data unavailable, or the performance adversely affects availability, you have created a new security problem. Encryption keys must be changed regularly as part of good security practice, which necessitates that the database be inaccessible while the data is being decrypted and re-encrypted with a new key or keys. This also adversely affects availability.

While encrypting all or most data in a production database is clearly a problem, there may be advantages to encrypting data stored off-line. For example, an organization may store backups for a period of six months to a year off-line, in a remote location. Of course, the first line of protection is to secure the data in a facility to which access is controlled, a physical measure. However, there may be a benefit to encrypting this data before it is stored, and since it is not being accessed on-line, performance need not be a consideration. While Oracle9i does not provide this facility, there are vendors who can provide such encryption services. Organizations considering this should thoroughly test that data (that is encrypted before off-line storage) can be decrypted and re-imported successfully before embarking on large-scale encryption of backup data.

SOLUTIONS FOR STORED DATA ENCRYPTION IN ORACLE

Oracle9i Data Encryption Capabilities

While there are many security threats that encryption cannot address well, it is clear that one can obtain an additional measure of security by selectively encrypting sensitive data before storage in the database. Examples of such data could include:

- credit card numbers
- national identity numbers
- passwords for applications whose users are not database users

To address the above needs, Oracle8i (release 8.1.6) introduced a PL/SQL package to encrypt and decrypt stored data. The package, DBMS_OBFUSCATION_TOOLKIT, is provided in both Standard Edition and Enterprise Edition Oracle9i. The package is documented in the Oracle9i Supplied PL/SQL Packages Reference Guide.

The package currently supports bulk data encryption using the Data Encryption Standard (DES) algorithm, and includes procedures to encrypt (DESEncrypt) and decrypt (DESDecrypt) using DES. The package does not currently support the Advanced Encryption Standard, the successor algorithm to DES, though this is planned for a future release of Oracle9i.

Key management is programmatic, that is, the application (or caller of the function) has to supply the encryption key, which means that the application developer has to find a way of storing and retrieving keys securely. The relative strengths and weaknesses of various key management techniques are discussed later in this paper. The DBMS_OBFUSCATION_TOOLKIT package, which can handle both string and raw data, requires the submission of a 64-bit key. The DES algorithm itself has an effective key length of 56 bits. The DBMS_OBFUSCATION_TOOLKIT package is granted to PUBLIC by default.

Oracle has added support for triple DES (3DES) encryption in Oracle8i release 8.1.7. The DBMS_OBFUSCATION_TOOLKIT package includes additional functions to encrypt and decrypt using 2-key and 3-key 3DES, in outer cipher-block-chaining mode. They will require key lengths of 128 and 192 bits, respectively.

Oracle8i release 8.1.7 also added support for cryptographic checksumming using the MD5 algorithm (using the MD5 procedure of the DBMS_OBFUSCATION_TOOLKIT package). Cryptographic checksums can ensure data integrity; that is, that data has not been tampered with. For example, an organization concerned that users not change salary values randomly could store a checksum of salary values in a separate table. Only users changing the salary through an application (e.g. through executing a procedure) would also have the privileges to insert a checksum for the new salary into a salary audit table.

Partner Applications

Organizations seeking a more robust implementation of encrypting stored data in the Oracle database can consider a product offering from Oracle partners such as Protegrity. Protegrity has provided database encryption capabilities since Oracle8. In the Protegrity solution, key management is automatic. There are multiple customers using it in production who are happy with the functionality.

Performance may be an issue in the Protegrity product, depending on how much data the customer wants to encrypt. Since Protegrity has built their solution using the extensibility features of the server, their data cartridge does not run in the server address space, and thus does not perform as well as a native implementation of encryption in Oracle would. The tradeoff of more automatic key management may well be worth it for Oracle customers, however.

CHALLENGES OF ENCRYPTION

This paper has already discussed why encryption should not be used to address threats better addressed by access control mechanisms, and some of the reasons why encryption is not a security cure-all. Even in cases where encryption can provide additional security, it is not without technical challenges, as described in the following sections.

Encrypting Indexed Data

Special difficulties arise in handling encrypted data which is indexed. For example, suppose a company uses national identity number (e.g. U.S. Social Security Number (SSN)) as the employee number for its employees. The company considers employee numbers to be very sensitive data, and the

  • 8/8/2019 DOEACC NOTES

    15/52

    companytherefore wants to encrypt data in the EMPLOYEE_NUMBER column of the EMPLOYEEStable.Since EMPLOYEE_NUMBER contains unique values, the database designers want to have anindex

    on it for better performance.If the DBMS_OBFUSCATION_TOOLKIT (or another mechanism) is used to encrypt data in acolumn, then an index on that column will also contain encrypted values. While the index canstill beused for equality checking (i.e. SELECT * FROM emp WHERE employee_number =123245), theindex is essentially unusable for other purposes. Oracle therefore recommends that developersnotencrypt indexed data (and in fact, we do not support encrypting indexed data).In the above example, a company that wants to encrypt social security number (or nationalidentity

    number) could create an alternate unique identifier for its employees, create an index on thisemployeenumber, but retain the employee number in clear text. The national identity number could be aseparatecolumn, and the values encrypted therein by an application, which would also handle decryptionappropriately. The national identity number could be obtained when necessary, but would not beused asa unique number to identify employees.Given the privacy issues associated with overuse of national identity numbers (for example,identitytheft), the fact that some allegedly unique national identity numbers have duplicates (US SocialSecurityNumbers), and the ease with which a sequence can generate a unique number, there are manygoodreasons to avoid using national identity numbers as unique IDs.Binary Large Objects (BLOBS)Certain datatypes require more work to encrypt. For example, Oracle supports storage of binarylargeobjects (BLOBs), which lets users store very large objects (e.g. gigabytes) in the database. ABLOBcan be either stored internally as a column, or stored in an external file.To use the DBMS_OBFUSCATION_TOOLKIT, the user would have to split the data into32767character chunks (the maximum that PL/SQL allows) and then would have to encrypt the chunkandappend it to the BLOB. To decrypt, the same procedure would have to be followed in reverse.________________________________________Page 8Database Encryption in Oracle9I6
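As an added example (my own illustration, not code from Oracle or from this paper) for the two toolkit limits just described, the 8-byte DES block and the 32767-byte PL/SQL variable, and for the MD5 checksum idea earlier in this section, the following Python shows how a BLOB would be cut into pieces the toolkit accepts and how a checksum kept in a separate table lets a reader detect a changed value. The padding rule and the 32760-byte chunk size are this example's own choices: 32767 is not a multiple of 8, so a full 32767-byte chunk would itself trip the "not a multiple of 8 bytes" error handled in Appendix A.

```python
import hashlib
import hmac

DES_BLOCK = 8
PLSQL_MAX = 32767                            # largest PL/SQL string/RAW the text cites
CHUNK = PLSQL_MAX - PLSQL_MAX % DES_BLOCK    # 32760: largest 8-aligned size that fits


def pad(block: bytes) -> bytes:
    """Pad to a whole number of DES blocks (PKCS#5 style: always 1..8 bytes, each
    equal to the pad length, so unpad is unambiguous). Padding is this example's
    own choice; the toolkit itself only reports ORA-28232 for misaligned input."""
    n = DES_BLOCK - len(block) % DES_BLOCK
    return block + bytes([n]) * n


def unpad(block: bytes) -> bytes:
    n = block[-1] if block else 0
    if not 1 <= n <= DES_BLOCK or block[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return block[:-n]


def split_blob(blob: bytes) -> list:
    """Cut a BLOB into pieces each of which the toolkit would accept: a multiple
    of 8 bytes and at most PLSQL_MAX bytes. Only the final piece is padded; a
    final piece that is already full gets an extra all-padding piece."""
    chunks = [blob[i:i + CHUNK] for i in range(0, len(blob), CHUNK)]
    if not chunks or len(chunks[-1]) == CHUNK:
        chunks.append(pad(b""))
    else:
        chunks[-1] = pad(chunks[-1])
    return chunks


def join_blob(chunks: list) -> bytes:
    """Reverse of split_blob (the decrypt path: decrypt each piece, then join)."""
    return b"".join(chunks[:-1]) + unpad(chunks[-1])


def md5_checksum(blob: bytes) -> str:
    """Stand-in for the toolkit's MD5 procedure. Stored in a separate table that
    only the application's procedure may write, it lets readers detect tampering."""
    return hashlib.md5(blob).hexdigest()


def verify_checksum(blob: bytes, stored: str) -> bool:
    # constant-time comparison, so the check itself leaks nothing about the digest
    return hmac.compare_digest(md5_checksum(blob), stored)
```

The checksum scheme protects integrity only as far as the privilege separation the paper describes holds: whoever can rewrite the checksum row can also hide a change. MD5 is used here because it is what the toolkit offered in 2001; a current deployment would use a SHA-2 digest or, better, a keyed MAC.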


Key Management
Key management, including both generation of and secure storage of cryptographic keys, is arguably one of the most important aspects of encryption. If keys are poorly chosen or stored improperly, then it is far easier for an attacker to break the encryption. Rather than using a brute force attack (that is, cycling through all the possible keys in hopes of finding the correct decryption key), cryptanalysts often seek weaknesses in the choice of keys, or the way in which keys are stored.

Key generation is an important aspect of encryption. Typically, keys are generated automatically through a random-number generator, from a cryptographic seed. Provided that the random number generation is sufficiently strong, this can be a secure form of key generation. However, if random numbers are not well-formed, but have elements of predictability, the security of the encryption may be easily compromised. Netscape had a well-publicized vulnerability in their SSL implementation several years ago when it was discovered that two of the three elements of their random number generation were not random (e.g. machine serial number and time of day). The encryption key for SSL sessions had an effective key length of 9 bits, rather than the advertised 40 bits, because of the weakness of the key generation. An SSL session key could be easily broken, not because the encryption algorithm was weak, but because the key was easily derived.

To address the issue of secure cryptographic key generation, Oracle9i adds support for secure random number generation, the GetKey procedure of the DBMS_OBFUSCATION_TOOLKIT. The GetKey procedure calls the secure random number generator (RNG) that has previously been certified against the Federal Information Processing Standard (FIPS)-140 as part of the Oracle Advanced Security FIPS-140 evaluation.

Developers should not use the DBMS_RANDOM package. The DBMS_RANDOM package generates pseudo-random numbers; as RFC-1750 states, "The use of pseudo-random processes to generate secret quantities can result in pseudo-security."

Key Transmission
If the key is to be passed by the application to the database, then it must be encrypted. Otherwise, a snooper could grab the key as it is being transmitted. Use of network encryption, such as that provided by Oracle Advanced Security, will protect all data in transit from modification or interception, including cryptographic keys.

Key Storage
Key storage is one of the most important, yet difficult, aspects of encryption. To recover data encrypted with a symmetric key, the key must be accessible to the application or user seeking to decrypt data. The key needs to be easy enough to retrieve that users can access encrypted data, without significant performance degradation. The key needs to be secure enough that it is not easily recoverable by someone trying to maliciously access encrypted data he is not supposed to see.

The three basic options available to a developer are:
- store the key in the database
- store the key in the operating system
- have the user manage the key

Storing the keys in the database cannot always provide bullet-proof security if you are trying to protect data against the DBA accessing encrypted data (since an all-privileged DBA could access tables containing encryption keys), but it can often provide quite good security against the casual snooper, or against someone compromising the database file on the operating system.

As a trivial example, suppose you create a table (EMP) that contains employee data. You want to encrypt each employee's Social Security Number (one of the columns). You could encrypt each employee's SSN using a key which is stored in a separate column. However, anyone with SELECT access on the entire table could retrieve the encryption key and decrypt the matching SSN.

While this encryption scheme seems easily defeatable, with a little more effort you can create a solution that is much harder to break. For example, you could encrypt the SSN using a technique that performs some additional data transformation on the employee_number before using it to encrypt the SSN, something as simple as XORing the employee_number with the employee's birthdate, for example.

As additional protection, a PL/SQL package body performing encryption can be wrapped (using the wrap utility), which obfuscates the code so that the package body cannot be read. For example, putting the key into a PL/SQL package body and then wrapping it makes the package body, including the embedded key, unreadable to the DBA and others. A developer could wrap a package body called KEYMANAGE as follows:

wrap iname=/mydir/keymanage.sql

A developer can then have a function in the package call the DBMS_OBFUSCATION_TOOLKIT with the key contained in the wrapped package.

While wrapping is not unbreakable, it makes it harder for a snooper to get the key. To make it even harder, the key could be split up in the package and then have the procedure re-assemble it prior to use. Even in cases where a different key is supplied for each encrypted data value, so that the value of the key is not embedded within a package, wrapping the package that performs key management (i.e. data transformation or padding) is recommended. Additional information about the Wrap Utility is available in the PL/SQL User's Guide and Reference.

An alternative would be to have a separate table in which to store the encryption key, and envelope the call to the keys table with a procedure. The key table can be joined to the data table using a primary key-foreign key relationship; for example, EMPLOYEE_NUMBER is the primary key in the EMPLOYEES table, that stores employee information and the encrypted SSN. EMPLOYEE_NUMBER is a foreign key to the SSN_KEYS table, that stores the encryption keys for each employee's SSN. The key stored in the SSN_KEYS table can also be transformed before use (i.e. through XORing), so the key itself is not stored unencrypted. The procedure itself should be wrapped, to hide the way in which keys are transformed before use.

The strengths of this approach are:
- users who have direct table access cannot see the sensitive data unencrypted, nor can they retrieve the keys to decrypt the data
- access to decrypted data can be controlled through a procedure that selects the (encrypted) data, retrieves the decryption key from the key table, and transforms it before it can be used to decrypt the data
- the data transformation algorithm is hidden from casual snooping by wrapping the procedure, which obfuscates the procedure code
- SELECT access to both the data table and the keys table does not guarantee that the user with this access can decrypt the data, because the key is transformed before use

The weakness in this approach is that a user who has SELECT access to both the key table and the data table, who can derive the key transformation algorithm, can break the encryption scheme.

The above approach is not bullet-proof, but it is good enough to protect against easy retrieval of sensitive information stored in clear (e.g. credit card numbers).

Storing keys in the operating system (e.g. in a flat file) is another option. Oracle9i allows you to make callouts from PL/SQL, which you could use to retrieve encryption keys. However, if you store keys in the operating system (O/S) and make callouts to it, then your data is only as secure as the protection on the O/S. If your primary security concern driving you to encrypt data stored in the database is that the database can be broken into from the operating system, then storing the keys in the operating system arguably makes it easier for a hacker to retrieve encrypted data than storing the keys in the database itself.

Having the user supply the key assumes the user will be responsible with the key. Consider that 40% of help desk calls are from users who have forgotten passwords, and you can see the risks of having users manage encryption keys. In all likelihood, users will either forget an encryption key, or write the key down, which then creates a security weakness. If a user forgets an encryption key or leaves the company, then your data is unrecoverable.

If you do elect to have user-supplied or user-managed keys, then you need to make sure you are using network encryption so the key is not passed from client to server in the clear. You also must develop key archive mechanisms, which is also a difficult security problem. Arguably, key archives or backdoors create the security weaknesses that encryption is attempting to address in the first place.

Changing Encryption Keys
Prudent security practice dictates that you periodically change encryption keys. For stored data, this requires periodically unencrypting the data, and reencrypting it with another well-chosen key. This would likely have to be done while the data is not being accessed, which creates another challenge, especially so for a web-based application encrypting credit card numbers, since you do not want to bring the entire application down while you switch encryption keys.
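The key-table design from the Key Storage section (EMPLOYEES joined to SSN_KEYS, key transformed before use, decryption only through an enveloping procedure) and the key-rotation problem just raised, as one added Python example. This is my illustration, not Oracle's code: DESEncrypt/DESDecrypt are replaced by a stand-in XOR-keystream cipher so the logic runs offline, the two tables are dicts, GetKey is played by the operating system's CSPRNG, and the transformation is the birthdate XOR the text suggests (birthdate format 'YYYYMMDD' is assumed). The key_version column, which lets rows be re-encrypted one at a time while the application keeps running, is this example's addition.

```python
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Stand-in for DESEncrypt/DESDecrypt so the example runs without Oracle:
    keystream = SHA-256(key || block counter), XORed over the data. Not a real
    cipher; it is only acceptable here because every row gets its own key, so a
    keystream is never reused."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out += xor_bytes(data[off:off + 32], ks)
    return bytes(out)


toy_decrypt = toy_encrypt      # XOR with the same keystream undoes itself


def generate_des_key() -> bytes:
    """Plays the role of GetKey: 8 bytes from the OS CSPRNG (never a PRNG such as
    DBMS_RANDOM), with the DES convention of odd parity in every byte; the 8
    parity bits are why a 64-bit DES key has only 56 effective bits."""
    key = bytearray(secrets.token_bytes(8))
    for i, b in enumerate(key):
        if bin(b).count("1") % 2 == 0:
            key[i] ^= 1
    return bytes(key)


def transform_key(stored_key: bytes, birthdate: str) -> bytes:
    """The transformation the text suggests: XOR the stored key with an attribute
    of the employee row (birthdate as 'YYYYMMDD', an assumed format). In Oracle
    this rule would sit in a wrapped PL/SQL procedure so that it is not visible."""
    if len(birthdate) != 8:
        raise ValueError("birthdate must be 8 characters")
    return xor_bytes(stored_key, birthdate.encode("ascii"))


class SsnStore:
    """EMPLOYEES holds the encrypted SSN plus the version of the key used;
    SSN_KEYS holds one stored (untransformed) key per employee and version."""

    def __init__(self):
        self.employees = {}   # empno -> {"birthdate", "ssn_enc", "key_version"}
        self.ssn_keys = {}    # (empno, key_version) -> stored key

    def store_ssn(self, empno: int, birthdate: str, ssn: str):
        stored = generate_des_key()
        self.ssn_keys[(empno, 1)] = stored
        self.employees[empno] = {
            "birthdate": birthdate, "key_version": 1,
            "ssn_enc": toy_encrypt(transform_key(stored, birthdate), ssn.encode())}

    def get_ssn(self, empno: int) -> str:
        """The enveloping procedure: select the row, fetch the matching key,
        transform it, then decrypt. Only callers of this procedure see clear text."""
        row = self.employees[empno]
        stored = self.ssn_keys[(empno, row["key_version"])]
        return toy_decrypt(transform_key(stored, row["birthdate"]), row["ssn_enc"]).decode()

    def rotate_key(self, empno: int) -> int:
        """Re-encrypt one row under a fresh key. Because each row records its own
        key version, rows can be rotated one at a time while the application
        keeps reading; in Oracle the three writes below would be one transaction."""
        ssn = self.get_ssn(empno)
        row = self.employees[empno]
        new_version = row["key_version"] + 1
        stored = generate_des_key()
        self.ssn_keys[(empno, new_version)] = stored
        row["ssn_enc"] = toy_encrypt(transform_key(stored, row["birthdate"]), ssn.encode())
        row["key_version"] = new_version
        del self.ssn_keys[(empno, new_version - 1)]
        return new_version


def decrypt_with_raw_stored_key(store: SsnStore, empno: int) -> bytes:
    """What a user with SELECT on both tables but no access to the wrapped
    transformation gets: the stored key alone does not decrypt the column."""
    row = store.employees[empno]
    stored = store.ssn_keys[(empno, row["key_version"])]
    return toy_decrypt(stored, row["ssn_enc"])
```

The weakness the paper names survives unchanged here: a reader of both tables who also learns the transformation (by unwrapping the procedure, or by guessing that a birthdate XOR is in play) recovers the effective key. Per-row keys and a version column do nothing against that; they only make rotation incremental and keep an attacker who obtains one key from reading every row.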

SUMMARY
The growth of e-business necessitates that some especially sensitive information be stored in encrypted form. While encryption cannot address all security threats, the selective encryption of stored data can add to the security of a well-implemented application that uses a well-configured Oracle9i database. Oracle9i provides native encryption capabilities that enable application developers to provide additional measures of data security through selective encryption of stored data.

Appendix A
ENCRYPTION EXAMPLE
Following is a sample PL/SQL program to encrypt data. Segments of the code are numbered and contain narrative text explaining portions of the code.

DECLARE
    input_string        VARCHAR2(16) := 'tigertigertigert';
    key_string          VARCHAR2(8)  := 'scottsco';
    encrypted_string    VARCHAR2(2048);
    decrypted_string    VARCHAR2(2048);
    error_in_input_buffer_length EXCEPTION;
    PRAGMA EXCEPTION_INIT(error_in_input_buffer_length, -28232);
    INPUT_BUFFER_LENGTH_ERR_MSG VARCHAR2(100) :=
        '*** DES INPUT BUFFER NOT A MULTIPLE OF 8 BYTES ***';
BEGIN
    -- 1. Test string data encryption and decryption.
    --    The interface for encrypting raw data is similar.
    dbms_output.put_line('> ========= BEGIN TEST =========');
    dbms_output.put_line('> Input String : ' || input_string);
    BEGIN
        dbms_obfuscation_toolkit.DESEncrypt(
            input_string     => input_string,
            key_string       => key_string,
            encrypted_string => encrypted_string);
        dbms_output.put_line('> Encrypted string : ' || encrypted_string);
        -- decryption uses the same 8-byte key string
        dbms_obfuscation_toolkit.DESDecrypt(
            input_string     => encrypted_string,
            key_string       => key_string,
            decrypted_string => decrypted_string);
        dbms_output.put_line('> Decrypted output : ' || decrypted_string);
        dbms_output.put_line('> ');
        IF input_string = decrypted_string THEN
            dbms_output.put_line('> DES Encryption and Decryption successful');
        END IF;
    EXCEPTION
        -- ORA-28232: the input is not a whole number of 8-byte DES blocks
        WHEN error_in_input_buffer_length THEN
            dbms_output.put_line('> ' || INPUT_BUFFER_LENGTH_ERR_MSG);
    END;
END;
/

Posted by DOEACC NOTES at 2:39 AM

    OODBMS - Object Oriented Analysis and Design(OOAD)

    January-2004 [29]

1.c) State the difference between persistent and transient objects. How is persistence handled in Object Oriented (OO) database systems? [4]

A) 1. Transient objects are temporary in nature. An object which is permanent in nature, i.e. which exists till the end of the program or remains active until the accidental termination of the program, is called a persistent object. Objects of any other nature are transient objects.
2. Transient object: cannot be serialized; its value is not persistent and it is stored in the heap.
Persistent object: can be serialized; its value is persistent, as the name implies, and it is stored in memory.

3. A superclass PersistentObject encapsulates the mechanisms for an object of any class to store itself in, or retrieve itself from, a database. This superclass implements operations to get an object by object identifier, to store, delete and update objects, and to iterate through a set of objects (write and read operations). Each persistent class could be responsible for its own storage.
For each business class that needs to be persistent, there will be an associated database broker class. The broker class provides the mechanisms to materialize objects from the database and dematerialize them back to the database. The database broker object is responsible for: materialising objects, dematerialising objects, caching objects.
Application classes are insulated from storage. This allows migration of storage sub-systems, e.g. implementation on an existing relational system; application programs are unaffected by the change.
Objects can be cached for efficiency. The cache is a collection maintained by the database broker. When an object is requested, the cache is searched first. If the object sought is not in the cache it is materialised by the database broker from the database.
To manage transactions, we need to keep track of all changes made by a transaction, in case the transaction is aborted before it completes execution (and commits all its changes). Multiple caches can be used for transaction management:
- new clean cache: newly created objects
- new dirty cache: newly created objects that have been amended
- new delete objects: newly created objects that have been deleted
- old clean cache: objects retrieved from the database
- old dirty cache: retrieved objects that have been amended
- old delete objects: retrieved objects that have been deleted

d) How are relationships represented in the Object Oriented (OO) data model? Discuss also the importance of inverse references in the Object Oriented (OO) data model. [4]
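The database-broker design from the answer to 1.c above (a PersistentObject superclass, a broker that materialises on a cache miss, and the six transaction caches), as an added Python example placed here before the answer to 1.d. It is my illustration, not code from any particular OODBMS: the database is simulated by a dict of rows, and the cache names are the six listed in the answer.

```python
class PersistentObject:
    """Superclass for anything the broker can store: an object id plus a dict of
    attribute values (assumed shape for this example)."""

    def __init__(self, oid, **attrs):
        self.oid = oid
        self.attrs = dict(attrs)


class DatabaseBroker:
    """Materialises objects from a simulated database and dematerialises them
    back, keeping the six transaction caches described in the answer above."""
    CACHES = ("new_clean", "new_dirty", "new_deleted",
              "old_clean", "old_dirty", "old_deleted")

    def __init__(self, database):
        self.db = database          # oid -> attrs; stands in for the real store
        self.db_reads = 0           # counts cache misses that reached the database
        self._reset_caches()

    def _reset_caches(self):
        self.caches = {name: {} for name in self.CACHES}

    def _find(self, oid):
        for name, cache in self.caches.items():
            if oid in cache:
                return name, cache[oid]
        return None, None

    def materialise(self, oid):
        """Cache first; only go to the database on a miss."""
        name, obj = self._find(oid)
        if obj is not None:
            if name.endswith("deleted"):
                raise KeyError(f"object {oid} was deleted in this transaction")
            return obj
        self.db_reads += 1
        obj = PersistentObject(oid, **self.db[oid])
        self.caches["old_clean"][oid] = obj
        return obj

    def create(self, obj):
        self.caches["new_clean"][obj.oid] = obj

    def update(self, oid, **changes):
        name, obj = self._find(oid)
        if obj is None:
            obj, name = self.materialise(oid), "old_clean"
        if name.endswith("deleted"):
            raise KeyError(f"object {oid} was deleted in this transaction")
        obj.attrs.update(changes)
        if name in ("new_clean", "old_clean"):          # clean -> dirty
            target = "new_dirty" if name == "new_clean" else "old_dirty"
            self.caches[target][oid] = self.caches[name].pop(oid)

    def delete(self, oid):
        name, obj = self._find(oid)
        if obj is None:
            obj, name = self.materialise(oid), "old_clean"
        if name.endswith("deleted"):
            return
        target = "new_deleted" if name.startswith("new") else "old_deleted"
        self.caches[target][oid] = self.caches[name].pop(oid)

    def commit(self):
        """Dematerialise: write every recorded change to the database, then
        empty the caches. new_deleted objects never reached the database."""
        for name in ("new_clean", "new_dirty", "old_dirty"):
            for oid, obj in self.caches[name].items():
                self.db[oid] = dict(obj.attrs)
        for oid in self.caches["old_deleted"]:
            del self.db[oid]
        self._reset_caches()

    def abort(self):
        """Nothing was written before commit, so dropping the caches undoes all."""
        self._reset_caches()
```

Because the broker defers every write to commit, abort costs nothing; the price is that a second transaction cannot see uncommitted changes, which is the isolation the answer's separate caches are there to provide.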

"For data to be useful in providing information, they need to be organized so that they can be processed effectively. In data modelling we try to organize data so that:
- they represent as closely as possible the real world
- they are amenable to representation by computers."

Components of a data model
Data models (Figure 2.1) have been introduced to help software developers to achieve these two potentially conflicting requirements. As stated by E.F. Codd in his 1981 Turing Award Lecture, "A data model is a combination of at least three components:
- a set of data structure types,
- a collection of operators which can be applied to any instance of the data types, to retrieve, derive or modify data from any part of those structures in any combination desired,
- a set of integrity rules, which define the consistent database states - these rules are general in the sense that they apply to any database using the model."

Design advantage
A data model provides the designer and the programmer with substantial advantages: the detailed data design makes use of a few building blocks, and the manipulation of data is performed by a few operators that are the same for all data structures.
The Entity-Relationship (ER) model views the world as consisting of entities and relationships between them, where
- an entity is a "thing" that can be distinctly identified, e.g. a chamber, a wire, a point, a track, a vertex, etc.,
- a relationship is an association between entities, e.g. point belongs to track is an association between a point and a track.

Entity sets
The information about an entity is expressed by several (Attribute, Value) pairs. For example a single point could be:
( X, 0.56 )
( Y, 10.75 )
( Z, 29.14 )
where X is the attribute and 0.56 is its value, etc. An Entity Set (ESet) is a set of entities defined by the same attributes. Figure 2.2 shows an example of an ESet called Point with four entities and with attributes X, Y, Z.
The complete data model for a high energy physics experiment is large, containing many entity sets. In designing such a model it is useful to display it pictorially, particularly the entity sets and the relationships between them. Such a picture is called an Entity Relationship Diagram.

    Small ER diagramFigure 2.3 presents a small section of such an ER diagram showing the entity sets Point andTrack.The ESet Point is the same as in Figure 2.2. Track has 8 attributes: the 3 components ofthe momentum and their errors and the rank and file coordinates (Rhit and Fhit) of the point atwhich the track strikes the calorimeter.The relationship between these two ESets is expressed by the arrow joining the two entity sets:the double headed arrow shows a many-to-one relationship (many points may lie on one track),while the vertical bar shows that not all points are related to a track (some points may not lie on atrack).

    Representing one-to-one relationships and partialityA one-to-one relationship is represented by a single-headed arrow. Partiality, i.e. having at leastone entity in an ESet not related to another entity via the relationship, is represented by a verticalbar on the end of the arrow corresponding to the ESet in question.

    Types of relationshipsThe cardinality of an ESet with respect to a relationship is the range of the number of entities thata single entity in the ESet can be related to. The lower bound of the range is called the minimumcardinality and the upper bound is called the maximum cardinality. These will be referred to asCardMin and CardMax respectively.

    Examples of cardinalitiesIn ER diagrams, only 3 cases are generally of interest: 0, 1 or * (many). Example: ConsiderESets Track and Cluster.

    The cardinality of Track with respect to the relationship is [0,1]: CardMin is 0 because sometracks do not contribute to any cluster. CardMax is 1 because a given track may only contributeto one cluster.


The cardinality of Cluster with respect to the relationship is [0,*]: CardMin is 0 because some clusters are not associated to known tracks. CardMax is * because a cluster generally results from several tracks.

Possible cardinality values
The possible cardinalities of an ESet with respect to a relationship are [0,1], [1,1], [0,*] and [1,*]. Since ADAMO allows one-to-one and many-to-one but neither one-to-many nor many-to-many relationships, only one of any two ESets may have CardMax = * with respect to the same relationship. This implies 8 possible types of relationships, which are shown in Figure 2.4.

    Many-to-many relationshipsBy symmetry, a one-to-many relationship may always be modelled as a many-to-onerelationship. Sometimes relationships can be many-to-many. An example would be if a singlepoint could lie on more than one track, e.g. in a region where tracks cross. Such many-to-manyrelationships are not explicitly supported in ADAMO but must be broken down into two many-to-one relationships and an intermediate entity set.

    Intermediate ESetThe intermediate ESet need not have any attributes, its only purpose is to support the tworelationships.

Example
Figure 2.8 shows the ER diagram and corresponding tables of a simple many-to-many relationship. The case modelled is that of the point with ID 5 being also the intersection point of the tracks with ID 1 and 2. Note that since the point with ID 4 does not lie on any track there is no reference to it in the table TrackPt.

A complete ER diagram
Shown in Figure 2.5 is the complete ER diagram of the example used in this guide. Included in the model is a calorimeter consisting of cells that are capable of making energy measurements. An algorithm may group adjacent cells with energy deposits above given thresholds into clusters. Tracks may originate from secondary vertices. More than one track may hit a given cluster but a track need not produce a cluster (it could miss the calorimeter). A track may not produce more than one cluster and a cluster need not have a track pointing to it (a neutral cluster).
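The Figure 2.8 case (point 5 lying on tracks 1 and 2, point 4 on no track) as an added, runnable example: the many-to-many relationship between Point and Track is broken into two many-to-one relationships through the attribute-less intermediate ESet TrackPt, each of them a foreign key. This is my illustration using Python's built-in sqlite3 as a stand-in for ADAMO's tables; the coordinate values other than the first point's are constructed.

```python
import sqlite3


def build_track_point_schema() -> sqlite3.Connection:
    """Point and Track are the two ESets. TrackPt is the intermediate ESet: it
    carries no attributes of its own, only one many-to-one relationship to Track
    and one to Point, so a point may lie on several tracks and vice versa."""
    con = sqlite3.connect(":memory:", isolation_level=None)
    con.execute("PRAGMA foreign_keys = ON")     # SQLite enforces FKs only when asked
    con.executescript("""
        CREATE TABLE Point (id INTEGER PRIMARY KEY, x REAL, y REAL, z REAL);
        CREATE TABLE Track (id INTEGER PRIMARY KEY, px REAL, py REAL, pz REAL);
        CREATE TABLE TrackPt (
            id    INTEGER PRIMARY KEY,
            track INTEGER NOT NULL REFERENCES Track(id),
            point INTEGER NOT NULL REFERENCES Point(id),
            UNIQUE (track, point)      -- a point is on a given track at most once
        );
    """)
    return con


def load_example(con):
    """Constructed sample mirroring the text: point 5 is the crossing point of
    tracks 1 and 2; point 4 lies on no track (the relationship is partial)."""
    con.executemany("INSERT INTO Point VALUES (?, ?, ?, ?)", [
        (1, 0.56, 10.75, 29.14), (2, 1.10, 11.02, 30.40), (3, -0.30, 9.80, 28.90),
        (4, 5.00, 5.00, 5.00), (5, 2.00, 12.00, 31.00)])
    con.executemany("INSERT INTO Track VALUES (?, ?, ?, ?)",
                    [(1, 0.4, 0.9, 2.1), (2, -0.2, 0.8, 2.0)])
    con.executemany("INSERT INTO TrackPt (track, point) VALUES (?, ?)",
                    [(1, 1), (1, 2), (1, 5), (2, 3), (2, 5)])


def link_point_to_track(con, track_id: int, point_id: int) -> bool:
    """Insert one relationship entity. False when a foreign key or the UNIQUE
    rule rejects it: the schema, not the application, keeps the model consistent."""
    try:
        con.execute("INSERT INTO TrackPt (track, point) VALUES (?, ?)",
                    (track_id, point_id))
        return True
    except sqlite3.IntegrityError:
        return False


def tracks_of_point(con, point_id: int) -> list:
    rows = con.execute("SELECT track FROM TrackPt WHERE point = ? ORDER BY track",
                       (point_id,))
    return [r[0] for r in rows]


def unreferenced_points(con) -> list:
    """Points no TrackPt entity refers to (the CardMin = 0 side of the relationship)."""
    rows = con.execute("""SELECT p.id FROM Point p
                          WHERE NOT EXISTS (SELECT 1 FROM TrackPt t WHERE t.point = p.id)
                          ORDER BY p.id""")
    return [r[0] for r in rows]


def observed_cardinality(con) -> tuple:
    """(CardMin, CardMax) of Point with respect to the relationship, as seen in the data."""
    rows = con.execute("""SELECT COUNT(t.id) FROM Point p
                          LEFT JOIN TrackPt t ON t.point = p.id GROUP BY p.id""")
    counts = [r[0] for r in rows]
    return min(counts), max(counts)
```

Note that with foreign keys switched on, a TrackPt row pointing at a track that does not exist is rejected, which is exactly the "dangling reference" the intermediate ESet would otherwise allow.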

    Attribute of a relationshipA further algorithm associates tracks and clusters according to the calculated quantity Chisqwhich is a measure of how well the two match. Thus Chisq is an attribute of the relationshipbetween Track and Cluster and not of either one individually: it is shown hanging from therelationship arrow.

    Convenience considerationsThe attributes Rhit and Fhit of Track are really attributes of a relationship between Track andsome other ESet called perhaps Calorimeter. While this is strictly true it illustrates the point thatfrequently we produce a model that is convenient to use rather than one which is more logicallycorrect.

    Representing a key of an entity set


Finally, the * character on the attributes Rank and File in the ESet Cell indicates that a key is to be defined on these. ESet keys are used to identify individual entities in an ESet. The Data Definition Language (DDL) description of a data structure is a number of plain text DDL files written by the programmer. Experience suggests that it is wise to divide the model into sections known as subschemas (Section 2.6) of approximately 10 ESets in each and to have a separate DDL file for each subschema. This way, the ER diagram corresponding to a subschema will fit nicely on an A4 sheet of paper. The whole is known as the schema.

    Calorimeter subschemaThe subschema corresponding to the ER diagram of Section 2.5 is stored in the file calori.ddl andis shown in its entirety in Figure 3.2 to Figure 3.4. It contains the definitions of the entity sets,attributes, relationship sets, and dataflows that constitute the model. The order of definition is notimportant.

    Definition of ESetsEach box in the ER diagram corresponds to an entry in DEFINE ESET, e.g. Cluster. The

    definition of Cluster's four attributes is local to Cluster. Note that, in addition to the informationcontained in the ER diagram, the DDL also specifies data types and ranges of validity and allowsthe inclusion of comments.

Definition of attribute types
Attribute types may also be defined globally in a DEFINE ATTRIBUTE section. In this example, Coord is such an attribute type. The attributes X, Y and Z in both ESets Point and Vertex are then each defined as Coord.

    Definition of identifier keysThe identifier Number in the ESet Cell is defined in the KEY ... END KEY block and itcorresponds to the *s on the attributes in the ER diagram. This enables any entity in Cell to beuniquely identified by the values of the two attributes Rank and File. The key Number is alsoused to create an index (Figure 7.9) on Rank and File which will allow the table Cell to beaccessed according to the values of these two attributes.

f) What is versioning? Why is it important? [4]
Information, in whatever form (documents, spreadsheets, web pages, or source code), changes over time. Tracking the changes of a document over time is what a versioning system does. In particular, a versioning system records who made a specific change, it allows backing out undesirable changes, it gives the ability to record why a specific change was made, and it lets one know what the document contents were at a specific point in time. Versioning content is basically archiving the important versions of a document, so as to have control over changes over time.

4.c) A car rental company maintains a vehicle database for all vehicles in its current fleet. For all vehicles, it includes the vehicle identification number, license number, manufacturer, model, date of purchase and color. Special data are included for certain types of vehicles:
Trucks: cargo capacity
Sports cars: horse power, rental age requirement
Vans: number of passengers
Off-road vehicles: ground clearance, drivetrain (four or two wheel drive)
Construct an object oriented database schema definition for this database. Use inheritance wherever appropriate. [8]

5.b) Discuss with an example Chen-Chen methodology for object-oriented design. [9]

Chen's original method is the basis for many writings on ERDs. While the traditional aspects of entities and relationships are represented as boxes and lines (respectively), there are a number of unique attributes to his present method:
1. The cloud symbol represents aggregations of smaller ER diagrams, in the context of a logical design (as opposed to a physical design).
2. The double-box represents a weak entity, which is dependent on its parent entity. Note: Visio does not support this feature.
3. A diamond symbol represents a type of relationship.
4. Relationship adornments are added adjacent to the lines to indicate connectivity (1, M, N) and cardinality, e.g. "(0,3)".
5. The data-structure diagram (an alternate form of the ERD) uses arrows to show 1:M relationships.
6. Circles represent the attributes of an entity, although Visio labels this icon as "value".
7. A human figure represents a user icon.

July-2004 [32]
1.a) Under what circumstances is a relationship its own inverse? Explain. [4]
An inverse or negative relationship is a mathematical relationship in which one variable decreases as another increases. For example, there is an inverse relationship between education and unemployment; that is, as education increases, the rate of unemployment decreases.

    f) Class diagrams developed using Booch's methodology can serve as the functional specificationof a system. Justify whether this statement is true or false. [4]

The Booch software engineering methodology [Booch] provides an object-oriented development in the analysis and design phases. The analysis phase is split into steps. The first step is to establish the requirements from the customer perspective. This analysis step generates a high-level description of the system's function and structure. The second step is a domain analysis. The domain analysis is accomplished by defining object classes; their attributes, inheritance, and methods. State diagrams for the objects are then established. The analysis phase is completed with a validation step. The analysis phase iterates between the customer's requirements step, the domain analysis step, and the validation step until consistency is reached.


    Once the analysis phase is completed, the Booch software engineering methodology develops thearchitecture in the design phase. The design phase is iterative. A logic design is mapped to aphysical design where details of execution threads, processes, performance, location, data types,data structures, visibility, and distribution are established. A prototype is created and tested. Theprocess iterates between the logical design, physical design, prototypes, and testing.

    The Booch software engineering methodology is sequential in the sense that the analysis phase iscompleted and then the design phase is completed. The methodology is cyclical in the sense thateach phase is composed of smaller cyclical steps. There is no explicit priority setting nor a non-monotonic control mechanism. The Booch methodology concentrates on the analysis and designphase and does not consider the implementation or the testing phase in much detail.

    5.b) Explain the differences between triggers and integrity constraints. [6]A declarative integrity constraint is a statement about the database that is always true. Aconstraint applies to existing data in the table and any statement that manipulates the table.

    A trigger does not apply to data loaded before the definition of the trigger; therefore, it does not guarantee that all data in a table conforms to the rules established by an associated trigger.

    A trigger can be used to enforce transitional constraints, whereas a declarative integrity constraint cannot be used for that purpose.

    A trigger is a piece of code which gets executed automatically upon the occurrence of an event. It need not be meant for enforcing integrity. For example, you may want to save the user's information as soon as they make an entry into a particular table; this is achieved by means of a trigger.

    An integrity constraint defines basic rules for a table's columns. It will always be enforced, both for data that was in the table before the rule was added and for new data that will be added to the table in future. An integrity constraint defines a business rule for a table column which Oracle enforces automatically and internally. The integrity constraints are NOT NULL, UNIQUE, CHECK, PRIMARY KEY and FOREIGN KEY.

    A database trigger is a procedure written in PL/SQL that runs implicitly when data is modified or when some user or system actions occur. Triggers are database objects which are stored in the database and fire when an INSERT or UPDATE statement runs. When a statement attempts to violate an integrity rule, Oracle must roll back the statement and return an error. Database triggers are classified as BEFORE or AFTER, and as row-level or statement-level.

    Integrity constraints are proactive: they take the existing rows of a column into consideration before being placed on it. For example, if you impose a PRIMARY KEY on a column that already holds duplicate or null values, the constraint will refuse to be created on that column.

    Triggers are reactive: they react only when a DML statement occurs. Once a trigger is placed on a table it starts working from then on and never considers what happened before its arrival.

    Both are used to enforce business rules.

    January-2005 [50]

    1. Briefly explain the following:

    b) How do IS-A and HAS-A relationships help in developing object-oriented design? [4]

    In database design and object-oriented program architecture, has-a is a relationship where one object (often called the composited object) "belongs" to (is a part or member of) another object (called the composite type), and behaves according to the rules of ownership. Multiple has-a relationships combine to form a possessive hierarchy. This is contrasted with an is-a relationship, which constitutes a different kind of hierarchy (subtyping). The most logical relationship between an object and its subordinate is not always clearly has-a or is-a; confusion over such decisions has necessitated the creation of these metalinguistic terms. A good example of the has-a relationship is the containers in the C++ STL.

    Inheritance defines an is-a relationship:

    Laptop is-a Computer
    Circle is-a Shape
    Shape is-a Object

    One misuse of inheritance is confusing the has-a relationship with the is-a relationship. The has-a relationship means that one class has the second class as an attribute, e.g. the Circle class has-a Point instance variable, center, where Point is another class.

    In knowledge representation and object-oriented programming and design, is-a is a relationship where one class D is a subclass of another class B (and so B is a superclass of D). In other words, "D is a B" usually means that concept D is a specialization of concept B, and concept B is a generalization of concept D.

    For instance, a "fruit" is a generalization of "apple", "orange", "mango" and many others. One can say that an apple is a fruit.

    In object-oriented programming the is-a relationship arises in the context of the inheritance concept. One can say that "apple" may inherit all the properties common to all fruits, such as being a fleshy container for the seed of a plant.

    The is-a relationship is contrasted with the has-a relationship, which constitutes a different kind of hierarchy.

    When designing a model (e.g., a computer program) of the real-world relationship between an object and its subordinate, a common error is confusing the relations has-a and is-a.

    2.b) Declare a class for a Rational Number ADT. (A rational number is represented by P/Q where P and Q are integers.) [6]

    ADT: Rational Number


    Concrete implementation II

    typedef struct {
        int ar[2];    /* ar[0] = numerator, ar[1] = denominator */
    } RATIONAL;

    /* Euclid's algorithm; the notes call gcd() but never define it */
    int gcd (int a, int b) {
        while (b != 0) {
            int t = a % b;
            a = b;
            b = t;
        }
        return a;
    }

    RATIONAL makerational (int x, int y) {
        RATIONAL r;
        r.ar[0] = x;
        r.ar[1] = y;
        return r;
    }

    RATIONAL reduce (RATIONAL r) {
        int g;
        g = gcd (r.ar[0], r.ar[1]);    /* gcd of numerator and denominator */
        r.ar[0] /= g;
        r.ar[1] /= g;
        return r;
    }

    int numerator (RATIONAL r) {
        return r.ar[0];
    }

    int denominator (RATIONAL r) {
        return r.ar[1];
    }
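    The declaration above accepts a zero denominator, keeps the sign wherever it happens to fall, and provides no arithmetic. The following is an added example in C, not code from the notes: a Rational Number ADT that normalises every value to lowest terms with a positive denominator, rejects Q = 0, and builds addition, multiplication and equality on that normal form. The names (Rational, rat_make, rat_add and so on) are this example's own.

```c
#include <stdio.h>

/* Rational number P/Q, always kept in lowest terms with den > 0 so that
 * two equal values have identical representations. */
typedef struct {
    long num;   /* P */
    long den;   /* Q, never 0 and never negative after rat_make() */
} Rational;

static long gcd(long a, long b) {
    if (a < 0) a = -a;
    if (b < 0) b = -b;
    while (b != 0) { long t = a % b; a = b; b = t; }
    return a;   /* gcd(0, q) == q, so 0/q always reduces to 0/1 */
}

/* Build P/Q in normal form. Returns 0 on success; returns -1 and stores 0/1
 * when q == 0, the case the notes' makerational() silently accepts. */
int rat_make(Rational *r, long p, long q) {
    long g;
    if (q == 0) { r->num = 0; r->den = 1; return -1; }
    if (q < 0) { p = -p; q = -q; }          /* the sign lives in the numerator */
    g = gcd(p, q);
    r->num = p / g;
    r->den = q / g;
    return 0;
}

long rat_numerator(Rational r)   { return r.num; }
long rat_denominator(Rational r) { return r.den; }

/* a/b + c/d = (ad + cb)/bd; the intermediate products are assumed to fit in a long. */
Rational rat_add(Rational a, Rational b) {
    Rational s;
    rat_make(&s, a.num * b.den + b.num * a.den, a.den * b.den);
    return s;
}

Rational rat_mul(Rational a, Rational b) {
    Rational m;
    rat_make(&m, a.num * b.num, a.den * b.den);
    return m;
}

/* Because every value is normalised, equality is a field-by-field compare. */
int rat_equal(Rational a, Rational b) {
    return a.num == b.num && a.den == b.den;
}

int main(void) {
    Rational a, b, s;
    rat_make(&a, 6, -8);                     /* stored as -3/4 */
    rat_make(&b, 1, 4);
    s = rat_add(a, b);                       /* -1/2 */
    printf("%ld/%ld + %ld/%ld = %ld/%ld\n", a.num, a.den, b.num, b.den, s.num, s.den);
    if (rat_make(&s, 1, 0) != 0) printf("1/0 rejected\n");
    return 0;
}
```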

    The List ADT

    A list of size N. A special list of size 0 is the empty list.

    Operations:
    makenull () : returns an empty list
    makelist (elem) : makes a list containing a single element
    printlist (list)
    search (elem, list) : searches whether a key is in the list
    insert (elem, list)
    delete (elem, list)
    findKth (list)

    Array Implementation of List

    #define MAXS 100    /* capacity; the notes leave MAXS undefined */

    typedef int ETYPE;

    typedef struct {
        ETYPE elements[MAXS];
        int size;
    } LIST;

    LIST makenull () ;
    LIST makeList (ETYPE) ;
    void printList (LIST) ;
    int IsEmpty (LIST) ;
    int search (ETYPE, LIST) ;
    void delete (ETYPE, LIST * );
    void insert (ETYPE, LIST * );

    Complex Number ADT


    typedef struct {
        float real;
        float imag;
    } COMPLEX;

    COMPLEX makecomplex (float, float) ;
    COMPLEX addc (COMPLEX, COMPLEX);
    COMPLEX subc (COMPLEX, COMPLEX);
    COMPLEX multc (COMPLEX, COMPLEX);
    COMPLEX divc (COMPLEX, COMPLEX);

    SET ADT

    Interface functions (1):

    SET makenullset () ;
    int member (ETYPE, SET) ;
    SET adjoin (ETYPE, SET);
    SET setunion (SET, SET) ;    /* "union" is a C keyword, so the operation is named setunion here */
    SET intersection (SET, SET);
    void printset (SET) ;

    Interface functions (2):

    SET makenullset () ;
    int member (ETYPE, SET) ;
    void adjoin (ETYPE, SET *);
    void setunion (SET, SET, SET *);
    void intersection (SET, SET, SET *);
    void printset (SET) ;

    Concrete implementation of SET ADT

    #define MAX 100    /* capacity; the notes leave MAX undefined */

    typedef struct {
        ETYPE elem[MAX];
        int size;
    } SET;

    Implementation 1 : sorted array

    adjoin : sorted insert
    member : binary search
    delete : ?
    union : merge 2 sorted arrays
    intersection : ?

    Concrete implementation of SET ADT

    typedef struct {
        ETYPE elem[MAX];
        int size;
    } SET;

    Implementation 2 : unsorted array

    Keep the elements in the array unsorted.

    adjoin : insert at the end
    member : search until found or until the end
    delete : go through the array sequentially until the element is found, or the end is reached; then left-shift the array
    union, intersection : ?
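    Implementation 1 above leaves delete and intersection as "?". As an added example in C (not code from the notes), here is the sorted-array SET carried through: adjoin as a sorted insert, member as a binary search, union as a merge of two sorted arrays, and the two missing operations filled in. MAX and the names delete_elem and set_union (union is a C keyword) are this example's choices.

```c
#include <string.h>
#define MAX 64            /* capacity; a value chosen for this example */
typedef int ETYPE;

typedef struct {
    ETYPE elem[MAX];      /* kept in ascending order, no duplicates */
    int size;
} SET;

SET makenullset(void) { SET s; s.size = 0; return s; }

/* Binary search: index of x if present, else -(insertion point) - 1. */
static int locate(ETYPE x, const SET *s) {
    int lo = 0, hi = s->size - 1;
    while (lo <= hi) {
        int mid = lo + (hi - lo) / 2;
        if (s->elem[mid] == x) return mid;
        if (s->elem[mid] < x) lo = mid + 1; else hi = mid - 1;
    }
    return -lo - 1;
}

int member(ETYPE x, SET s) { return locate(x, &s) >= 0; }

/* adjoin: sorted insert; duplicates ignored. Returns 0, or -1 if the set is full. */
int adjoin(ETYPE x, SET *s) {
    int pos = locate(x, s);
    if (pos >= 0) return 0;
    if (s->size == MAX) return -1;
    pos = -pos - 1;
    memmove(&s->elem[pos + 1], &s->elem[pos], (size_t)(s->size - pos) * sizeof(ETYPE));
    s->elem[pos] = x;
    s->size++;
    return 0;
}

/* delete (named delete_elem here): locate, then left-shift the tail over the gap. */
int delete_elem(ETYPE x, SET *s) {
    int pos = locate(x, s);
    if (pos < 0) return 0;
    memmove(&s->elem[pos], &s->elem[pos + 1], (size_t)(s->size - pos - 1) * sizeof(ETYPE));
    s->size--;
    return 1;
}

/* union (set_union, since "union" is a C keyword): merge two sorted arrays,
 * emitting an element present in both only once; output truncated at MAX. */
void set_union(SET a, SET b, SET *out) {
    int i = 0, j = 0;
    out->size = 0;
    while ((i < a.size || j < b.size) && out->size < MAX) {
        if (j >= b.size || (i < a.size && a.elem[i] < b.elem[j]))
            out->elem[out->size++] = a.elem[i++];
        else if (i >= a.size || b.elem[j] < a.elem[i])
            out->elem[out->size++] = b.elem[j++];
        else { out->elem[out->size++] = a.elem[i++]; j++; }
    }
}

/* intersection: advance whichever side holds the smaller element. */
void set_intersection(SET a, SET b, SET *out) {
    int i = 0, j = 0;
    out->size = 0;
    while (i < a.size && j < b.size) {
        if (a.elem[i] < b.elem[j]) i++;
        else if (b.elem[j] < a.elem[i]) j++;
        else { out->elem[out->size++] = a.elem[i++]; j++; }
    }
}

int main(void) {
    SET a = makenullset(), b = makenullset(), u, x;
    adjoin(5, &a); adjoin(1, &a); adjoin(3, &a); adjoin(3, &a);   /* a = {1, 3, 5} */
    adjoin(3, &b); adjoin(4, &b); adjoin(6, &b);                  /* b = {3, 4, 6} */
    set_union(a, b, &u);          /* {1, 3, 4, 5, 6} */
    set_intersection(a, b, &x);   /* {3} */
    delete_elem(3, &a);           /* a = {1, 5} */
    return (u.size == 5 && x.size == 1 && a.size == 2) ? 0 : 1;
}
```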

    3. Consider the following details of a Library Management system (LMS), which is required by an academic institute to automate book/periodical issuing activities. Carry out the jobs (a) and (b) listed below:

    - Library books and periodicals are issued to three types of members: faculty, student and staff members.
    - All members have a name (string), an address (string) and an Id (integer). In addition, faculty-members have a few research interests (an array of strings) and an office telephone number (integer); student-members have an academic program number (integer) and staff-members have an employee-number (integer).
    - You may further assume that a faculty member can issue a book for 4 months, a staff member for 2 months and a student for 15 days. The issuing period for a periodical for a faculty-member is 7 days; periodicals are not issued to staff and students.

    a) Identify classes and their relationships and represent them using notations of Booch methods. [9]

    HOW TO DRAW BOOCH DIAGRAMS

    What is Booch?

    Grady Booch's Object-Oriented Design (OOD), also known as Object-Oriented Analysis and Design (OOAD), is a precursor to the Unified Modeling Language (UML). The Booch method includes six types of diagrams: class, object, state transition, interaction, module, and process.

    Booch's Static Diagrams

    Booch's class and object diagrams differentiate this methodology (at least in notation) from similar object-oriented systems.

    A Booch class diagram

    Booch's Class and Object Diagram Notations

    Classes

    Illustrate classes using a cloud shape with a dashed border. You can find the Booch symbol libraries in SmartDraw under Software Design and Other Symbologies. Simply drag and drop shapes to the page and edit them.

    Objects

    Draw objects using a cloud shape with a solid border.


    More Booch's Class and Object Diagram Notations

    Class Adornments

    Use adornments to provide additional information about a class. You can create an adornment notation using the basic triangle shape in SmartDraw. Place a letter inside the triangle to represent the following:

    A - Abstract. An abstract class cannot be instantiated because it represents a wide variety of object classes and does not represent any one of them fully. For example, mammal could be thought of as an abstract class.
    F - Friend. A friend class allows access to the nonpublic functions of other classes.
    S - Static. A static class provides data.
    V - Virtual. A virtual class is a shared base class, the most generalized class in a system.

    Metaclass

    A metaclass is a class whose instances are also classes.

    Class Categories

    A class category represents a cluster of similar classes. Illustrate a class category by drawing a rectangle with two compartments.

    Class Templates

    Draw a template using the standard class symbol attached to a box with a dashed outline. List template parameters or formal arguments in this box. When you draw a class created from a template, replace the dashed border with a solid one.

    Class Utilities

    Class utilities describe a group of non-member functions or subprograms. Illustrate a class utility with a shadowed cloud.

    More Booch's Class and Object Diagram Notations

    Class Visibility

    Visibility markers signify who can access the information contained within a class. Public visibility allows an attribute or an operation to be viewed by any other class. Private visibility means that the attribute or the operation is only accessible by the class itself and its friends. Protected visibility makes an attribute or operation visible only to friend classes and classes that inherit it. Implementation restricts the accessibility of an attribute to the class only (not even friends have access to these attributes). Place visibility markers next to the attribute they refer to.


    Object Visibility

    Draw a visibility marker on a link to signify the relationship between the connected objects. These markers can be:

    G - Global
    P - Parameter
    F - Field
    L - Local

    Relationships

    Indicate relationships between objects using lines and arrows.

    Relationship (the symbol column of this table was an image and is not reproduced here):

    Aggregation (has)
    Aggregation by value
    Aggregation by reference
    Uses
    Instantiates - Compatible type
    Instantiates - New type
    Inherits - Compatible type
    Inherits - New type
    Metaclass
    Undefined

    Booch's Dynamic Diagrams

    Use state transition and interaction diagrams to illustrate the dynamic nature of an application. Below is a table that lists what each of the dynamic Booch diagrams corresponds to in UML.

    Booch (OOD)                 Unified Modeling Language (UML)
    State transition diagram    Statechart diagram
    Interaction diagram         Sequence diagram

    Booch's Dynamic Diagram Notations


    State

    States represent situations during the life of an object. Draw a Booch state symbol using a rectangle with rounded corners and two compartments. Use the oval-shaped H symbol to indicate the most recently visited state.

    For other dynamic diagram notations and symbols, refer to UML statechart and sequence diagrams.

    Booch's Physical Diagrams

    Draw module and process diagrams to illustrate the physical design of your application. Module diagrams correspond to UML's component diagrams and process diagrams correspond to UML's deployment diagrams.

    Processor

    Processors are hardware pieces that execute programs. Use devices and processors to draw process diagrams.

    Device

    Use a device notation to illustrate hardware that is not capable of executing programs.

    Modules

    A module is a unit of code that serves as a building block for the physical structure of a system. The specification module contains the declaration of entities and the body module contains the definition of entities.

    Main Module

    This module is the main program from which the system is activated.

    Subsystem

    A subsystem refers to a collection of related modules.

    5.c) Describe the main strategies that can be used to create persistent objects? [6]

    Working with persistent objects (Create, Update, Delete)

    Working with persistent object state

    To work with persistent object state, a Genome Context has to be instantiated by the client. A persistent object is represented by a Genome proxy, which is independent of the Context. Switching the Context means switching state for the Genome proxy. The proxy itself remains valid after a Context switch or even without any associated Context. However, as long as there is no Context instantiated, the proxy cannot retrieve any state of the referred object.

    A Genome proxy holds the object identity values (primary key values) of the referred persistent object. The proxy implicitly looks up the current Context to set or retrieve object state. The Context maintains an identity map to ensure that each object instance state is maintained only once within the Context. The Context also performs automatic lazy loading when the object state does not exist yet. Finally, the Context tracks all updates to persistent objects and commits them to the database when the Context is committed.

    Current Context, Context Stack and Context Stack Binding

    As previously mentioned, the Genome proxy locates the current Context to work with persistent state in the AppDomain. Genome maintains a Context Stack for storing the current Context and all previously activated Contexts. The client can push and pop Contexts to the Context stack as needed, but only the top element of the stack is used as the current Context by Genome proxies.

    Genome implements a strategy pattern to locate the Context Stack providing the current Context to the Genome proxies. By default, Genome implements a context stack binding strategy that associates the Context stack with the current thread, providing an independent Context Stack (and so a separate current Context) for each thread. For other architectural scenarios, different context stack binding strategies might be useful. For example, the Genome Extensions for Web Applications provide a strategy to bind the Context Stack to the HttpContext of the current request, which provides a Context Stack for every request. The NorthwindDataBinding sample implements a simple strategy which binds the Context Stack to the AppDomain, providing a single AppDomain-wide Context Stack.

    Creating and disposing a Context

    The Context might hold references to scarce resources, such as database transactions, and thus should be explicitly disposed when no longer used; hence it implements the IDisposable interface.

    Genome provides different factory methods for instantiating Contexts, which can configure Context behaviour for caching, locking and transactional consistency. A Context has to be pushed to the Context stack to become the current Context. After working with a Context, it has to be popped from the Context stack to make the previous Context current again. Although not mandatory, in most cases the Context is also disposed when popped from the Context stack. If it is to be reused later on (e.g. for caching state from the database retrieved by the Context), it can be kept and pushed to the Context Stack again later.

    Since the Context is generally pushed to the Context stack when instantiated and disposed when popped from the Context stack, the Context.Push method returns a context stack cleaner object that implements IDisposable to pop the Context from the Context stack and optionally also dispose the Context. In C# the using statement can be utilised to ensure a Context is popped from the stack and disposed after working with it:

    using (Context.Push(LocalContext.Create()))
    {
        // work with Context here
    }

    Context creation and activation with the C# using statement and the context stack cleaner

    LocalContext.Create() is one of the Genome factory methods for creating a Context. Context.Push() is a static method of Context to push a given Genome Context to the Context stack. The code above can also be expressed explicitly:

    Context ctx;
    ctx = LocalContext.Create();
    Context.Push(ctx);
    try
    {
        // work with Context here
    }
    finally
    {
        Context.Pop();
        ctx.Dispose();
    }

    Explicit context creation and disposal protected with a try/finally to ensure the Context is popped off the stack and disposed

    Creating persistent objects

    To create persistent objects, a factory method of the DataDomain has to be used. The factory method takes an arbitrary list of parameters to call the appropriate constructor of the class. The previously implemented Product class specifies a constructor that takes a string for the name of the product and a decimal for the price of the product. A new product can thus be instantiated like this:

    Product product;

    //Create
    using (Context.Push(LocalContext.Create()))
    {
        product = dd.New("x", 12.00m);
        Context.CommitCurrent();
    }

    Code snippet showing how to create new persistent objects

    The product instance is not written to the database until the Context is committed. Disposing a Context that has not been committed discards all recorded changes to persistent objects. When the product is created, the constructor of the Product class is executed. Please note that the constructor of Product is only executed when it is created in the DataDomain. When a product is loaded from the DataDomain with a query, the OnLoad() event of the object is called instead, if it implements the ILoadCallback interface.

    Updating persistent objects

    Persistent objects can be updated by simply setting the desired property values of the object proxy. When the Context is committed, the changes are written to the database. Otherwise, the changes will be discarded. We will reuse the previously initialised Genome proxy pointing to the product instance we have created. As we have disposed the Context already, we now create a new Context to perform the update:

    //Update
    using (Context.Push(LocalContext.Create()))
    {
        p.Name = "y";
        Context.CommitCurrent();
    }

    Code snippet showing how to update persistent objects

    Note that when you set p.Name, the Genome proxy tries to look up the object state of p in the current Context. As the Context was just instantiated, the state of p has not been loaded yet and a lazy load of p occurs. When the Context is committed, an update statement that sets the Name property of p is sent to the database.

    Deleting persistent objects

    Persistent objects can be deleted using the Context.DeleteCurrent() method (same as Context.Current.Delete()). We will again reuse the Genome proxy pointing to p together with a new Context.

    //Delete
    using (Context.Push(LocalContext.Create()))
    {
        Context.DeleteCurrent(p);
        Context.CommitCurrent();
    }

    Code snippet showing how to delete persistent objects

    Running Sample_CUD()

    After putting everything together, the sample looks like this:

    static void Sample_CUD()
    {
        Product p;

        //Create
        using (Context.Push(LocalContext.Create()))
        {
            p = Helper.dd.New("x", 12.00m);
            Context.CommitCurrent();
        }

        //Update
        using (Context.Push(LocalContext.Create()))
        {
            p.Name = "y";
            Context.CommitCurrent();
        }

        //Delete
        using (Context.Push(LocalContext.Create()))
        {
            Context.DeleteCurrent(p);
            Context.CommitCurrent();
        }
    }

    Sample_CUD() of Client/Program.cs

    After replacing the call to InitialiseDatabase() with Sample_CUD() in Main(), the Console shows

    the following output:

    Console output of Client running Sample_CUD()

    Note that the product has to be loaded up again for each new Context. Let us modify the sample to use a single Context for all operations that is only committed in the end:

    static void Sample_CUD_SingleContext()
    {
        Product p;

        using (Context.Push(LocalContext.Create()))
        {
            //Create
            p = Helper.dd.New("x", 12.00m);

            //Update
            p.Name = "y";

            //Delete
            Context.DeleteCurrent(p);

            Context.CommitCurrent();
        }
    }

    Sample_CUD_SingleContext() of Client/Program.cs

    Because Genome tries to optimise updates sent by the Context to the database, running Sample_CUD_SingleContext() from Main() yields the following output on the Console:

    Console output of Client running Sample_CUD_SingleContext()

    The Genome basics section, covered in Step 1, ends here.

    d) What is check pointing? Why is it needed? [4]

    Checkpointing modified buffers is a critical aspect of buffer management because it reduces crash recovery times.

    Scenario: a batch program reads an input file and updates/inserts/deletes rows in DB2 tables. If it abends before the end of the job, is it possible to tell how many records were processed? Do we need to start the job from the beginning, or have any transactions already happened with any of the records?

    Assume that commit logic was not coded for large batch jobs that process millions of records. If an abend occurs, all database updates will be rolled back and the job can be resubmitted from the beginning. If an abend occurs near the end of the process, the rollback of all the updates is performed. Also, DB2 will maintain a large number of locks for a long period of time, reducing concurrency in the system; in fact, the program may abend if it tries to acquire more than the installation-defined maximum number of locks. A program without commit logic causes excessive memory consumption, so it will not provide workload balancing. Such applications cause the coupling facility to be over-committed with a large number of locks and huge storage requirements. To avoid these difficulties, commit-restart logic is recommended for all batch programs performing transactions with the database. This involves setting up a batch-restart control table (checkpoint_restart) to store the last input record processed and other control information.

    Checkpoint/restart logic: to allow the interrupted program to be restarted from the last unit of recovery (commit), or at a point other than the beginning of the program, we should have checkpoint/restart logic. Basically, we need: a place to store the details (checkpoint-commit record) pertaining to the current execution of the program, like various counts (number of inserts/deletes/updates/selects), number of records processed, processing dates, and other details which are needed in the program after a restart; reliable file re-positioning logic with minimal changes to the existing proc/JCL; and the flexibility to modify the commit frequency without changing the program code. Where can we store this checkpoint-commit record? We can store the checkpoint-commit record, commit frequency and other relevant information in a DB2 table.

    Most conventional database systems (including Oracle) follow the no-force-at-commit policy for data blocks [Haerder83] because of its significant performance benefits. The use of this policy implies that a page modified in memory may need recovery if there is a system crash. A database checkpoint is critical for ensuring quick crash recovery when the no-force-at-commit policy is employed, since it limits the amount of redo log that needs to be scanned and applied during recovery.

    As the amount of memory available to a database increases, it is possible to have database buffer caches as large as several million buffers. A large buffer cache imposes two requirements on checkpointing. First, it requires that the algorithms be scalable with the size of the buffer cache. Second, it requires that the database checkpoint advance frequently to limit recovery time, since infrequent checkpoints and large buffer caches can exacerbate crash-recovery times significantly.
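    The commit/restart logic described above, as an added example in C that is not code from the notes. The checkpoint_restart row (last record processed, running counts, commit frequency) and the database are in-memory structures constructed for the example, the abend is simulated by a parameter, and a restart repositions the input at the last committed record instead of starting from the beginning.

```c
#include <stdio.h>

/* One row of the checkpoint_restart control table (constructed for this example). */
typedef struct {
    long last_record;   /* input records covered by the last commit */
    long updates;       /* running update count, carried across restarts */
    int  commit_freq;   /* commit every commit_freq records; changeable without recompiling */
} CheckpointRecord;

/* Simulated database. The checkpoint row is stored in the same database as the
 * data so that it commits or rolls back together with the data changes. */
typedef struct {
    long committed_updates;        /* updates durably committed */
    long pending_updates;          /* updates in the current unit of recovery */
    CheckpointRecord ckpt;         /* committed checkpoint row */
    CheckpointRecord ckpt_pending; /* checkpoint row as modified in the current UR */
} Database;

void db_init(Database *db, int commit_freq) {
    db->committed_updates = 0;
    db->pending_updates = 0;
    db->ckpt.last_record = 0;
    db->ckpt.updates = 0;
    db->ckpt.commit_freq = commit_freq < 1 ? 1 : commit_freq;
    db->ckpt_pending = db->ckpt;
}

static void commit(Database *db) {
    db->committed_updates += db->pending_updates;
    db->pending_updates = 0;
    db->ckpt = db->ckpt_pending;       /* the checkpoint row commits with the data */
}

static void rollback(Database *db) {   /* what the database does on an abend */
    db->pending_updates = 0;
    db->ckpt_pending = db->ckpt;
}

/* Run (or restart) the batch job over n input records. Repositions the input at
 * ckpt.last_record, so a restart skips work that is already committed.
 * abend_at >= 0 simulates an abend right after that record (0-based); -1 runs
 * to completion. Returns the number of records read in this run. */
long run_batch(Database *db, int n, int abend_at) {
    long done = 0;
    int i;
    for (i = (int)db->ckpt.last_record; i < n; i++) {
        db->pending_updates++;                 /* one update per input record */
        db->ckpt_pending.updates++;
        db->ckpt_pending.last_record = i + 1;
        done++;
        if (i == abend_at) { rollback(db); return done; }
        if ((i + 1) % db->ckpt.commit_freq == 0) commit(db);
    }
    commit(db);                                /* commit the final partial batch */
    return done;
}

int main(void) {
    Database db;
    db_init(&db, 3);                           /* commit every 3 records */
    run_batch(&db, 10, 7);                     /* abend after the 8th record */
    printf("after abend: %ld committed, restart from record %ld\n",
           db.committed_updates, db.ckpt.last_record);
    run_batch(&db, 10, -1);                    /* restart: records 6..9 only */
    printf("after restart: %ld committed, %ld counted\n",
           db.committed_updates, db.ckpt.updates);
    return 0;
}
```

    With commit frequency 3 and an abend after the eighth record, only the six records committed before the abend survive, and the restart reads four records rather than ten.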

    Oracle supports a shared-disk architecture; the shared memory and group of Oracle processe