recovery and security
TRANSCRIPT
-
8/3/2019 Recovery and Security
1/33
Database Recovery
Joel Mtebe
-
8/3/2019 Recovery and Security
2/33
Motivation
A database system like any computer system is subject tovarious types of failures.
The database system must ensure the ACID properties
(specifically durability and atomicity) in the possible presence
of failures.
We will categorize the various types of failures, and reviewalgorithms for recoveringfrom failures.
The process of restoring the database to a consistent state
after a failure is called recovery, and is performed by therecovery system.
-
8/3/2019 Recovery and Security
3/33
Classification
According to the type of a failure, recoveryprocedures classify to:
Recovery from a catastrophic (like disk crash) failure,and
Recovery from a non catastrophic failure
Recovery from catastrophicfailure is based on
restoring a database back_upcopy by redoingoperations of committed transactions (stored in anarchived log file) up to the time of the failure
-
8/3/2019 Recovery and Security
4/33
Non-Catastrophic Failures
A computer failure (system crush): A hardware failure,
A software failure,
A network failure
A transaction error: Integer overflow,
Division by zero,
Logical error,
User interruption, Exception condition
Concurrency control enforcement: Violated serializability (in PostgreSQL),
Deadlock
-
8/3/2019 Recovery and Security
5/33
Classification (continued)
If a database becomes inconsistent due to a non catastrophicfailure, the strategy is to reverse only those changes that madedatabase inconsistent
It is accomplished by undoing (and sometimes also redoing)some operations. An in memory log file is used here
From now on we consider only recovery from non disk crashfailures (we suppose data on disk are safe)
The recovery from non catastrophic failures can be based onmany algorithms, as:
Deferred update,
Immediate update, and
Shadow paging (not considered)
-
8/3/2019 Recovery and Security
6/33
Why is Recoverability Needed?
Recoverability is needed because the database system canfail for many reasons during transaction processing:
Computer Failure - computer crash due to hardware, software, ornetwork problems.
Transaction Error - error in transaction (e.g. divide by 0) Exception Conditions - transaction detects exception condition
(e.g. data not present, insufficient bank funds)
Concurrency Control Enforcement - transaction can be forced to
abort to resolve deadlock or for serializability.
Disk Failure - disk fails to correctly read/write blocks Physical Problems/Catastrophes - external problems resulting in
data loss or system destruction (e.g. earthquake)
-
8/3/2019 Recovery and Security
7/33
Purpose of Database Recovery
To bring the database into the most recentconsistent statethat existed prior to the failure.
To preserve transaction properties Atomicity, Consistency, Isolation and Durability
Example: If the system crashes before a fund transfer transaction
completes its execution, then either one or both accounts mayhave incorrect value. Thus, the database must be restored tothe state before the transaction modified any of the accounts.
-
8/3/2019 Recovery and Security
8/33
Types of Failure
The database may become unavailable due to Transaction failure: Transactions may fail because of
incorrect input, deadlock, incorrect synchronization.
System failure: System may fail because of addressingerror, application error, operating system fault, RAMfailure, etc.
Media failure: Disk head crash, power disruption, etc.
-
8/3/2019 Recovery and Security
9/33
The various types of failures can be classified inthree categories:
Transaction Failures:
Logical errors: Transaction cannot complete due to some
internal error condition (bad input, data not found).
System errors: The database system must terminate an activetransaction due to an error condition (e.g. deadlock).
-
8/3/2019 Recovery and Security
10/33
Software Failures: System crash: A failure causes the system to crash, but
non-volatile storage contents are not corrupted.
Examples: software design errors, bugs, buffer/stackoverflows
Hardware Failures:
Disk failure: A head crash destroys all or part of disk
storage. Examples: overutilization/overloading (used beyond its
design), wearout failure, poor manufacturing
-
8/3/2019 Recovery and Security
11/33
Recovery Techniques
Deferred update techniques Database is not modified until after the transaction
reaches its commit point.
Immediate update techniques
Database is updated as and when transactionprogresses; however, the updates are logged before
they are made in the database.
-
8/3/2019 Recovery and Security
12/33
Transaction Log
Recovery from failures, may require data values prior to modification: BFIM - BeFore Image
new value after modification: AFIM AFter Image
These values and other information are stored in asequential file called Transaction log.
Sample log data:
T ID Back P Next P Operation Data item BFIM AFIM
T1 0 1
T1 1 4
T2 0 8
T1 2 5
T1 4 7
T3 0 9
T1 5 nil
Begin
Write
W
R
R
End
BeginX
Y
M
N
X = 200
Y = 100
M = 200
N = 400
X = 100
Y = 50
M = 200
N = 400
-
8/3/2019 Recovery and Security
13/33
Data Update Options
Immediate Update: As soon as a data item ismodified in cache, the disk copy is updated.
Deferred Update: Modified data items in the
cache are written to disk eitherafter a transaction ends its execution, orafter a fixed number of transactions havecompleted their execution.
-
8/3/2019 Recovery and Security
14/33
Database
Security
By
Chathuranga Chandrasekara&Buddhika Karunarathne
-
8/3/2019 Recovery and Security
15/33
Introduction
Threats to Databases
Threats & Security Goals
Counter Measures
Access Control Inference Control
Flow Control
Encryption
-
8/3/2019 Recovery and Security
16/33
Threats to Databases
What is a Threat ?
A set of circumstances that has the potential tocause loss, misuse ( modify, delete etc.) or harmyour system or data.
-
8/3/2019 Recovery and Security
17/33
Threats to Databases (Contd..)
Results in the Loss or Degradation of some or allof the Security Goals.
Integrity Availability
Confidentiality
-
8/3/2019 Recovery and Security
18/33
Threats to Databases (Contd..)
Loss of Integrity
Refers to the requirement that information in a
database be protected from improper modification.
Ex : Modification of a database containing accountinformation of a Bank
-
8/3/2019 Recovery and Security
19/33
Threats to Databases (Contd..)
Loss of Availability
Refers to making objects available to Human user or a
program to which they have a legimate right.
Ex : You have an ATM card, but a threat can obstruct yourwithdrawals.
-
8/3/2019 Recovery and Security
20/33
Threats to Databases (Contd..)
Loss of Confidentiality
Refers to protection of data from unauthorized
disclosure.
Ex : Credit Card information from a Bank.
Your Medical Report from the Hospital.
-
8/3/2019 Recovery and Security
21/33
Countermeasures
Access Control
Inference Control
Flow Control
Encryption
-
8/3/2019 Recovery and Security
22/33
Access Control
Restricting access to the Database system as
a Whole.
1. Discretionary Access Control2. Mandatory Access Control
-
8/3/2019 Recovery and Security
23/33
Access Control Methods
Discretionary Access Control
Grants privileges to users, including the capability to access
specific data files, records, or fields in a specific mode. (such asread, insert, delete, or update).
Main Idea is to include statements in the Query Language thatallows the DBA & Selected users to Grant & Revoke previleges.
Ex : User X can read the table Emp_Data etc.
-
8/3/2019 Recovery and Security
24/33
Access Control Methods
Mandatory Access ControlClassifies users and data into multiple levels of security,and then enforces appropriate rules.
Levels TS, S, C, UEx
Cargo Contents Classification
A Uniforms, Boots Unclassified
B Claymores Confidential
C Atomic Bomb Top Secret
D Chocolates, Butter Unclassified
-
8/3/2019 Recovery and Security
25/33
DAC Vs MACDAC Higher Flexibility
Vulnerable to Malicious Attacks
MAC
Higher Degree of Protection
Requires a Rigid Classification
-
8/3/2019 Recovery and Security
26/33
A Weakness in DAC
Revoked
Privilege
System
user1 user2
user3 user4
(System, user1, SELECT ON
EMPLOYEE WITH GRANT
OPTION)
Granted
Privilege
-
8/3/2019 Recovery and Security
27/33
Countermeasures
Access Control Inference Control
Flow Control
Encryption
By
Buddhika Karunarathne
-
8/3/2019 Recovery and Security
28/33
Implimenting Security
Legal & Ethical Issues. Policy Issues at the Governmental, Institutional or
Corporate Level.
System related issues Whether a security function should
be handled as Hardware Level, OS Level, DBMS Level etc. The need in some organizations to identify multiple Security
Levels
-
8/3/2019 Recovery and Security
29/33
Inference Control
The security problem associated with databases isthat of controlling the access to a statisticaldatabase
The countermeasures to statistical databasesecurity problem is called inference controlmeasures.
-
8/3/2019 Recovery and Security
30/33
Statistical Databases?
Statistical databases are used to produce statistics onvarious populations.
Features are:
individual information is considered confidential.
users may allow to access statistical information on thepopulation
i.e., applying statistic functions to a population of tuples.
-
8/3/2019 Recovery and Security
31/33
Information Flow
Information flows from X to Y if a process readsfrom X and writes to Y
Copying is the canonical example of information
flow Aggregation is a form of information flow
-
8/3/2019 Recovery and Security
32/33
Flow Control
Unauthorized flows are regulated Exclusionary/closed
All others are allowed
Admissible flows are regulated Inclusionary/open
All others are denied
Least privilege
-
8/3/2019 Recovery and Security
33/33
Data Encryption
data encryption, is used to protect sensitive datathat is being transmitted via some typecommunication network.
eg., such as credit card numbers Two main methods
Public Encryption Key
Digital Signature