
Database Recovery

Joel Mtebe

Motivation
A database system, like any computer system, is subject to various types of failures. The database system must ensure the ACID properties (specifically durability and atomicity) in the possible presence of failures. We will categorize the various types of failures and review algorithms for recovering from them. The process of restoring the database to a consistent state after a failure is called recovery, and it is performed by the recovery system.

Classification
Recovery procedures are classified according to the type of failure:
Recovery from a catastrophic failure (such as a disk crash)
Recovery from a non-catastrophic failure

Recovery from a catastrophic failure is based on restoring a database backup copy and then redoing the operations of committed transactions (recorded in an archived log file) up to the time of the failure.

Non-Catastrophic Failures
A computer failure (system crash):
A hardware failure, a software failure, a network failure

A transaction error:
Integer overflow, division by zero, logical error, user interruption, exception condition

Concurrency control enforcement:
Violated serializability (in PostgreSQL), deadlock

Classification (continued)
If a database becomes inconsistent due to a non-catastrophic failure, the strategy is to reverse only those changes that made the database inconsistent. This is accomplished by undoing (and sometimes also redoing) some operations. An in-memory log file is used here. From now on we consider only recovery from failures other than disk crashes (we assume the data on disk are safe). Recovery from non-catastrophic failures can be based on several algorithms, such as: deferred update, immediate update, and shadow paging (not considered here).

Why is Recoverability Needed?

Recoverability is needed because the database system can fail for many reasons during transaction processing:
Computer Failure - computer crash due to hardware, software, or network problems.
Transaction Error - error in the transaction (e.g. divide by 0).
Exception Conditions - the transaction detects an exception condition (e.g. data not present, insufficient bank funds).
Concurrency Control Enforcement - a transaction can be forced to abort to resolve a deadlock or to preserve serializability.
Disk Failure - the disk fails to correctly read/write blocks.
Physical Problems/Catastrophes - external problems resulting in data loss or system destruction (e.g. earthquake).

Purpose of Database Recovery

To bring the database into the most recent consistent state that existed prior to the failure.
To preserve the transaction properties: Atomicity, Consistency, Isolation and Durability.

Example:
If the system crashes before a fund transfer transaction completes its execution, then either one or both accounts may hold an incorrect value. Thus, the database must be restored to the state before the transaction modified any of the accounts.

Types of Failure
The database may become unavailable due to:
Transaction failure: transactions may fail because of incorrect input, deadlock, or incorrect synchronization.
System failure: the system may fail because of an addressing error, application error, operating system fault, RAM failure, etc.
Media failure: disk head crash, power disruption, etc.

The various types of failures can be classified into three categories:

Transaction Failures:
Logical errors: the transaction cannot complete due to some internal error condition (bad input, data not found).
System errors: the database system must terminate an active transaction due to an error condition (e.g. deadlock).

Software Failures:
System crash: a failure causes the system to crash, but non-volatile storage contents are not corrupted. Examples: software design errors, bugs, buffer/stack overflows.

Hardware Failures:
Disk failure: a head crash destroys all or part of disk storage. Examples: overutilization/overloading (used beyond its design), wear-out failure, poor manufacturing.

Recovery Techniques
Deferred update techniques
The database is not modified until after the transaction reaches its commit point.

Immediate update techniques
The database is updated as the transaction progresses; however, the updates are logged before they are made in the database.

Transaction Log
Recovery from failures may require:
the data value prior to modification: BFIM (BeFore IMage)
the new value after modification: AFIM (AFter IMage)

These values and other information are stored in a sequential file called the transaction log. Sample log data:

T ID  Back P  Next P  Operation  Data item  BFIM     AFIM
T1    0       1       Begin
T1    1       4       Write      X          X = 100  X = 200
T2    0       8       Begin
T1    2       5       W          Y          Y = 50   Y = 100
T1    4       7       R          M          M = 200  M = 200
T3    0       9       R          N          N = 400  N = 400
T1    5       nil     End

Data Update Options

Immediate Update: as soon as a data item is modified in the cache, the disk copy is updated.
Deferred Update: modified data items in the cache are written to disk either after a transaction ends its execution, or after a fixed number of transactions have completed their execution.
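The two passages above (the transaction log with its BFIM/AFIM images, and immediate versus deferred update) as an added Python example that is not part of the slides: it replays the slide's sample log, extended with one constructed uncommitted write by T2, through a redo pass for committed transactions and an undo pass for uncommitted ones. The record layout, the item Z and the crash-time disk contents are assumptions.

```python
# Added example (not from the slides): log-based recovery driven by the
# transaction log format on this page (BFIM = before image, AFIM = after
# image). A log record is (transaction, operation, item, bfim, afim).
# Assumption: only Write records carry images that matter for recovery;
# Read records are logged but ignored by the recovery passes.

# Constructed sample log: the slide's rows, plus one uncommitted write by T2
# (item Z, constructed) so that the undo pass has something to do.
SAMPLE_LOG = [
    ("T1", "Begin", None, None, None),
    ("T1", "Write", "X", 100, 200),
    ("T2", "Begin", None, None, None),
    ("T1", "Write", "Y", 50, 100),
    ("T1", "Read", "M", 200, 200),
    ("T3", "Read", "N", 400, 400),
    ("T1", "End", None, None, None),
    ("T2", "Write", "Z", 10, 20),     # constructed: T2 crashes before End
]

def committed_transactions(log):
    """A transaction counts as committed only if its End record is in the log."""
    return {t for t, op, *_ in log if op == "End"}

def recover(log, disk, deferred=False):
    """Return the disk state restored to a consistent state after a crash.

    Redo pass: replay AFIMs of committed transactions in log order, so a
    committed write that never reached disk is reapplied (durability).
    Undo pass (immediate update only): restore BFIMs of uncommitted
    transactions in reverse log order (atomicity). Under deferred update the
    database is not touched before commit, so no undo is needed (NO-UNDO/REDO).
    """
    db = dict(disk)
    committed = committed_transactions(log)
    for t, op, item, _bfim, afim in log:
        if op == "Write" and t in committed:
            db[item] = afim
    if not deferred:
        for t, op, item, bfim, _afim in reversed(log):
            if op == "Write" and t not in committed:
                db[item] = bfim
    return db

if __name__ == "__main__":
    # Constructed crash-time disk: T1's write of X was logged but not yet
    # flushed; T2's uncommitted write of Z had already reached disk.
    crashed_disk = {"X": 100, "Y": 100, "M": 200, "N": 400, "Z": 20}
    print(recover(SAMPLE_LOG, crashed_disk))
```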

Database Security
By Chathuranga Chandrasekara & Buddhika Karunarathne

Introduction
Threats to Databases
Threats & Security Goals
Countermeasures: Access Control, Inference Control, Flow Control, Encryption

Threats to Databases
What is a Threat?
A set of circumstances that has the potential to cause loss, misuse (modification, deletion, etc.) or harm to your system or data.

Threats to Databases (Contd..)
Threats result in the loss or degradation of some or all of the security goals:
Integrity
Availability
Confidentiality

Threats to Databases (Contd..)
Loss of Integrity
Refers to the requirement that information in a database be protected from improper modification. Ex: modification of a database containing the account information of a bank.

Threats to Databases (Contd..)
Loss of Availability
Refers to making objects available to a human user or a program that has a legitimate right to them. Ex: you have an ATM card, but a threat can obstruct your withdrawals.

Threats to Databases (Contd..)
Loss of Confidentiality
Refers to protection of data from unauthorized disclosure. Ex: credit card information held by a bank; your medical report from the hospital.

Countermeasures
Access Control
Inference Control
Flow Control
Encryption

Access Control
Restricting access to the database system as a whole.
1. Discretionary Access Control
2. Mandatory Access Control

Access Control Methods
Discretionary Access Control
Grants privileges to users, including the capability to access specific data files, records, or fields in a specific mode (such as read, insert, delete, or update). The main idea is to include statements in the query language that allow the DBA and selected users to grant and revoke privileges.
Ex: user X can read the table Emp_Data, etc.

Access Control Methods
Mandatory Access Control
Classifies users and data into multiple levels of security, and then enforces appropriate rules. Levels: TS, S, C, U (Top Secret, Secret, Confidential, Unclassified).
Ex:

Cargo  Contents            Classification
A      Uniforms, Boots     Unclassified
B      Claymores           Confidential
C      Atomic Bomb         Top Secret
       Chocolates, Butter  Unclassified

DAC vs MAC
DAC: higher flexibility; vulnerable to malicious attacks.
MAC: higher degree of protection; requires a rigid classification.

A Weakness in DAC
[Figure: a grant graph. System issues the grant (System, user1, SELECT ON EMPLOYEE WITH GRANT OPTION); the privilege then propagates through user1 and user2 to user3 and user4. Legend: Granted Privilege, Revoked Privilege.]
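An added Python model (not from the slides) of the grant graph in the figure above: System grants SELECT ON EMPLOYEE to user1 WITH GRANT OPTION, user1 passes it to user2, and user2 to user3 and user4; revoking user1's grant then cascades through the chain. Cascading revoke semantics (as in SQL's REVOKE ... CASCADE) and the exact chain of grants are assumptions, since the figure does not spell them out.

```python
# Added example (not from the slides): the grant graph behind the DAC
# weakness. A privilege received WITH GRANT OPTION can be passed on by the
# grantee, so the owner loses direct control over who ends up holding it.
# Assumption: revocation cascades (SQL REVOKE ... CASCADE): a grant is
# dropped as soon as its grantor no longer holds the grant option.

class GrantGraph:
    def __init__(self, owner):
        self.owner = owner
        self.edges = []   # (grantor, grantee, privilege, grant_option)

    def holders(self, privilege):
        """Users who currently hold `privilege`, directly or via any chain."""
        return {g for _, g, p, _ in self.edges if p == privilege} | {self.owner}

    def can_grant(self, user, privilege):
        """The owner always may; others need a grant received WITH GRANT OPTION."""
        if user == self.owner:
            return True
        return any(g == user and p == privilege and opt
                   for _, g, p, opt in self.edges)

    def grant(self, grantor, grantee, privilege, grant_option=False):
        if not self.can_grant(grantor, privilege):
            raise PermissionError(f"{grantor} cannot grant {privilege}")
        self.edges.append((grantor, grantee, privilege, grant_option))

    def revoke(self, grantor, grantee, privilege):
        """Drop one grant, then every grant whose grantor lost the option."""
        self.edges = [e for e in self.edges
                      if e[:3] != (grantor, grantee, privilege)]
        changed = True
        while changed:
            changed = False
            for e in list(self.edges):
                if not self.can_grant(e[0], e[2]):
                    self.edges.remove(e)
                    changed = True

def demo():
    """Returns the holder sets before and after System revokes user1's grant."""
    g = GrantGraph("System")
    priv = "SELECT ON EMPLOYEE"
    g.grant("System", "user1", priv, grant_option=True)
    g.grant("user1", "user2", priv, grant_option=True)   # user1 passes it on
    g.grant("user2", "user3", priv)
    g.grant("user2", "user4", priv)
    before = g.holders(priv)
    g.revoke("System", "user1", priv)   # cascades to user2, user3 and user4
    return before, g.holders(priv)
```

The before set shows the weakness: System granted to one user, yet four users end up holding the privilege.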

Countermeasures
Access Control, Inference Control, Flow Control, Encryption
By Buddhika Karunarathne

Implementing Security
Legal and ethical issues.
Policy issues at the governmental, institutional or corporate level.
System-related issues: whether a security function should be handled at the hardware level, OS level, DBMS level, etc.
The need in some organizations to identify multiple security levels.

Inference Control
The security problem associated with statistical databases is that of controlling access to the statistical database. The countermeasures to the statistical database security problem are called inference control measures.

Statistical Databases?
Statistical databases are used to produce statistics on various populations. Their features are: individual information is considered confidential; users may be allowed to access statistical information on the population, i.e., to apply statistical functions to a population of tuples.
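One standard inference control measure, the query-set-size restriction, as an added Python example (not from the slides, which name the problem but not a specific control): aggregate queries over fewer than k tuples, or over more than n - k, are refused, because an individual's confidential value could otherwise be read off the result or obtained by subtraction from the population total. The employee records and the threshold k are constructed.

```python
# Added example (not from the slides): a statistical-database query interface
# with a query-set-size restriction. The records and the threshold are
# constructed for illustration; only aggregate functions are ever answered.

# Constructed population: individual salaries are confidential.
EMPLOYEES = [
    {"name": "Ann", "dept": "HR",  "salary": 52000},
    {"name": "Bob", "dept": "HR",  "salary": 61000},
    {"name": "Cid", "dept": "IT",  "salary": 90000},
    {"name": "Dee", "dept": "IT",  "salary": 72000},
    {"name": "Eve", "dept": "IT",  "salary": 85000},
    {"name": "Fay", "dept": "Ops", "salary": 48000},
]
MIN_QUERY_SET = 2   # assumed policy: answer only over 2 .. n-2 tuples

class QueryRefused(Exception):
    pass

def statistic(rows, func, attr, predicate, k=MIN_QUERY_SET):
    """Apply aggregate `func` to `attr` over the rows matching `predicate`.

    Refused when the query set has fewer than k tuples (the result would be
    about one or two named people) or more than n - k tuples (the complement
    is then a small set whose values follow by subtraction from the total).
    """
    selected = [r[attr] for r in rows if predicate(r)]
    n = len(rows)
    if len(selected) < k or len(selected) > n - k:
        raise QueryRefused(f"query set size {len(selected)} outside [{k}, {n - k}]")
    return func(selected)

def is_refused(rows, func, attr, predicate):
    """True if the inference control blocks this query."""
    try:
        statistic(rows, func, attr, predicate)
        return False
    except QueryRefused:
        return True

if __name__ == "__main__":
    print(statistic(EMPLOYEES, sum, "salary", lambda r: r["dept"] == "IT"))
    print(is_refused(EMPLOYEES, sum, "salary", lambda r: r["dept"] == "Ops"))
```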

Information Flow
Information flows from X to Y if a process reads from X and writes to Y.
Copying is the canonical example of information flow.
Aggregation is a form of information flow.

Flow Control
Unauthorized flows are regulated (exclusionary/closed): all others are allowed.
Admissible flows are regulated (inclusionary/open): all others are denied (least privilege).

Data Encryption
Data encryption is used to protect sensitive data, such as credit card numbers, that is being transmitted over some type of communication network. Two main methods:
Public-key encryption
Digital signature
