Database Security: DBMS Features, Statistical Database Security
Database security CSCE 522 - Eastman/Farkas - Fall 2005
Security Concerns
- Data Integrity
- Data Confidentiality
  - Access control
  - Inference control
- Data Availability

Topics in Text
- What is a database?
- Basic definitions for relational DBs
- DBMS security functionality
- Inference attacks
- Multilevel secure databases

Security Concerns
- Data Integrity
  - Information assurance
- Data Confidentiality
  - Access control
  - Inference control
- Data Availability

Security Requirements
- Physical database integrity
- Logical database integrity
- Element integrity
- Auditability
- Access control
- User authentication
- Availability

Some Techniques and Tools
- Two-phase commit
  - Intent phase / commit phase
- Shadow values
- Backups
- Audit trails
- Concurrency management

Checking Data
- Element level
  - Range checks
- Tuple/record level
  - State constraints
  - Transition constraints
- Relation/file level
  - Duplicate key checks
- Database level
Indirect Information Flow
- Covert channels
- Inference channels

Communication Channels
- Overt channel: designed into a system and documented in the user's manual
- Covert channel: not documented. Covert channels may be deliberately inserted into a system, but most such channels are accidents of the system design.

Covert Channel
- Needs two active participants and an encoding scheme
- Example: the sender modulates the CPU utilization level with the data stream to be transmitted
- Sender:
    repeat
        get a bit to send
        if the bit is 1
            wait one second (don't use CPU time)
        else
            busy wait one second (use CPU time)
        endif
    until done

Covert Channel Types
- Timing channel: based on system timing
- Storage channel: communication that is not time related
- Each kind can be turned into the other

Covert Channel Protection
- Noise
- Synchronization
- Protection (user state, system state)
- Removal
- Slow down
- Audit
Inference Channels
Non-sensitive information + Meta-data = Sensitive information

Inference Channels
- Statistical database inferences
- General purpose database inferences

Statistical Databases
- Goal: provide aggregate information about groups of individuals
  - E.g., average GPA of students
- Security risk: specific information about a particular individual
  - E.g., GPA of student John Smith
- Meta-data
  - Working knowledge about the attributes
  - Supplementary knowledge (not stored in the database)

Types of Statistics
- Macro-statistics: collections of related statistics presented in 2-dimensional tables
- Micro-statistics: individual data records used for statistics after identifying information is removed

Macro-statistics
Sex \ Year   1997   1998   Sum
Female          4      1     5
Male            6     13    19
Sum            10     14    24

Micro-statistics
Sex   Course     GPA   Year
F     CSCE 590   3.5   2000
M     CSCE 590   3.0   2000
F     CSCE 790   4.0   2001

Statistical Compromise
- Exact compromise
  - Find the exact value of an attribute of an individual (e.g., John Smith's GPA is 3.8)
- Partial compromise
  - Find an estimate of an attribute value corresponding to an individual (e.g., John Smith's GPA is between 3.5 and 4.0)
Small/Large Query Set Attack
- C: characteristic formula that identifies a group of individuals
- If C identifies a single individual I (count(C) = 1):
  - Find out the existence of a property:
    - count(C and D) = 1 means I has property D
    - count(C and D) = 0 means I does not have property D
  - or find the value of a property:
    - sum(C, D) gives I's value of D

Protection
- Protection from the small/large query set attack: query-set-size control
- A query q(C) is permitted only if n <= |C| <= N - n, where n >= 0 is a parameter of the database and N is the number of records in the database

Tracker Attack
- q(C) is disallowed (C is a small query set)
- Write C = C1 and C2, and form the tracker T = C1 and ~C2 (both C1 and T are query sets large enough to be answered)
- Then q(C) = q(C1) - q(T)

Tracker Attack
- q(C and D) is disallowed
- Tracker: C = C1 and C2, T = C1 and ~C2
- Then q(C and D) = q(T or (C and D)) - q(T)

Query Overlap Attack
- q(John) = q(C1) - q(C2), where the two query sets C1 and C2 (drawn from Kathy, John, Max, Eve, Fred, Paul, Mitch) differ only in John
- Protection: query-overlap control
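As an added example (not from the slides), the following Python model enforces the query-set-size control above and shows why it alone does not stop the tracker q(C) = q(C1) - q(T), while adding a query-overlap control refuses the second tracker query. The student records are constructed sample data; the overlap threshold is an assumed parameter.

```python
# Constructed sample records (not from the slides). John is the only male
# student from 2000, so C = (sex = M and year = 2000) identifies him alone.
RECORDS = [
    {"name": "Kathy", "sex": "F", "year": 2000, "gpa": 3.5},
    {"name": "John",  "sex": "M", "year": 2000, "gpa": 3.8},
    {"name": "Max",   "sex": "M", "year": 2001, "gpa": 3.0},
    {"name": "Eve",   "sex": "F", "year": 2001, "gpa": 4.0},
    {"name": "Fred",  "sex": "M", "year": 2001, "gpa": 2.9},
    {"name": "Paul",  "sex": "M", "year": 2002, "gpa": 3.6},
    {"name": "Mitch", "sex": "M", "year": 2001, "gpa": 3.2},
    {"name": "Anna",  "sex": "F", "year": 2002, "gpa": 3.7},
]


class StatDB:
    """Answers sum(C, gpa) only when the query set C passes the controls."""

    def __init__(self, records, n, max_overlap=None):
        self.records = records
        self.n = n                      # query-set-size parameter, n >= 0
        self.max_overlap = max_overlap  # None disables query-overlap control
        self.answered = []              # query sets already released

    def sum_gpa(self, pred):
        """Sum of gpa over records satisfying pred, or None if the query is refused."""
        qs = frozenset(i for i, r in enumerate(self.records) if pred(r))
        # Query-set-size control: permit only if n <= |C| <= N - n.
        if not (self.n <= len(qs) <= len(self.records) - self.n):
            return None
        # Query-overlap control: refuse a query set that shares more than
        # max_overlap records with any query set already answered.
        if self.max_overlap is not None and any(
                len(qs & prev) > self.max_overlap for prev in self.answered):
            return None
        self.answered.append(qs)
        return sum(self.records[i]["gpa"] for i in qs)


def tracker_demo(max_overlap=None):
    """Return (direct answer, tracker answer) for John's GPA under the controls."""
    db = StatDB(RECORDS, n=2, max_overlap=max_overlap)
    direct = db.sum_gpa(lambda r: r["sex"] == "M" and r["year"] == 2000)  # |C| = 1, refused
    c1 = db.sum_gpa(lambda r: r["sex"] == "M")                            # q(C1), |C1| = 5
    t = db.sum_gpa(lambda r: r["sex"] == "M" and r["year"] != 2000)       # q(T), T = C1 and ~C2
    tracked = None if c1 is None or t is None else round(c1 - t, 2)
    return direct, tracked


if __name__ == "__main__":
    print("size control only:      ", tracker_demo())               # (None, 3.8)
    print("size + overlap control: ", tracker_demo(max_overlap=2))  # (None, None)
```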
Insertion/Deletion Attack
- Observe changes over time:
  - q1 = q(C)
  - insert(i)
  - q2 = q(C)
  - q(i) = q2 - q1
- Protection: insertions/deletions performed in pairs

Summary of Controls
- Limited response suppression
- Combined results, including ranges
- Random sample
- Random data perturbation
- Query analysis

Statistical Inference Theory
- Given an unlimited number of statistics and correct statistical answers, all statistical databases can be compromised (Ullman)
The Inference Problem
- General purpose DBs
  - Usually transaction oriented
  - Retrieve non-sensitive data and infer sensitive data
- Inference via database constraints
- Inference via updates

Database Constraints
- Integrity constraints
- Database dependencies
- Key integrity

Integrity Constraints
- C = A + B
- A = public, C = public, and B = secret
- B can be calculated from A and C, i.e., secret information can be calculated from public data

Database Dependencies
- Functional dependencies
- Multi-valued dependencies
- Join dependencies

Functional Dependency
- FD: A -> B
- For any two tuples in the relation, if they have the same value for A, they must have the same value for B.

Example
- FD: Rank -> Salary
- Secret information: Name and Salary together
- Query 1: Name and Rank
- Query 2: Rank and Salary
- Combine the answers to Queries 1 and 2 to reveal Name and Salary together

Key Integrity
- Every tuple in the relation has a unique key
- Users at different levels see different versions of the database
- Users might attempt to update data that is not visible to them
Example
Secret view (each element carries its own label: P = public, S = secret):
Name (key)   Salary      Address
Black  P     38,000  P   Columbia  S
Red    S     42,000  S   Irmo      S

Public view:
Name (key)   Salary      Address
Black  P     38,000  P   Null  P

An Update
Public user:
1. Update Black's address to Orlando
2. Add new tuple: (Red, 22,000, Manassas)

Update Results
If the update is refused: covert channel
If the update is allowed:
- Overwrite high data: may be incorrect
- Create a new tuple: which data is correct? (polyinstantiation); violates key constraints

Another Update
Secret user:
Name (key)   Salary      Address
Black  P     38,000  P   Columbia  S
Red    S     42,000  S   Irmo      S
Update Black's salary to 45,000

Update Results
If the update is refused: covert channel
If the update is allowed:
- Overwrite low data: covert channel
- Create a new tuple: which data is correct? (polyinstantiation); violates key constraints
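As an added example (not from the slides), the following Python model replays both updates above on a tiny multilevel relation with element-level labels, taking the polyinstantiation option: an update is never refused and never overwrites data at another level, so neither covert channel arises, at the cost of several tuples with the same key. The data are the slide's tuples; the filtering and subsumption rules are simplifying assumptions of this example.

```python
LEVELS = {"P": 0, "S": 1}  # Public < Secret; every element carries its own label

def visible(label, level):
    return LEVELS[label] <= LEVELS[level]

def fresh_db():
    """The two tuples from the slide, as {attr: (value, label)}; Name is the key."""
    return [{"name": ("Black", "P"), "salary": (38000, "P"), "address": ("Columbia", "S")},
            {"name": ("Red", "S"), "salary": (42000, "S"), "address": ("Irmo", "S")}]

def subsumed(row, other):
    """row adds nothing beyond other: every non-None value of row agrees with other."""
    return row != other and all(v is None or v == other[a] for a, v in row.items())

def view(db, level):
    """What a user cleared to `level` sees: tuples whose key is visible, with
    higher-labelled elements shown as None, minus rows subsumed by another row."""
    rows = [{a: (v if visible(l, level) else None) for a, (v, l) in t.items()}
            for t in db if visible(t["name"][1], level)]
    return [r for r in rows if not any(subsumed(r, o) for o in rows)]

def insert(db, level, name, salary, address):
    """Insert at the user's level even if a same-key tuple exists above it:
    refusing would reveal the hidden tuple, so the key is polyinstantiated."""
    db.append({"name": (name, level), "salary": (salary, level), "address": (address, level)})

def update(db, level, name, attr, value):
    """Update one element as seen from `level`. A same-level element is overwritten;
    otherwise a new tuple (the user's view plus the change) is added, so data at
    another level is neither overwritten nor used as grounds to refuse."""
    for t in db:
        if t["name"][0] == name and visible(t["name"][1], level):
            if t[attr][1] == level:
                t[attr] = (value, level)
            else:
                new = {a: ((v, l) if visible(l, level) else (None, level)) for a, (v, l) in t.items()}
                new[attr] = (value, level)
                db.append(new)
            return

def slide_scenario():
    """Replay the slides' updates and return (public view, secret view)."""
    db = fresh_db()
    update(db, "P", "Black", "address", "Orlando")   # public user, step 1
    insert(db, "P", "Red", 22000, "Manassas")        # public user, step 2
    update(db, "S", "Black", "salary", 45000)        # secret user
    return view(db, "P"), view(db, "S")
```

The public view ends up with one Black row (address Orlando) and one Red row, while the secret view holds three Black tuples and two Red tuples, which is exactly the "which data is correct?" problem the slide names.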
Inference Problem
- No general technique is available to solve the problem
- Need assurance of protection
- Hard to incorporate outside knowledge

Some Recent Work
- C. Farkas (and others): keep a history file per user to prevent access to data items that would allow inference; limited to static databases
- T. Toland (and others): extend this work to handle dynamic databases with updates