Database Security
DBMS Features, Statistical Database Security
Security Concerns
- Data Integrity
- Data Confidentiality
  - Access control
  - Inference control
- Data Availability
CSCE 522 - Eastman/Farkas - Fall 2005, Database security
Topics in Text
- What is a database? Basic definitions for relational DBs
- DBMS security functionality
- Inference attacks
- Multilevel secure databases
Security Concerns
- Data Integrity
- Information assurance
- Data Confidentiality
  - Access control
  - Inference control
- Data Availability
Security Requirements
- Physical database integrity
- Logical database integrity
- Element integrity
- Auditability
- Access control
- User authentication
- Availability
Some Techniques and Tools
- Two-phase commit (intent phase / commit phase)
- Shadow values
- Backups
- Audit trails
- Concurrency management
Checking Data
- Element level: range checks
- Tuple/record level: state constraints, transition constraints
- Relation/file level: duplicate key checks
- Database level
Indirect Information Flow
- Covert channels
- Inference channels
Communication Channels
Overt channel: designed into a system and documented in the user's manual.
Covert channel: not documented. Covert channels may be deliberately inserted into a system, but most such channels are accidents of the system design.
Covert Channel
Needs:
- Two active participants
- An encoding scheme
Example: the sender modulates the CPU utilization level with the data stream to be transmitted.
Sender:
    repeat
        get a bit to send
        if the bit is 1
            wait one second (don't use CPU time)
        else
            busy-wait one second (use CPU time)
        endif
    until done
Covert Channel Types
- Timing channel: based on system timing (when something happens)
- Storage channel: communication through a stored attribute, not related to time
- The two kinds can be turned into each other
Covert Channel Protection
- Noise
- Synchronization protection (user state, system state)
- Removal
- Slow down
- Audit
Inference Channels
Non-sensitive information + Meta-data = Sensitive information
Inference Channels
- Statistical database inferences
- General purpose database inferences
Statistical Databases
Goal: provide aggregate information about groups of individuals (e.g., the average GPA of students)
Security risk: specific information about a particular individual (e.g., the GPA of student John Smith)
Meta-data:
- Working knowledge about the attributes
- Supplementary knowledge (not stored in the database)
Types of Statistics
- Macro-statistics: collections of related statistics presented in two-dimensional tables
- Micro-statistics: individual data records used for statistics after identifying information is removed
Macro-statistics
Year \ Sex   Female   Male   Sum
1997              4      6    10
1998              1     13    14
Sum               5     19    24
Micro-statistics
Sex   Course     GPA   Year
F     CSCE 590   3.5   2000
M     CSCE 590   3.0   2000
F     CSCE 790   4.0   2001
Statistical Compromise
- Exact compromise: find the exact value of an attribute of an individual (e.g., John Smith's GPA is 3.8)
- Partial compromise: find an estimate of an attribute value of an individual (e.g., John Smith's GPA is between 3.5 and 4.0)
Small/Large Query Set Attack
C: a characteristic formula that identifies a group of individuals.
If C identifies a single individual I, i.e. count(C) = 1, then:
- Find out whether I has property D: count(C and D) = 1 means I has property D; count(C and D) = 0 means I does not have D.
- Or find the value of an attribute D: sum(C, D) gives I's value of D.
Protection
Protection from the small/large query set attack: query-set-size control. A query q(C) is permitted only if
    n <= |C| <= N - n
where n >= 0 is a parameter of the database and N is the number of records in the database. The upper bound matters because a very large query set is the complement of a very small one.
Tracker Attack
q(C) is disallowed (|C| is too small). Build a tracker:
    C = C1 and C2
    T = C1 and not C2      (the tracker)
    q(C) = q(C1) - q(T)
Both q(C1) and q(T) have query sets within the permitted size range, so both are answered.
Tracker Attack
q(C and D) is disallowed. With the same tracker:
    C = C1 and C2
    T = C1 and not C2
    q(C and D) = q(T or (C and D)) - q(T)
(T and C are disjoint, so the first statistic counts T plus the members of C that have D.)
Query Overlap Attack
Two overlapping query sets C1 and C2 over the individuals John, Max, Kathy, Eve, Paul, Fred and Mitch, where John belongs to C1 but not to C2 and the two sets otherwise coincide:
    q(John) = q(C1) - q(C2)
Protection: query-overlap control (limit the number of individuals two answered query sets may have in common).
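The small query set attack, the query-set-size control and the tracker from the preceding slides, as an added runnable example (this code is not part of the lecture). The query overlap attack of the last slide is the same subtraction with C2 a subset of C1 differing in one individual, so it is covered by the same block. The student table, the use of Python callables as characteristic formulas, the parameter n = 2 and all function names are constructed for the example.

```python
"""Added example (not from the lecture): a toy statistical database that
enforces query-set-size control, and the tracker attack that still recovers
one student's GPA through it. The student table, the predicate style and the
parameter n = 2 are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Student:
    name: str
    sex: str
    course: str
    year: int
    gpa: float


# Constructed sample data; "John Smith" is the only male in CSCE 590 in 2000.
STUDENTS = [
    Student("John Smith", "M", "CSCE 590", 2000, 3.8),
    Student("Ann Lee",    "F", "CSCE 590", 2000, 3.5),
    Student("Bob Kim",    "M", "CSCE 590", 2001, 3.0),
    Student("Cara Diaz",  "F", "CSCE 790", 2001, 4.0),
    Student("Dan Wu",     "M", "CSCE 790", 2000, 3.2),
    Student("Eve Park",   "F", "CSCE 790", 2001, 3.6),
    Student("Fred Ito",   "M", "CSCE 590", 2001, 2.9),
    Student("Gail Rao",   "F", "CSCE 590", 2001, 3.9),
]

Formula = Callable[[Student], bool]   # a characteristic formula C


class QueryRefused(Exception):
    pass


class StatDB:
    """Answers count(C) and sum(C, attr); q(C) is permitted only if n <= |C| <= N - n."""

    def __init__(self, rows: List[Student], n: int):
        self.rows, self.n = list(rows), n

    def _query_set(self, c: Formula) -> List[Student]:
        qs = [r for r in self.rows if c(r)]
        lo, hi = self.n, len(self.rows) - self.n
        if not lo <= len(qs) <= hi:
            raise QueryRefused(f"|C| = {len(qs)} not in [{lo}, {hi}]")
        return qs

    def count(self, c: Formula) -> int:
        return len(self._query_set(c))

    def sum(self, c: Formula, attr: str) -> float:
        return sum(getattr(r, attr) for r in self._query_set(c))


# --- small query set attack: C identifies one individual, so |C| = 1 < n -----
def john(r: Student) -> bool:
    return r.sex == "M" and r.course == "CSCE 590" and r.year == 2000


def direct_attack(db: StatDB) -> Optional[float]:
    """sum(C, gpa) with C identifying John alone. Returns None when refused."""
    try:
        return db.sum(john, "gpa")
    except QueryRefused:
        return None


# --- tracker: C = C1 and C2, T = C1 and not C2 ------------------------------
def tracker_sum(db: StatDB, c1: Formula, c2: Formula, attr: str) -> float:
    """q(C) = q(C1) - q(T). Both q(C1) and q(T) pass the size control."""
    def t(r): return c1(r) and not c2(r)
    return db.sum(c1, attr) - db.sum(t, attr)


def tracker_count(db: StatDB, c1: Formula, c2: Formula, d: Formula) -> int:
    """count(C and D) = count(T or (C and D)) - count(T); 1 means the
    identified individual has property D, 0 means not."""
    def t(r): return c1(r) and not c2(r)
    def c_and_d(r): return c1(r) and c2(r) and d(r)
    return db.count(lambda r: t(r) or c_and_d(r)) - db.count(t)


def c1(r: Student) -> bool:            # John, Bob, Fred  (|C1| = 3)
    return r.sex == "M" and r.course == "CSCE 590"


def c2(r: Student) -> bool:            # C1 and C2 = {John}; T = {Bob, Fred}
    return r.year == 2000


def honors(r: Student) -> bool:        # property D
    return r.gpa >= 3.5


if __name__ == "__main__":
    db = StatDB(STUDENTS, n=2)         # permitted query-set sizes: 2..6
    print("direct sum(C, gpa):", direct_attack(db))                   # None (refused)
    print("tracker GPA:", round(tracker_sum(db, c1, c2, "gpa"), 2))  # 3.8
    print("tracker has honors:", tracker_count(db, c1, c2, honors))  # 1
```

With N = 8 and n = 2 the direct query is refused (|C| = 1), yet q(C1) has 3 records and q(T) has exactly 2, so both are answered and their difference is John's GPA. Note that the size control alone never stops this: any individual for whom the attacker knows a C1 and C2 with both |C1| and |C1 and not C2| inside the window is exposed.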
Insertion/Deletion Attack
Observe changes over time:
    q1 = q(C)
    insert(i)
    q2 = q(C)
    q(i) = q2 - q1
Protection: insertions and deletions are performed in pairs, so a single record's contribution is never exposed on its own.
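The insertion/deletion attack and the paired-update control, as an added example that is not part of the lecture. The salary table, the released statistic (the sum over all records) and the function names are constructed for the example.

```python
"""Added example (not from the lecture): insertion/deletion attack on a
statistical database and the paired-update control against it. The salary
values and the released statistic sum(C) are constructed for the example."""


class StatTable:
    """Releases one statistic, the sum over all rows. With pairs=True an
    insertion is applied only once a second insertion is pending, so the
    statistic never moves by a single record's value."""

    def __init__(self, rows, pairs=False):
        self.rows, self.pairs, self.pending = list(rows), pairs, []

    def total(self):
        return sum(self.rows)

    def insert(self, value):
        if not self.pairs:
            self.rows.append(value)
            return
        self.pending.append(value)
        if len(self.pending) == 2:          # release both records at once
            self.rows.extend(self.pending)
            self.pending = []


def observe_insert(table, value):
    """Attacker asks q1 = q(C); someone else inserts record i; attacker asks
    q2 = q(C) and learns q2 - q1."""
    q1 = table.total()
    table.insert(value)
    q2 = table.total()
    return q2 - q1


SALARIES = [38000, 42000, 55000, 61000]   # constructed sample data


def unprotected():
    """Without pairing the difference is exactly the inserted salary."""
    return observe_insert(StatTable(SALARIES), 47000)          # 47000


def paired():
    """With pairing the first insert changes nothing; after the second the
    difference is the sum of both records, so neither is recovered."""
    t = StatTable(SALARIES, pairs=True)
    return observe_insert(t, 47000), observe_insert(t, 52000)  # (0, 99000)
```

The control assumes the attacker does not supply the partner record: an attacker who can insert a record of known value alongside the victim's subtracts it back out, so pairing protects only against observers.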
Summary of Controls
- Limited response suppression
- Combined results, including ranges
- Random sample
- Random data perturbation
- Query analysis
Statistical Inference Theory
Given an unlimited number of statistics and correct statistical answers, every statistical database can be compromised (Ullman).
The Inference Problem
General purpose DBs:
- Usually transaction oriented
- Retrieve non-sensitive data and infer sensitive data
- Inference via database constraints
- Inference via updates
Database Constraints
- Integrity constraints
- Database dependencies
- Key integrity
Integrity Constraints
Constraint: C = A + B, with A public, C public and B secret.
B = C - A can be calculated from A and C, i.e., secret information can be calculated from public data.
Database Dependencies
- Functional dependencies
- Multi-valued dependencies
- Join dependencies
Functional Dependency
FD: A -> B. For any two tuples in the relation, if they have the same value for A, they must have the same value for B.
Example
FD: Rank -> Salary
Secret information: Name and Salary together
Query 1: Name and Rank
Query 2: Rank and Salary
Combine the answers to Queries 1 and 2 (join them on Rank) to reveal Name and Salary together. The FD makes the inference exact: every Rank value maps to exactly one Salary.
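The inference above carried out against a small SQLite table, as an added example that is not part of the lecture. The table contents, the access rule implemented by guarded_project (no single query may show name and salary together) and the function names are constructed for the example; the second table, which breaks the dependency, shows why the FD is what makes the compromise exact rather than partial.

```python
"""Added example (not from the lecture): inference through the functional
dependency Rank -> Salary. The rule forbids seeing Name and Salary in one
query; two permitted projections joined on Rank reveal the pair anyway.
Rows and the guarded_project interface are constructed for the example."""
import sqlite3

COLUMNS = ("name", "rank", "salary")          # whitelist for SQL building
FORBIDDEN_TOGETHER = {"name", "salary"}

# Constructed rows: every rank has exactly one salary, so Rank -> Salary holds.
EMPLOYEES = [
    ("Black", "Analyst", 38000),
    ("Red",   "Senior",  42000),
    ("Green", "Analyst", 38000),
    ("White", "Manager", 55000),
]
# Same data plus one row that breaks the FD (two salaries for "Analyst").
EMPLOYEES_NO_FD = EMPLOYEES + [("Brown", "Analyst", 40000)]


def open_db(rows):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employee ("
                "name TEXT PRIMARY KEY, rank TEXT NOT NULL, salary INTEGER NOT NULL)")
    con.executemany("INSERT INTO employee VALUES (?, ?, ?)", rows)
    return con


def guarded_project(con, columns):
    """Per-query access control: refuse a projection that shows name and
    salary together. Column names are checked against COLUMNS before they
    are interpolated into the statement."""
    cols = tuple(columns)
    if any(c not in COLUMNS for c in cols):
        raise ValueError(f"unknown column in {cols}")
    if FORBIDDEN_TOGETHER <= set(cols):
        raise PermissionError("name and salary may not be released together")
    return con.execute(f"SELECT DISTINCT {', '.join(cols)} FROM employee").fetchall()


def fd_rank_salary_holds(con):
    """True if no rank maps to more than one distinct salary."""
    offenders = con.execute(
        "SELECT rank FROM employee GROUP BY rank HAVING COUNT(DISTINCT salary) > 1"
    ).fetchall()
    return not offenders


def infer_name_salary(con):
    """Query 1: (name, rank). Query 2: (rank, salary). Join on rank in the
    client. Returns {name: set of possible salaries}; under the FD every set
    is a singleton (exact compromise), otherwise only a partial compromise."""
    name_rank = guarded_project(con, ["name", "rank"])
    rank_salary = guarded_project(con, ["rank", "salary"])
    salaries_by_rank = {}
    for rank, salary in rank_salary:
        salaries_by_rank.setdefault(rank, set()).add(salary)
    return {name: salaries_by_rank[rank] for name, rank in name_rank}


if __name__ == "__main__":
    con = open_db(EMPLOYEES)
    print("FD holds:", fd_rank_salary_holds(con))
    print("inferred:", infer_name_salary(con))    # Black -> {38000}, Red -> {42000}, ...
```

Per-query checks on projected columns cannot see the join the client performs; protecting the Name/Salary association here requires reasoning about what the two answers imply together (query history, or classifying Rank as sensitive too).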
Key Integrity
- Every tuple in the relation has a unique key
- Users at different levels see different versions of the database
- Users might attempt to update data that is not visible to them
Example
Secret view:
Name (key)   Salary      Address
Black P      38,000 P    Columbia S
Red S        42,000 S    Irmo S

Public view:
Name (key)   Salary      Address
Black P      38,000 P    Null P
An Update
Public user:
1. Update Black's address to Orlando
2. Add new tuple: (Red, 22,000, Manassas)
Update Results
If the update is refused: covert channel (the refusal tells the public user that high data exists for that key)
If the update is allowed:
- Overwrite the high data: the high data may now be incorrect
- Create a new tuple (polyinstantiation): which data is correct? Violates the key constraint
Another Update
Secret user
Name (key)   Salary      Address
Black P      38,000 P    Columbia S
Red S        42,000 S    Irmo S

Update Black's salary to 45,000
Update Results
If the update is refused: covert channel
If the update is allowed:
- Overwrite the low data: covert channel (the public user sees a change made by a secret user)
- Create a new tuple (polyinstantiation): which data is correct? Violates the key constraint
Inference Problem
- No general technique is available to solve the problem
- Need assurance of protection
- Hard to incorporate outside knowledge
Some Recent Work
- C. Farkas (and others): keep a history file per user to prevent access to data items that would allow an inference; limited to static databases
- T. Toland (and others): extend this work to handle dynamic databases with updates