auditing compliance with a hippocratic database
DESCRIPTION
Auditing Compliance with a Hippocratic Database. Javier Salinas Martín. Outline. Introduction System architecture: Logs Audits Audit queries Performance. Introduction. Responsibly managing privacy sensitive data is mandatory Approaches: Physically logging the results of each query - PowerPoint PPT PresentationTRANSCRIPT
Auditing Compliance with a Hippocratic Database
Javier Salinas Martín
Outline
Introduction System architecture:
– Logs– Audits– Audit queries
Performance
Introduction
Responsibly managing privacy sensitive data is mandatory
Approaches:– Physically logging the results of each query– New system to audit whether the database
executed a query in the past that accessed private data
System properties
Non-disruptive Fast and precise Fine-grained Convenient
System architecture
Logs
Query log: timestamp, user ID
Temporal extensions: for each table T, a backlog table Tb is created– Time stamped– Interval stamped
Time stamped organization
A tuple in Tb has two additional columns:– TS: time of storage– OP: operation {‘insert’, ‘delete’, ‘update’}
Triggers are used to capture updates Recover state of T at time τ: take a snapshot
Interval stamped organization
Period of time for wich each tuple was alive:– TS: time of storage– TE: end time
Insert trigger adds t to Tb, setting TE to null Update trigger searches for tuple b such that b.P=t.P
and b.TE=null and sets b.TE to the current time and inserts new tuple t
Delete trigger searches for tuple b such that b.P=t.P and b.TE=null and sets b.TE to the current time
Audit expressions
Identical to that of a select query No disctinct in the select list “Audit” replaces “Select”
U: cross product of all the base tables in the database
Cells that satisfy the expression are marked in U
Schema used for examples
Example of audit expression
Audit if the disease information of anybody living in the ZIP code 95120 was diclosed
Cells corresponding to the disease column of those tuples in the Customer x Treatment table that have c.cid=t.pcid and c.zip = 95120 are marked
Some definitions
Tuple t, Query Q, Audit A Indispensable tuple: omitting t makes a
difference on Q Candidate query: Q accesses all columns A
specifies in its audit list Suspicious query: Q and A share an
indispensable tuple
Example 1
Q is a candidate query with respect to A Q is suspicious with respect to A if there is a
customer who lived in the ZIP code 95120 and was treated for diabetes
Example 2
Q is not suspicious with respect to A Anyone who looks at the output of the query
will not learn that Alice has cancer
System architecture
Audit query generation
Full audit expression
Two steps:– Static analysis: select candidate queries from the query log– Audit query generation: augment every candidate query
with information from the audit expression and combine them into an audit query that unions their output
Static analysis
Select candidate queries
Four steps:– Check whether Q is a candidate query– Check whether timestamp of Q is out of range– Check whether the purpose-recipient pair of Q matches any
of the purpose-recipient specified in the otherthan clause of A
– Check for contradictions between predicates
Set of candidate queries Q= {Q1,…,Qn}
Audit Query Generation
Augment every Qi with A
Result is another query AQi, defined against the backlog database at time τi
τi is the timestamp of Qi as recorded in the query log
All AQi are combined into one AQ audit query whose output is the union of the output of the individual AQi
AQ is executed against the backlog database
Audit Query Generation example
Example:
Audit Query Generation example
Audit Query Generation example
Performance
Cost of maintaining backlog tables
Performance
Execution time of an audit query
Questions?