Database Security DBMS Features Statistical Database Security

Upload: beverly-brown

Post on 29-Dec-2015

Database Security

DBMS Features

Statistical Database Security

Database security CSCE 522 - Eastman/Farkas - Fall 2005 2

Security Concerns
  Data Integrity
  Data Confidentiality
    Access control
    Inference control
  Data Availability

Topics in Text
  What is a database?
  Basic definitions for relational DBs
  DBMS security functionality
  Inference attacks
  Multilevel secure databases

Security Concerns
  Data Integrity
    Information assurance
  Data Confidentiality
    Access control
    Inference control
  Data Availability

Security Requirements
  Physical database integrity
  Logical database integrity
  Element integrity
  Auditability
  Access control
  User authentication
  Availability

Some Techniques and Tools
  Two-phase commit
    Intent phase/commit phase
  Shadow values
  Backups
  Audit trails
  Concurrency management

Checking Data
  Element level
    Range checks
  Tuple/record level
    State constraints
    Transition constraints
  Relation/file level
    Duplicate key checks
  Database level

Indirect Information Flow
  Covert channels
  Inference channels

Communication Channels
  Overt Channel: designed into a system and documented in the user's manual
  Covert Channel: not documented. Covert channels may be deliberately inserted into a system, but most such channels are accidents of the system design.

Covert Channel
  Need:
    Two active participants
    Encoding schema
  Example: sender modulates the CPU utilization level with the data stream to be transmitted
  Sender:
    repeat
      get a bit to send
      if the bit is 1
        wait one second (don't use CPU time)
      else
        busy wait one second (use CPU time)
      endif
    until done

Covert Channel Types
  Timing Channel: based on system times
  Storage channels: not time related communication
  Can be turned into each other

Covert Channel Protection
  Noise
  Synchronization
  Protection (user state, system state)
  Removal
  Slow down
  Audit

Inference Channels
  Non-sensitive information + Meta-data = Sensitive Information

Inference Channels
  Statistical Database Inferences
  General Purpose Database Inferences

Statistical Databases
  Goal: provide aggregate information about groups of individuals
    E.g., average GPA of students
  Security risk: specific information about a particular individual
    E.g., GPA of student John Smith
  Meta-data
    Working knowledge about the attributes
    Supplementary knowledge (not stored in database)

Types of Statistics
  Macro-statistics: collections of related statistics presented in 2-dimensional tables
  Micro-statistics: individual data records used for statistics after identifying information is removed

Macro-statistics

  Sex\Year   1997   1998   Sum
  Female        4      1     5
  Male          6     13    19
  Sum          10     14    24

Micro-statistics

  Sex   Course     GPA   Year
  F     CSCE 590   3.5   2000
  M     CSCE 590   3.0   2000
  F     CSCE 790   4.0   2001

Statistical Compromise
  Exact compromise
    Find exact value of an attribute of an individual (e.g., John Smith’s GPA is 3.8)
  Partial compromise
    Find an estimate of an attribute value corresponding to an individual (e.g., John Smith’s GPA is between 3.5 and 4.0)

Small/Large Query Set Attack
  C: characteristic formula that identifies groups of individuals
  If C identifies a single individual I [count(C) = 1]
    Find out existence of property
      count(C and D) = 1 means I has property D
      count(C and D) = 0 means I does not have D
    OR
    Find value of property
      Sum(C, D) gives the value of D

Protection
  Protection from small/large query set attack: query-set-size control
  A query q(C) is permitted only if N − n ≥ |C| ≥ n, where n ≥ 0 is a parameter of the database and N is the number of records in the database

Tracker Attack
  [Diagram: sets C1 and C2, with regions labelled C and Tracker]
  C = C1 and C2
  T = C1 and ~C2
  q(C) = q(C1) – q(T)
  q(C) is disallowed

Tracker Attack
  [Diagram: sets C1, C2 and D, with regions labelled C, Tracker, and C and D]
  C = C1 and C2
  T = C1 and ~C2
  q(C and D) = q(T or C and D) – q(T)
  q(C and D) is disallowed

Query Overlap Attack
  [Diagram: query sets C1 and C2 over the individuals John, Kathy, Max, Fred, Eve, Paul and Mitch]
  Q(John) = q(C1) - q(C2)
  Protection: query-overlap control
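Added example (not from the original slides): a toy statistical database in Python that enforces the query-set-size control, shows that the tracker identity q(C) = q(C1) – q(T) still reproduces a refused answer, and shows a simplified query-overlap check refusing the second query. The records, the class and function names, n = 2 and the overlap rule are assumptions made for illustration.

```python
# Constructed sample records (not from the slides): (name, sex, dept, gpa)
RECORDS = [
    ("Ann", "F", "CS", 3.8), ("Bob", "M", "CS", 3.1),
    ("Carl", "M", "CS", 2.9), ("Dan", "M", "CS", 3.4),
    ("Eve", "F", "Math", 3.6), ("Fay", "F", "Math", 3.2),
    ("Gus", "M", "Math", 3.0), ("Hal", "M", "Math", 2.7),
]
N_PARAM = 2  # the database parameter n from the slide

class Refused(Exception):
    """Raised when a control rejects a statistical query."""

class StatDB:
    def __init__(self, overlap_control=False):
        self.overlap_control = overlap_control
        self.answered = []  # query sets (as sets of names) already answered

    def sum_gpa(self, pred):
        rows = [r for r in RECORDS if pred(r)]
        names = frozenset(r[0] for r in rows)
        # Query-set-size control: n <= |C| <= N - n
        if not N_PARAM <= len(rows) <= len(RECORDS) - N_PARAM:
            raise Refused("query set size %d" % len(rows))
        # Simplified query-overlap control (an assumption of this example):
        # refuse when this set and an answered one differ by fewer than n
        # records, since subtracting the answers would isolate them.
        close = any(0 < len(names ^ old) < N_PARAM for old in self.answered)
        if self.overlap_control and close:
            raise Refused("overlaps an answered query set")
        self.answered.append(names)
        return sum(r[3] for r in rows)

def c1(r):
    return r[1] == "F"                # C1: female students

def c2(r):
    return r[2] == "CS"               # C2: CS students

def c(r):
    return c1(r) and c2(r)            # C = C1 and C2, matches one record

def t(r):
    return c1(r) and not c2(r)        # T = C1 and ~C2, the tracker

def tracker_difference(db):
    """q(C) = q(C1) - q(T), built only from queries the size control allows."""
    return db.sum_gpa(c1) - db.sum_gpa(t)
```

With only the size control, q(C) is refused but the difference of two permitted answers equals it; with the overlap check enabled, the second of those two queries is refused.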

Insertion/Deletion Attack
  Observing changes over time
    q1 = q(C)
    insert(i)
    q2 = q(C)
    q(i) = q2 - q1
  Protection: insertion/deletion performed as pairs

Summary of Controls
  Limited response suppression
  Combined results, including ranges
  Random sample
  Random data perturbation
  Query analysis

Statistical Inference Theory
  Given an unlimited number of statistics and correct statistical answers, all statistical databases can be compromised (Ullman)

The Inference Problem
  General purpose DBs
    Usually transaction oriented
    Retrieve nonsensitive data and infer sensitive data
  Inference via database constraints
  Inference via updates

Database Constraints
  Integrity constraints
  Database dependencies
  Key integrity

Integrity Constraints
  C = A + B
  A = public, C = public, and B = secret
  B can be calculated from A and C, i.e., secret information can be calculated from public data

Database Dependencies
  Functional dependencies
  Multi-valued dependencies
  Join dependencies

Functional Dependency
  FD: A → B
  For any two tuples in the relation, if they have the same value for A, they must have the same value for B.

Example
  FD: Rank → Salary
  Secret information: Name and Salary together
  Query1: Name and Rank
  Query2: Rank and Salary
  Combine answers for Queries 1 and 2 to reveal Name and Salary together

Key Integrity
  Every tuple in the relation has a unique key
  Users at different levels see different versions of the database
  Users might attempt to update data that is not visible to them

Example

  Secret View
  Name (key)   Salary     Address
  Black  P     38,000 P   Columbia S
  Red    S     42,000 S   Irmo     S

  Public View
  Name (key)   Salary     Address
  Black  P     38,000 P   Null     P

An Update
  Public User
    1. Update Black’s address to Orlando
    2. Add new tuple: (Red, 22,000, Manassas)

Update Results
  If
    Refuse update: covert channel
    Allow update:
      • Overwrite high data – may be incorrect
      • Create new tuple – which data is correct? (polyinstantiation) – violate key constraints
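Added example (not from the original slides): the three outcomes listed above for the public user's insert of (Red, 22,000, Manassas), run against the relation from the slides with its element labels. The policy names and the functions are hypothetical.

```python
LEVELS = {"P": 0, "S": 1}  # Public < Secret


def relation():
    """Relation from the slides; every element is a (value, label) pair."""
    return [
        {"Name": ("Black", "P"), "Salary": (38000, "P"), "Address": ("Columbia", "S")},
        {"Name": ("Red", "S"), "Salary": (42000, "S"), "Address": ("Irmo", "S")},
    ]


def view(rows, level):
    """Rows whose key is visible at `level`; hidden elements read as None."""
    def visible(label):
        return LEVELS[label] <= LEVELS[level]
    return [{a: (v if visible(lab) else None) for a, (v, lab) in row.items()}
            for row in rows if visible(row["Name"][1])]


def insert(rows, level, name, salary, address, policy):
    """Insert at `level`; `policy` decides what happens on a hidden key clash.

    Returns True if the insert was accepted, False if it was refused.
    """
    new = {"Name": (name, level), "Salary": (salary, level),
           "Address": (address, level)}
    clash = [r for r in rows if r["Name"][0] == name]
    if any(r["Name"][1] == level for r in clash):
        return False                      # ordinary duplicate key, same level
    if clash and policy == "refuse":
        return False                      # refusal reveals the hidden tuple
    if clash and policy == "overwrite":
        rows[:] = [r for r in rows if r["Name"][0] != name]  # high data lost
    rows.append(new)                      # "polyinstantiate": keep both
    return True
```

Under "polyinstantiate" the Secret view holds two Red tuples, so Name alone no longer identifies a tuple and the effective key becomes Name plus its label.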

Another Update

  Name (key)   Salary     Address
  Black  P     38,000 P   Columbia S
  Red    S     42,000 S   Irmo     S

  Secret user
    Update Black’s salary to 45,000

Update Results
  If
    Refuse update: covert channel
    Allow update:
      • Overwrite low data – covert channel
      • Create new tuple – which data is correct? (polyinstantiation) – violate key constraints

Inference Problem
  No general technique is available to solve the problem
  Need assurance of protection
  Hard to incorporate outside knowledge

Some Recent Work
  C. Farkas (and others) – keep history file for user to prevent access to data items that would allow inference – limited to static databases
  T. Toland (and others) – extend this work to handle dynamic databases with updates
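Added example (not from the slides, and not the cited authors' implementation): a simplified per-user history check for the Rank → Salary example and the history-file idea above. It refuses a query when the answers released so far could be joined losslessly, under the functional dependencies, into a secret attribute combination. HistoryGuard and the other names are hypothetical.

```python
FDS = [({"Rank"}, {"Salary"})]   # FD from the slide: Rank -> Salary
SECRET = [{"Name", "Salary"}]    # sensitive only in combination

def closure(attrs, fds=FDS):
    """Attribute closure of attrs under the functional dependencies."""
    result = set(attrs)
    changed = True
    while changed:
        changed = False
        for lhs, rhs in fds:
            if lhs <= result and not rhs <= result:
                result |= rhs
                changed = True
    return result

def derivable(released):
    """Attribute sets a user can associate by joining released answers."""
    known = {frozenset(a) for a in released}
    changed = True
    while changed:
        changed = False
        for x in list(known):
            for y in list(known):
                shared = x & y
                # The join is exact when the shared attributes determine
                # the rest of y (lossless-join condition).
                if shared and (y - x) and (y - x) <= closure(shared):
                    if (x | y) not in known:
                        known.add(x | y)
                        changed = True
    return known

def discloses(released):
    """True if some derivable association covers a secret combination."""
    return any(sec <= s for s in derivable(released) for sec in SECRET)

class HistoryGuard:
    """Per-user history of released attribute sets (hypothetical design)."""
    def __init__(self):
        self.history = {}

    def request(self, user, attrs):
        past = self.history.setdefault(user, [])
        if discloses(past + [set(attrs)]):
            return False         # refuse: answer would complete an inference
        past.append(set(attrs))
        return True
```

Each query is harmless alone; the guard refuses whichever of Query1 and Query2 arrives second for the same user.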