Database Security DBMS Features Statistical Database Security.
Transcript of Database Security DBMS Features Statistical Database Security.
Database security CSCE 522 - Eastman/Farkas - Fall 2005 2
Security Concerns
• Data Integrity
• Data Confidentiality
    • Access control
    • Inference control
• Data Availability

Topics in Text
• What is a database?
    • Basic definitions for relational DBs
• DBMS security functionality
• Inference attacks
• Multilevel secure databases

Security Concerns
• Data Integrity
    • Information assurance
• Data Confidentiality
    • Access control
    • Inference control
• Data Availability

Security Requirements
• Physical database integrity
• Logical database integrity
• Element integrity
• Auditability
• Access control
• User authentication
• Availability

Some Techniques and Tools
• Two-phase commit
    • Intent phase/commit phase
• Shadow values
• Backups
• Audit trails
• Concurrency management

Checking Data
• Element level
    • Range checks
• Tuple/record level
    • State constraints
    • Transition constraints
• Relation/file level
    • Duplicate key checks
• Database level

Indirect Information Flow
• Covert channels
• Inference channels

Communication Channels
• Overt Channel: designed into a system and documented in the user's manual
• Covert Channel: not documented. Covert channels may be deliberately inserted into a system, but most such channels are accidents of the system design.

Covert Channel
• Need:
    • Two active participants
    • Encoding schema
• Example: sender modulates the CPU utilization level with the data stream to be transmitted
• Sender:
    repeat
        get a bit to send
        if the bit is 1
            wait one second (don't use CPU time)
        else
            busy wait one second (use CPU time)
        endif
    until done

Covert Channel Types
• Timing Channel: based on system times
• Storage channels: not time related communication
• Can be turned into each other

Covert Channel Protection
• Noise
• Synchronization
• Protection (user state, system state)
• Removal
• Slow down
• Audit

Inference Channels
Non-sensitive information + Meta-data = Sensitive Information

Inference Channels
• Statistical Database Inferences
• General Purpose Database Inferences

Statistical Databases
• Goal: provide aggregate information about groups of individuals
    • E.g., average GPA of students
• Security risk: specific information about a particular individual
    • E.g., GPA of student John Smith
• Meta-data
    • Working knowledge about the attributes
    • Supplementary knowledge (not stored in database)

Types of Statistics
• Macro-statistics: collections of related statistics presented in 2-dimensional tables
• Micro-statistics: individual data records used for statistics after identifying information is removed

Macro-statistics

Sex\Year   1997   1998   Sum
Female        4      1     5
Male          6     13    19
Sum          10     14    24

Micro-statistics

Sex   Course     GPA   Year
F     CSCE 590   3.5   2000
M     CSCE 590   3.0   2000
F     CSCE 790   4.0   2001

Statistical Compromise
• Exact compromise
    • Find exact value of an attribute of an individual (e.g., John Smith’s GPA is 3.8)
• Partial compromise
    • Find an estimate of an attribute value corresponding to an individual (e.g., John Smith’s GPA is between 3.5 and 4.0)

Small/Large Query Set Attack
• C: characteristic formula that identifies groups of individuals
• If C identifies a single individual I [count(C) = 1]
    • Find out existence of property
        • If count(C and D) = 1, then I has property D
        • If count(C and D) = 0, then I does not have D
    • OR find value of property
        • Sum(C, D) gives value of D

Protection
• Protection from small/large query set attack: query-set-size control
• A query q(C) is permitted only if N − n ≥ |C| ≥ n, where n ≥ 0 is a parameter of the database and N is the number of records in the database

Tracker Attack
[Figure: sets C1 and C2, with C and the tracker T marked]
• C = C1 and C2
• T = C1 and ~C2
• q(C) = q(C1) – q(T)
• q(C) is disallowed

Tracker Attack
[Figure: sets C1, C2 and D, with C, the tracker T, and C and D marked]
• C = C1 and C2
• T = C1 and ~C2
• q(C and D) = q(T or C and D) – q(T)
• q(C and D) is disallowed

Query Overlap Attack
[Figure: overlapping query sets C1 and C2 over the individuals John, Kathy, Max, Fred, Eve, Paul, Mitch]
• Q(John) = q(C1) - q(C2)
• Protection: query-overlap control

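The tracker and query-overlap slides above, worked through as an added example (not part of the original lecture): a toy statistical database enforces query-set-size control with n = 2, the formula q(C) = q(C1) - q(T) still yields the refused answer, and a pairwise query-analysis check over the answer log flags the two queries involved. The records, N_MIN and all function names are constructed for illustration.

```python
# Constructed sample records (not from the slides): (name, sex, dept, gpa)
RECORDS = [
    ("Ann", "F", "CS", 3.9), ("Bea", "F", "EE", 3.4), ("Cat", "F", "EE", 3.1),
    ("Dan", "M", "CS", 3.0), ("Eli", "M", "CS", 3.6), ("Fox", "M", "EE", 2.8),
    ("Gus", "M", "EE", 3.2), ("Hal", "M", "CS", 3.3),
]
N_MIN = 2  # parameter n of the query-set-size control


class Refused(Exception):
    """Raised when a query set violates n <= |C| <= N - n."""


def query_set(pred):
    return frozenset(i for i, r in enumerate(RECORDS) if pred(r))


def q_sum(pred, log):
    """Sum of GPA over the query set; answered query sets are recorded in log."""
    qs = query_set(pred)
    if not N_MIN <= len(qs) <= len(RECORDS) - N_MIN:
        raise Refused(f"query set size {len(qs)} not permitted")
    log.append(qs)
    return sum(RECORDS[i][3] for i in qs)


def tracker_demo(log):
    """q(C) = q(C1) - q(T) with C1 = female, C2 = CS, T = C1 and ~C2."""
    c1 = lambda r: r[1] == "F"
    c2 = lambda r: r[2] == "CS"
    try:
        q_sum(lambda r: c1(r) and c2(r), log)   # C holds one record: refused
        direct_refused = False
    except Refused:
        direct_refused = True
    derived = q_sum(c1, log) - q_sum(lambda r: c1(r) and not c2(r), log)
    return direct_refused, round(derived, 2)


def audit_pairs(log):
    """Query analysis (pairwise only): flag answered sets A, B where B lies
    inside A and the difference A - B holds fewer than n records."""
    return [(a, b) for a in log for b in log
            if b < a and len(a - b) < N_MIN]


if __name__ == "__main__":
    log = []
    print(tracker_demo(log))   # direct query refused, value still derived
    print(audit_pairs(log))    # the (C1, T) pair that isolates one record
```

The audit only compares two answered queries at a time, so it covers the two-query cases on these slides and not combinations of three or more answers.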
Insertion/Deletion Attack
• Observing changes over time
    q1 = q(C)
    insert(i)
    q2 = q(C)
    q(i) = q2 - q1
• Protection: insertion/deletion performed as pairs

Summary of Controls
• Limited response suppression
• Combined results, including ranges
• Random sample
• Random data perturbation
• Query analysis

Statistical Inference Theory
• Given an unlimited number of statistics and correct statistical answers, all statistical databases can be compromised (Ullman)

The Inference Problem
• General purpose DBs
    • Usually transaction oriented
    • Retrieve nonsensitive data and infer sensitive data
• Inference via database constraints
• Inference via updates

Database Constraints
• Integrity constraints
• Database dependencies
• Key integrity

Integrity Constraints
• C = A + B
• A = public, C = public, and B = secret
• B can be calculated from A and C, i.e., secret information can be calculated from public data

Database Dependencies
• Functional dependencies
• Multi-valued dependencies
• Join dependencies

Functional Dependency
• FD: A → B
• For any two tuples in the relation, if they have the same value for A, they must have the same value for B.

Example
• FD: Rank → Salary
• Secret information: Name and Salary together
• Query1: Name and Rank
• Query2: Rank and Salary
• Combine answers for Queries 1 and 2 to reveal Name and Salary together

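The Rank → Salary example as a check that can be run before a set of queries is granted, added here and not part of the original lecture: it computes which attributes a user can attach to each tuple once functional dependencies are applied, and reports sensitive combinations that no single granted query exposes. FDS, GRANTED, SENSITIVE and the function names are assumptions made for the example.

```python
# Constructed inputs mirroring the slide; all names here are illustrative.
FDS = [({"Rank"}, "Salary")]                      # FD: Rank -> Salary
GRANTED = [{"Name", "Rank"}, {"Rank", "Salary"}]  # Query1, Query2
SENSITIVE = [{"Name", "Salary"}]                  # secret when seen together


def derivable(start, granted, fds):
    """Attributes a user can attach to each tuple of the query `start`."""
    known = set(start)
    changed = True
    while changed:
        changed = False
        for lhs, rhs in fds:
            if rhs in known or not lhs <= known:
                continue
            # The FD helps only if some answered query shows lhs and rhs
            # side by side, so the dependent value can be looked up.
            if any(lhs | {rhs} <= q for q in granted):
                known.add(rhs)
                changed = True
    return known


def inference_channels(granted, fds, sensitive):
    """Return (query, sensitive set) pairs where the set becomes derivable
    although no single granted query contains it."""
    found = []
    for q in granted:
        known = derivable(q, granted, fds)
        for s in sensitive:
            if s <= known and not any(s <= g for g in granted):
                found.append((sorted(q), sorted(s)))
    return found


if __name__ == "__main__":
    # Query1 plus the FD lookup through Query2 reveals Name with Salary.
    print(inference_channels(GRANTED, FDS, SENSITIVE))
    # Without Query2 there is nothing to look Salary up in.
    print(inference_channels([{"Name", "Rank"}], FDS, SENSITIVE))
```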
Key Integrity
• Every tuple in the relation has a unique key
• Users at different levels see different versions of the database
• Users might attempt to update data that is not visible for them

Example

Secret View
Name (key)   Salary      Address
Black  P     38,000  P   Columbia  S
Red    S     42,000  S   Irmo      S

Public View
Name (key)   Salary      Address
Black  P     38,000  P   Null      P

An Update
Public User
1. Update Black’s address to Orlando
2. Add new tuple: (Red, 22,000, Manassas)

Update Results
If
• Refuse update: covert channel
• Allow update:
    • Overwrite high data – may be incorrect
    • Create new tuple – which data is correct? (polyinstantiation) – violate key constraints

Another Update

Name (key)   Salary      Address
Black  P     38,000  P   Columbia  S
Red    S     42,000  S   Irmo      S

Secret user
Update Black’s salary to 45,000

Update Results
If
• Refuse update: covert channel
• Allow update:
    • Overwrite low data – covert channel
    • Create new tuple – which data is correct? (polyinstantiation) – violate key constraints

Inference Problem
• No general technique is available to solve the problem
• Need assurance of protection
• Hard to incorporate outside knowledge