Database Security
PowerPoint transcript (42 slides): CSCE 522 - Eastman/Farkas - Fall 2005. Source: https://www.cse.sc.edu

1
Database Security
  • DBMS Features
  • Statistical Database Security

2
Security Concerns
  • Data Integrity
  • Data Confidentiality
  • Access control
  • Inference control
  • Data Availability

3
Topics in Text
  • What is a database?
  • Basic definitions for relational DBs
  • DBMS security functionality
  • Inference attacks
  • Multilevel secure databases

4
Security Concerns
  • Data Integrity
  • Information assurance
  • Data Confidentiality
  • Access control
  • Inference control
  • Data Availability

5
Security Requirements
  • Physical database integrity
  • Logical database integrity
  • Element integrity
  • Auditability
  • Access control
  • User authentication
  • Availability

6
Some Techniques and Tools
  • Two-phase commit
  • Intent phase/commit phase
  • Shadow values
  • Backups
  • Audit trails
  • Concurrency management

7
Checking Data
  • Element level
  • Range checks
  • Tuple/record level
  • State constraints
  • Transition constraints
  • Relation/file level
  • Duplicate key checks
  • Database level

8
Indirect Information Flow
  • Covert channels
  • Inference channels

9
Communication Channels
  • Overt channel: designed into a system and
    documented in the user's manual
  • Covert channel: not documented. Covert channels
    may be deliberately inserted into a system, but
    most such channels are accidents of the system
    design.

10
Covert Channel
  • Needs:
    • Two active participants
    • An encoding scheme
  • Example: the sender modulates the CPU utilization
    level with the data stream to be transmitted
  • Sender:
      repeat
          get a bit to send
          if the bit is 1 then wait one second (don't use CPU time)
          else busy-wait one second (use CPU time)
          endif
      until done

11
Covert Channel Types
  • Timing channel: based on system timing
  • Storage channel: communication that is not time-related
  • Each type can be converted into the other

12
Covert Channel Protection
  • Noise
  • Synchronization
  • Protection (user state, system state)
  • Removal
  • Slow down
  • Audit

13
Inference Channels
  (Diagram: non-sensitive information, combined with
   meta-data, yields sensitive information)

14
Inference Channels
  • Statistical Database Inferences
  • General Purpose Database Inferences

15
Statistical Databases
  • Goal: provide aggregate information about groups
    of individuals
    • E.g., average GPA of students
  • Security risk: specific information about a
    particular individual
    • E.g., GPA of student John Smith
  • Meta-data:
    • Working knowledge about the attributes
    • Supplementary knowledge (not stored in database)

16
Types of Statistics
  • Macro-statistics: collections of related
    statistics presented in 2-dimensional tables
  • Micro-statistics: individual data records used
    for statistics after identifying information is
    removed

17
Macro-statistics
  Sex \ Year   1997   1998   Sum
  Female          4      1     5
  Male            6     13    19
  Sum            10     14    24

18
Micro-statistics
  Sex   Course     GPA   Year
  F     CSCE 590   3.5   2000
  M     CSCE 590   3.0   2000
  F     CSCE 790   4.0   2001

19
Statistical Compromise
  • Exact compromise: find the exact value of an
    attribute of an individual (e.g., John Smith's GPA
    is 3.8)
  • Partial compromise: find an estimate of an
    attribute value corresponding to an individual
    (e.g., John Smith's GPA is between 3.5 and 4.0)

20
Small/Large Query Set Attack
  • C: characteristic formula that identifies groups
    of individuals
  • If C identifies a single individual I, then
    count(C) = 1
  • Find out the existence of a property:
    • If count(C and D) = 1, I has property D
    • If count(C and D) = 0, I does not have D
  • OR find the value of a property:
    • sum(C, D) gives I's value of D

21
Protection
  • Protection from small/large query set attack:
    query-set-size control
  • A query q(C) is permitted only if
    n ≤ |C| ≤ N - n, where n ≥ 0 is a parameter of
    the database and N is the total number of records
    in the database

22
Tracker Attack
  • q(C) is disallowed
  • Write C = C1 and C2; the tracker is T = C1 and (not C2)
  • Then q(C) = q(C1) - q(T), where q(C1) and q(T) each have
    a query set large enough to be permitted
  (Figure: Venn diagram of the query sets C1, C2, C = C1 and C2,
   and the tracker T)
23
Tracker Attack
  • q(C and D) is disallowed
  • C = C1 and C2; the tracker is T = C1 and (not C2)
  • q(C and D) = q(T or (C and D)) - q(T)
  (Figure: Venn diagram of C1, C2, the tracker T, and the
   region C and D)
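
Slides 20 to 23 in working form, as an added example that is not part of the lecture: a constructed student table, a count/sum interface enforcing the query-set-size control of slide 21, and a check that the tracker identity of slide 22 still evaluates to a single student's GPA even though every query it issues passes the control. The records, names and the threshold n = 2 are constructed for the example.

```python
# Added example, not lecture code: a statistical database with the query-set-size
# control of slide 21 and the tracker identity of slides 22-23 run against it.
from typing import Callable, Dict, List, Optional

Record = Dict[str, object]
Formula = Callable[[Record], bool]   # a characteristic formula C

# Constructed micro-statistics in the style of slide 18; the name column is
# never released by the statistical interface.
RECORDS: List[Record] = [
    {"name": "Smith", "sex": "F", "course": "CSCE 590", "year": 2000, "gpa": 3.5},
    {"name": "Jones", "sex": "M", "course": "CSCE 590", "year": 2000, "gpa": 3.0},
    {"name": "Brown", "sex": "F", "course": "CSCE 790", "year": 2001, "gpa": 4.0},
    {"name": "Davis", "sex": "M", "course": "CSCE 790", "year": 2001, "gpa": 3.2},
    {"name": "Evans", "sex": "F", "course": "CSCE 590", "year": 2001, "gpa": 3.8},
    {"name": "Frank", "sex": "M", "course": "CSCE 590", "year": 2001, "gpa": 2.9},
]
N = len(RECORDS)
N_MIN = 2   # the parameter n of slide 21: a query is permitted iff n <= |C| <= N - n


class QueryRefused(Exception):
    """Raised by query-set-size control when |C| is too small or too large."""


def stat(agg: str, attr: str, c: Formula) -> float:
    """count(C) or sum(C, attr), subject to query-set-size control."""
    query_set = [r for r in RECORDS if c(r)]
    size = len(query_set)
    if not N_MIN <= size <= N - N_MIN:
        raise QueryRefused(f"|C| = {size} is outside [{N_MIN}, {N - N_MIN}]")
    return float(size) if agg == "count" else float(sum(r[attr] for r in query_set))


def direct_query(attr: str, c: Formula) -> Optional[float]:
    """Slide 20's single-individual query; None when the control refuses it."""
    try:
        return stat("sum", attr, c)
    except QueryRefused:
        return None


def tracker_query(attr: str, c1: Formula, c2: Formula) -> float:
    """Slide 22: for C = C1 and C2 and tracker T = C1 and not C2,
    q(C) = q(C1) - q(T). Both right-hand queries pass the size control, so
    the control on its own does not prevent the compromise (hence slide 26)."""
    tracker: Formula = lambda r: c1(r) and not c2(r)
    return round(stat("sum", attr, c1) - stat("sum", attr, tracker), 6)
```

With C1 = "sex is F" (three records) and C2 = "year is 2000", C = C1 and C2 names only Smith, so direct_query is refused while tracker_query returns Smith's GPA of 3.5.
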
24
Query Overlap Attack
  • q(John) = q(C1) - q(C2)
  (Figure: two large, overlapping query sets C1 and C2 over the
   individuals Kathy, Paul, John, Eve, Max, Fred and Mitch; C1 and
   C2 differ only in John)
  • Protection: query-overlap control
25
Insertion/Deletion Attack
  • Observing changes over time:
      q1 = q(C)
      insert(i)
      q2 = q(C)
      q(i) = q2 - q1
  • Protection: insertion/deletion performed in pairs

26
Summary of Controls
  • Limited response suppression
  • Combined results, including ranges
  • Random sample
  • Random data perturbation
  • Query analysis

27
Statistical Inference Theory
  • Given an unlimited number of statistics and
    correct statistical answers, all statistical
    databases can be compromised (Ullman)

28
The Inference Problem
  • General purpose DBs
  • Usually transaction oriented
  • Retrieve nonsensitive data and infer sensitive
    data
  • Inference via database constraints
  • Inference via updates

29
Database Constraints
  • Integrity constraints
  • Database dependencies
  • Key integrity

30
Integrity Constraints
  • C = A + B
  • A public, C public, and B secret
  • B can be calculated from A and C (B = C - A), i.e.,
    secret information can be calculated from public data

31
Database Dependencies
  • Functional dependencies
  • Multi-valued dependencies
  • Join dependencies

32
Functional Dependency
  • FD A → B
  • For any two tuples in the relation, if they have
    the same value for A, they must have the same
    value for B.

33
Example
  • FD Rank → Salary
  • Secret information: Name and Salary together
  • Query 1: Name and Rank
  • Query 2: Rank and Salary
  • Combine answers for Queries 1 and 2 to reveal
    Name and Salary together

34
Key Integrity
  • Every tuple in the relation has a unique key
  • Users at different levels see different versions
    of the database
  • Users might attempt to update data that is not
    visible for them

35
Example
Secret View
  Name (key)   Salary     Address
  Black P      38,000 P   Columbia S
  Red S        42,000 S   Irmo S
Public View
  Name (key)   Salary     Address
  Black P      38,000 P   Null P
(P = public label, S = secret label)

36
An Update
Public User
  • Update Black's address to Orlando
  • Add new tuple (Red, 22,000, Manassas)

37
Update Results
  • Refuse update: covert channel
  • Allow update:
    • Overwrite high data: may be incorrect
    • Create new tuple (polyinstantiation): which data
      is correct? violates key constraints

38
Another Update
Secret user
  Name (key)   Salary     Address
  Black P      38,000 P   Columbia S
  Red S        42,000 S   Irmo S
  • Update Black's salary to 45,000

39
Update Results
  • Refuse update: covert channel
  • Allow update:
    • Overwrite low data: covert channel
    • Create new tuple (polyinstantiation): which data
      is correct? violates key constraints

40
Inference Problem
  • No general technique is available to solve the
    problem
  • Need assurance of protection
  • Hard to incorporate outside knowledge

41
Some Recent Work
  • C. Farkas (and others): keep a history file for each
    user to prevent access to data items that would
    allow inference; limited to static databases
  • T. Toland (and others): extend this work to
    handle dynamic databases with updates
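
The functional-dependency channel of slide 33 and the history-file idea of slide 41, as an added example that is neither the lecture's nor the cited papers' code: a guard that records the projections each user has already received and refuses one that, joined with that history under the known FDs, would assemble the secret Name and Salary pair. The lossless-join criterion used to decide which released projections can be joined, and the user names in the usage, are assumptions of this example.

```python
# Added example, not the lecture's or the cited papers' code: a per-user history
# file (slide 41) checked against FD-based inference (slide 33).
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Attrs = FrozenSet[str]
FD = Tuple[Attrs, Attrs]

def closure(x: Attrs, fds: Iterable[FD]) -> Attrs:
    """Attribute closure X+ of x under the functional dependencies."""
    result: Set[str] = set(x)
    changed = True
    while changed:
        changed = False
        for lhs, rhs in fds:
            if lhs <= result and not rhs <= result:
                result |= rhs
                changed = True
    return frozenset(result)

def derivable(released: List[Attrs], fds: List[FD]) -> Set[Attrs]:
    """Every attribute combination assemblable from released projections: two
    projections join correctly on common attributes X when X determines one side."""
    sets: Set[Attrs] = set(released)
    changed = True
    while changed:
        changed = False
        for a in list(sets):
            for b in list(sets):
                common = a & b
                if a == b or not common or a | b in sets:
                    continue
                if a <= closure(common, fds) or b <= closure(common, fds):
                    sets.add(a | b)
                    changed = True
    return sets

class InferenceGuard:
    """History file per user; a projection is refused if history plus that
    projection would let the user derive a secret attribute combination."""
    def __init__(self, fds: Iterable[Tuple[Iterable[str], Iterable[str]]],
                 secrets: Iterable[Iterable[str]]) -> None:
        self.fds: List[FD] = [(frozenset(l), frozenset(r)) for l, r in fds]
        self.secrets = [frozenset(s) for s in secrets]
        self.history: Dict[str, List[Attrs]] = {}

    def request(self, user: str, attrs: Iterable[str]) -> bool:
        candidate = self.history.get(user, []) + [frozenset(attrs)]
        if any(s <= d for d in derivable(candidate, self.fds) for s in self.secrets):
            return False  # releasing this projection would allow inference
        self.history[user] = candidate
        return True
```

A user who has received (Name, Rank) is refused (Rank, Salary) but still gets (Rank, Address), because Rank does not determine Address and so that join would not be lossless.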