Transcript Lecture 3
Analyzing and Securing
Social Networks
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Lecture #3
Introduction to Data and Applications Security
August 28, 2015
Outline
Data and Applications Security
- Developments and Directions
Secure Semantic Web
- XML Security; Other directions
Some Emerging Secure DAS Technologies
- Secure Sensor Information Management; Secure Dependable Information Management
Some Directions for Privacy Research
- Data Mining for handling security problems; Privacy vs. National Security; Privacy Constraint Processing; Foundations of the Privacy Problem
What are the Challenges?
Developments in Data and Applications Security: 1975 - Present
Access Control for Systems R and Ingres (mid 1970s)
Multilevel secure database systems (1980 – present)
- Relational database systems: research prototypes and products;
Distributed database systems: research prototypes and some
operational systems; Object data systems; Inference problem
and deductive database system; Transactions
Recent developments in Secure Data Management (1996 – Present)
- Secure data warehousing, Role-based access control (RBAC); E-commerce; XML security and Secure Semantic Web; Data mining for intrusion detection and national security; Privacy; Dependable data management; Secure knowledge management and collaboration
Developments in Data and Applications Security: Multilevel Secure Databases - I
Air Force Summer Study in 1982
Early systems based on Integrity Lock approach
Systems in the mid to late 1980s, early 90s
- E.g., Seaview by SRI, Lock Data Views by Honeywell, ASD and
ASD Views by TRW
- Prototypes and commercial products
- Trusted Database Interpretation and Evaluation of Commercial
Products
Secure Distributed Databases (late 80s to mid 90s)
- Architectures; Algorithms and Prototype for distributed query
processing; Simulation of distributed transaction management
and concurrency control algorithms; Secure federated data
management
Developments in Data and Applications Security: Multilevel Secure Databases - II
Inference Problem (mid 80s to mid 90s)
- Unsolvability of the inference problem; Security constraint
processing during query, update and database design
operations; Semantic models and conceptual structures
Secure Object Databases and Systems (late 80s to mid 90s)
- Secure object models; Distributed object systems security;
Object modeling for designing secure applications; Secure
multimedia data management
Secure Transactions (1990s)
- Single Level/ Multilevel Transactions; Secure recovery and
commit protocols
Some Directions and Challenges for Data and Applications Security - I
Secure semantic web and Social Networks
- Security models
Secure Information Integration
- How do you securely integrate numerous and
heterogeneous data sources on the web and otherwise
Secure Sensor Information Management
- Fusing and managing data/information from distributed
and autonomous sensors
Secure Dependable Information Management
- Integrating Security, Real-time Processing and Fault
Tolerance
Data Sharing vs. Privacy
- Federated database architectures?
Some Directions and Challenges for Data and Applications Security - II
Data mining and knowledge discovery for intrusion detection
- Need realistic models; real-time data mining
Secure knowledge management
- Protect the assets and intellectual rights of an organization
Information assurance, Infrastructure protection, Access
Control
- Insider cyber-threat analysis, Protecting national databases,
Role-based access control for emerging applications
Security for emerging applications
- Geospatial, Biomedical, E-Commerce, etc.
Other Directions
- Trust and Economics, Trust Management/Negotiation, Secure
Peer-to-peer computing,
Coalition Data and Policy Sharing (diagram)
- Each agency (Agency A, Agency B, Agency C) keeps its own component data/policy
- Each component exports data/policy to the shared Data/Policy for Federation
Other topics of Interest
Secure Cloud Computing
Mobile code security
Vulnerability Analysis
Infrastructure security
- Power grid
Healthcare Security
Financial Security
Access Control
Discretionary Access Control in Relational Databases
Mandatory Access Control in Relational Databases
- Security Constraints
Types of Access Control
- Inference problem, Role-based, Temporal, Usage
Access Control in Other Databases
- Objects, Federated
Current Trends in Access Control
- Data Warehousing, Semantic Web, Privacy Control
Next Steps in Access Control
Access Control in Relational Databases: 1975 - Present
Access Control policies were developed initially for file systems
- E.g., Read/write policies for files
Access control in databases started with the work in System R and
Ingres Projects
- Access Control rules were defined for databases, relations,
tuples, attributes and elements
- SQL and QUEL languages were extended
- GRANT and REVOKE Statements
Read access on EMP to User group A Where EMP.Salary > 30K and EMP.Dept <> Security
- Query Modification: modify the query according to the access control rules
Retrieve all employee information where salary > 30K and Dept is not Security
Query Modification Algorithm
Inputs: Query, Access Control Rules
Output: Modified Query
Algorithm:
- Given a query Q, examine all the access control rules relevant to
the query
- Introduce a Where Clause to the query that negates access to
the relevant attributes in the access control rules
Example: rules are John does not have access to Salary in
EMP and Budget in DEPT
EMP (E#, Ename, Salary, D#), DEPT (D#, Dname, Budg, Mgr)
Query is to join the EMP and DEPT relations on Dept #
Modify the query to Join EMP and DEPT on Dept # and
project on all attributes except Salary and Budget
- Output is the resulting query
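The algorithm above, worked as an added example that is not from the lecture: the rules for John and for user group A from the earlier slides are encoded as data, the query is rewritten, and the rewritten query is run on a constructed in-memory SQLite database. The column names Eno and Dno stand in for E# and D#, and the rule representation is an assumption.

```python
import sqlite3

# Schema from the slide, EMP (E#, Ename, Salary, D#) and DEPT (D#, Dname, Budg, Mgr);
# '#' is written as 'no' so the identifiers need no quoting (assumption).
SCHEMA = {"EMP": ["Eno", "Ename", "Salary", "Dno"],
          "DEPT": ["Dno", "Dname", "Budg", "Mgr"]}

# Constructed access control rules, two kinds as on the slides:
#   ("deny", relation, attribute): the attribute is projected out for the user
#   ("restrict", {relations}, predicate): predicate is ANDed into the WHERE clause
#       whenever every named relation appears in the query
RULES = {
    "john": [("deny", "EMP", "Salary"), ("deny", "DEPT", "Budg")],
    "groupA": [("restrict", {"EMP", "DEPT"},
                "EMP.Salary > 30000 AND DEPT.Dname <> 'Security'")],
}

def modify_query(user, tables, where=None):
    """Rewrite SELECT * FROM tables [WHERE where] so that it obeys the user's rules."""
    rules = RULES.get(user, [])
    denied = {(r, a) for kind, r, a in rules if kind == "deny"}
    cols = [f"{t}.{a}" for t in tables for a in SCHEMA[t] if (t, a) not in denied]
    preds = [where] if where else []
    preds += [p for kind, rels, p in rules
              if kind == "restrict" and rels <= set(tables)]
    sql = f"SELECT {', '.join(cols)} FROM {', '.join(tables)}"
    if preds:
        sql += " WHERE " + " AND ".join(f"({p})" for p in preds)
    return sql

def run(user, tables, where=None):
    """Execute the modified query against constructed sample rows; returns (columns, rows)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE EMP(Eno INT, Ename TEXT, Salary INT, Dno INT);
        CREATE TABLE DEPT(Dno INT, Dname TEXT, Budg INT, Mgr TEXT);
        INSERT INTO EMP VALUES (1,'Ann',40000,10), (2,'Bob',25000,10), (3,'Cy',50000,20);
        INSERT INTO DEPT VALUES (10,'Sales',100000,'Ann'), (20,'Security',90000,'Cy');
    """)
    cur = con.execute(modify_query(user, tables, where))
    return [d[0] for d in cur.description], cur.fetchall()

if __name__ == "__main__":
    print(modify_query("john", ["EMP", "DEPT"], "EMP.Dno = DEPT.Dno"))
    print(run("groupA", ["EMP", "DEPT"], "EMP.Dno = DEPT.Dno"))
```

The restrict rule is applied only when the relations it refers to are all in the query, which is what keeps the rewritten SQL well-formed for a single-relation query.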
Mandatory Access Control (MAC) in Databases: 1982 - Present
Bell and LaPadula Policy adapted for databases
- Read at or below your level and Write at your level; Granularity of classification: Databases, Relations, Tuples, Attributes, Elements (Note: writing above your level is not a security problem)
Security Architectures
- Operating system providing mandatory access control and DBMS is untrusted with respect to MAC (e.g., SRI’s SeaView)
- Trusted Subject Architecture where DBMS is trusted with respect to MAC (e.g., TRW’s ASD and ASD Views)
- Integrity Lock where Trusted front-end computes checksums (e.g., MITRE’s MISTRESS Prototype)
- Distributed Architecture where data is distributed according to security levels and access through trusted front-end (e.g., NRL’s SINTRA)
- Extended Kernel for Security Policy Enforcement such as constraints (e.g., Honeywell’s Lock Data Views)
Security Constraints / Access Control Rules
Simple Constraint: John cannot access the attribute Salary of
relation EMP
Content-based constraint: If relation MISS contains information
about missions in the Middle East, then John cannot access MISS
Association-based Constraint: Ship’s location and mission taken
together cannot be accessed by John; individually each attribute can
be accessed by John
Release constraint: After X is released Y cannot be accessed by
John
Aggregate Constraints: Ten or more tuples taken together cannot be
accessed by John
Dynamic Constraints: After the Mission, information about the
mission can be accessed by John
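The constraint types above as a release-time checker, an added example that is not from the lecture. The constraints, the relations MISS, SHIP and PLAN, and the sample tuples are constructed; the release constraint is modelled by a set of items already released, and the dynamic constraint by a set of missions that are already over (both assumptions).

```python
# Constructed constraints for user John, one per constraint type on the slide.
# Relations MISS, SHIP and PLAN and their attributes are assumed.
CONSTRAINTS = [
    ("simple",      dict(user="John", rel="EMP", attr="Salary")),
    ("content",     dict(user="John", rel="MISS", attr="Region", value="Middle East")),
    ("association", dict(user="John", rel="SHIP", attrs={"Location", "Mission"})),
    ("release",     dict(user="John", rel="PLAN", after="X", hides="Y")),
    ("aggregate",   dict(user="John", rel="SHIP", limit=10)),
    ("dynamic",     dict(user="John", rel="MISS", attr="Mission")),
]

def check_release(user, rel, attrs, rows, released=(), completed=(), constraints=CONSTRAINTS):
    """Decide whether a query answer may be released to the user.

    rel/attrs: relation and attributes the query touches; rows: the answer as dicts;
    released: names (e.g. "X") already released to the user; completed: missions
    that are already over (models the dynamic constraint). Returns (ok, reasons)."""
    attrs, reasons = set(attrs), []
    for kind, c in constraints:
        if c["user"] != user or c["rel"] != rel:
            continue
        if kind == "simple" and c["attr"] in attrs:
            reasons.append(f"simple: {rel}.{c['attr']} is not accessible")
        elif kind == "content" and any(r.get(c["attr"]) == c["value"] for r in rows):
            reasons.append(f"content: {rel} contains {c['value']} information")
        elif kind == "association" and c["attrs"] <= attrs:
            reasons.append(f"association: {sorted(c['attrs'])} together are not accessible")
        elif kind == "release" and c["after"] in released and c["hides"] in attrs:
            reasons.append(f"release: {c['hides']} is closed once {c['after']} is released")
        elif kind == "aggregate" and len(rows) >= c["limit"]:
            reasons.append(f"aggregate: {len(rows)} tuples, limit is {c['limit']}")
        elif kind == "dynamic" and any(r.get(c["attr"]) not in completed for r in rows):
            reasons.append("dynamic: mission information is closed until the mission is over")
    return not reasons, reasons

if __name__ == "__main__":
    print(check_release("John", "SHIP", ["Location", "Mission"],
                        [{"Location": "Gulf", "Mission": "M1"}]))
```

Every applicable constraint is evaluated, so the reasons list shows all the grounds for a denial rather than only the first one found.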
Enforcement of Security Constraints (architecture diagram)
- User Interface Manager
- Constraint Manager, holding the Security Constraints
- Query Processor: constraints during query and release operations
- Update Processor: constraints during update operation
- Database Design Tool: constraints during database design operation
- Relational DBMS and Database
Other Developments in Access Control
Inference Problem and Access Control
- Inference problem occurs when users pose queries and deduce
unauthorized information from the legitimate responses
- Security constraint processing for controlling inferences
- More recently there is work on controlling the release of information
instead of controlling access to information
Temporal Access Control Models
- Incorporates time parameter into the access control models
Role-based access control
- Controlling access based on roles of people and the activities
they carry out; Implemented in commercial systems
Positive and Negative Authorizations
- Should negative authorizations be explicitly specified? How can
conflicts be resolved?
Some Examples
Temporal Access Control
- After 1/1/05, only doctors have access to medical records
Role-based Access Control
- Manager has access to salary information
- Project leader has access to project budgets, but he does not
have access to salary information
- What happens if the manager is also the project leader?
Positive and Negative Authorizations
- John has write access to EMP
- John does not have read access to DEPT
- John does not have write access to Salary attribute in EMP
- How are conflicts resolved?
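An added example (not from the lecture) that answers the slide's question of how conflicts are resolved: the authorizations listed above for John and for the Manager and Project leader roles are encoded, and conflicts are resolved with two assumed rules, the authorization on the most specific object wins, and among equally specific ones a denial takes precedence. The object name PROJECT.Budget and the closed default are assumptions.

```python
# Constructed authorizations: (subject, object, action, sign).
# An object is a relation "EMP" or an attribute of it "EMP.Salary".
AUTHS = [
    ("John", "EMP", "write", "+"),
    ("John", "DEPT", "read", "-"),
    ("John", "EMP.Salary", "write", "-"),
    ("Manager", "EMP.Salary", "read", "+"),
    ("ProjectLeader", "PROJECT.Budget", "read", "+"),   # assumed object name
    ("ProjectLeader", "EMP.Salary", "read", "-"),
]

def applies(auth_obj, obj):
    """An authorization on REL covers REL.attr; one on REL.attr covers only itself."""
    return obj == auth_obj or obj.startswith(auth_obj + ".")

def decide(user, roles, obj, action, auths=AUTHS):
    """Return ('+' or '-', reason). Nothing applicable means deny (closed policy)."""
    subjects = {user, *roles}
    cands = [a for a in auths
             if a[0] in subjects and a[2] == action and applies(a[1], obj)]
    if not cands:
        return "-", "no authorization applies (closed policy)"
    # Rule 1: most specific object wins (REL.attr is more specific than REL)
    most_specific = max(len(a[1]) for a in cands)
    cands = [a for a in cands if len(a[1]) == most_specific]
    signs = {a[3] for a in cands}
    if signs == {"+"}:
        return "+", f"granted by {sorted(a[0] for a in cands)}"
    if signs == {"-"}:
        return "-", f"denied by {sorted(a[0] for a in cands)}"
    # Rule 2: same specificity, both signs present (e.g. Manager + ProjectLeader)
    return "-", f"conflict on {obj}; denial takes precedence"

if __name__ == "__main__":
    print(decide("Cy", {"Manager", "ProjectLeader"}, "EMP.Salary", "read"))
```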
Privacy Constraints / Access Control Rules
Privacy constraints processing
- Simple Constraint: an attribute of a document is private
- Content-based constraint: If document contains information
about X, then it is private
- Association-based Constraint: Two or more documents taken
together are private; individually each document is public
- Release constraint: After X is released Y becomes private
Augment a database system with a privacy controller for constraint
processing
Integrated Architecture for Privacy Constraint Processing (architecture diagram)
- User Interface Manager
- Constraint Manager, holding the Privacy Constraints
- Query Processor: constraints during query and release operations
- Update Processor: constraints during update operation
- XML Database Design Tool: constraints during database design operation
- Relational DBMS and Database
Other Policies
Trust Policies
- To what extent do you trust the source of the data
- How can trust be propagated
- Adding trust value to each piece of data
- A trusts B and B trusts C, does this mean A trusts C?
- A department head sends messages to all the faculty; however
he/she may not trust a particular person
- Developing a language to specify trust
Integrity Policies
- Maintaining the quality of the data
- Adding an attribute to each piece of data to specify the quality
- Quality also depends on how much you trust the source
- Algebra for data quality
Access Control in Databases: Next Steps
Access Control in Databases will continue to be very important
- We also need to examine alternatives
We need new kinds of access control models
- 1975 models may not be suitable for emerging applications
such as semantic web, e-commerce and stream data
management
- Role-based access control has become very popular and is
implemented now in commercial systems. What variations of
this model are appropriate for emerging applications?
End-to-end security is critical
- We cannot have secure databases and have insecure
networks and middleware; Composability
Flexible security policies
- Confidentiality, Authenticity, Completeness, Integrity, Trust,
Privacy, Data Quality, etc.
Policies
Need to Know to Need to Share
RBAC
UCON
ABAC
Dissemination
Risk based access control
Trust Management/Credential/Disclosure
Directions
Major conferences for Policy and Access Control:
- IEEE Policy Workshop
- ACM SACMAT
Need to Know to Need to Share
Need to know policies during the cold war; even if the user has
access, does the user have a need to know?
Post 9/11 the emphasis is on need to share
- User may not have access, but needs the data
Do we give the data to the user and then analyze the
consequences
Do we analyze the consequences and then determine the
actions to take
Do we simply not give the data to the user
What are risks involved?
RBAC
Access to information sources including structured and
unstructured data both within the organization and external to the
organization
Access based on roles
Hierarchy of roles: handling conflicts
Controlled dissemination and sharing of the data
RBAC (Sandhu)
UCON
RBAC model is incorporated into UCON and useful for
various applications
- Authorization component
Obligations
Obligations are actions required to be performed before
an access is permitted
- Obligations can be used to determine whether an
expensive knowledge search is required
Attribute Mutability
- Used to control the scope of the knowledge search
Condition
- Can be used for resource usage policies to be relaxed or
tightened
UCON (Sandhu)
Role-based Usage Control (RBUC)
RBAC with UCON extension (model diagram)
- RBAC core: Users (U), Roles (R), Sessions (S), Permissions (P) consisting of Operations (OP) on Objects (O); User-Role Assignment (URA), Permission-Role Assignment (PRA), Role Hierarchy (RH)
- UCON extension: User Attributes (UA), Session Attributes (SA), Object Attributes (OA)
- Usage Decisions: Authorizations (A), Obligations (B), Conditions (C)
Release and Dissemination Policies
Release policies will determine to whom to release the data
- What is the connection to access control
- Is access control sufficient
- Once the data is retrieved from the information source (e.g.,
database) should it be released to the user
Once the data is released, dissemination policies will determine who
the data can be given to
- Electronic music, etc.
ABAC: Attribute-based Access Control
User specifies his/her attributes (e.g., gender, citizenship)
Policies would specify access based on user credentials
Open environment
XACML
Risk Based Data Sharing/Access Control
What are the risks involved in releasing/disseminating the data
Risk modeling should be integrated with the access control model
Simple method: assign risk values
Higher the risk, lower the sharing
What is the cost of releasing the data?
Cost/Risk/Security closely related
Trust Management
Trust Services
- Identity services, authorization services, reputation
services
Trust negotiation (TN)
Digital credentials, Disclosure policies
TN Requirements
- Language requirements
Semantics, constraints, policies
- System requirements
Credential ownership, validity, alternative negotiation
strategies, privacy
Example TN systems
- KeyNote and Trust-X (U of Milan), TrustBuilder (UIUC)
Trust Management
The problem: establishing trust in open systems
Interactions between strangers
- In conventional systems user identity is known in advance
and can be used for performing access control
- In open systems participants may have no pre-existing
relationship and may not share a common security domain
Mutual authentication
- The assumption that the counterpart is honest no longer holds
- Both participants need to authenticate each other
Trust Negotiation model
A promising approach for open systems where most of the interactions
occur between strangers
The goal: establish trust between parties in order to exchange sensitive
information and services
The approach: establish trust by verifying properties of the other party
Trust negotiation: the approach
Interactions between strangers in open systems
are different from traditional access control models
Policies and mechanisms developed in conventional
systems need to be revised
USER IDs vs. SUBJECT PROPERTIES
ACCESS CONTROL POLICIES vs. DISCLOSURE POLICIES
Subject properties: digital credentials
Assertion about the credential owner issued and certified by a Certification
Authority.
Each entity has an associated set of credentials,
describing properties and attributes of the owner.
Use of Credentials (diagram, referenced from http://www.credentica.com/technology/overview.pdf)
- An Issuer provides Alice with digital credentials stating: Julie, 3 kids, Married, American
- Company A wants to know citizenship: the credential check discloses only Julie, American
- Company B wants to know marital status: the credential check discloses only Julie, Married
Credentials
Credentials can be expressed through the Security Assertion
Markup Language (SAML)
SAML allows a party to express security statements about a
given subject
- Authentication statements
- Attribute statements
- Authorization decision statements
Disclosure policies
Disclosure policies govern:
- Access to protected resources
- Access to sensitive information
- Disclosure of sensitive credentials
Disclosure policies express trust requirements by means of credential
combinations that must be disclosed to obtain authorization
Disclosure policies - Example
Suppose NBG Bank offers loans to students
To check the eligibility of the requester, the Bank asks the
student to present the following credentials
- The student card
- The ID card
- Social Security Card
- Financial information – either a copy of the Federal Income Tax Return or a bank statement
Disclosure policies - Example
p1= ({}, Student_Loan Student_Card());
p2= ({p1}, Student_Loan Social_Security_Card());
p3= ({p2}, Student_Loan Federal_Income_Tax_Return());
p4= ({p2}, Student_Loan Bank_Statement());
p5= ({p3,p4}, Student_Loan DELIV);
These policies result in two distinct “policy chains” that lead to disclosure:
[p1, p2, p3, p5]
[p1, p2, p4, p5]
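The policy chains above, computed as an added example that is not from the lecture: each policy is written as (prerequisite policies, credential), the prerequisites of a policy are read as alternatives (any one of them satisfies it), and a negotiate() function of ours returns either the satisfied chain or the next credential to request, which is the gradual disclosure that trust negotiation performs. Policy and credential names follow the slide; the chain-selection strategy is an assumption.

```python
# Constructed encoding of the NBG Bank policies p1..p5 from the slide.
POLICIES = {
    "p1": (set(), "Student_Card"),
    "p2": ({"p1"}, "Social_Security_Card"),
    "p3": ({"p2"}, "Federal_Income_Tax_Return"),
    "p4": ({"p2"}, "Bank_Statement"),
    "p5": ({"p3", "p4"}, "DELIV"),   # DELIV: the loan service is delivered
}

def policy_chains(policies, target="p5"):
    """All chains [p1, ..., target] in which each policy's prerequisite is met
    by the policy immediately before it (prerequisites are alternatives)."""
    prereqs, _ = policies[target]
    if not prereqs:
        return [[target]]
    return [chain + [target]
            for p in sorted(prereqs)
            for chain in policy_chains(policies, p)]

def credentials_for(policies, chain):
    """Credentials the requester must disclose to walk a chain (DELIV excluded)."""
    return [policies[p][1] for p in chain if policies[p][1] != "DELIV"]

def negotiate(policies, presented, target="p5"):
    """One step of gradual disclosure.

    Returns ('granted', chain) when the presented credentials complete some
    chain, otherwise ('request', credential): the next credential on the chain
    that is closest to completion (assumed strategy)."""
    best = None
    for chain in policy_chains(policies, target):
        missing = [c for c in credentials_for(policies, chain) if c not in presented]
        if not missing:
            return "granted", chain
        if best is None or len(missing) < len(best):
            best = missing
    return "request", best[0]

if __name__ == "__main__":
    print(policy_chains(POLICIES))
    print(negotiate(POLICIES, {"Student_Card", "Bank_Statement"}))
```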
Trust Negotiation - definition
The gradual disclosure of credentials and requests for credentials between two
strangers, with the goal of establishing sufficient trust so that the parties can
exchange sensitive information and/or resources
Directions
Policies are of much interest to many organizations and
applications
- Financial, Medical, Retail, Manufacturing etc
Roles and responsibilities
Flexible policies
RBAC, UCON, RBUC, Trust Negotiation, Dissemination
Policies
Need to Know to Need to Share
IEEE POLICY and ACM SACMAT