Transcript slides3

Inference Problem
Access Control Policies
Direct access
 Information flow
 Not addressed: indirect data access

Lecture 19
CSCE 522 - Farkas
2
Indirect Information Flow Channels
Covert channels
 Inference channels

Lecture 19
CSCE 522 - Farkas
3
Inference Channels
Non-sensitive
information
Lecture 19
+
Meta-data
CSCE 522 - Farkas
=
Sensitive
Information
4
Inference Channels
Statistical Database Inferences
 General Purpose Database Inferences

Lecture 19
CSCE 522 - Farkas
5
Statistical Databases

Goal: provide aggregate information about groups of
individuals
 E.g.,

Security risk: specific information about a particular
individual
 E.g.,

average grade point of students
grade point of student John Smith
Meta-data:
 Working
knowledge about the attributes
 Supplementary knowledge (not stored in database)
Lecture 19
CSCE 522 - Farkas
6
Types of Statistics


Macro-statistics: collections of related statistics presented in 2dimensional tables
Sex\Year
1997
1998
Sum
Female
4
1
5
Male
6
13
19
Sum
10
14
24
Micro-statistics: Individual data records used for statistics after
identifying information is removed
Lecture 19
Sex
Course
GPA
Year
F
CSCE 590
3.5
2000
M
CSCE 590
3.0
2000
F
CSCE 790
4.0
2001
CSCE 522 - Farkas
7
Statistical Compromise
Exact compromise: find exact value of an
attribute of an individual (e.g., John Smith’s
GPA is 3.8)
 Partial compromise: find an estimate of an
attribute value corresponding to an individual
(e.g., John Smith’s GPA is between 3.5 and
4.0)

Lecture 19
CSCE 522 - Farkas
8
Methods of Attacks and Protection

Small/Large Query Set Attack
 C:
characteristic formula that identifies groups of
individuals
If C identifies a single individual I, e.g., count(C) = 1
 Find out existence of property


If count(C and D)=1 means I has property D
If count(C and D)=0 means I does not have D
OR
 Find value of property

Lecture 19
Sum(C, D), gives value of D
CSCE 522 - Farkas
9
Small/Large Query Set Attack cont.
Protection from small/large query set attack:
query-set-size control
 A query q(C) is permitted only if
N-n  |C|  n , where n  0 is a parameter of
the database and N is all the records in the
database

Lecture 19
CSCE 522 - Farkas
10
Tracker attack
q(C) is disallowed
C=C1 and C2
T=C1 and ~C2
Tracker
C
C2
C1
q(C)=q(C1) – q(T)
Lecture 19
CSCE 522 - Farkas
11
Tracker attack
q(C and D) is disallowed
C=C1 and C2
T=C1 and ~C2
C
Tracker
C2
C1
C and D
q(C and D)=
q(T or C and D) – q(T)
Lecture 19
D
CSCE 522 - Farkas
12
Query overlap attack
Q(John)=q(C1)-q(C2)
C1
C2
Kathy
John
Paul
Eve
Max
Fred
Lecture 19
Mitch
CSCE 522 - Farkas
Protection:
query-overlap control
13
Insertion/Deletion Attack

Observing changes overtime
 q1=q(C)
 insert(i)
 q2=q(C)
 q(i)=q2-q1

Protection: insertion/deletion performed as
pairs
Lecture 19
CSCE 522 - Farkas
14
Statistical Inference Theory

Give unlimited number of statistics and correct
statistical answers, all statistical databases can
be compromised (Ullman)
Lecture 19
CSCE 522 - Farkas
15
Privacy Preserving Data Mining
Related to statistical DB privacy
 We will cover it later in the semester

Lecture 19
CSCE 522 - Farkas
16
Inferences in General-Purpose
Databases
Queries based on sensitive data
 Inference via database constraints
 Inferences via updates

Lecture 19
CSCE 522 - Farkas
17
Queries based on sensitive data
Sensitive information is used in selection
condition but not returned to the user.
 Example: Salary: secret, Name: public

NameSalary=$25,000

Protection: apply query of database views at
different security levels
Lecture 19
CSCE 522 - Farkas
18
How to mitigate this problem?
Time of evaluation
 Architecture

Lecture 19
CSCE 522 - Farkas
19
Database Constraints
Integrity constraints
 Database dependencies
 Key integrity

Lecture 19
CSCE 522 - Farkas
20
Integrity Constraints
C=A+B
 A=public, C=public, and B=secret
 B can be calculated from A and C, i.e., secret
information can be calculated from public data

Lecture 19
CSCE 522 - Farkas
21
Database Dependencies
Metadata:
 Functional dependencies
 Multi-valued dependencies
 Join dependencies
 etc.
Lecture 19
CSCE 522 - Farkas
22
Functional Dependency


FD: A  B, that is for any two tuples in the relation,
if they have the same value for A, they must have the
same value for B.
Example: FD: Rank  Salary
Secret information: Name and Salary together




Query1: Name and Rank
Query2: Rank and Salary
Combine answers for query1 and 2 to reveal Name and Salary together
See slides in dissertation-farkas-rotated.pdf
Lecture 19
CSCE 522 - Farkas
23
Key integrity
Every tuple in the relation have a unique key
 Users at different levels, see different versions
of the database
 Users might attempt to update data that is not
visible for them

Lecture 19
CSCE 522 - Farkas
24
Example
Secret View
Name (key)
Black P
Red S
Salary
38,000 P
42,000 S
Address
Columbia S
Irmo S
Name (key)
Salary
Address
Black P
38,000 P
Null P
Public View
Lecture 19
CSCE 522 - Farkas
25
Updates
Public User:
Name (key)
Black P
Salary
38,000 P
Address
Null P
1. Update Black’s address to Orlando
2. Add new tuple: (Red, 22,000, Manassas)
If
Refuse update: covert channel
Allow update:
• Overwrite high data – may be incorrect
• Create new tuple – which data it correct
(polyinstantiation) – violate key constraints
Lecture 19
CSCE 522 - Farkas
26
Updates
Secret user:
Name (key)
Salary
Address
Black P
38,000 P
Columbia S
Red S
42,000 S
Irmo S
1. Update Black’s salary to 45,000
If
Refuse update: denial of service
Allow update:
• Overwrite low data – covert channel
• Create new tuple
– which data it correct
(polyinstantiation) – violate key constraints
Lecture 19
CSCE 522 - Farkas
27
Inference Problem
No general technique is available to solve the
problem
 Need assurance of protection
 Hard to incorporate outside knowledge

Lecture 19
CSCE 522 - Farkas
28