Section 6: Database Security - Computer Science
Download
Report
Transcript Section 6: Database Security - Computer Science
CS 5950/6030 –
Computer Security and Information Assurance
Section 6: Database Security
Dr. Leszek Lilien
Department of Computer Science
Western Michigan University
Slides based on Security in Computing. Third Edition by Pfleeger and Pfleeger.
Using some slides courtesy of:
Prof. Barbara Endicott-Popovsky and Prof. Deborah Frincke (U. Idaho) — taught at U. Washington
Prof. Csilla Farkas— course taught at U. of South Carolina
Slides not created by the above authors are © 2006 by Leszek T. Lilien
Requests to use original slides for non-profit purposes will be gladly granted upon a written request.
6. Database Security – Outline - 1
Section 6 – Computer Security and Information Assurance – Spring 2006
6.1. Introduction - a DB refresher –
6.2. Security Requirements
a. Physical database integrity requirements
b. Logical database integrity requirements
c. Element integrity requirements
d. Auditability requirements
e. Access control requirements
f. User authentication requirements
g. Availability requirements
6.3. Reliability and Integrity
6.4. Sensitive Data
2
Section 6 – Computer Security and Information Assurance – Spring 2006
6. Database Security – Outline -2
6.5. Inference (Inference Problems)
Direct attacks / Indirect attacks
Inferences in statistical DBs (incl. small/large query set
attacks, tracker attacks, query overlap attacks,
insertion/deletion attacks)
Inferences in general-purpose DBs (incl. inferences via
queries based on sensitive data, inferences via DB
constraints, inferences via updates)
6.6. Multilevel Databases
6.7. Proposals for Multilevel Security
3
6.1. Introduction – DB „Refresher”
- STUDY 6.1 ON YOUR OWN IF NEEDED -
Section 6 – Computer Security and Information Assurance – Spring 2006
Terms you know from database courses:
a) Database
b) Database management system (front end)
c) Records
d) Fields (elements)
e) Schema (logical design)
f) Subschema (user view)
g) Entity
h) Attributes
i) Relation
j) Queries (results in subschema)
4
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Management Challenges
Traditional data file environment
Creating database environment
Challenges exisiting structure — requires restructure
Large initial costs, delayed benefits
Source: Laudon & Laudonr
5
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
File Organization
BIT: Binary Digit (0,1; Y,N; On,Off)
BYTE:
Combination of BITS representing a CHARACTER
FIELD:
Collection of BYTES representing a DATUM or Fact
RECORD:
Collection of FIELDS reflecting a TRANSACTION
Source: Laudon & Laudonr
6
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
File Organization
FILE:
Collection of similar RECORDS
DATABASE:
Organization’s Electronic Library of FILES
Organized to serve business applications
Source: Laudon & Laudonr
7
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
File Organization
ENTITY:
Person, place, thing, event about which data must be
kept
ATTRIBUTE:
Description of a particular ENTITY
KEY FIELD:
Field used to retrieve, update, sort RECORD
Source: Laudon & Laudonr
8
Courtesy of: Prof. Barbara Endicott-Popovsky
Key Field
Section 6 – Computer Security and Information Assurance – Spring 2006
Field in Each Record
Uniquely Identifies THIS Record
For RETRIEVAL
UPDATING
SORTING
Source: Laudon & Laudonr
9
Courtesy of: Prof. Barbara Endicott-Popovsky
Problems With Traditional File
Environment
Section 6 – Computer Security and Information Assurance – Spring 2006
Data redundancy
Program / data dependency
Lack of flexibility
Poor security
Lack of data sharing & availability
Flat File
Source: Laudon & Laudonr
10
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Sequential Vs. Direct File Organization
SEQUENTIAL:
Tape-oriented;
One file follows another--physical sequence
DIRECT:
Disk-oriented;
Accessible without regard to physical sequence
Source: Laudon & Laudonr
11
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Filing Methods
Indexed sequential access method (ISAM) :
Each record identified by key
Grouped in blocks and cylinders
Keys in index
Virtual storage access method (VSAM) :
Memory divided into areas & intervals
Dynamic file space
VSAM widely used for relational DBs
Direct file access method (next)
Source: Laudon & Laudonr
12
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Direct File Access Method
Each record has key field
Key field fed into transformation algorithm
Algorithm generates physical storage location of record
(record address)
Source: Laudon & Laudonr
13
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Database Management System
(DBMS)
Software to create & maintain data
Enables business apps to extract data
Independent of specific computer programs
DBMS
Source: Laudon & Laudonr
14
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Components of DBMSs
DATA DEFINITION LANGUAGE:
Defines data elements in database
DATA MANIPULATION LANGUAGE:
Manipulates data for applications
DATA DICTIONARY:
Formal definitions of all variables in database
Controls variety of database contents
Data elements
DBMS
Source: Laudon & Laudonr
15
Courtesy of: Prof. Barbara Endicott-Popovsky
Structured Query Language (SQL)
Section 6 – Computer Security and Information Assurance – Spring 2006
Emerging standard
Data manipulation language
For relational databases
DBMS
Source: Laudon & Laudonr
16
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Elements Of SQL
SELECT:
List of columns from tables desired
FROM:
IDs tables from which columns will be selected
WHERE:
Includes conditions for selecting specific rows, conditions
for joining multiple tables
Example:
Source: Laudon & Laudon
DBMS
SELECT (name, phone)
FROM employees_table
WHERE employer = ‘MWU’ and city = ‘Kalamazoo’
17
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Two Views Of Data
PHYSICAL VIEW: Where is data physically?
Drive, disk, surface, track, sector (block), record
Tape, block, record number (key)
LOGICAL VIEW: What data is needed by application?
Succession of facts needed by application
Name, type, length of field
DBMS
Source: Laudon & Laudonr
18
Section 6 – Computer Security and Information Assurance – Spring 2006
Courtesy of: Prof. Barbara Endicott-Popovsky
Storage Hierarchy
BIT
BYTE
FIELD
RECORD
FILE
DATABASE
Source: Laudon & Laudonr
19
Courtesy of: Prof. Barbara Endicott-Popovsky
Relational Data Model
Section 6 – Computer Security and Information Assurance – Spring 2006
Data in table format
RELATION: Table
TUPLE: Row (record) in table
FIELD: Column (attribute) in table
HOURS
ABLE
$ 40.50
BAXTER $ 38.00
CHEN
$ 42.70
DENVER $ 35.90
RATE
$ 10.35
$ 8.75
$ 9.25
$ 9.50
TOTAL
$ 419.18
$ 332.50
$ 394.98
$ 341.05
Source: Laudon & Laudonr
20
Courtesy of: Prof. Barbara Endicott-Popovsky
Types Of Relations
ONE-TO-ONE:
STUDENT
CLASS
Section 6 – Computer Security and Information Assurance – Spring 2006
ONE-TO-MANY:
STUDENT
A
MANY-TO-MANY:
ID
STUDENT
B
CLASS
1
STUDENT
A
STUDENT
C
CLASS
2
STUDENT
B
STUDENT
C
Source: Laudon & Laudonr
21
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Hierarchical Data Model
ROOT
1st
Child
Employer
Compensation
2nd
Ratings
Child
Job
Assignments
Salary
Benefits
Pension Insurance Health
Source: Laudon & Laudonr
22
cf: Prof. Barbara Endicott-Popovsky
Network Data Model
Section 6 – Computer Security and Information Assurance – Spring 2006
Variation of hierarchical model
Best suited for many-to-many relationships
NETWORK
1
NETWORK
A
NETWORK
2
NETWORK
B
NETWORK
C
Source: Laudon & Laudon
23
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Other Systems
LEGACY SYSTEM: older system
OBJECT - ORIENTED DBMS:
stores data & procedures as objects
OBJECT - RELATIONAL DBMS: hybrid
Source: Laudon & Laudonr
24
Section 6 – Computer Security and Information Assurance – Spring 2006
Courtesy of: Prof. Barbara Endicott-Popovsky
Creating a Database
Conceptual Design
Physical Design
Source: Laudon & Laudonr
25
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Creating a Database —
Conceptual Design
Abstract model, business perspective
How will data be grouped?
Relationships among elements
Establish end-user needs
Source: Laudon & Laudonr
26
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Creating a Database —
Physical Design
Detailed model by database specialists
Entity-relationship diagram
Normalization
Hardware / software specific
Source: Laudon & Laudonr
27
Courtesy of: Prof. Barbara Endicott-Popovsky
Elements Of Database Environment
DATA
DATABASE
TECHNOLOGY &
MANAGEMENT
Section 6 – Computer Security and Information Assurance – Spring 2006
ADMINISTRATION
DATABASE
MANAGEMENT
SYSTEM
DATA PLANNING
& MODELING
METHODOLOGY
USERS
Source: Laudon & Laudonr
28
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Entity- Relationship Diagram
ORDER
ORDER: #, DATE, PART #, QUANTITY
1
CAN
HAVE
1
PART: #, DESCRIPTION, UNIT PRICE,
SUPPLIER #
PART
M
CAN
HAVE
1
SUPPLIER
SUPPLIER: #, NAME,
ADDRESS
Source: Laudon & Laudonr
29
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Normalization
= Process of creating small data structures
from complex groups of data
EXAMPLES:
Accounts Receivable
Personnel Records
Payroll
Source: Laudon & Laudonr
30
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Distributed Databases
PARTITIONED:
remote CPUs (connected to host) have files unique to
that site,
e.g., records on local customers
REPLICATED (DUPLICATED as a special case)
ea. remote CPU has copies of common files
e.g., layouts for standard reports and forms
Source: Laudon & Laudonr
31
cf: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Database Administration
A person or a group of people
Defines / organizes database structure and content
Develops security procedures
Develops database documentation
Maintains DBMS
E.g., software patches and updates
Source: Laudon & Laudonr
32
Courtesy of: Prof. Barbara Endicott-Popovsky
Database Trends - 1
Section 6 – Computer Security and Information Assurance – Spring 2006
Multidimensional Data Analysis:
3D (or higher dimension) groupings to store complex data
Hypermedia:
Nodes contain text, graphics, sound, video,
programs
Organizes data as nodes
Source: Laudon & Laudonr
33
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Database Trends - 2
Data Warehouse:
Organization’s electronic library stores consolidated
current & historic data for management reporting &
analysis
On-Line Analytical Processing (OLAP):
Tools for multi-dimensional data analysis
Source: Laudon & Laudonr
34
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Components of Data Warehouse
OPERATIONAL,
HISTORICAL DATA
INTERNAL
DATA
SOURCES
DATA WAREHOUSE
DATA
ACCESS &
ANALYSIS
EXTRACT,
TRANSFORM
INFORMATION
DIRECTORY
EXTERNAL
DATA
SOURCES
QUERIES &
REPORTS
OLAP
DATA MINING
Source: Laudon & Laudonr
35
cf: Prof. Barbara Endicott-Popovsky
Database Trends -3
DATA MART:
Small data warehouse for special function
Section 6 – Computer Security and Information Assurance – Spring 2006
E.g., focused marketing based on customer info
DATA MINING:
Tools for finding hidden patterns, relationships, for
predicting trends, etc.
Source: Laudon & Laudonr
36
Courtesy of: Prof. Barbara Endicott-Popovsky
Database Trends - 4
Linking Databases to The Web:
Web user connects to vendor database
Section 6 – Computer Security and Information Assurance – Spring 2006
Special software converts users query ‘in’ html to SQL
SQL finds data,
server converts result to HTML
Source: Laudon & Laudonr
37
cf: Prof. Barbara Endicott-Popovsky
6.2. Security Requirements
Security requirements for databases and DBMSs:
a. Physical database integrity requirements
b.
(e.g., power failure, flood)
Logical database integrity requirements
c.
Section 6 – Computer Security and Information Assurance – Spring 2006
DB immune to physical problems
DB structure preserved
(e.g., update of a field doen’t affect another)
Element integrity requirements
d.
Accuracy of values of elements
Auditability requirements
e.
Able to track who accessed (read, wrote) what
Access control requirements
f.
Restricts DB access (read, write) to legitinmate users
User authentication requirements
g.
Only authorized users can access DB
Availability requirements
DB info available to all authorized users 24/7
Source:
Pfleeger &
Pfleeger
38
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
--OPTIONAL– Confident. / Integrity / Availability
Requirements can be rephrased / sumarized as follows:
Data must be trusted
DBMS designed to manage trust
DBMS must reconstruct reality
Data must be accurate
Field checks
Access control (CRUD)
CRUD = Create, Read, Update, and Delete
Change log
Trade-offs
Audit vs. performance
Access vs. performance
Self-authentication
High availability
Source: Pfleeger & Pfleeger
39
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
6.3. Reliability and Integrity
Reliable software runs long time without failures
Reliable DBMS preserves:
DB Integrity / Element Integrity / Element Accuracy
Basic protection provided by OS underlying DBMS
a) File back ups
b) Access controls
c) Integrity checks
DBMS needs more CIA controls
a) E.g. two-phase commit protocols for updates
b) Redundancy/internal consistency controls
c) DB recovery
d) Concurrency/consistency control
e) Monitors to enforce DB constraints
Range, state, transition constraints
Control structural DB integrity
Source: Pfleeger & Pfleeger
40
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
--SKIP-- a) Two-Phase Update (2PC)
Intent Phase
Check value of COMMIT-FLAG
Gathers resources
Data
Dummy records
Open files
Lock out others
Calculate final answers
Write COMMIT-FLAG
Permanent Change Phase
Update made
Rollback ability at each phase
Source: Pfleeger & Pfleeger
41
Courtesy of: Prof. Barbara Endicott-Popovsky
--SKIP-- b)-e) Detecting Inconsistencies
b) Redundancy/internal consistency controls
Error detection / error correction
Section 6 – Computer Security and Information Assurance – Spring 2006
Hamming codes
Parity bits
Cyclic redundancy check
Shadow fields
c) DB recovery
Uses DBMS access log
d) Concurrency control
Checks/enforcement
e) Monitors for DB constraints
Range comparisons
State constraints
More sophisticated
Transition constraints
Source: Pfleeger & Pfleeger
42
Courtesy of: Prof. Barbara Endicott-Popovsky
--OPTIONAL-
Managing access
Hiding existence
Section 6 – Computer Security and Information Assurance – Spring 2006
6.4. Sensitive Data
Sharing vs. confidentiality
Security vs. precision
Perfect confidentiality
Maximum precision
Source: Pfleeger & Pfleeger
43
cf: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
6.5. Inference (Inference Problems)
Inference attack - inferring sensitive data
from nonsensitive data
Types of inference attacks:
1) Direct attack
Infer sens. data from results of queries run by attacker
n-item k-percent rule:
Data withheld if n items represent > k percent of
the result reported
Most obvious case: 1-item 100-percent case: 1
person represents 100 % of results reported
2) Indirect attack
Infer sens. info from statistics (Sum, Count, Median)
also from info external to the attacked DB
Tracker attacks (intersection of sets)
Linear system vulnerability
Use algebra of multiple equations to infer
Source: Pfleeger & Pfleeger
44
cf: Prof. Csilla Farkas
Indirect Information Flow Channels
Indirect Information Flow Channels
1) Covert channels
Discussed earlier –
in the general context of program security
Section 6 – Computer Security and Information Assurance – Spring 2006
Recall:
Overt Channel: designed into a system and documented
Covert Channel: not documented
Covert channels may be deliberately inserted into a
system, but most are accidents of the system design.
2) Inference channels
Discussed next–
in the context of DBMS
45
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
Inference Controls - Outline
1) Query controls — applied to queries
Primarily against direct attacks
Query analysis to prevent inferences
Query inventory (history) per person
2) Data item controls —applied to individual DB items
Useful for indirect attacks
Two types:
a) Suppression — data not provided to querying user
Suppress combinations of rows and columns
Combine results (to hide actual answers)
b) Concealing — close answers, not exact given to
querying user
Rounding
Present range of results
Present random sample results
Perturb random data (generate small + and – error)
Source: Pfleeger & Pfleeger
46
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
Database Inference Problem & Types
DB inference problem:
Nonsensitive
information
+
Meta-data
=
Sensitive
information
where meta-data:
Working knowledge about the attributes
Supplementary knowledge (not stored in database)
DB inference types:
1) Statistical database inferences
2) General-purpose database inferences
47
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
1) Statistical Database Inference
Statistical database goal: provide aggregate information
about groups of individuals
E.g., average grade point of students
Security risk in statistical database:
disclosure of specific information about a particular individual
E.g., grade point of student John Smith
48
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
--OPTIONAL-
Types of Statistics
Macro-statistics: collections of related statistics presented
in 2-dimensional tables
Sex\Year
1997
1998
Sum
Female
4
1
5
Male
6
13
19
Sum
10
14
24
Micro-statistics: Individual data records used for statistics
after identifying information is removed
Sex
Course
GPA
Year
F
CSCE 590
3.5
2000
M
CSCE 590
3.0
2000
F
CSCE 790
4.0
2001
49
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
Statistical Compromise
Exact compromise:
Find exact value of an attribute of an individual
E.g., finding that John Smith’s GPA is 3.8
Partial compromise:
Find an estimate of an attribute value corresponding to an
individual
E.g., finding that John Smith’s GPA is between 3.5 and
4.0)
50
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
Methods of Attacks and Protection
Small/Large Query Set Attack
C: characteristic formula that identifies groups of
individuals
If C identifies a single individual I, e.g., count(C) = 1
Find out existence of another property D for I
If count(C and D)= 1 means I has property D
If count(C and D)= 0 means I does not have D
OR
Find value of property
Sum(C, D), gives value of D
If value of C known already
51
Prevention
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
Protection from small/large query set attack:
query-set-size control
A query q(C) is permitted only if
N-n |C| n
where:
n 0 is a parameter of the database, and
N is the number of records in the database
E.g. a query q(C) in a DB describing 100 individuals is
permitted only if
100 – 5 = 95 |C| 5
that is if it can’t give statistics on a group smaller than 5
individuals
(Note: If it gives statistics on C for e.g., 96 people, it
gives statistics on not-C for 4 people.)
52
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
Tracker Attack 1 (simple)
Query q(C) is disallowed
T - Tracker
C1
C = C1 and C2
T = C1 and ~C2
C
C2
Attacker runs instead 2 queries: q(C1) and q(T)
where q(C) = q(C1) – q(T)
=> infers q(C) from q(C1) and q(T)
53
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
--OPTIONAL--
Tracker Attack 2
(more complex)
Query q(C and D)
is disallowed
C
Tracker
C = C1 and C2
T = C1 and ~C2
C2
C1
C and D
D
Attacker runs instead 2 queries: q(T or C and D) and q(T)
where q(C and D) = q(T or C and D) – q(T)
=> infers q(C and D) from q(T or C and D) and q(T)
54
cf: Prof. Csilla Farkas
--OPTIONAL--
Query overlap attack
Q(John)=q(C1)-q(C2)
C1
C2
Section 6 – Computer Security and Information Assurance – Spring 2006
Kathy
John
Eve
Paul
Max
Fred
Mitch
Protection: need query-overlap control
55
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
--OPTIONAL--
Observing changes over time
q1=q(C)
Insert(i)
q2=q(C)
q(i) = q2 „-” q1
Insertion/Deletion Attack
where „-” means compensation for insertion that permist to infer
Protection: insertion/deletion performed as pairs
56
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
Statistical Inference Theory
Given unlimited number of statistics and correct statistical
answers, all statistical databases can be compromised
[Ullman]
Fortunately:
Number of statistics can be limited by statistical DB
controls
Statistical DB can give approximate rather than
‘correct’ statistical answers
57
cf: Prof. Csilla Farkas
Section 6 – Computer Security and Information Assurance – Spring 2006
2) Inferences in General-Purpose
Databases
Inference types:
a) Inference via queries based on sensitive data
b) Inference via DB constraints
c) Inference via updates
58
a) Inference via Queries Based on
Sensitive Data
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
Sensitive information is used in selection condition but not
returned to the user
Example: Salary: secret, Name: public
NameSalary=$25,000
(- projection, - selection)
NameSalary=$26,000
•••
NameSalary=$110,000
Sensitive info (salary) used in selection condition, but
not returned to the user
Returns only Name to user
“Infers” (quite mechanically – no intelligence needed) salary for
everybody making between $25,000 and $110,000
Protection: apply query of database views at different
security levels
59
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
b) Inference via DB Constraints
Database constraints:
b-1) Integrity constraints
b-2) DB dependencies
b-3) Key integrity
60
b-1) Infering via Integrity Constraints
Section 6 – Computer Security and Information Assurance – Spring 2006
C = A+B
A - public, C - public, and B - secret
B can be calculated from A and C
I.e., secret information can be calculated from public
data
61
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
b-2) Infering via DB Dependencies
DB dependencies (metadata):
Functional dependencies
Multi-valued dependencies
Join dependencies
etc.
62
cf: Prof. Csilla Farkas
Functional Dependencies
Section 6 – Computer Security and Information Assurance – Spring 2006
Functional dependency (FD) for attributes A B:
For any two tuples in the relation, if they have the same
value for A, they must have the same value for B
Example: Exploiting the FD: Rank Salary to infer secret
info
Secret information: Name and Salary together
Query1: Name and Rank
Query2: Rank and Salary
Combined answers for Q1 and Q2 reveal Name and
Salary together
Only because we have Rank Salary
63
cf: Prof. Csilla Farkas
--OPTIONAL--b-3)
Section 6 – Computer Security and Information Assurance – Spring 2006
Infering via Key Integrity
Every tuple in the relation has a unique key
Users at different security levels see different versions of
the database
User with ‘top secret’ clearance sees more than one
with ‘secret’ clearance
Users might attempt to update data that is not visible for
them
64
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
--SKIP--Example – Infering via Key Integrity
Secret View
Name (key) Salary
Black P
38,000 P
Red S
42,000 S
Address
Columbia S
Irmo S
Public View
Name (key) Salary
Address
Black P
Null P
38,000 P
65
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
--SKIP--
Example (ctd) - Updates
Public User:
Name (key) Salary
Black P
38,000 P
Address
Null P
1. Update Black’s address to Orlando
2. Add new tuple: (Red, 22,000, Manassas)
If
Refuse update => covert channel
Allow update =>
• Overwrite high data – may be incorrect
• Create new tuple – which data it correct
(polyinstantiation) – violate key constraints
polyinstantiation – given record instantiated many times,
each time with different security level
66
Section 6 – Computer Security and Information Assurance – Spring 2006
cf: Prof. Csilla Farkas
--SKIP--
Example (ctd) - Updates
Secret user:
Name (key) Salary
Black P
38,000 P
Red S
42,000 S
Address
Columbia S
Irmo S
1. Update Black’s salary to 45,000
If
Refuse update => denial of service
Allow update =>
• Overwrite ‘low’ data – covert channel
• Create new tuple
– which data it corrects
(polyinstantiation)
– violate key constraints
polyinstantiation – given record instantiated many times, each
time with different security level
67
cf: Prof. C. Farkas and B. Endicott-Popovsky
Conclusions on Inference
Section 6 – Computer Security and Information Assurance – Spring 2006
No general technique is available to solve the inference
problems
Need assurance of protection
Hard to incorporate outside knowledge
Optimal plan:
Suppress obviously sensitive information
Track what user knows (expensive)
Disguise data
--OPTIONAL-- Aggregation—additional problem
Inferences from aggregating data
Data mining increases risks
Source: Pfleeger & Pfleeger
68
of: Prof. Barbara Endicott-Popovsky
6.6. Multilevel Databases
Multilevel databases - store data with different
sensitivity levels (e.g.: public, confidential, secret, top_secret)
Problems
Polyinstantiation – multiple (“poly”) instantiations of a record, each at a
different security level
Section 6 – Computer Security and Information Assurance – Spring 2006
Example:
[John, Kalamazoo-MI] -- Public level
[John, 19_Main_Ave-Kalamazoo-MI] -- Confidential level
…
[John, 19_Main_Ave-Kalamazoo-MI, …, SSN=123-45-6789] -Top_Secret level
-- OPTIONAL below -
Global actions (i.e., backup)
Small items controlled
Cost and performance
Consumer resistance to military model
Granularity
Access control policy
Guarantee values not changed by unauthorized person
Source: Pfleeger & Pfleeger
69
cf: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
6.7. Proposals for Multilevel
Security - Separation Mechanisms
--OPTIONAL--
1) Partitioning
Redundancy
Accuracy (multiple field update)
2) Encryption per level
Cumbersome decrypting with queries
3) Integrity lock
Data item
Sensitivity level
Checksum (above 2)
Cryptographic checksums
4) Sensitivity lock
Unique identifier
Sensitivity level
Source: Pfleeger & Pfleeger
70
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
--OPTIONAL-- Implementations of Separation - 1
1) Integrity lock
Expands size of element
Processing time efficiency
Untrusted DBM subject to Trojan horse
2) Trusted front end
Guard ~ reference monitor
One-way filter—filters out reports
Inefficient—calls, then releases much data
3) Commutative filters
Interface between user and DB
Reformats query
Addresses inefficiencies (above)
Source: Pfleeger & Pfleeger
71
Courtesy of: Prof. Barbara Endicott-Popovsky
Section 6 – Computer Security and Information Assurance – Spring 2006
--OPTIONAL-- Implementations of Separation - 2
4) Distributed DB
Separate DB’s based on sensitivity
Front end sends query to right DB
5) Views
Logical / functional divisions
Source: Pfleeger & Pfleeger 72
Section 6 – Computer Security and Information Assurance – Spring 2006
End of Section 6 –
Database Security
73