Auditing Batches of SQL Queries Rajeev Motwani Shubha Nabar Dilys Thomas Stanford University

Database Query Auditing Auditing Aggregate (Sum, Max, Median) queries Perfect Privacy Auditing SQL Queries Auditing a Batch of SQL Queries

Aggregate Queries [C86] Chin: Security problems on inference control for sum, max and min queries. JACM 1986 [CO82] Chin, Ozsoyglu: Auditing and inference control in statistical databases. TSE 1982 [DJL79] Dobkin, Jones, Lipton: Secure Databases: Protection against user influence. TODS 1979 [KMN05] Kenthapadi, Mishra, Nissim: Simulatable auditing. PODS 2005 [KPR00] Kleinberg, Papadimitriou, Raghavan: Auditing Boolean Attributes. PODS 2000 [R79] S. P. Reiss. Security in databases: A combinatorial study. JACM 1979

Aggregate Queries How many aggregate queries: sum / max / median queries can you pose to a database of numbers before you find out the value of an element Some amount of work in the 80’s Theoretically interesting and basis of more practical schemes today

Perfect Privacy [MS04] Miklau, Suciu: A formal analysis of information disclosure in data exchange. SIGMOD 2004 [MG06] Machanavajhala, Gehrke: On the efficiency of checking perfect privacy. PODS 2006

Perfect Privacy[MS04,MG06] Table Patient(Name, Phone number) Want to keep secret: All phone-numbers in the database Query: select name from Patient Perfect Privacy violation! Reveals some information --- the phone database is not empty. Too strong

SQL Auditing: Single Table Audit for address, SSN and phone numbers of all patients with diabetes Say Alice has diabetes Then any query that returns the address, SSN and phone number of Alice is suspicious wrt to the audit expression [ABFKRS04] Agrawal, Bayardo, Faloutsos, Kiernan, Rantzau, Srikant: Auditing compliance with a Hippocratic Database VLDB2004

Auditing SQL Queries[ABFKRS04] An audit expression is like a SQL Query AUDIT audit list FROM table list WHERE condition list

Example SELECT zipcode FROM Patients p WHERE p.disease = ‘diabetes’ AUDIT zipcode FROM Patients p WHERE p.disease = ‘high blood pressure’ AUDIT disease FROM Patients p WHERE p.zipcode = Suspicious if someone in has diabetes Not Suspicious wrt this

Formally, SQL Auditing Query Q=  C OQ  P Q (T £ R)) Audit expression A=  C OA (  P A ( T £ S)) Where, T =T 1 £ T 2 £ T 2 …. T n R=R 1 £ R 2 £ R 2 …. R n S=S 1 £ S 2 £ S 2 …. S n

SQL Auditing: Q suspicious wrt A £ £  T (T)  R (R)  S (S) (1) 9 v 2 T : (a)  R Æ T (R £ {v} )   (b)  S Æ T ({v} £ S )   (2) All audited columns are projected by the query Requires execution of queries on the database v

Auditing a Batch of SQL Queries Previous work for (1)Batch of queries like sum, max and median --can answers be stitched together to reveal more than what a single query can reveal? (2)Singleton SQL queries We introduce the notion of auditing a batch of SQL queries

SQL Auditing Batch of SQL queries, each of form Project col 1 col 2 col 3 …. col k From R Where C 1 and C 2 and C 3 and … C j Each C i : (col m = value), (col m <= value), (col m >= value), (value 1 <= col m <= value 2 ) col 1, col 2,.. col k includes primary key so that result of query can be joined with other results

Semantically Suspicious A query batch Q 1, Q 2,.. Q n is said to be suspicious wrt to an audit expression A if an expression combining the results of these queries as base tables is suspicious wrt A Natural extension of a suspicious query to a query batch

Syntactically Suspicious A query batch is said to be syntactically suspicious with respect to an audit expression A if there exists an instantiation of the database tables for which it is suspicious wrt A Does not require execution of the queries against the table

SQL Batch Auditing Query 1 Query 2 Query 3 Audited tuple columns are covered Query 4 Audit expression Query batch suspicious wrt audit expression iff queries together cover all audited columns of at least audited tuple syntacticallysemantically on table Ton some table T

Syntactic and Semantic Auditing Syntactially suspicious implies semantically suspicious To check semantic suspiciousness check for syntactic suspiciousness first and then execute the queries on tables to verify How to check syntactic suspiciousness covered next

Compatible Queries A batch of queries is compatible if the conjunction of their selection conditions is satisfiable. To test compatibility of a set of queries you only need to check pairwise compatibility [Helley’s Theorem]

Syntactic Auditing: Graph Problem Query 1 Query 2 Query 3 Query 4=AuditExp { } Suspicious iff there exists an independent set, including audit expression that covers all audited colors

Syntactic Auditing Query batch suspicious iff there is a subset of queries compatible with the audit expression and they cover all audited columns. Need not consider hyperedges as due to Helley’s Theorem you only need to check pairwise compatibility Independent set implies the query batch is compatible Has all audited colors implies that all audited columns are covered

Syntactic Auditing is NP complete Reduction from 3-SAT X1X1 X1X1 X2X2 X3X3 X4X4 X2X2 X3X3 X4X4 X1X1 X2X2 X4X4 ÇÇ X2X2 X3X3 X4X4 ÇÇ

Semantic Auditing If table given an implicit representation then NP complete Explicitly mentioned table, polynomial time algorithm

THANK YOU! Questions?