Database Security: DBMS Features, Statistical Database Security
Database security CSCE Eastman/Farkas - Fall

Security Concerns
- Data integrity
- Data confidentiality
  - Access control
  - Inference control
- Data availability

Topics in Text
- What is a database? Basic definitions for relational DBs
- DBMS security functionality
- Inference attacks
- Multilevel secure databases

Security Concerns
- Data integrity
  - Information assurance
- Data confidentiality
  - Access control
  - Inference control
- Data availability

Security Requirements
- Physical database integrity
- Logical database integrity
- Element integrity
- Auditability
- Access control
- User authentication
- Availability

Some Techniques and Tools
- Two-phase commit (intent phase / commit phase)
- Shadow values
- Backups
- Audit trails
- Concurrency management

Checking Data
- Element level: range checks
- Tuple/record level: state constraints, transition constraints
- Relation/file level: duplicate key checks
- Database level

Indirect Information Flow
- Covert channels
- Inference channels
Communication Channels
- Overt channel: designed into a system and documented in the user's manual
- Covert channel: not documented. Covert channels may be deliberately inserted into a system, but most such channels are accidents of the system design.

Covert Channel
Needs:
- Two active participants
- An encoding scheme
Example: the sender modulates the CPU utilization level with the data stream to be transmitted.
Sender:
  repeat
    get a bit to send
    if the bit is 1
      wait one second (don't use CPU time)
    else
      busy-wait one second (use CPU time)
    endif
  until done

Covert Channel Types
- Timing channel: based on system timing
- Storage channel: communication not related to time
- The two can be turned into each other

Covert Channel Protection
- Noise
- Synchronization
- Protection (user state, system state)
- Removal
- Slow down
- Audit

Inference Channels
  Non-sensitive information + Meta-data = Sensitive information

Inference Channels
- Statistical database inferences
- General purpose database inferences
Statistical Databases
- Goal: provide aggregate information about groups of individuals (e.g., average GPA of students)
- Security risk: specific information about a particular individual (e.g., GPA of student John Smith)
- Meta-data: working knowledge about the attributes
- Supplementary knowledge (not stored in the database)

Types of Statistics
- Macro-statistics: collections of related statistics presented in 2-dimensional tables
- Micro-statistics: individual data records used for statistics after identifying information is removed

Macro-statistics (counts by sex and year)

  Sex \ Year |    |    | Sum
  Female     |  4 |  1 |   5
  Male       |    |    |
  Sum        | 10 | 14 |  24

Micro-statistics

  Sex | Course | GPA | Year
  F   | CSCE   |     |
  M   | CSCE   |     |
  F   | CSCE   |     |

Statistical Compromise
- Exact compromise: find the exact value of an attribute of an individual (e.g., John Smith's GPA is 3.8)
- Partial compromise: find an estimate of an attribute value corresponding to an individual (e.g., John Smith's GPA is between 3.5 and 4.0)
Small/Large Query Set Attack
C: characteristic formula that identifies a group of individuals.
If C identifies a single individual I [count(C) = 1]:
- Find out the existence of a property:
  - count(C and D) = 1 means I has property D
  - count(C and D) = 0 means I does not have D
- Or find the value of a property: sum(C, D) gives I's value of D

Protection
Protection from the small/large query set attack: query-set-size control.
A query q(C) is permitted only if n <= |C| <= N - n, where n >= 0 is a parameter of the database and N is the number of records in the database.

Tracker Attack
- C = C1 and C2
- Tracker: T = C1 and ~C2
- q(C) = q(C1) - q(T), even though q(C) itself is disallowed

Tracker Attack (finding a property D of the individual identified by C)
- C = C1 and C2, T = C1 and ~C2
- q(C and D) = q(T or (C and D)) - q(T), even though q(C and D) is disallowed

Query Overlap Attack
[Figure: two overlapping query sets C1 and C2 over John, Kathy, Max, Fred, Eve, Paul and Mitch; John is the only member of C1 outside C2]
- q(John) = q(C1) - q(C2)
- Protection: query-overlap control

Insertion/Deletion Attack
Observing changes over time:
- q1 = q(C)
- insert(i)
- q2 = q(C)
- q(i) = q2 - q1
Protection: insertions and deletions are performed in pairs

Summary of Controls
- Limited response suppression
- Combined results, including ranges
- Random sample
- Random data perturbation
- Query analysis
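The query-set-size and query-overlap controls above, as an added example that is not part of the slides: a small Python front end over constructed student records that answers sum(C, GPA) only when n <= |C| <= N - n and the query set shares at most max_overlap records with any set already answered, so the two halves of a tracker pair cannot both be released. RECORDS, the parameters n and max_overlap, and the StatDB class are assumptions of this example.

```python
# Added example (not from the slides): a statistical-database front end
# enforcing query-set-size control (n <= |C| <= N - n) and query-overlap
# control. Records, GPA values and parameters are constructed.

# Constructed micro-data: (name, sex, course, gpa). Names are kept only so
# the example can show which individual a refused query would single out.
RECORDS = [
    ("John",  "M", "CSCE", 3.8),
    ("Kathy", "F", "CSCE", 3.2),
    ("Max",   "M", "MATH", 2.9),
    ("Fred",  "M", "CSCE", 3.5),
    ("Eve",   "F", "MATH", 3.9),
    ("Paul",  "M", "MATH", 3.1),
    ("Mitch", "M", "CSCE", 2.7),
]

class StatDB:
    """Answers sum(C, GPA) queries, where C is a predicate over one record."""

    def __init__(self, records, n=2, overlap_control=True, max_overlap=1):
        self.records = records
        self.n = n                        # size parameter n from the slides
        self.overlap_control = overlap_control
        self.max_overlap = max_overlap    # records two answered sets may share
        self.answered = []                # query sets already released

    def query_set(self, c):
        return frozenset(r[0] for r in self.records if c(r))

    def refusal_reason(self, c):
        """None if q(C) may be answered, otherwise the control that refuses it."""
        qs = self.query_set(c)
        N = len(self.records)
        if not (self.n <= len(qs) <= N - self.n):
            return "query-set-size"       # set too small or too large
        if self.overlap_control and any(
                len(qs & old) > self.max_overlap for old in self.answered):
            return "query-overlap"        # could be differenced against an answer
        return None

    def sum_gpa(self, c):
        reason = self.refusal_reason(c)
        if reason is not None:
            raise PermissionError(reason)
        self.answered.append(self.query_set(c))
        return round(sum(r[3] for r in self.records if c(r)), 2)
```

With overlap control switched off, both halves of the tracker pair (CSCE students, then CSCE students who are not female) pass the size check, which is exactly why size control alone does not stop the tracker.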
Statistical Inference Theory
Given an unlimited number of statistics and correct statistical answers, all statistical databases can be compromised (Ullman).

The Inference Problem
- General purpose DBs: usually transaction oriented
- Retrieve non-sensitive data and infer sensitive data
- Inference via database constraints
- Inference via updates

Database Constraints
- Integrity constraints
- Database dependencies
- Key integrity

Integrity Constraints
- C = A + B, with A = public, C = public, and B = secret
- B can be calculated from A and C, i.e., secret information can be calculated from public data

Database Dependencies
- Functional dependencies
- Multi-valued dependencies
- Join dependencies

Functional Dependency
FD: A -> B. For any two tuples in the relation, if they have the same value for A, they must have the same value for B.

Example
- FD: Rank -> Salary
- Secret information: Name and Salary together
- Query 1: Name and Rank
- Query 2: Rank and Salary
- Combining the answers to Queries 1 and 2 reveals Name and Salary together
Key Integrity
- Every tuple in the relation has a unique key
- Users at different levels see different versions of the database
- Users might attempt to update data that is not visible to them

Example

Secret view:
  Name (key) | Salary   | Address
  Black  P   | 38,000 P | Columbia S
  Red    S   | 42,000 S | Irmo     S

Public view:
  Name (key) | Salary   | Address
  Black  P   | 38,000 P | Null P

An Update
Public user:
1. Update Black's address to Orlando
2. Add new tuple: (Red, 22,000, Manassas)

Update Results
- Refuse the update: covert channel
- Allow the update:
  - Overwrite high data: may be incorrect
  - Create a new tuple (polyinstantiation): which data is correct? violates key constraints

Another Update
  Name (key) | Salary   | Address
  Black  P   | 38,000 P | Columbia S
  Red    S   | 42,000 S | Irmo     S
Secret user: update Black's salary to 45,000

Update Results
- Refuse the update: covert channel
- Allow the update:
  - Overwrite low data: covert channel
  - Create a new tuple (polyinstantiation): which data is correct? violates key constraints
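The two updates above, worked through as an added example (not from the slides) in Python: a toy multilevel relation whose elements carry labels P (public) and S (secret), with the polyinstantiation option implemented for the public user's update and insert and for the secret user's update, so that nothing is refused on account of invisible data and no data at another level is overwritten. The two-level lattice and the make_table, view, update and insert functions are assumptions of this example.

```python
# Added example (not from the slides): a toy multilevel relation for the
# Black/Red example, with polyinstantiation. Labels P < S are assumed.

LEVELS = {"P": 0, "S": 1}

def dominates(a, b):
    return LEVELS[a] >= LEVELS[b]

def make_table():
    """The Secret view from the slides. The key carries its own label; every
    other attribute maps label -> value so it can hold one value per level."""
    return [
        {"name": ("Black", "P"), "salary": {"P": 38000}, "address": {"S": "Columbia"}},
        {"name": ("Red",   "S"), "salary": {"S": 42000}, "address": {"S": "Irmo"}},
    ]

def view(table, level):
    """Rows a user cleared to `level` sees: tuples whose key label they dominate,
    each element at the highest label they dominate, or None (Null) if none."""
    out = []
    for row in table:
        name, label = row["name"]
        if not dominates(level, label):
            continue
        seen = {"name": name}
        for attr in ("salary", "address"):
            vis = [l for l in row[attr] if dominates(level, l)]
            seen[attr] = row[attr][max(vis, key=LEVELS.get)] if vis else None
        out.append(seen)
    return out

def update(table, level, name, attr, value):
    """Write `value` under the user's own label beside any other value of the
    element: neither higher nor lower data is overwritten, nothing is refused."""
    rows = [r for r in table if r["name"][0] == name and dominates(level, r["name"][1])]
    if not rows:
        return False                     # no such key visible at this level
    target = max(rows, key=lambda r: LEVELS[r["name"][1]])
    target[attr][level] = value          # element-level polyinstantiation
    return True

def insert(table, level, name, salary, address):
    """Insert at the user's level. Refusing because the key exists at a level
    the user cannot see would be a covert channel, so a second tuple keyed
    (name, level) is created instead (tuple-level polyinstantiation)."""
    if any(r["name"] == (name, level) for r in table):
        return False                     # duplicate the user can see: refuse
    table.append({"name": (name, level), "salary": {level: salary}, "address": {level: address}})
    return True
```

After both updates, the secret user sees Columbia and Orlando for Black's address and 45,000 for the salary, while the public view still shows 38,000: the "which data is correct?" question of the slides is left to the higher-cleared user.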
Inference Problem
- No general technique is available to solve the problem
- Need assurance of protection
- Hard to incorporate outside knowledge

Some Recent Work
- C. Farkas (and others): keep a history file per user to prevent access to data items that would allow inference; limited to static databases
- T. Toland (and others): extend this work to handle dynamic databases with updates