1 / 56

Lecture 15-16: Security

Lecture 15-16: Security. Wednesday, May 17, 2006. Outline. Traditional data security Two attacks Data security research today Conclusions. Data Security. Dorothy Denning, 1982:

nishi
Download Presentation

Lecture 15-16: Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 15-16:Security Wednesday, May 17, 2006

  2. Outline • Traditional data security • Two attacks • Data security research today • Conclusions

  3. Data Security Dorothy Denning, 1982: • Data Security is the science and study of methods of protecting data (...) from unauthorized disclosure and modification • Data Security = Confidentiality + Integrity

  4. Data Security • Distinct from systems and network security • Assumes these are already secure • Tools: • Cryptography, information theory, statistics, … • Applications: • An enabling technology

  5. Discretionary Access Control in SQL GRANT privileges ON object TO users [WITH GRANT OPTIONS] privileges = SELECT | INSERT(column-name) | UPDATE(column-name) | DELETE | REFERENCES(column-name)object = table | attribute

  6. Examples GRANT INSERT, DELETE ON Customers TO Yuppy WITH GRANT OPTIONS Queries allowed to Yuppy: INSERT INTO Customers(cid, name, address) VALUES(32940, ‘Joe Blow’, ‘Seattle’) DELETE Customers WHERE LastPurchaseDate < 1995 SELECT Customer.address FROM Customer WHERE name = ‘Joe Blow’ Queries denied to Yuppy:

  7. Examples GRANT SELECT ON Customers TO Michael Now Michael can SELECT, but not INSERT or DELETE

  8. Examples GRANT SELECT ON Customers TO Michael WITH GRANT OPTIONS Michael can say this: GRANT SELECT ON Customers TO Yuppi Now Yuppi can SELECT on Customers

  9. Examples GRANT UPDATE (price) ON Product TO Leah Leah can update, but only Product.price, but not Product.name

  10. Examples Customer(cid, name, address, balance)Orders(oid, cid, amount) cid= foreign key Bill has INSERT/UPDATE rights to Orders. BUT HE CAN’T INSERT ! (why ?) GRANT REFERENCES (cid) ON Customer TO Bill Now Bill can INSERT tuples into Orders

  11. David says CREATE VIEW PublicCustomers SELECT Name, Address FROM Customers GRANT SELECT ON PublicCustomers TO Fred Views and Security David owns Fred is notallowed tosee this Customers:

  12. David says CREATE VIEW BadCreditCustomers SELECT * FROM Customers WHERE Balance < 0 GRANT SELECT ON BadCreditCustomers TO John David owns Views and Security John isallowed tosee only <0balances Customers:

  13. David says Views and Security • Each customer should see only her/his record CREATE VIEW CustomerMary SELECT * FROM Customers WHERE name = ‘Mary’ GRANT SELECT ON CustomerMary TO Mary CREATE VIEW CustomerSue SELECT * FROM Customers WHERE name = ‘Sue’ GRANT SELECT ON CustomerSue TO Sue Doesn’t scale. Need row-level access control ! . . .

  14. Revocation REVOKE [GRANT OPTION FOR] privileges ON object FROM users { RESTRICT | CASCADE } Administrator says: REVOKE SELECT ON Customers FROM David CASCADE John loses SELECT privileges on BadCreditCustomers

  15. Revocation Same privilege,same object,GRANT OPTION Joe: GRANT [….] TO Art …Art: GRANT [….] TO Bob …Bob: GRANT [….] TO Art …Joe: GRANT [….] TO Cal …Cal: GRANT [….] TO Bob …Joe: REVOKE [….] FROM Art CASCADE What happens ??

  16. Revocation Admin Revoke 0 1 Joe Art 2 4 3 Cal Bob 5 According to SQL everyone keeps the privilege

  17. Limitations: No row level access control Table creator owns the data: that’s unfair ! … or spectacular failure: Only 30% assign privileges to users/roles And then to protect entire tables, not columns Summary of SQL Security Access control = great success story of the DB community...

  18. Summary (cont) • Most policies in middleware: slow, error prone: • SAP has 10**4 tables • GTE over 10**5 attributes • A brokerage house has 80,000 applications • A US government entity thinks that it has 350K • Today the database is not at the center of the policy administration universe [Rosenthal&Winslett’2004]

  19. Not OK SELECT name FROM Patient WHERE age=42 and sex=‘M’ and diagnostic=‘schizophrenia’ SELECT count(*) FROM Patients WHERE age=42 and sex=‘M’ and diagnostic=‘schizophrenia’ OK [Adam&Wortmann’89] Security in Statistical DBs Goal: • Allow arbitrary aggregate SQL queries • Hide confidential data

  20. [Adam&Wortmann’89] Security in Statistical DBs What has been tried: • Query restriction • Query-size control, query-set overlap control, query monitoring • None is practical • Data perturbation • Most popular: cell combination, cell suppression • Other methods, for continuous attributes: may introduce bias • Output perturbation • For continuous attributes only

  21. Summary on Security in Statistical DB • Original goal seems impossible to achieve • Cell combination/suppression are popular, but do not allow arbitrary queries

  22. Outline • Traditional data security • Two attacks • Data security research today • Conclusions

  23. User: Password: fred ******** Search claims by: [Chris Anley, Advanced SQL Injection In SQL] SQL Injection Your health insurance company lets you see the claims online: First login: Now search through the claims : Dr. Lee SELECT…FROM…WHERE doctor=‘Dr. Lee’ and patientID=‘fred’

  24. Better: Search claims by: Dr. Lee’ OR 1 = 1; -- SQL Injection Now try this: Search claims by: Dr. Lee’ OR patientID = ‘suciu’; -- …..WHERE doctor=‘Dr. Lee’ OR patientID=‘suciu’; --’ and patientID=‘fred’

  25. SQL Injection When you’re done, do this: Search claims by: Dr. Lee’; DROP TABLE Patients; --

  26. SQL Injection • The DBMS works perfectly. So why is SQL injection possible so often ? • Quick answer: • Poor programming: use stored procedures ! • Deeper answer: • Move policy implementation from apps to DB

  27. Latanya Sweeney’s Finding • In Massachusetts, the Group Insurance Commission (GIC) is responsible for purchasing health insurance for state employees • GIC has to publish the data: GIC(zip, dob, sex, diagnosis, procedure, ...)

  28. Latanya Sweeney’s Finding • Sweeney paid $20 and bought the voter registration list for Cambridge Massachusetts: GIC(zip, dob, sex, diagnosis, procedure, ...) VOTER(name, party, ..., zip, dob, sex)

  29. Latanya Sweeney’s Finding • William Weld (former governor) lives in Cambridge, hence is in VOTER • 6 people in VOTER share his dob • only 3 of them were man (same sex) • Weld was the only one in that zip • Sweeney learned Weld’s medical records ! zip, dob, sex

  30. Latanya Sweeney’s Finding • All systems worked as specified, yet an important data has leaked • How do we protect against that ? Some of today’s research in data security address breachesthat happen even if all systems work correctly

  31. Summary on Attacks SQL injection: • A correctness problem: • Security policy implemented poorly in the application Sweeney’s finding: • Beyond correctness: • Leakage occurred when all systems work as specified

  32. Outline • Traditional data security • Two attacks • Data security research today • Conclusions

  33. Research Topics in Data Security Rest of the talk: • Information Leakage • Privacy • Fine-grained access control • Data encryption • Secure shared computation

  34. [Samarati&Sweeney’98, Meyerson&Williams’04] Information Leakage:k-Anonymity Definition: each tuple is equal to at least k-1 others Anonymizing: through suppression and generalization Hard: NP-complete for supression only Approximations exists

  35. [Miklau&S’04, Miklau&Dalvi&S’05,Yang&Li’04] Information Leakage:Query-view Security Have data: TABLE Employee(name, dept, phone) total big tiny none

  36. Summary on Information Disclosure • The theoretical research: • Exciting new connections between databases and information theory, probability theory, cryptography • The applications: • many years away [Abadi&Warinschi’05]

  37. Privacy • “Is the right of individuals to determine for themselves when, how and to what extent information about them is communicated to others” • More complex than confidentiality [Agrawal’03]

  38. alice@a.b.com Privacy policy: P3P Privacy Example: Alice gives her email to a web service Involves: • Data • Owner • Requester • Purpose • Consent

  39. alice@a.b.com Privacy policy: P3P Hippocratic Databases DB support for implementing privacy policies. • Purpose specification • Consent • Limited use • Limited retention • … Hippocratic DB • Protection against: • Sloppy organizations • Malicious organizations [Agrawal’03, LeFevrey’04]

  40. lice27@agenthost.com foreign keys ? Privacy for Paranoids • Idea: rely on trusted agents aly1@agenthost.com alice@a.b.com Agent • Protection against: • Sloppy organizations • Malicious attackers [Aggarwal’04]

  41. Summary on Privacy • Major concern in industry • Legislation • Consumer demand • Challenge: • How to enforce an organization’s stated policies

  42. Fine-grained Access Control Control access at the tuple level. • Policy specification languages • Implementation

  43. Policy Specification Language No standard, but usually based on parameterized views. CREATE AUTHORIZATION VIEW PatientsForDoctors AS SELECT Patient.* FROM Patient, Doctor WHERE Patient.doctorID = Doctor.ID and Doctor.login = %currentUser Contextparameters

  44. Implementation SELECT Patient.name, Patient.age FROM Patient WHERE Patient.disease = ‘flu’ SELECT Patient.name, Patient.age FROM Patient, Doctor WHERE Patient.disease = ‘flu’ and Patient.doctorID = Doctor.ID and Patient.login = %currentUser e.g. Oracle

  45. Two Semantics • The Truman Model = filter semantics • transform reality • ACCEPT all queries • REWRITE queries • Sometimes misleading results • The non-Truman model = deny semantics • reject queries • ACCEPT or REJECT queries • Execute query UNCHANGED • May define multiple security views for a user SELECT count(*)FROM PatientsWHERE disease=‘flu’ [Rizvi’04]

  46. Summary of Fine Grained Access Control • Trend in industry: label-based security • Killer app: application hosting • Independent franchises share a single table at headquarters (e.g., Holiday Inn) • Application runs under requester’s label, cannot see other labels • Headquarters runs Read queries over them • Oracle’s Virtual Private Database [Rosenthal&Winslett’2004]

  47. Data Encryption for Publishing Scientist wants to publish medical research data on the Web • Users and their keys: • Complex Policies: All authorized users: Kuser Patient: Kpat Doctor: Kdr Nurse: Knu Administrator : Kadmin Doctor researchers may access trials Nurses may access diagnostic Etc… What is the encryption granularity ?

  48. An XML tree protection: Kuser Kdr Kpat (KnuKadm) Knu  Kdr Kpat Kmaster Kmaster [Miklau&S.’03] Data Encryption for Publishing Doctor: Kuser, Kdr Nurse: Kuser, Knu Nurse+admin: Kuser, Knu, Kadm <patient> <privateData> <diagnostic> <trial> flu <name> <age> <address> <drug> <placebo> 28 Seattle Tylenol Candy JoeDoe

  49. Summary on Data Encryption • Industry: • Supported by all vendors: Oracle, DB2, SQL-Server • Efficiency issues still largely unresolved • Research: • Hard theoretical security analysis [Abadi&Warinschi’05]

  50. Secure Shared Processing • Alice has a database DBA • Bob has a database DBB • How can they compute Q(DBA, DBB), without revealing their data ? • Long history in cryptography • Some database queries are easier than general case

More Related