Current Trends in Data Security
Dan Suciu
Joint work with Gerome Miklau
Data Security
Dorothy Denning, 1982:
"Data Security is the science and study of methods of protecting data (...) from unauthorized disclosure and modification"
Data Security = Confidentiality + Integrity
Data Security
- Distinct from systems and network security
  - Assumes these are already secure
- Tools: cryptography, information theory, statistics, ...
- Applications: an enabling technology
Outline
- Traditional data security
- Two attacks
- Data security research today
- Conclusions
Traditional Data Security
- Security in SQL = Access control + Views
- Security in statistical databases = Theory [Griffith & Wade '76, Fagin '78]
Access Control in SQL
  GRANT privileges ON object TO users [WITH GRANT OPTION]
  privileges = SELECT | INSERT | DELETE | ...
  object = table | attribute
  REVOKE privileges ON object FROM users [CASCADE]
Views in SQL
A SQL View = (almost) any SQL query
Typically used as:
  CREATE VIEW pmpStudents AS
    SELECT * FROM Students WHERE ...
  GRANT SELECT ON pmpStudents TO DavidRispoli
Summary of SQL Security
Limitations:
- No row level access control
- Table creator owns the data: that's unfair!
Access control = great success story of the DB community...
... or spectacular failure:
- Only 30% assign privileges to users/roles
- And then to protect entire tables, not columns
Summary (cont)
Most policies in middleware: slow, error prone:
- SAP has 10^4 tables
- GTE over 10^5 attributes
- A brokerage house has 80,000 applications
- A US government entity thinks that it has 350K
Today the database is not at the center of the policy administration universe
[Rosenthal & Winslett 2004]
[Adam & Wortmann 89]
Security in Statistical DBs
Goal:
- Allow arbitrary aggregate SQL queries
- Hide confidential data

Not OK:
  SELECT name
  FROM Patient
  WHERE age = 42
    and sex = 'M'
    and diagnostic = 'schizophrenia'

OK:
  SELECT count(*)
  FROM Patients
  WHERE age = 42
    and sex = 'M'
    and diagnostic = 'schizophrenia'
[Adam & Wortmann 89]
Security in Statistical DBs
What has been tried:
- Query restriction
  - Query size control, query set overlap control, query monitoring
  - None is practical
- Data perturbation
  - Most popular: cell combination, cell suppression
  - Other methods, for continuous attributes: may introduce bias
- Output perturbation
  - For continuous attributes only
Summary on Security in Statistical DB
- Original goal seems impossible to achieve
- Cell combination/suppression are popular, but do not allow arbitrary queries
[Chris Anley, Advanced SQL Injection In SQL]
SQL Injection
Your health insurance company lets you see the claims online:
First login:
  User: fred
  Password: ********
Now search through the claims:
  Search claims by: Dr. Lee
  SELECT ... FROM ... WHERE doctor = 'Dr. Lee' and patientID = 'fred'
SQL Injection
Now try this:
  Search claims by: Dr. Lee' OR patientID = 'suciu';
  .. WHERE doctor = 'Dr. Lee' OR patientID = 'suciu'; and patientID = 'fred'
Better:
  Search claims by: Dr. Lee' OR 1=1;
SQL Injection
When you're done, do this:
  Search claims by: Dr. Lee'; DROP TABLE Patients;
SQL Injection
The DBMS works perfectly. So why is SQL injection possible so often?
Quick answer:
- Poor programming: use stored procedures!
Deeper answer:
- Move policy implementation from apps to DB
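To make the "poor programming" point concrete, here is an added example (not from the talk) that runs the claims search from the slides against an in-memory SQLite table, once built by string concatenation and once with bind parameters; the Claims table, its rows and the function names are constructed for this example.

```python
import sqlite3

# Constructed sample data for the health-insurance claims scenario.
CLAIMS = [
    ("fred", "Dr. Lee", "checkup"),
    ("fred", "Dr. Kim", "x-ray"),
    ("suciu", "Dr. Lee", "flu shot"),
    ("suciu", "Dr. Kim", "MRI"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Claims(patientID TEXT, doctor TEXT, claim TEXT)")
    conn.executemany("INSERT INTO Claims VALUES (?, ?, ?)", CLAIMS)
    return conn


def search_vulnerable(conn, doctor, patient_id):
    """Builds the WHERE clause by concatenation: the search-box text becomes
    part of the SQL, so a quote in it changes the policy check itself."""
    sql = ("SELECT claim FROM Claims WHERE doctor = '" + doctor +
           "' and patientID = '" + patient_id + "'")
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, doctor, patient_id):
    """Same query with bind parameters: the DBMS receives the statement and
    the values separately, so the search text can only ever act as data."""
    sql = "SELECT claim FROM Claims WHERE doctor = ? and patientID = ?"
    return [row[0] for row in conn.execute(sql, (doctor, patient_id))]
```

With the slide's input `Dr. Lee' OR patientID = 'suciu`, the concatenated version returns another patient's claim while the parameterized version simply finds no doctor by that name.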
Latanya Sweeney's Finding
In Massachusetts, the Group Insurance Commission (GIC) is responsible for purchasing health insurance for state employees
GIC has to publish the data:
  GIC(zip, dob, sex, diagnosis, procedure, ...)
Latanya Sweeney's Finding
Sweeney paid $20 and bought the voter registration list for Cambridge, Massachusetts:
  GIC(zip, dob, sex, diagnosis, procedure, ...)
  VOTER(name, party, ..., zip, dob, sex)
Latanya Sweeney's Finding
Linking on zip, dob, sex:
- William Weld (former governor) lives in Cambridge, hence is in VOTER
- 6 people in VOTER share his dob
- only 3 of them were men (same sex)
- Weld was the only one in that zip
Sweeney learned Weld's medical records!
Latanya Sweeney's Finding
All systems worked as specified, yet important data has leaked
How do we protect against that?
Some of today's research in data security addresses breaches that happen even if all systems work correctly
Summary on Attacks
SQL injection:
- A correctness problem:
  - Security policy implemented poorly in the application
Sweeney's finding:
- Beyond correctness:
  - Leakage occurred when all systems work as specified
Research Topics in Data Security
Rest of the talk:
- Information Leakage
- Privacy
- Fine grained access control
- Data encryption
- Secure shared computation
[Samarati & Sweeney 98, Meyerson & Williams 04]
Information Leakage: k-Anonymity
Definition: each tuple is equal to at least k-1 others
Anonymizing: through suppression and generalization

Original table:
  First     Last    Age  Race
  Harry     Stone   34   AfrAm
  John      Reyser  36   Cauc
  Beatrice  Stone   47   AfrAm
  John      Ramos   22   Hisp

After anonymization (k = 2):
  First  Last   Age    Race
  *      Stone  30-50  AfrAm
  *      R*     20-40  *
  *      Stone  30-50  AfrAm
  *      R*     20-40  *

Hard: NP-complete for suppression only
Approximations exist
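The linkage behind Sweeney's finding and the k-anonymity definition above are two sides of the same check, so here is one added example (not from the talk) that does both: it measures the anonymity level of a release on the quasi-identifier (zip, dob, sex), flags published rows that an external list pins to exactly one person, and shows how generalization raises k. All rows and names are constructed; no real records are used.

```python
from collections import Counter

QI = ("zip", "dob", "sex")   # the quasi-identifier Sweeney linked on

# Constructed sample rows (no real records): a GIC-style release and a voter list.
GIC = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "dob": "1945-07-31", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1962-03-02", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1962-03-02", "sex": "F", "diagnosis": "flu"},
]
VOTER = [
    {"name": "Pat Roe", "zip": "02138", "dob": "1945-07-31", "sex": "M"},
    {"name": "Sam Doe", "zip": "02139", "dob": "1945-07-31", "sex": "M"},
    {"name": "Lee Poe", "zip": "02139", "dob": "1945-07-31", "sex": "F"},
    {"name": "Kim Voe", "zip": "02139", "dob": "1962-03-02", "sex": "F"},
    {"name": "Ada Moe", "zip": "02139", "dob": "1962-03-02", "sex": "F"},
]


def qi_key(row, qi=QI):
    return tuple(row[c] for c in qi)


def anonymity_level(table, qi=QI):
    """Largest k for which the table is k-anonymous on qi: the size of the
    smallest group of rows sharing the same quasi-identifier values."""
    return min(Counter(qi_key(r, qi) for r in table).values())


def reidentifiable(published, external, qi=QI):
    """Pre-release risk check: published rows whose quasi-identifier matches
    exactly one row of an external table are linkable to a name."""
    matches = Counter(qi_key(r, qi) for r in external)
    names = {qi_key(r, qi): r["name"] for r in external}
    return [(r["diagnosis"], names[qi_key(r, qi)])
            for r in published if matches[qi_key(r, qi)] == 1]


def generalize(table):
    """Generalization step: keep only the first 3 zip digits and the birth year.
    (Suppression, the other tool, would replace a value with '*'.)"""
    out = []
    for r in table:
        g = dict(r)
        g["zip"], g["dob"] = r["zip"][:3] + "**", r["dob"][:4]
        out.append(g)
    return out
```

On the constructed data the raw release is only 1-anonymous and two rows link to a single voter each; after generalization it is 2-anonymous and nothing links.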
[Miklau & S 04, Miklau & Dalvi & S 05, Yang & Li 04]
Information Leakage: Query-view Security
Have data:
  TABLE Employee(name, dept, phone)

  Secret Query                    View(s)                          Disclosure?
  S(name)                         V(name, phone)                   total
  S(name, phone)                  V1(name, dept), V2(dept, phone)  big
  S(name)                         V(dept)                          tiny
  S(name) where dept = 'HR'       V(name) where dept = 'RD'        none
Summary on Information Disclosure
The theoretical research:
- Exciting new connections between databases and information theory, probability theory, cryptography [Abadi & Warinschi 05]
The applications:
- many years away
Privacy
Is the right of individuals to determine for themselves when, how and to what extent information about them is communicated to others [Agrawal 03]
More complex than confidentiality
Privacy
Involves:
- Data
- Owner
- Requester
- Purpose
- Consent
Example: Alice gives her email alice@a.b.com to a web service
Privacy policy: P3P
Hippocratic Databases
DB support for implementing privacy policies.
- Purpose specification
- Consent
- Limited use
- Limited retention
(Figure: Alice's email alice@a.b.com stored in the Hippocratic DB under a P3P privacy policy)
Protection against:
- Sloppy organizations
- Malicious organizations
[Agrawal 03, LeFevre 04]
Privacy for Paranoids
Idea: rely on trusted agents
(Figure: an Agent stands between alice@a.b.com and the aliases aly1@agenthost.com and lice27@agenthost.com; "foreign keys?")
Protection against:
- Sloppy organizations
- Malicious attackers
[Aggarwal 04]
Summary on Privacy
Major concern in industry
- Legislation
- Consumer demand
Challenge:
- How to enforce an organization's stated policies
Fine-grained Access Control
Control access at the tuple level.
- Policy specification languages
- Implementation
Policy Specification Language
No standard, but usually based on parameterized views.
  CREATE AUTHORIZATION VIEW PatientsForDoctors AS
    SELECT Patient.*
    FROM Patient, Doctor
    WHERE Patient.doctorID = Doctor.ID
      and Doctor.login = %currentUser
Context parameters: %currentUser
Implementation
User query:
  SELECT Patient.name, Patient.age
  FROM Patient
  WHERE Patient.disease = 'flu'
Rewritten query (e.g. Oracle):
  SELECT Patient.name, Patient.age
  FROM Patient, Doctor
  WHERE Patient.disease = 'flu'
    and Patient.doctorID = Doctor.ID
    and Doctor.login = %currentUser
Two Semantics
The Truman model = filter semantics ("transform reality"):
- ACCEPT all queries
- REWRITE queries
- Sometimes misleading results, e.g.:
    SELECT count(*)
    FROM Patients
    WHERE disease = 'flu'
The non-Truman model = deny semantics ("reject queries"):
- ACCEPT or REJECT queries
- Execute query UNCHANGED
- May define multiple security views for a user
[Rizvi 04]
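The parameterized authorization view and the two semantics are easiest to compare by running them, so here is an added example (not from the talk, and not how Oracle or any product implements this) on an in-memory SQLite database. The %currentUser context parameter is supplied through a per-session table CurrentUser, the Doctor and Patient rows are constructed, and the two functions truman and non_truman are this example's own simplified models of filter and deny semantics.

```python
import re
import sqlite3

# Constructed sample data: two doctors, three patients.
DOCTORS = [(1, "lee"), (2, "kim")]
PATIENTS = [("Ann", 34, "flu", 1), ("Bob", 50, "flu", 2), ("Cy", 28, "cold", 1)]

# The parameterized authorization view from the slides; %currentUser is read
# from the session table CurrentUser(login) because SQLite has no session variables.
AUTH_VIEW = """CREATE TEMP VIEW PatientsForDoctors AS
    SELECT Patient.* FROM Patient, Doctor, CurrentUser
    WHERE Patient.doctorID = Doctor.ID AND Doctor.login = CurrentUser.login"""


def session(user):
    """Open a connection whose context parameter %currentUser is `user`."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Doctor(ID INTEGER, login TEXT)")
    conn.execute("CREATE TABLE Patient(name TEXT, age INTEGER, disease TEXT, doctorID INTEGER)")
    conn.executemany("INSERT INTO Doctor VALUES (?, ?)", DOCTORS)
    conn.executemany("INSERT INTO Patient VALUES (?, ?, ?, ?)", PATIENTS)
    conn.execute("CREATE TEMP TABLE CurrentUser(login TEXT)")
    conn.execute("INSERT INTO CurrentUser VALUES (?)", (user,))
    conn.execute(AUTH_VIEW)
    return conn


def truman(conn, sql):
    """Filter semantics: accept every query, silently rewrite references to the
    base table into the authorization view, and run the rewritten query.
    A count(*) over Patient therefore counts only the caller's patients."""
    rewritten = re.sub(r"\bPatient\b", "PatientsForDoctors", sql)
    return conn.execute(rewritten).fetchall()


def non_truman(conn, sql, allowed=("PatientsForDoctors",)):
    """Deny semantics: run the query unchanged if every table it reads is one
    of the caller's security views; otherwise reject it (return None).
    The FROM/JOIN scan is a deliberately simple stand-in for a real parser."""
    tables = set(re.findall(r"\b(?:FROM|JOIN)\s+(\w+)", sql, re.IGNORECASE))
    if not tables or not tables <= set(allowed):
        return None
    return conn.execute(sql).fetchall()
```

For user "lee" the Truman rewrite of `SELECT count(*) FROM Patient WHERE disease = 'flu'` answers 1 although the table holds 2 flu patients, which is the misleading result the slide warns about; the non-Truman model rejects that query and only runs the same count when it is written against PatientsForDoctors.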
Summary of Fine Grained Access Control
Trend in industry: label based security
- Killer app: application hosting
- Independent franchises share a single table at headquarters (e.g., Holiday Inn)
- Application runs under requester's label, cannot see other labels
- Headquarters runs Read queries over them
- Oracle's Virtual Private Database
[Rosenthal & Winslett 2004]
Data Encryption for Publishing
Scientist wants to publish medical research data on the Web
Users and their keys:
- All authorized users: K_user
- Patient: K_pat
- Doctor: K_dr
- Nurse: K_nu
- Administrator: K_admin
Complex Policies:
- Doctor researchers may access trials
- Nurses may access diagnostic
- Etc
What is the encryption granularity?
[Miklau & S. 03]
Data Encryption for Publishing
An XML tree protection:
- Doctor: K_user, K_dr
- Nurse: K_user, K_nu
- Nurse + admin: K_user, K_nu, K_adm
(Figure: the document <patient> with elements <privateData>, <name> Joe Doe, <age> 28, <address> Seattle, <diagnostic> flu, <trial>, <drug> Tylenol, <placebo> Candy; subtrees are guarded by key expressions such as K_user, K_pat or (K_nu and K_adm), K_nu or K_dr, K_pat, K_dr and K_master)
Summary on Data Encryption
Industry:
- Supported by all vendors: Oracle, DB2, SQL Server
- Efficiency issues still largely unresolved
Research:
- Hard theoretical security analysis [Abadi & Warinschi 05]
Secure Shared Processing
- Alice has a database DB_A
- Bob has a database DB_B
- How can they compute Q(DB_A, DB_B), without revealing their data?
- Long history in cryptography
- Some database queries are easier than the general case
[Agrawal 03]
Secure Shared Processing
Alice has {a, b, c, d}; Bob has {c, d, e}
Task: find the intersection without revealing the rest
Compute a one-way hash:
  Alice: h(a) h(b) h(c) h(d)
  Bob:   h(c) h(d) h(e)
Exchange:
  Alice now holds h(c) h(d) h(e)
  Bob now holds h(a) h(b) h(c) h(d)
What's wrong?
[Agrawal 03]
Secure Shared Processing
Commutative encryption: h(x) = E_A(E_B(x)) = E_B(E_A(x))
Alice has {a, b, c, d} and key E_A; Bob has {c, d, e} and key E_B
1. Alice sends E_A(a) E_A(b) E_A(c) E_A(d); Bob sends E_B(c) E_B(d) E_B(e)
2. Bob applies E_B to Alice's values: h(a) h(b) h(c) h(d); Alice applies E_A to Bob's values: h(c) h(d) h(e)
3. Exchange again: each side now holds h(a) h(b) h(c) h(d) and h(c) h(d) h(e) and can compare them
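The two-round protocol above, as an added example that is not part of the talk: both roles are run in one process with Pohlig-Hellman style exponentiation modulo a prime, which is commutative because (x^a)^b = (x^b)^a. It also answers the previous slide's "What's wrong?": a public hash h lets whoever receives h(e) test guesses from a small domain offline, whereas here h(x) = x^(ab) depends on both private exponents. The group modulus P = 2^127 - 1 is this example's demonstration parameter, far smaller than a deployment would use.

```python
import hashlib
import math
import secrets

# Demonstration parameter (assumption of this example): the Mersenne prime 2^127 - 1.
# A deployment would use a much larger group; the protocol logic is unchanged.
P = 2**127 - 1


def to_group(item):
    """Hash a set element to an integer in [1, P-1] so it can be exponentiated."""
    h = int.from_bytes(hashlib.sha256(item.encode()).digest(), "big")
    return h % (P - 1) + 1


def keygen():
    """Private exponent coprime to P-1, so E_K is a bijection (no accidental collisions)."""
    while True:
        k = secrets.randbelow(P - 2) + 2
        if math.gcd(k, P - 1) == 1:
            return k


def encrypt(k, value):
    """E_K(x) = x^k mod P; hence E_A(E_B(x)) = x^(ab) = E_B(E_A(x))."""
    return pow(value, k, P)


def private_intersection(alice_items, bob_items):
    """Run both roles of the protocol from the slides; returns the items Alice
    learns are shared. Neither side ever sees the other's plaintext elements."""
    ka, kb = keygen(), keygen()
    # Round 1: each side sends its elements encrypted under its own key.
    alice_sends = [encrypt(ka, to_group(x)) for x in alice_items]
    bob_sends = [encrypt(kb, to_group(y)) for y in bob_items]
    # Round 2: each side re-encrypts what it received and sends it back.
    bob_returns = [encrypt(kb, v) for v in alice_sends]   # h(x) for Alice's items, in order
    alice_doubly = {encrypt(ka, v) for v in bob_sends}    # h(y) for Bob's items
    # Alice matches the h-values of her own items against Bob's doubly encrypted set.
    return {x for x, hx in zip(alice_items, bob_returns) if hx in alice_doubly}
```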
Summary on Secure Shared Processing
- Secure intersection, joins, data mining
- But are there other examples?
Conclusions
Traditional data security confined to one server
- Security in SQL
- Security in statistical databases
Attacks possible due to:
- Poor implementation of security policies: SQL injection
- Unintended information leakage in published data
Conclusions
State of the industry:
- Data security policies: scattered throughout applications
- Database no longer center of the security universe
- Needed: automatic means to translate complex policies into physical implementations
State of research: data security in global data sharing
- Information leakage, privacy, secure computations, etc.
- Database research community has an increased appetite for cryptographic techniques
Questions?