
Current Trends in Data Security

Dan Suciu
Joint work with Gerome Miklau

Data Security
Dorothy Denning, 1982:
Data Security is the science and study of methods of protecting data (...) from unauthorized disclosure and modification
Data Security = Confidentiality + Integrity

Data Security
Distinct from systems and network security
Assumes these are already secure

Tools:
Cryptography, information theory, statistics, ...

Applications:
An enabling technology

Outline
Traditional data security
Two attacks
Data security research today
Conclusions

Traditional Data Security
Security in SQL = Access control + Views
Security in statistical databases = Theory

[Griffith & Wade '76, Fagin '78]

Access Control in SQL
GRANT privileges ON object TO users [WITH GRANT OPTION]
privileges = SELECT | INSERT | DELETE | ...
object = table | attribute

REVOKE privileges ON object FROM users [CASCADE]

Views in SQL
A SQL View = (almost) any SQL query
Typically used as:
CREATE VIEW pmpStudents AS
SELECT * FROM Students WHERE ...
GRANT SELECT ON pmpStudents TO DavidRispoli

Summary of SQL Security
Limitations:
No row-level access control
Table creator owns the data: that's unfair!
Access control = great success story of the DB community...
or spectacular failure:
Only 30% assign privileges to users/roles
And then to protect entire tables, not columns

Summary (cont)
Most policies in middleware: slow, error prone:

SAP has 10^4 tables
GTE over 10^5 attributes
A brokerage house has 80,000 applications
A US government entity thinks that it has 350K

Today the database is not at the center of the policy administration universe

[Rosenthal & Winslett 2004]

[Adam & Wortmann 89]

Security in Statistical DBs
Goal:
Allow arbitrary aggregate SQL queries
Hide confidential data

Not OK:
SELECT name
FROM Patient
WHERE age = 42
and sex = 'M'
and diagnostic = 'schizophrenia'

OK:
SELECT count(*)
FROM Patients
WHERE age = 42
and sex = 'M'
and diagnostic = 'schizophrenia'

[Adam & Wortmann 89]

Security in Statistical DBs
What has been tried:
Query restriction
Query size control, query set overlap control, query monitoring
None is practical

Data perturbation
Most popular: cell combination, cell suppression
Other methods, for continuous attributes: may introduce bias

Output perturbation
For continuous attributes only

Summary on Security in Statistical DB
Original goal seems impossible to achieve
Cell combination/suppression are popular, but do not allow arbitrary queries

Outline
Traditional data security
Two attacks
Data security research today
Conclusions

[Chris Anley, Advanced SQL Injection In SQL]

SQL Injection
Your health insurance company lets you see the claims online:
First login:
User: fred
Password: ********
Now search through the claims:
Search claims by: Dr. Lee

SELECT ... FROM ... WHERE doctor = 'Dr. Lee' and patientID = 'fred'

SQL Injection
Now try this:
Search claims by: Dr. Lee' OR patientID = 'suciu';
.. WHERE doctor = 'Dr. Lee' OR patientID = 'suciu'; and patientID = 'fred'

Better:
Search claims by: Dr. Lee' OR 1=1;

SQL Injection
When you're done, do this:

Search claims by: Dr. Lee'; DROP TABLE Patients;

SQL Injection
The DBMS works perfectly. So why is SQL injection possible so often?
Quick answer:
Poor programming: use stored procedures!

Deeper answer:
Move policy implementation from apps to DB

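The "poor programming" the slides blame is the search box being pasted into the SQL text. The following is an added example (not code from the talk or from any insurer): it builds a constructed Claims table in SQLite and shows the slide's claims search written both ways. The vulnerable version reproduces the slide's own "Dr. Lee' OR patientID = 'suciu" input leaking another patient's claim; the parameterized version binds the input as a value, which is the same code/data separation the slide recommends via stored procedures. Table and column names (Claims, patientID, doctor, amount) are assumptions for the example.

```python
import sqlite3


def open_claims_db():
    """Constructed sample data (not the slide's insurer database)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Claims(patientID TEXT, doctor TEXT, amount INTEGER);
        INSERT INTO Claims VALUES ('fred',  'Dr. Lee', 100);
        INSERT INTO Claims VALUES ('fred',  'Dr. Kim', 200);
        INSERT INTO Claims VALUES ('suciu', 'Dr. Lee', 300);
    """)
    return con


def search_claims_vulnerable(con, patient_id, doctor):
    # The slide's pattern: the search box content becomes part of the SQL
    # text, so a quote in the input ends the literal and the rest is parsed
    # as SQL; the injected OR then overrides the patientID restriction.
    sql = (f"SELECT patientID, doctor, amount FROM Claims "
           f"WHERE doctor = '{doctor}' AND patientID = '{patient_id}' "
           f"ORDER BY patientID, doctor")
    return con.execute(sql).fetchall()


def search_claims_parameterized(con, patient_id, doctor):
    # Hardened form: the query text is fixed and the input is bound as a
    # value, so whatever it contains is only ever compared to the doctor
    # column and the patientID restriction cannot be bypassed.
    sql = ("SELECT patientID, doctor, amount FROM Claims "
           "WHERE doctor = ? AND patientID = ? ORDER BY patientID, doctor")
    return con.execute(sql, (doctor, patient_id)).fetchall()


if __name__ == "__main__":
    con = open_claims_db()
    probe = "Dr. Lee' OR patientID = 'suciu"   # the input from the slide
    print(search_claims_vulnerable(con, "fred", probe))     # includes suciu's claim
    print(search_claims_parameterized(con, "fred", probe))  # []
```

The parameterized version returns nothing for the probe because no doctor is literally named that string; the logged-in patient's restriction stays in force no matter what the search box contains.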
Latanya Sweeney's Finding
In Massachusetts, the Group Insurance Commission (GIC) is responsible for purchasing health insurance for state employees
GIC has to publish the data:
GIC(zip, dob, sex, diagnosis, procedure, ...)

Latanya Sweeney's Finding
Sweeney paid $20 and bought the voter registration list for Cambridge Massachusetts:

GIC(zip, dob, sex, diagnosis, procedure, ...)
VOTER(name, party, ..., zip, dob, sex)

Latanya Sweeney's Finding
zip, dob, sex
William Weld (former governor) lives in Cambridge, hence is in VOTER
6 people in VOTER share his dob
only 3 of them were men (same sex)
Weld was the only one in that zip
Sweeney learned Weld's medical records!

Latanya Sweeney's Finding
All systems worked as specified, yet important data has leaked

How do we protect against that?
Some of today's research in data security addresses breaches that happen even if all systems work correctly

Summary on Attacks
SQL injection:
A correctness problem:
Security policy implemented poorly in the application

Sweeney's finding:
Beyond correctness:
Leakage occurred when all systems work as specified

Outline
Traditional data security
Two attacks
Data security research today
Conclusions

Research Topics in Data Security
Rest of the talk:
Information Leakage
Privacy
Fine grained access control
Data encryption
Secure shared computation

[Samarati & Sweeney 98, Meyerson & Williams 04]

Information Leakage: k-Anonymity

Definition: each tuple is equal to at least k-1 others

Anonymizing: through suppression and generalization

Original table:
First     Last    Age   Race
Harry     Stone   34    AfrAm
John      Reyser  36    Cauc
Beatrice  Stone   47    AfrAm
John      Ramos   22    Hisp

Anonymized table:
First     Last    Age    Race
*         Stone   30-50  AfrAm
John      R*      20-40  *
*         Stone   30-50  AfrAm
John      R*      20-40  *

Hard: NP-complete for suppression only
Approximations exist

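Sweeney's linkage (the GIC and VOTER slides above) and k-anonymity are two sides of one measurement: how many published rows are unique on the attributes a public source also carries. The block below is an added example, not code from the talk or from the cited papers. It uses constructed GIC and VOTER rows (placeholder names, not the real releases), computes the k of a table over its quasi-identifiers, lists the registry entries that a join would map to exactly one published row, and then applies one generalization step plus suppression, the two operations the k-anonymity slide names, and re-measures. The specific generalization (3-digit zip prefix, birth year) is an assumption chosen for the example.

```python
from collections import Counter, defaultdict

# Constructed sample data, not the real GIC release or the Cambridge voter list:
# a published medical table and a public registry that share zip, dob and sex.
GIC = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "flu"},
    {"zip": "02138", "dob": "1945-07-31", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1945-07-31", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1960-01-02", "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "dob": "1960-01-02", "sex": "M", "diagnosis": "flu"},
]
VOTER = [
    {"name": "voter-1", "zip": "02138", "dob": "1945-07-31", "sex": "M"},
    {"name": "voter-2", "zip": "02138", "dob": "1945-07-31", "sex": "F"},
    {"name": "voter-3", "zip": "02139", "dob": "1945-07-31", "sex": "M"},
    {"name": "voter-4", "zip": "02139", "dob": "1960-01-02", "sex": "M"},
    {"name": "voter-5", "zip": "02139", "dob": "1960-01-02", "sex": "M"},
]
QUASI_IDS = ("zip", "dob", "sex")   # the attributes the two sources share


def qid(row):
    return tuple(row[a] for a in QUASI_IDS)


def anonymity_level(rows):
    """Largest k for which the table is k-anonymous: the size of its smallest
    equivalence class over the quasi-identifiers (1 means some row is unique)."""
    classes = Counter(qid(r) for r in rows)
    return min(classes.values()) if classes else 0


def linkable(published, registry):
    """Registry names whose quasi-identifiers match exactly one published row,
    i.e. the records a join of the two sources would re-identify."""
    by_qid = defaultdict(list)
    for r in published:
        by_qid[qid(r)].append(r)
    return {v["name"]: by_qid[qid(v)][0]["diagnosis"]
            for v in registry if len(by_qid.get(qid(v), [])) == 1}


def generalize(row):
    """One generalization step (assumed for the example): keep a 3-digit zip
    prefix and the birth year only."""
    g = dict(row)
    g["zip"] = row["zip"][:3] + "**"
    g["dob"] = row["dob"][:4]
    return g


def anonymize(rows, k):
    """Generalize every row, then suppress rows whose class is still smaller than k."""
    generalized = [generalize(r) for r in rows]
    classes = Counter(qid(r) for r in generalized)
    return [r for r in generalized if classes[qid(r)] >= k]


if __name__ == "__main__":
    print(anonymity_level(GIC), linkable(GIC, VOTER))      # 1 and three re-identified names
    safe = anonymize(GIC, 2)
    print(anonymity_level(safe), linkable(safe, [generalize(v) for v in VOTER]))  # 2 and {}
```

Measuring `linkable` against the generalized registry is the right check: an attacker holding the registry can generalize it the same way the publisher did, so the release is only safe if that join still yields no unique match.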
[Miklau & S 04, Miklau & Dalvi & S 05, Yang & Li 04]

Information Leakage: Query-view Security
Have data:

TABLE Employee(name, dept, phone)

Secret Query               View(s)                            Disclosure?
S(name)                    V(name, phone)                     total
S(name, phone)             V1(name, dept), V2(dept, phone)    big
S(name)                    V(dept)                            tiny
S(name) where dept=HR      V(name) where dept=RD              none

Summary on Information Disclosure
The theoretical research:
Exciting new connections between databases and information theory, probability theory, cryptography
[Abadi & Warinschi 05]

The applications:
many years away

Privacy
Is the right of individuals to determine for themselves when, how and to what extent information about them is communicated to others [Agrawal 03]
More complex than confidentiality

Privacy
Involves:
Data
Owner
Requester
Purpose
Consent

Example: Alice gives her email alice@a.b.com to a web service

Privacy policy: P3P

Hippocratic Databases
DB support for implementing privacy policies.
Purpose specification
Consent
Limited use
Limited retention
Figure labels: alice@a.b.com, Hippocratic DB, Privacy policy: P3P

Protection against:
Sloppy organizations

Malicious organizations

[Agrawal 03, LeFevrey 04]

Privacy for Paranoids
Idea: rely on trusted agents
Figure labels: alice@a.b.com, Agent, aly1@agenthost.com, lice27@agenthost.com, foreign keys?

Protection against:
Sloppy organizations
Malicious attackers

[Aggarwal 04]

Summary on Privacy
Major concern in industry
Legislation
Consumer demand

Challenge:
How to enforce an organization's stated policies

Fine-grained Access Control
Control access at the tuple level.
Policy specification languages
Implementation

Policy Specification Language
No standard, but usually based on parameterized views.
CREATE AUTHORIZATION VIEW PatientsForDoctors AS
SELECT Patient.*
FROM Patient, Doctor
WHERE Patient.doctorID = Doctor.ID
and Doctor.login = %currentUser

Context parameters: %currentUser

Implementation
User query:
SELECT Patient.name, Patient.age
FROM Patient
WHERE Patient.disease = 'flu'

Rewritten query:
SELECT Patient.name, Patient.age
FROM Patient, Doctor
WHERE Patient.disease = 'flu'
and Patient.doctorID = Doctor.ID
and Doctor.login = %currentUser

e.g. Oracle

Two Semantics
The Truman Model = filter semantics
transform reality
ACCEPT all queries
REWRITE queries
Sometimes misleading results:

SELECT count(*)
FROM Patients
WHERE disease = 'flu'

The non-Truman model = deny semantics
reject queries
ACCEPT or REJECT queries
Execute query UNCHANGED
May define multiple security views for a user

[Rizvi 04]

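To make the parameterized view of the Policy Specification slide and the two semantics of this slide concrete, here is an added example (not code from the talk, from Rizvi et al., or from any DBMS). It builds the slide's Patient/Doctor schema with constructed rows in SQLite, models the %currentUser context parameter as a SQL function reading session state, and implements both semantics over the same authorization view: the Truman model rewrites the query to run against the view, and the non-Truman model runs it unchanged but rejects it unless the authorized view gives the same answer. Comparing the two answers is this example's simplified stand-in for a validity test, not the paper's algorithm; the `current_user()` function and the table rows are assumptions.

```python
import re
import sqlite3

# Session state read by the SQL function that plays the role of %currentUser.
SESSION = {"user": None}


def open_db():
    """Constructed schema and rows (not the slide's database)."""
    con = sqlite3.connect(":memory:")
    # Context parameter: the authorization view calls current_user() at query time.
    con.create_function("current_user", 0, lambda: SESSION["user"])
    con.executescript("""
        CREATE TABLE Doctor(ID INTEGER PRIMARY KEY, login TEXT);
        CREATE TABLE Patient(name TEXT, age INTEGER, disease TEXT, doctorID INTEGER);
        INSERT INTO Doctor VALUES (1, 'lee'), (2, 'kim');
        INSERT INTO Patient VALUES ('Ann', 30, 'flu', 1), ('Bob', 41, 'flu', 2),
                                   ('Cid', 55, 'cold', 1);
        CREATE VIEW PatientsForDoctors AS
            SELECT Patient.* FROM Patient, Doctor
            WHERE Patient.doctorID = Doctor.ID AND Doctor.login = current_user();
    """)
    return con


def truman(con, user, query):
    """Filter semantics: accept every query and rewrite it against the
    authorization view, so the user silently sees only their own rows."""
    SESSION["user"] = user
    rewritten = re.sub(r"\bPatient\b", "PatientsForDoctors", query)
    return con.execute(rewritten).fetchall()


def non_truman(con, user, query):
    """Deny semantics: run the query unchanged, but only return its answer if
    the authorized view yields the same one; otherwise reject (None).
    Answering wrongly is never an option, rejecting is."""
    SESSION["user"] = user
    answer = con.execute(query).fetchall()
    return answer if answer == truman(con, user, query) else None


if __name__ == "__main__":
    con = open_db()
    q = "SELECT count(*) FROM Patient WHERE disease = 'flu'"
    print(truman(con, "lee", q))       # [(1,)]: misleading, the true count is 2
    print(non_truman(con, "lee", q))   # None: rejected instead of answered wrongly
```

The count query is the slide's "sometimes misleading results" case: under filter semantics Dr. Lee gets 1 without any sign the answer was restricted, while deny semantics refuses it. A query that only touches the doctor's own rows is accepted unchanged by both.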
Summary of Fine Grained Access Control
Trend in industry: label-based security
Killer app: application hosting
Independent franchises share a single table at headquarters (e.g., Holiday Inn)
Application runs under requester's label, cannot see other labels
Headquarters runs Read queries over them

Oracle's Virtual Private Database

[Rosenthal & Winslett 2004]

Data Encryption for Publishing
Scientist wants to publish medical research data on the Web
Users and their keys:

All authorized users: K_user
Patient: K_pat
Doctor: K_dr
Nurse: K_nu
Administrator: K_admin

Complex Policies:

Doctor researchers may access trials
Nurses may access diagnostic
Etc

What is the encryption granularity?

[Miklau & S. 03]

Data Encryption for Publishing
Doctor: K_user, K_dr
Nurse: K_user, K_nu
Nurse + admin: K_user, K_nu, K_adm

An XML tree protection:
Figure: a <patient> tree with elements <privateData>, <diagnostic> (flu), <name> (Joe Doe), <age> (28), <address> (Seattle), <drug> (Tylenol), <trial> and <placebo> (Candy), whose subtrees are guarded by the keys K_user, K_pat, K_dr, K_nu, K_adm and K_master, some in combination (K_pat(K_nu K_adm), K_nu K_dr).

Summary on Data Encryption
Industry:
Supported by all vendors: Oracle, DB2, SQL Server
Efficiency issues still largely unresolved

Research:
Hard theoretical security analysis
[Abadi & Warinschi 05]

Secure Shared Processing
Alice has a database DB_A
Bob has a database DB_B
How can they compute Q(DB_A, DB_B), without revealing their data?
Long history in cryptography
Some database queries are easier than general case

[Agrawal 03]

Secure Shared Processing
Task: find intersection without revealing the rest

Alice: a b c d
Bob: c d e

Compute one-way hash:
Alice: h(a) h(b) h(c) h(d)
Bob: h(c) h(d) h(e)

Exchange:
Alice receives h(c) h(d) h(e)
Bob receives h(a) h(b) h(c) h(d)

What's wrong?

[Agrawal 03]

Secure Shared Processing
Alice: a b c d, key E_A
Bob: c d e, key E_B

Commutative encryption:
h(x) = E_A(E_B(x)) = E_B(E_A(x))

Alice sends E_A(a) E_A(b) E_A(c) E_A(d); Bob sends E_B(c) E_B(d) E_B(e)
Bob applies E_B to Alice's list and returns h(a) h(b) h(c) h(d)
Alice applies E_A to Bob's list and obtains h(c) h(d) h(e)

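The two intersection slides above differ in one property: with a plain one-way hash, each side can test candidate values against the other side's list offline, whereas with commutative encryption neither side can compute h(x) = E_A(E_B(x)) on its own. The block below is an added example of the second protocol, not code from the talk or from Agrawal et al. It instantiates E_K(v) = v^K mod P over the multiplicative group modulo the Mersenne prime 2^127 - 1, where exponentiations with keys coprime to P-1 commute; that group, the SHA-256 mapping of items into it, and the message layout are assumptions chosen to keep the example self-contained (a deployment would use a larger standard group).

```python
import hashlib
import math
import secrets

# Group for the commutative cipher: exponentiation modulo the Mersenne prime
# 2**127 - 1 (assumed here for a compact, self-contained illustration).
P = 2**127 - 1


def hash_to_group(item):
    """The h(x) step of the first protocol: map an item to a nonzero element mod P."""
    digest = hashlib.sha256(item.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (P - 1)


def keygen():
    """Secret exponent coprime to P-1, so v -> v^k mod P is a bijection."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if math.gcd(k, P - 1) == 1:
            return k


def encrypt(key, value):
    """E_K(v) = v^K mod P. E_A(E_B(v)) = v^(A*B) = E_B(E_A(v)), so it commutes."""
    return pow(value, key, P)


def commutes(key_a, key_b, value):
    return encrypt(key_a, encrypt(key_b, value)) == encrypt(key_b, encrypt(key_a, value))


def private_intersection(alice_items, bob_items, key_a=None, key_b=None):
    """The exchange from the slide; returns the items Alice learns are shared.
    Every value on the wire is encrypted under at least one party's key."""
    key_a = key_a or keygen()
    key_b = key_b or keygen()
    # Round 1: each side encrypts its own hashed items and sends the list over.
    alice_sends = [encrypt(key_a, hash_to_group(x)) for x in alice_items]
    bob_sends = [encrypt(key_b, hash_to_group(y)) for y in bob_items]
    # Round 2: Bob applies E_B to Alice's list and returns it (now h(a)..h(d));
    # Alice applies E_A to Bob's list herself (now h(c), h(d), h(e)).
    bob_returns = [encrypt(key_b, c) for c in alice_sends]
    alice_computes = {encrypt(key_a, c) for c in bob_sends}
    # bob_returns[i] is h(alice_items[i]); a match means the item is in Bob's set.
    return {x for x, hx in zip(alice_items, bob_returns) if hx in alice_computes}


if __name__ == "__main__":
    print(sorted(private_intersection(["a", "b", "c", "d"], ["c", "d", "e"])))  # ['c', 'd']
```

Alice learns only which of her own items are shared; Bob learns nothing unless the final lists are also sent to him, which is the slide's asymmetry as well.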
Summary on Secure Shared Processing
Secure intersection, joins, data mining
But are there other examples?

Outline
Traditional data security
Two attacks
Data security research today
Conclusions

Conclusions
Traditional data security confined to one server
Security in SQL
Security in statistical databases

Attacks possible due to:
Poor implementation of security policies: SQL injection
Unintended information leakage in published data

Conclusions
State of the industry:
Data security policies: scattered throughout applications
Database no longer center of the security universe
Needed: automatic means to translate complex policies into physical implementations

State of research: data security in global data sharing
Information leakage, privacy, secure computations, etc.
Database research community has an increased appetite for cryptographic techniques

Questions?
