CSC437 Fall2013 Module 8 DatabaseSecurity
Source: Figure 5.2: W. Stallings: Computer Security: Principles and Practice, 2nd edition
Primary Key, Foreign Key and View
• To create a relationship between two tables, the
attributes that define the primary key in one table must
appear as attributes in another table, where they are
referred to as a foreign key.
• Whereas the value of a primary key must be unique for
each row of its table, a foreign key value can appear
multiple times in a table, so that there is a one-to-many
relationship.
• A “View” is a virtual table:
– It is the result of a query that returns selected rows and columns
from one or more tables.
– It is possible to construct a view from a single table.
– Views are often used for security purposes. A view can provide
restricted access to a relational database so that a user or
application only has access to certain rows or columns.
Relational Database Example
Example:
REVOKE SELECT ON ANY TABLE FROM kenny
Source: Figure 5.4: W. Stallings: Computer Security: Principles and Practice, 2nd ed.
Inference
• Inference is the process of performing authorized
queries and deducing unauthorized information from the
legitimate responses received.
• The inference problem arises when a combination of a
number of data items is more sensitive than the
individual items, or when a combination of data items
can be used to infer data of a higher sensitivity.
• Attackers may use non-sensitive data and metadata
(knowledge about correlations or dependencies among
data items).
• The information transfer path by which unauthorized
data is obtained is referred to as an inference channel.
• Two techniques to derive additional information:
– Analyzing functional dependencies between attributes within a
table or across tables
– Merging views with the same constraints
Inference Example
[Figure: Employee Table with two views, View V1 and View V2]
• Inference Countermeasures
– At design time: alter the database structure. For example, split
the table into multiple tables with some common attribute(s)
among them and change the access control regime.
– At query time: monitor and alert, or reject the query. This needs an
inference detection algorithm, which is more difficult and is a
subject of on-going research.
Inference Countermeasures (implementation)
• Split the Employee Table into three tables: Employee Name Table,
Salary Table and Employee Name-ID Table.
• Grant the regular user permission to access only the Employee
Name and Salary Tables.
• Make the administrator the only one with access to the
Employee Name-ID Table.
• Store each table sorted according to a particular attribute.
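The partitioning countermeasure above, together with the view-based access restriction from the earlier slide, as an added worked example (not from the slides or from Stallings). It uses sqlite3, which has no GRANT/REVOKE, so an authorizer callback stands in for the access control regime; the Employee rows are constructed sample data.

```python
import sqlite3

# Constructed sample of the original Employee table: (emp_id, name, salary).
EMPLOYEES = [(2, "Adams", 52000), (7, "Brown", 61000),
             (3, "Kline", 70000), (5, "Miller", 48000)]

def build_partitioned_db(same_order):
    """Split Employee into Name, Salary and Name-ID tables. same_order=True keeps the
    original row order in every table (flawed); False sorts each table on its own attribute."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE emp_name(name TEXT);
        CREATE TABLE emp_salary(salary INTEGER);
        CREATE TABLE emp_name_id(name TEXT, emp_id INTEGER);  -- administrator only
        -- Regular users see Name and Salary only through views; pos = physical row order.
        CREATE VIEW user_names AS SELECT rowid AS pos, name FROM emp_name;
        CREATE VIEW user_salaries AS SELECT rowid AS pos, salary FROM emp_salary;
    """)
    names = [n for _, n, _ in EMPLOYEES]
    salaries = [s for _, _, s in EMPLOYEES]
    if not same_order:
        names.sort()
        salaries.sort()
    con.executemany("INSERT INTO emp_name VALUES (?)", [(n,) for n in names])
    con.executemany("INSERT INTO emp_salary VALUES (?)", [(s,) for s in salaries])
    con.executemany("INSERT INTO emp_name_id VALUES (?, ?)", [(n, i) for i, n, _ in EMPLOYEES])
    return con

def as_regular_user(con):
    """Access control regime: sqlite3 has no GRANT/REVOKE, so an authorizer
    callback denies the regular user every read of the Name-ID table."""
    def authorizer(action, table, column, dbname, source):
        if action == sqlite3.SQLITE_READ and table == "emp_name_id":
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    con.set_authorizer(authorizer)

def can_read_name_id(con):
    try:  # True if the current role may read the administrator-only table
        con.execute("SELECT emp_id FROM emp_name_id").fetchall()
        return True
    except sqlite3.DatabaseError:
        return False

def infer_salary_by_position(con, name):
    """Regular user's inference attempt: pair the i-th stored name with the i-th salary."""
    names = [r[0] for r in con.execute("SELECT name FROM user_names ORDER BY pos")]
    salaries = [r[0] for r in con.execute("SELECT salary FROM user_salaries ORDER BY pos")]
    return dict(zip(names, salaries)).get(name)
```

With the same row order in every table the position pairing recovers Kline's true salary; with each table sorted on its own attribute the pairing is wrong, and the Name-ID table that would re-link them is not readable by the regular user.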
Inference Countermeasures (implementation… continued…)
Can Inference work?
[Table 5.5: Inferred Information; Partitioned Database]
Note that the record for Kline has to be omitted, because she is the
only female in the class of 1981.
Source: Table 5.5: W. Stallings: Computer Security: Principles and Practice, 2nd ed.
Query Denial: Information Leakage
• With query restriction techniques (that either deny or return an exact
answer), the denial of a query may provide sufficient clues that an
attacker can deduce underlying information.
• Example: Assume a database has real-valued entries and that a query
is denied only if it would enable the requestor to deduce a value.
– Suppose the requestor poses the query for sum(x1, x2, x3) and the
response is 15.
– Then, the requestor queries max(x1, x2, x3) and the query is denied. What
can the requestor infer from this?
• If max(x1, x2, x3) < 5, then sum(x1, x2, x3) would have to be < 15,
contradicting the answer already given.
• If max(x1, x2, x3) > 5, then revealing the maximum value would not
lead to the inference of any individual value.
• Hence, the query is denied only if max(x1, x2, x3) = 5, which implies
that x1 = x2 = x3 = 5.
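The denial reasoning above, as an added example (not from the slides): a toy oracle that applies the slide's restriction rule to sum and max queries, and the requester's inference from a denied max query. The entries and n are constructed inputs; the inference generalizes to any n.

```python
from fractions import Fraction

class RestrictingOracle:
    """Statistical database over real-valued entries x1..xn. It answers sum and max
    exactly, and denies a query only if its answer would let the requester deduce
    an individual entry (the slide's restriction rule)."""
    def __init__(self, values):
        self.values = [Fraction(v) for v in values]
        self.released_sum = None  # remembers what has already been disclosed

    def query_sum(self):
        self.released_sum = sum(self.values)
        return self.released_sum

    def query_max(self):
        m = max(self.values)
        # Once the sum is out, the max pins down every entry exactly when
        # n * max == sum, i.e. all entries are equal. Deny in that case only.
        if self.released_sum is not None and m * len(self.values) == self.released_sum:
            return None  # query denied
        return m

def infer_from_denial(sum_answer, n, max_answer):
    """Requester's reasoning. If max was released, no single entry is pinned down
    (return None). If max was denied, the rule itself leaks: denial means
    max == sum/n, which forces every entry to equal the mean."""
    if max_answer is not None:
        return None
    return [Fraction(sum_answer) / n] * n
```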
The transformed database D’ has the same statistics as D for any one or two
attributes. However, three-attribute statistics are not preserved.
Example: Count(EE * Male * 4.0) = 1 in D and 0 in D’ (statistic not preserved).
Average GPA of Biology majors is the same in D and D’ (statistic preserved).
Data Perturbation: Modify Data based on Underlying Probability Distribution of Attribute Values
• For each confidential or sensitive attribute, determine the
probability distribution function that best matches the
data and estimate the parameters of the distribution
function.
• Another approach:
– Calculate the statistic on the requested query set and
then adjust the answer up or down by a given amount
in some systematic or randomized fashion.
Limitations of Perturbation Techniques
• It is difficult to add sufficient perturbation to hide
data without badly distorting the results.
Source: Figure 5.10: W. Stallings: Computer Security: Principles and Practice, 2nd ed.
A Simple DB Encryption Scheme
• Steps:
– The user issues a query for fields from one or more records with a
specific value of the primary key (the query itself is unencrypted).
– The query processor stores the query, encrypts the primary key and
sends it to the server (the query now carries the value of the primary
key in encrypted form).
– The server obtains encrypted records from the data owner using
the encrypted primary key as the index.
– The retrieved records (in their encrypted form) are sent to the query
processor, which decrypts them using the secret key shared between
the query processor and the data owner.
– The values for the decrypted fields of interest are sent to the user,
who is unaware of the database encryption.
• The secret key for encryption is stored as part of the metadata.
• Queries based on ranges of attribute values (e.g., Salary > 500)
cannot be searched.
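The data flow of this scheme as an added example (not from the slides or Stallings): the encrypted primary key serves as the server's index, and the range query Salary > 500 cannot be pushed to the server. Assumptions: the records are constructed sample data, and a keyed SHA-256 stands in for the block cipher because the Python standard library has none; the code models the flow, not real encryption.

```python
import hashlib, hmac, json

SECRET_KEY = b"constructed-shared-secret"  # held by query processor and data owner (metadata)

def encrypt_pk(pk):
    """Deterministic encryption of the primary key: equal keys give equal ciphertexts, so
    the server can index on it. Stand-in: HMAC-SHA256, as the stdlib has no block cipher."""
    return hmac.new(SECRET_KEY, b"pk|" + str(pk).encode(), hashlib.sha256).hexdigest()

def _xor_keystream(token, data):
    """Toy keyed-hash stream (not real encryption): the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(SECRET_KEY, token.encode() + (i // 32).to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_record(token, record):
    return _xor_keystream(token, json.dumps(record, sort_keys=True).encode())

def decrypt_record(token, ciphertext):
    return json.loads(_xor_keystream(token, ciphertext))

# Data owner's plaintext (constructed); the server holds only ciphertext keyed by encrypted pk.
OWNER_RECORDS = {101: {"name": "Alice", "dept": "EE", "salary": 450},
                 102: {"name": "Bob", "dept": "CS", "salary": 720},
                 103: {"name": "Carol", "dept": "EE", "salary": 610}}
SERVER_STORE = {encrypt_pk(pk): encrypt_record(encrypt_pk(pk), rec)
                for pk, rec in OWNER_RECORDS.items()}

def query_by_pk(pk, fields):
    """Query processor path from the slide: encrypt the key, fetch by that index, decrypt,
    project the requested fields. Returns (projected record or None, records transferred)."""
    token = encrypt_pk(pk)
    ciphertext = SERVER_STORE.get(token)
    if ciphertext is None:
        return None, 0
    record = decrypt_record(token, ciphertext)
    return {f: record[f] for f in fields}, 1

def query_salary_over(threshold):
    """The limitation: the server cannot evaluate Salary > threshold on ciphertext, so all
    records are transferred and filtered after decryption. Returns (names, transferred)."""
    names = []
    for token, ciphertext in SERVER_STORE.items():
        record = decrypt_record(token, ciphertext)
        if record["salary"] > threshold:
            names.append(record["name"])
    return sorted(names), len(SERVER_STORE)
```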
Binary Encryption Scheme
• Treat each record as a contiguous block of bits (when
the attribute values are concatenated together).
• For some or all of the attributes, an index value is
created.
• For each row Bi of the unencrypted database, the
mapping is:
Source: Table 5.7: W. Stallings: Computer Security: Principles and Practice, 2nd ed.