Computer Science and Engineering

Computer System Security

CSE 5339/7339

Session 21

November 2, 2004

Contents

Introduction to Database
Database Security
Group Work
Kay's presentation

Introduction to Database

Consider an enterprise, an airline for example

Large amount of data kept for long period of time

Information about: passengers, flights, aircraft, and personnel

Queries

Operations

Four Major Components

Data

Hardware

Software

Users – end user + application programmer + administrator

Levels of Abstraction in a DBMS

View 1, View 2, ..., View n

Conceptual Database

Physical Database

Important Concepts in Database

Data independence – storage media; application
Schema – record definition
Relation – table
Indexing – B trees
Entity/Relationship model – entity, entity set, attributes, key, relationship
Relational Database – information for an enterprise (entities and relationships) held in a relational database
SQL – query language, programming language, embedded vs. interactive

Recovery and Concurrency

Transaction – single execution of a program; a logical unit of work

Concurrency Problems
Lost update problem
Uncommitted dependency problem
Inconsistent analysis problem

Solving the problem – the use of locks

Locks

Problems – livelock, deadlock

Serial schedule, serializable schedule

Transactions must have the ACID properties

Atomicity – all or nothing
Consistency – only correct results are committed
Isolation – events within a transaction are hidden
Durability – committed results must be guaranteed

Transaction execution

Begin – Commit: okay
Begin – Failure: system crash
Begin – Abort: by the user
Begin – System Abort: time out or deadlock

Four Recovery Actions

Transaction UNDO

Global UNDO – all incomplete transactions must be rolled back

Partial REDO – results of complete transactions that may not have been reflected in the DB

Global REDO – Archive recovery – old copy + archive log

Famous Diagram (figure not reproduced): transactions T1 to T5 on a time axis relative to a checkpoint and a failure


Group Work

Discuss the two-phase update technique. Why is it needed? Work a simple example with your group.

Sensitive Data

Data that should not be made public

Nothing sensitive and everything sensitive – can be handled by access control to the database itself

Some but not all are sensitive – not only data elements but context and meaning

Factors that make data sensitive:
Inherently sensitive
From a sensitive source
Declared sensitive
Part of a sensitive attribute or a sensitive record
Sensitive in relation to previously disclosed information

Types of Disclosures

Exact data – most serious disclosure
Bounds – sensitive data is between L and H
Negative result – a value that is not zero
Existence
Probable value – probability that a certain element has a certain value

A successful security strategy must protect against both direct and indirect disclosures


Inference Problem

A way to infer or derive sensitive data from non-sensitive data

Consider the following database:

Name Sex Race Aid Fines Drugs Dorm

Direct Attack

Obvious:

Select Name where Sex = M and Drug = 1

Less Obvious:

Select Name where (Sex = M and Drug = 1) or (Sex ≠ M and Sex ≠ F) or (Dorm = Caruth)

Indirect Attack

To infer a final result based on one or more intermediate statistical results.

SUM example: it might seem safe to report student aid totals by sex and dorm

      Holmes  East   West   Total
M      5000   3000   4000   12000
F      7000      0   4000   11000
Total 12000   3000   8000   23000

We can infer that any female living in East, such as Mary, is not receiving aid.

Indirect Attack

COUNT example: report the count of student records by dorm and sex

      Holmes  East  West  Total
M         1     3     1      5
F         2     1     3      6
Total     3     4     4     11

Combined with the sum report, one can infer that the single male in Holmes and the single male in West are receiving $5000 and $4000 respectively. Names can be found easily.

Indirect Attack – Tracker attacks

Count((Sex = F) and (Race = White) and (Dorm = Holmes)) – if the result is one, the system may conceal it

count(a and b and c) = count(a) – count(a and not(b and c))

Count(Sex = F)

Count((Sex = F) and ((Race ≠ White) or (Dorm ≠ Holmes)))
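The SUM/COUNT inference and the tracker above, worked as an added Python example that is not part of the original slides: it runs over a constructed roster whose per-cell sums and counts reproduce the lecture's two tables, `stat_count` implements the "conceal a result of one" control, and `tracker_count` shows that the concealed count is recovered from two permitted queries, which is why that control alone is insufficient.

```python
from itertools import product

# Constructed roster (not from the original slides), built so that its
# SUM(aid) and COUNT breakdowns by sex and dorm reproduce the lecture's tables.
FIELDS = ("name", "sex", "race", "aid", "fines", "drugs", "dorm")
STUDENTS = [dict(zip(FIELDS, row)) for row in [
    ("Adams",   "M", "White", 5000,  0, 0, "Holmes"),
    ("Bailey",  "M", "Black", 1000,  0, 1, "East"),
    ("Chin",    "M", "Asian", 2000, 10, 0, "East"),
    ("Dewitt",  "M", "White",    0,  0, 0, "East"),
    ("Earhart", "M", "White", 4000,  0, 1, "West"),
    ("Fein",    "F", "White", 3000,  0, 0, "Holmes"),
    ("Groff",   "F", "Black", 4000,  5, 0, "Holmes"),
    ("Mary",    "F", "White",    0,  0, 0, "East"),
    ("Hill",    "F", "Asian", 4000,  0, 0, "West"),
    ("Koch",    "F", "White",    0,  0, 1, "West"),
    ("Liu",     "F", "White",    0,  0, 0, "West"),
]]
SEXES, DORMS = ("M", "F"), ("Holmes", "East", "West")

def report(agg):
    """A 'safe-looking' report: one aggregate per (sex, dorm) cell, no names."""
    return {(s, d): agg([r for r in STUDENTS if r["sex"] == s and r["dorm"] == d])
            for s, d in product(SEXES, DORMS)}

def lone_cell_disclosures():
    """Combine the SUM and COUNT reports: any cell holding a single record
    discloses that student's exact aid (e.g. the one female in East)."""
    sums = report(lambda rs: sum(r["aid"] for r in rs))
    counts = report(len)
    return {cell: sums[cell] for cell in counts if counts[cell] == 1}

def stat_count(pred):
    """Statistical query interface with the lecture's control applied:
    a result of exactly one record is concealed (None)."""
    n = sum(1 for r in STUDENTS if pred(r))
    return None if n == 1 else n

def tracker_count(a, b, c):
    """Tracker: count(a and b and c) = count(a) - count(a and not(b and c)).
    Both right-hand queries match more than one record, so neither is concealed."""
    return stat_count(a) - stat_count(lambda r: a(r) and not (b(r) and c(r)))

if __name__ == "__main__":
    is_f = lambda r: r["sex"] == "F"
    white = lambda r: r["race"] == "White"
    holmes = lambda r: r["dorm"] == "Holmes"
    print(lone_cell_disclosures())
    print(stat_count(lambda r: is_f(r) and white(r) and holmes(r)))  # None: concealed
    print(tracker_count(is_f, white, holmes))  # 1: the concealed count, recovered
```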

Controls for Statistical Inference Attacks

Suppress obviously sensitive information

Track what the user knows – very costly; what about two colluding users, or one user with multiple IDs?

Disguise the data – statistical results are close but not exact

Group Work

Discuss a situation in which the sensitivity of an aggregate is greater than that of its constituent values. Discuss a situation in which the sensitivity of an aggregate is less than that of its constituent values.