Sensitive Data

Data that should not be made public
What if some but not all of the elements of a DB are sensitive?
  • Inherently sensitive
  • From a sensitive source
  • Declared sensitive
  • Part of a sensitive attribute or record
  • Sensitive in relation to previously disclosed information

Access Decisions

Need an access policy (programmed into DBMS)
Availability – blocking; permanent blocking
Acceptability of Access (sensitive data)
Assurance of Authenticity

Types of Disclosures

Exact Data
Bounds
Negative Results
Existence of Data
Probable Values

Security vs. Precision

Aim to protect all sensitive data while revealing as much nonsensitive data as possible
Want to maintain perfect confidentiality with maximum precision

Inference

Way to infer / derive sensitive data from nonsensitive data

Direct Attack
  • List NAME where SEX=M ^ DRUGS=1
  • List NAME where (SEX=M ^ DRUGS=1) v (SEX≠M ^ SEX≠F) v (DORM=AYRES)

Indirect Attack
Sum
  • Show STUDENT-AID WHERE SEX=F ^ DORM=Grey
Count
  • Show Count, STUDENT-AID WHERE SEX=M ^ DORM=Holmes
  • List NAME where (SEX=M ^ DORM=Holmes)
Median
Tracker Attacks – using additional queries that produce small results

Controls

Suppression – don’t provide sensitive data
Concealing – don’t provide actual values (“close to”)
Limited Response Suppression
  • n-item k-percent rule eliminates low frequency elements from being displayed (may need to suppress additional rows/columns)

Controls

Combined Results
  • Sums
  • Ranges
  • Rounding
Random Sample
Random Data Perturbation
Query Analysis – “should the result be provided”
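The following is an added example, not code from the slides, that ties the inference slide to two of the controls just listed. It is a tiny statistical-query interface over a constructed student table (attribute names follow the slides; the people and values are invented). It applies limited response suppression (an n-item k-percent rule, here with n=2 and k=80 as assumed parameters) and a simple form of query analysis that tracks what the user has already been told: a new result set whose symmetric difference with an earlier answer is smaller than n is refused, which is exactly the shape a tracker attack has (one large query, and a second one differing from it by a few records). The `StatDB` class and `demo()` function are this example's own names.

```python
from __future__ import annotations

from collections.abc import Callable

# Constructed sample table (attribute names follow the slides; people and
# values are invented for this example).
STUDENTS = [
    {"NAME": "Adams",   "SEX": "M", "DORM": "Holmes", "DRUGS": 1, "AID": 5000},
    {"NAME": "Bailey",  "SEX": "M", "DORM": "Grey",   "DRUGS": 0, "AID": 0},
    {"NAME": "Chin",    "SEX": "F", "DORM": "West",   "DRUGS": 0, "AID": 3000},
    {"NAME": "Dewitt",  "SEX": "M", "DORM": "Ayres",  "DRUGS": 0, "AID": 1000},
    {"NAME": "Earhart", "SEX": "F", "DORM": "Holmes", "DRUGS": 1, "AID": 2000},
    {"NAME": "Fein",    "SEX": "M", "DORM": "West",   "DRUGS": 0, "AID": 2000},
    {"NAME": "Groff",   "SEX": "M", "DORM": "Grey",   "DRUGS": 1, "AID": 4500},
    {"NAME": "Hill",    "SEX": "F", "DORM": "Grey",   "DRUGS": 0, "AID": 500},
]

Predicate = Callable[[dict], bool]


class StatDB:
    """Statistical interface: answers COUNT and SUM, never lists names.

    n: a result set (or its complement) smaller than n is suppressed.
    k: a SUM in which one record contributes more than k percent is suppressed.
    answered: result sets already released to this user (what the user knows).
    """

    def __init__(self, records: list[dict], n: int = 2, k: int = 80) -> None:
        self.records = records
        self.n = n
        self.k = k
        self.answered: list[frozenset[str]] = []

    def _select(self, pred: Predicate) -> frozenset[str]:
        return frozenset(r["NAME"] for r in self.records if pred(r))

    def _check(self, names: frozenset[str]) -> str | None:
        # n-item rule, applied to the complement too: "everyone except X"
        # discloses X just as well as a set containing only X.
        if len(names) < self.n or len(self.records) - len(names) < self.n:
            return "suppressed: result set too small"
        # Query analysis against what the user already knows: a tracker pairs
        # a large query with one differing from it by a few records, so the
        # symmetric difference with any released set must also be >= n.
        for prev in self.answered:
            if 0 < len(names ^ prev) < self.n:
                return "suppressed: differs from an earlier answer by too few records"
        return None

    def count(self, pred: Predicate):
        names = self._select(pred)
        reason = self._check(names)
        if reason:
            return reason
        self.answered.append(names)
        return len(names)

    def sum_of(self, attr: str, pred: Predicate):
        names = self._select(pred)
        reason = self._check(names)
        if reason:
            return reason
        values = [r[attr] for r in self.records if r["NAME"] in names]
        total = sum(values)
        # k-percent rule: one dominant contributor makes the sum nearly its value
        if total and max(values) * 100 > self.k * total:
            return "suppressed: one record dominates the sum"
        self.answered.append(names)
        return total


def demo() -> dict:
    db = StatDB(STUDENTS)
    out = {}
    # direct attack from the slides: the predicate isolates one student
    out["direct"] = db.count(lambda r: r["SEX"] == "M" and r["DORM"] == "Holmes")
    # a broad query is fine and is remembered
    out["broad"] = db.count(lambda r: r["SEX"] == "M")
    # tracker: broad set plus one more person; the difference would be Earhart
    out["tracker"] = db.count(lambda r: r["SEX"] == "M" or r["NAME"] == "Earhart")
    # SUM where one student's aid is nearly the whole total
    out["sum_dominated"] = db.sum_of("AID", lambda r: r["DORM"] == "Grey")
    # SUM over a set where no one dominates
    out["sum_ok"] = db.sum_of("AID", lambda r: r["DORM"] == "West")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note the limits of what this shows: the overlap check only compares against sets this user has been given, so knowledge a user brings from outside the system (the "previously disclosed information" case on the first slide) is not covered, and rounding or perturbation of the released values, also listed under Controls, is a separate layer on top of suppression.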

Conclusion on the Inference Problem

Suppress obviously sensitive information
Track what the user knows
Disguise the data

Aggregation

Building sensitive results from less sensitive inputs
Data mining – process of sifting through multiple databases and correlating multiple data elements to find useful information

Multilevel Databases

Differentiated Security
  • Security of single element may be different from security of other elements
  • Two levels – sensitive and nonsensitive – are inadequate to represent some security situations
  • Security of an aggregate (sum, count, …) may be different from security of the individual elements

Granularity

Security Issues

Integrity
  • *-property for access control
  • Either process cleared at a high level cannot write to a lower level or process must be a “trusted process”
Confidentiality
  • Different users at different levels may get different query results
  • Polyinstantiation – record can appear more than once with different levels of confidentiality

Proposals for Multilevel Security

Separation
  • Partitioning – divide DB into separate DBs with own level of sensitivity
  • Encryption (time consuming)
  • Integrity Lock – each data item contains a sensitivity label and a checksum
    • Sensitivity label must be unforgeable, unique, concealed
    • Checksum must be unique
    • Sensitivity lock
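An added example of the integrity lock idea, not code from the slides: each stored element carries its value, a sensitivity label and a checksum. The slides only say "checksum"; the design choice assumed here is a keyed HMAC (SHA-256) computed by the trusted front end over the value, the label and the element's position (record id, attribute), which is what makes the label unforgeable and the checksum unique to that element. The key, the level names, and the `lock`/`verify`/`read`/`demo` functions are this example's own. Concealment of the label (the third property on the slide) is not implemented; it would need the label or the whole element to be encrypted as well.

```python
import hashlib
import hmac
import json

# Constructed key; in the architecture the slides describe it would be held
# only by the trusted front end, never by the untrusted DBMS.
KEY = b"constructed-demo-key"

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


def _message(record_id, attribute, value, label) -> bytes:
    # Binding the element's position (record, attribute) into the message is
    # what makes the checksum unique to this element: the same value and label
    # stored elsewhere get a different checksum, so elements cannot be swapped.
    return json.dumps([record_id, attribute, value, label]).encode()


def lock(record_id, attribute, value, label, key=KEY) -> dict:
    """Build the stored element: value, sensitivity label, checksum."""
    if label not in LEVELS:
        raise ValueError(f"unknown label {label!r}")
    digest = hmac.new(key, _message(record_id, attribute, value, label), hashlib.sha256)
    return {"value": value, "label": label, "checksum": digest.hexdigest()}


def verify(record_id, attribute, element, key=KEY) -> bool:
    """Recompute the checksum for this position and compare in constant time."""
    expected = hmac.new(
        key,
        _message(record_id, attribute, element["value"], element["label"]),
        hashlib.sha256,
    ).hexdigest()
    return hmac.compare_digest(expected, element["checksum"])


def read(record_id, attribute, element, user_level, key=KEY):
    """Trusted front end: reject tampered elements, then enforce the label."""
    if not verify(record_id, attribute, element, key):
        return "rejected: checksum mismatch"
    if LEVELS[user_level] < LEVELS[element["label"]]:
        return "denied"
    return element["value"]


def demo() -> dict:
    elem = lock(17, "AID", 5000, "secret")
    out = {
        "cleared": read(17, "AID", elem, "secret"),
        "uncleared": read(17, "AID", elem, "unclassified"),
    }
    # label rewritten to a lower level without the key: checksum no longer matches
    out["relabelled"] = read(17, "AID", dict(elem, label="unclassified"), "unclassified")
    # element copied into another record: the position is part of the checksum
    out["moved"] = read(18, "AID", elem, "secret")
    # value changed in place: also detected
    out["altered"] = read(17, "AID", dict(elem, value=1), "secret")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The cost the next slide points out is visible here: every element grows by a label and a 64-hex-character checksum, and every read recomputes an HMAC before the access decision is even made.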

Design of Multilevel Secure Databases

Integrity Lock – not efficient (space/time)
Trusted Front-end (Guard) – does authentication and filtering
Commutative Filters
  • screen the user’s requests and reformat them so that only appropriate data is returned

Design of Multilevel Secure Databases

Distributed (federated) database
  • Trusted front-end controls access to two DBMSs – one for high-sensitivity data and one for low-sensitivity data
  • Very complex
Window/View
  • Subset of a database containing exactly the information that the user is entitled to access