Sensitive Data

Data that should not be made public
What if some but not all of the elements of a DB are sensitive?
• Inherently sensitive
• From a sensitive source
• Declared sensitive
• Part of a sensitive attribute or record
• Sensitive in relation to previously disclosed information

Access Decisions

Need an access policy (programmed into DBMS)
Availability – blocking; permanent blocking
Acceptability of Access (sensitive data)
Assurance of Authenticity

Types of Disclosures

Exact Data
Bounds
Negative Results
Existence of Data
Probable Values

Security vs. Precision

Aim to protect all sensitive data while revealing as much nonsensitive data as possible
Want to maintain perfect confidentiality with maximum precision

Inference

Way to infer / derive sensitive data from nonsensitive data
(In the queries below, ^ is AND, v is OR and # is "not equal".)

Direct Attack
• List NAME where SEX=M ^ DRUGS=1
• List NAME where (SEX=M ^ DRUGS=1) v (SEX#M ^ SEX#F) v (DORM=AYRES)

Indirect Attack
Sum
• Show STUDENT-AID WHERE SEX=F ^ DORM=Grey
Count
• Show Count, STUDENT-AID WHERE SEX=M ^ DORM=Holmes
• List NAME where (SEX=M ^ DORM=Holmes)
Median
Tracker Attacks – using additional queries that produce small results

Controls

Suppression – don't provide sensitive data
Concealing – don't provide actual values ("close to")
Limited Response Suppression
• n-item k-percent rule eliminates low frequency elements from being displayed (may need to suppress additional rows/columns)

Controls (cont.)

Combined Results
• Sums
• Ranges
• Rounding
Random Sample
Random Data Perturbation
Query Analysis – "should the result be provided"

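The following is an added example, not code from the original slides: a small statistical-query gate over a constructed student table that applies the controls listed above before releasing a count or a sum. It enforces a minimum result-set size (and a minimum complement size), the n-item k-percent rule for sums, rounding of the released figure, and a query-analysis step that refuses a result set differing from an already answered one by only a few rows, which is the property a tracker attack needs. The table, the class and parameter names (StatisticalDB, Suppressed, min_rows, n_items, k_percent, round_base) and the thresholds are this example's own choices.

```python
"""Statistical-query gate implementing inference controls (added example).

The rows are constructed sample data, not real people; the thresholds are
illustrative defaults and would be tuned per deployment.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet


@dataclass(frozen=True)
class Student:
    name: str
    sex: str
    dorm: str
    aid: int    # student aid in dollars
    drugs: int  # 1 = counselled for drug use (the sensitive attribute)


# Constructed sample rows (assumption: this is the whole table).
TABLE = [
    Student("Adams", "M", "Holmes", 5000, 1),
    Student("Bailey", "M", "Grey", 0, 0),
    Student("Chin", "F", "West", 3000, 0),
    Student("Dewitt", "M", "Grey", 1000, 0),
    Student("Earhart", "F", "Holmes", 2000, 0),
    Student("Fein", "F", "West", 1000, 1),
    Student("Groff", "M", "West", 4000, 0),
    Student("Hill", "F", "Holmes", 5000, 0),
    Student("Koch", "F", "West", 0, 0),
    Student("Liu", "F", "Grey", 3000, 0),
]


class Suppressed(Exception):
    """Query analysis decided that the result should not be provided."""


class StatisticalDB:
    """Answers only aggregate queries, and only after these checks:
    - result set and its complement each contain at least min_rows rows;
    - the result set does not differ from an already answered one by fewer
      than min_rows rows (otherwise the difference isolates individuals);
    - for sums, the n_items largest contributors do not make up more than
      k_percent of the total (the n-item k-percent rule);
    - sums are released rounded to a multiple of round_base."""

    def __init__(self, rows, min_rows=3, n_items=1, k_percent=50.0, round_base=1000):
        self.rows = list(rows)
        self.min_rows = min_rows
        self.n_items = n_items
        self.k_percent = k_percent
        self.round_base = round_base
        self.answered = []  # row-index sets of every query already released

    def _analyse(self, predicate: Callable[[Student], bool]) -> FrozenSet[int]:
        matched = frozenset(i for i, r in enumerate(self.rows) if predicate(r))
        n, total = len(matched), len(self.rows)
        if n < self.min_rows or total - n < self.min_rows:
            raise Suppressed(f"result set of {n} rows is too small")
        for earlier in self.answered:
            if earlier != matched and len(earlier ^ matched) < self.min_rows:
                raise Suppressed("differs from an earlier answer by too few rows")
        return matched

    def count(self, predicate: Callable[[Student], bool]) -> int:
        matched = self._analyse(predicate)
        self.answered.append(matched)
        return len(matched)

    def total(self, predicate: Callable[[Student], bool], field: str) -> int:
        matched = self._analyse(predicate)
        values = sorted((getattr(self.rows[i], field) for i in matched), reverse=True)
        s = sum(values)
        if s > 0 and sum(values[: self.n_items]) * 100.0 / s > self.k_percent:
            raise Suppressed("largest contributors dominate the sum (n-item k-percent rule)")
        self.answered.append(matched)
        # Combined-result control: release a rounded figure, not the exact sum.
        return int(round(s / self.round_base)) * self.round_base


if __name__ == "__main__":
    db = StatisticalDB(TABLE)
    print("aid for SEX=F:", db.total(lambda r: r.sex == "F", "aid"))
    try:
        db.total(lambda r: r.sex == "F" and r.name != "Hill", "aid")
    except Suppressed as why:
        print("refused:", why)
```

The overlap check is what "track what the user knows" looks like in practice: the gate remembers which row sets it has already released and refuses a new query whose answer, subtracted from an earlier one, would describe fewer than min_rows people. It is a per-session memory and grows with every answered query; a real deployment would bound it.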
Conclusion on the Inference Problem

Suppress obviously sensitive information
Track what the user knows
Disguise the data

Aggregation

Building sensitive results from less sensitive inputs
Data mining – process of sifting through multiple databases and correlating multiple data elements to find useful information

Multilevel Databases

Differentiated Security
• Security of single element may be different from security of other elements
• Two levels – sensitive and nonsensitive – are inadequate to represent some security situations
• Security of an aggregate (sum, count, …) may be different from security of the individual elements
Granularity

Security Issues

Integrity
• *-property for access control
• Either process cleared at a high level cannot write to a lower level or process must be a "trusted process"
Confidentiality
• Different users at different levels may get different query results
• Polyinstantiation – record can appear more than once with different levels of confidentiality

Proposals for Multilevel Security

Separation
• Partitioning – divide DB into separate DBs with own level of sensitivity
• Encryption (time consuming)
• Integrity Lock – each data item contains a sensitivity label and a checksum
    Sensitivity label must be unforgeable, unique, concealed
    Checksum must be unique
    Sensitivity lock

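The following is an added example, not code from the original slides, of how the three requirements on an integrity lock can be met for one data item. The sensitivity label is concealed with a per-item keystream, and the checksum is an HMAC over the item id, the data and the label together, so it is unforgeable without the key, unique to the item (the same data and label under a different id produce a different checksum) and fails if the data or the label is changed or the label is copied from another item. The class and field names are this example's own, and the key is assumed to be held only by the trusted front end that mediates access.

```python
"""Integrity lock: concealed sensitivity label + keyed checksum (added example).

Assumptions: the key lives only in the trusted front end; items are
identified by a string id that is itself part of the checksum. The XOR
keystream is enough to conceal a short label here; a real deployment
would use an authenticated cipher (e.g. AES-GCM) for the label instead.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class LockedItem:
    item_id: str
    data: str
    sealed_label: bytes  # sensitivity label, concealed with a per-item keystream
    checksum: bytes      # HMAC-SHA256 over (item_id, data, label)


class Tampered(Exception):
    """Checksum mismatch: data, label or item id was altered."""


class IntegrityLock:
    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use at least a 256-bit key")
        # Separate sub-keys for concealment and for the checksum.
        self._kc = hmac.new(key, b"conceal", hashlib.sha256).digest()
        self._kh = hmac.new(key, b"checksum", hashlib.sha256).digest()

    def _keystream(self, item_id: str, length: int) -> bytes:
        # Per-item keystream: HMAC(kc, item_id || counter), concatenated.
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._kc, f"{item_id}|{counter}".encode(), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def _conceal(self, item_id: str, label: str) -> bytes:
        raw = label.encode()
        return bytes(a ^ b for a, b in zip(raw, self._keystream(item_id, len(raw))))

    def _reveal(self, item_id: str, sealed: bytes) -> str:
        raw = bytes(a ^ b for a, b in zip(sealed, self._keystream(item_id, len(sealed))))
        return raw.decode("utf-8", "replace")

    def _checksum(self, item_id: str, data: str, label: str) -> bytes:
        # Canonical JSON so that field boundaries cannot be shifted between fields.
        msg = json.dumps([item_id, data, label], separators=(",", ":")).encode()
        return hmac.new(self._kh, msg, hashlib.sha256).digest()

    def seal(self, item_id: str, data: str, label: str) -> LockedItem:
        """Attach a concealed label and a checksum to one data item."""
        return LockedItem(item_id, data, self._conceal(item_id, label),
                          self._checksum(item_id, data, label))

    def open(self, item: LockedItem) -> Tuple[str, str]:
        """Recover (data, label), raising Tampered if the lock does not verify."""
        label = self._reveal(item.item_id, item.sealed_label)
        expected = self._checksum(item.item_id, item.data, label)
        if not hmac.compare_digest(expected, item.checksum):
            raise Tampered(item.item_id)
        return item.data, label


if __name__ == "__main__":
    lock = IntegrityLock(b"\x01" * 32)  # constructed demo key
    item = lock.seal("emp-7", "salary=120000", "SECRET")
    print(lock.open(item))
```

Because the item id is bound into the checksum, a lock cannot be lifted from a low-sensitivity item and pasted onto a high-sensitivity one, and because the label is inside the checksum, downgrading the label without the key is detected. The keystream still leaks the label's length; fixed-width labels avoid that.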
Design of Multilevel Secure Databases

Integrity Lock – not efficient (space/time)
Trusted Front-end (Guard) – does authentication and filtering
Commutative Filters
• screen user's requests, reformats, so that only appropriate data is returned

Design of Multilevel Secure Databases (cont.)

Distributed (federated) database
• Trusted front-end controls access to two DBMSs – one for high-sensitivity data and one for low-sensitivity data
• Very complex
Window/View
• Subset of a database containing exactly the information that the user is entitled to access

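The following is an added example, not code from the original slides, tying together the Security Issues slide (the *-property and polyinstantiation) and the window/view idea above. A relation keys each tuple by (apparent key, classification), so one key may carry an instance per level; a subject's view is exactly the tuples dominated by its clearance, so subjects at different levels get different answers to the same query; and an untrusted subject may not write below its own level unless it is flagged as a trusted process. The level names, class names and sample tuples are this example's own constructed choices, and the subject's clearance is assumed to come from a trusted front end that has already authenticated it.

```python
"""Multilevel relation with polyinstantiation and a clearance-filtered view
(added example). Levels and sample tuples are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}  # unclassified .. top secret


class NoWriteDown(Exception):
    """*-property violation: an untrusted subject tried to write below its level."""


class MultilevelRelation:
    def __init__(self) -> None:
        # The classification is part of the key, so the same apparent key may
        # exist once per level (polyinstantiation).
        self._tuples: Dict[Tuple[str, str], dict] = {}

    def write(self, subject_level: str, key: str, attrs: dict,
              target_level: Optional[str] = None, trusted: bool = False) -> None:
        """Write one instance of `key` at `target_level` (default: the subject's
        own level). Writing down is refused unless the subject is trusted."""
        target = subject_level if target_level is None else target_level
        if LEVELS[target] < LEVELS[subject_level] and not trusted:
            raise NoWriteDown(f"{subject_level} subject may not write at {target}")
        # A low subject inserting a key that already exists at a higher level is
        # not told so (that would disclose existence); the write simply creates
        # another instance at the lower level.
        self._tuples[(key, target)] = dict(attrs)

    def view(self, clearance: str) -> List[Tuple[str, str, dict]]:
        """Window/view: exactly the tuples dominated by the subject's clearance,
        ordered by key and then by level."""
        return sorted(
            ((key, level, attrs) for (key, level), attrs in self._tuples.items()
             if LEVELS[level] <= LEVELS[clearance]),
            key=lambda t: (t[0], LEVELS[t[1]]),
        )

    def query(self, clearance: str, key: str) -> Optional[Tuple[str, dict]]:
        """The instance of `key` at the highest level the subject may see, so
        subjects at different levels can get different answers for one key."""
        visible = [(level, attrs) for (k, level, attrs) in self.view(clearance) if k == key]
        return visible[-1] if visible else None


if __name__ == "__main__":
    rel = MultilevelRelation()
    rel.write("U", "ship-7", {"destination": "Lisbon"})
    rel.write("S", "ship-7", {"destination": "exercise area 4"})
    print("U sees:", rel.query("U", "ship-7"))
    print("S sees:", rel.query("S", "ship-7"))
```

The write path is where the no-write-down rule and polyinstantiation meet: refusing the low-level insert because a higher instance exists would itself be a covert signal, so the insert succeeds and the relation now holds two instances that only a sufficiently cleared subject can see side by side.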