Current Trends in Data Security: Dan Suciu Joint Work With Gerome Miklau


Current Trends in Data Security
Dan Suciu
Joint work with Gerome Miklau

Data Security
Dorothy Denning, 1982:
"Data Security is the science and study of methods of protecting data (...) from unauthorized disclosure and modification"
Data Security = Confidentiality + Integrity

Data Security
Distinct from systems and network security
Assumes these are already secure

Tools:
Cryptography, information theory, statistics, ...

Applications:
An enabling technology

Outline
Traditional data security
Two attacks
Data security research today
Conclusions

Traditional Data Security
Security in SQL = Access control + Views
Security in statistical databases = Theory

[Griffith & Wade '76, Fagin '78]

Access Control in SQL
GRANT privileges ON object TO users [WITH GRANT OPTION]
privileges = SELECT | INSERT | DELETE | ...
object = table | attribute

REVOKE privileges ON object FROM users [CASCADE]

Views in SQL
A SQL View = (almost) any SQL query
Typically used as:
CREATE VIEW pmpStudents AS
  SELECT * FROM Students WHERE ...
GRANT SELECT ON pmpStudents TO DavidRispoli

Summary of SQL Security
Limitations:
No row-level access control
Table creator owns the data: that's unfair!
Access control = great success story of the DB community...
or spectacular failure:
Only 30% assign privileges to users/roles
And then to protect entire tables, not columns

Summary (cont)
Most policies in middleware: slow, error prone:

SAP has 10**4 tables
GTE over 10**5 attributes
A brokerage house has 80,000 applications
A US government entity thinks that it has 350K

"Today the database is not at the center of the policy administration universe"
[Rosenthal & Winslett 2004]

[Adam & Wortmann 89]
Security in Statistical DBs
Goal:
Allow arbitrary aggregate SQL queries
Hide confidential data

Not OK:
SELECT name
FROM Patient
WHERE age = 42
  and sex = 'M'
  and diagnostic = 'schizophrenia'

OK:
SELECT count(*)
FROM Patients
WHERE age = 42
  and sex = 'M'
  and diagnostic = 'schizophrenia'

[Adam & Wortmann 89]
Security in Statistical DBs
What has been tried:
Query restriction
  Query size control, query set overlap control, query monitoring
  None is practical

Data perturbation
  Most popular: cell combination, cell suppression
  Other methods, for continuous attributes: may introduce bias

Output perturbation
  For continuous attributes only

Summary on Security in Statistical DB
Original goal seems impossible to achieve
Cell combination/suppression are popular, but do not allow arbitrary queries

Outline
Traditional data security
Two attacks
Data security research today
Conclusions

[Chris Anley, Advanced SQL Injection In SQL]
SQL Injection
Your health insurance company lets you see the claims online:
First login:
User: fred
Password: ********
Now search through the claims:
Search claims by: Dr. Lee

SELECT ... FROM ... WHERE doctor = 'Dr. Lee' and patientID = 'fred'

SQL Injection
Now try this:
Search claims by: Dr. Lee' OR patientID = 'suciu';
... WHERE doctor = 'Dr. Lee' OR patientID = 'suciu'; and patientID = 'fred'

Better:
Search claims by: Dr. Lee' OR 1=1;

SQL Injection
When you're done, do this:
Search claims by: Dr. Lee'; DROP TABLE Patients;

SQL Injection
The DBMS works perfectly. So why is SQL injection possible so often?
Quick answer:
Poor programming: use stored procedures!

Deeper answer:
Move policy implementation from apps to DB
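The claims search from the preceding slides, written both ways. This is an added example, not code from the talk: it assumes a constructed Claims(patientID, doctor, amount) table in an in-memory SQLite database and the hypothetical function names used here. The vulnerable version splices the search box text into the SQL string, so the "and patientID = 'fred'" policy clause can be rewritten by the user; the safe version binds the input as a parameter, which is what "use stored procedures" buys you. leaked_rows is a review-time check that flags any row the search returns for a patient other than the one logged in.

```python
import sqlite3


def make_db():
    """Constructed sample data: a small Claims table for two patients (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Claims(patientID TEXT, doctor TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO Claims VALUES (?, ?, ?)", [
        ("fred", "Dr. Lee", 120),
        ("fred", "Dr. Kim", 80),
        ("suciu", "Dr. Lee", 300),
    ])
    return conn


def search_claims_vulnerable(conn, patient_id, doctor):
    """The slide's construction: the search text is spliced into the SQL string,
    so the policy 'only your own claims' lives in text the user can rewrite."""
    sql = ("SELECT patientID, doctor, amount FROM Claims "
           f"WHERE doctor='{doctor}' and patientID='{patient_id}'")
    return conn.execute(sql).fetchall()


def search_claims_safe(conn, patient_id, doctor):
    """Same query with bound parameters: the input is data, never SQL, so the
    patientID clause cannot be disabled from the search box."""
    sql = ("SELECT patientID, doctor, amount FROM Claims "
           "WHERE doctor=? and patientID=?")
    return conn.execute(sql, (doctor, patient_id)).fetchall()


def leaked_rows(conn, patient_id, doctor):
    """Rows the vulnerable search returns that belong to someone other than the
    logged-in patient: a check a reviewer can run over test inputs."""
    return [r for r in search_claims_vulnerable(conn, patient_id, doctor)
            if r[0] != patient_id]


if __name__ == "__main__":
    db = make_db()
    probe = "Dr. Lee' OR patientID='suciu"   # the slide's input, with its quotes restored
    print(search_claims_safe(db, "fred", probe))   # [] : treated as a doctor name, matches nothing
    print(leaked_rows(db, "fred", probe))          # [('suciu', 'Dr. Lee', 300)]
```

With the spliced string the WHERE clause becomes doctor='Dr. Lee' OR patientID='suciu' and patientID='fred', and since AND binds tighter than OR every claim filed under Dr. Lee is returned regardless of patient. The parameterized version compares the whole probe string against the doctor column and returns nothing.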

Latanya Sweeney's Finding
In Massachusetts, the Group Insurance Commission (GIC) is responsible for purchasing health insurance for state employees
GIC has to publish the data:
GIC(zip, dob, sex, diagnosis, procedure, ...)

Latanya Sweeney's Finding
Sweeney paid $20 and bought the voter registration list for Cambridge, Massachusetts:

GIC(zip, dob, sex, diagnosis, procedure, ...)
VOTER(name, party, ..., zip, dob, sex)

Latanya Sweeney's Finding
The two tables are linked on (zip, dob, sex):
William Weld (former governor) lives in Cambridge, hence is in VOTER
6 people in VOTER share his dob
only 3 of them were men (same sex)
Weld was the only one in that zip
Sweeney learned Weld's medical records!

Latanya Sweeney's Finding
All systems worked as specified, yet important data has leaked

How do we protect against that?
Some of today's research in data security addresses breaches that happen even if all systems work correctly

Summary on Attacks
SQL injection:
A correctness problem:
Security policy implemented poorly in the application

Sweeney's finding:
Beyond correctness:
Leakage occurred when all systems work as specified

Outline
Traditional data security
Two attacks
Data security research today
Conclusions

Research Topics in Data Security
Rest of the talk:
Information leakage
Privacy
Fine-grained access control
Data encryption
Secure shared computation

[Samarati & Sweeney 98, Meyerson & Williams 04]
Information Leakage: k-Anonymity

Definition: each tuple is equal to at least k-1 others

Anonymizing: through suppression and generalization

Original table:
First     Last    Age  Race
Harry     Stone   34   AfrAm
John      Reyser  36   Cauc
Beatrice  Stone   47   AfrAm
John      Ramos   22   Hisp

After suppression (*) and generalization (age ranges, name prefixes), here k = 2:
First  Last   Age    Race
*      Stone  30-50  AfrAm
John   R*     20-40  *
*      Stone  30-50  AfrAm
John   R*     20-40  *

Hard: NP-complete for suppression only
Approximations exist
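An added example (not from the talk) that ties the Sweeney linkage slides to this one: it measures the re-identification risk of a release by joining it with a public list on the quasi-identifier (zip, dob, sex), computes the k of the release, and then applies one round of generalization and suppression until the table is k-anonymous. The GIC and VOTER rows are constructed, fictional data; the attribute names follow the slides, and the generalization rule (zip to a 3-digit prefix, dob to the year, sex suppressed) is an assumption chosen for the example.

```python
from collections import Counter

QI = ("zip", "dob", "sex")   # the quasi-identifier the voter list shares with GIC

# Constructed sample tables: fictional people, not Sweeney's data.
GIC = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02138", "dob": "1945-07-31", "sex": "F", "diagnosis": "flu"},
    {"zip": "02139", "dob": "1945-07-31", "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "dob": "1945-07-31", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1961-02-14", "sex": "M", "diagnosis": "diabetes"},
]
VOTER = [
    {"name": "Voter A", "zip": "02138", "dob": "1945-07-31", "sex": "M"},
    {"name": "Voter B", "zip": "02138", "dob": "1945-07-31", "sex": "F"},
    {"name": "Voter C", "zip": "02139", "dob": "1945-07-31", "sex": "M"},
    {"name": "Voter D", "zip": "02139", "dob": "1961-02-14", "sex": "M"},
]


def key(row, qi=QI):
    """Projection of a row onto the quasi-identifier."""
    return tuple(row[a] for a in qi)


def k_anonymity(rows, qi=QI):
    """Size of the smallest equivalence class over the quasi-identifier:
    the k for which the table is k-anonymous."""
    return min(Counter(key(r, qi) for r in rows).values())


def reidentify(released, voters, qi=QI):
    """Names that can be attached to a diagnosis: the quasi-identifier value is
    unique in the release AND unique in the public list, as in the Weld case.
    A publisher runs this against the public lists it knows about before release."""
    rel = Counter(key(r, qi) for r in released)
    vot = Counter(key(v, qi) for v in voters)
    diag = {key(r, qi): r["diagnosis"] for r in released}
    return {v["name"]: diag[key(v, qi)] for v in voters
            if rel[key(v, qi)] == 1 and vot[key(v, qi)] == 1}


def generalize(row):
    """One generalization step (assumed rule for this example):
    zip to its 3-digit prefix, dob to the birth year, sex suppressed."""
    g = dict(row)
    g["zip"] = row["zip"][:3] + "**"
    g["dob"] = row["dob"][:4]
    g["sex"] = "*"
    return g


def anonymize(rows, k):
    """Generalize every row, then suppress (drop) rows whose class is still
    smaller than k, so that what remains is k-anonymous."""
    gen = [generalize(r) for r in rows]
    classes = Counter(key(r) for r in gen)
    return [r for r in gen if classes[key(r)] >= k]


if __name__ == "__main__":
    print(k_anonymity(GIC), reidentify(GIC, VOTER))
    released = anonymize(GIC, 2)
    # The linking party must generalize its own list the same way; nothing links.
    print(k_anonymity(released), reidentify(released, [generalize(v) for v in VOTER]))
```

On the raw release k is 1 and three of the four voters can be linked to a diagnosis; after one generalization step the remaining rows form a single class of four, the one row that stayed unique is suppressed, and the join against the voter list yields nothing. The price is visible too: the diabetes row is gone from the release, which is the "do not allow arbitrary queries" trade-off of the statistical-database slides.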

[Miklau & S. 04, Miklau & Dalvi & S. 05, Yang & Li 04]
Information Leakage: Query-View Security
Have data:
TABLE Employee(name, dept, phone)

Secret query             View(s)                          Disclosure?
S(name)                  V(name, phone)                   total
S(name, phone)           V1(name, dept), V2(dept, phone)  big
S(name)                  V(dept)                          tiny
S(name) where dept=HR    V(name) where dept=RD            none

Summary on Information Disclosure
The theoretical research:
Exciting new connections between databases and information theory, probability theory, cryptography
[Abadi & Warinschi 05]

The applications:
many years away

Privacy
Is the right of individuals to determine for themselves when, how and to what extent information about them is communicated to others [Agrawal 03]
More complex than confidentiality

Privacy
Involves:
Data
Owner
Requester
Purpose
Consent

Example: Alice gives her email alice@a.b.com to a web service
Privacy policy: P3P

Hippocratic Databases
DB support for implementing privacy policies:
Purpose specification
Consent
Limited use
Limited retention
(Figure: Alice's address alice@a.b.com is stored in the Hippocratic DB under a P3P privacy policy.)

Protection against:
Sloppy organizations
Malicious organizations

[Agrawal 03, LeFevre 04]

Privacy for Paranoids
Idea: rely on trusted agents
(Figure: Alice's real address alice@a.b.com is known only to the Agent, which gives each service an alias such as aly1@agenthost.com or lice27@agenthost.com.)

Protection against:
Sloppy organizations
Malicious attackers

foreign keys?

[Aggarwal 04]

Summary on Privacy
Major concern in industry
Legislation
Consumer demand

Challenge:
How to enforce an organization's stated policies

Fine-grained Access Control
Control access at the tuple level.
Policy specification languages
Implementation

Policy Specification Language
No standard, but usually based on parameterized views.
CREATE AUTHORIZATION VIEW PatientsForDoctors AS
  SELECT Patient.*
  FROM Patient, Doctor
  WHERE Patient.doctorID = Doctor.ID
    and Doctor.login = %currentUser

%currentUser is a context parameter.

Implementation
The user's query:
SELECT Patient.name, Patient.age
FROM Patient
WHERE Patient.disease = 'flu'

is rewritten by the DBMS (e.g. Oracle) into:
SELECT Patient.name, Patient.age
FROM Patient, Doctor
WHERE Patient.disease = 'flu'
  and Patient.doctorID = Doctor.ID
  and Doctor.login = %currentUser

Two Semantics
The Truman Model = filter semantics
"transform reality"
ACCEPT all queries
REWRITE queries
Sometimes misleading results:
SELECT count(*)
FROM Patients
WHERE disease = 'flu'

The non-Truman model = deny semantics
"reject queries"
ACCEPT or REJECT queries
Execute query UNCHANGED
May define multiple security views for a user

[Rizvi 04]
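The two semantics simulated on SQLite, as an added example that is not from the talk and not Oracle's or Rizvi et al.'s implementation. The Truman function performs the rewrite of the previous slides: every FROM Patient in the user's query is replaced by the parameterized authorization view, and the query always runs. The non-Truman function is a deliberately simplified deny-semantics check (an assumption of this example): a query is accepted and executed unchanged only if it is written over the authorized view PatientsForDoctors, and any query touching the base table is rejected. The Doctor and Patient rows are constructed sample data.

```python
import re
import sqlite3

# The authorization view from the slide, with :currentUser as the context parameter.
AUTH_VIEW = ("SELECT Patient.* FROM Patient, Doctor "
             "WHERE Patient.doctorID = Doctor.ID AND Doctor.login = :currentUser")


def make_db():
    """Constructed sample data: two doctors, four patients."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Doctor(ID INTEGER, login TEXT)")
    conn.execute("CREATE TABLE Patient(name TEXT, age INTEGER, disease TEXT, doctorID INTEGER)")
    conn.executemany("INSERT INTO Doctor VALUES (?, ?)", [(1, "drlee"), (2, "drkim")])
    conn.executemany("INSERT INTO Patient VALUES (?, ?, ?, ?)", [
        ("Ann", 34, "flu", 1), ("Bob", 51, "flu", 2),
        ("Cid", 28, "asthma", 1), ("Dee", 63, "flu", 2),
    ])
    return conn


def truman(conn, sql, current_user):
    """Filter semantics: Patient is silently replaced by the authorization view
    and the query always runs, so aggregates are computed over a filtered table."""
    rewritten = re.sub(r"\bFROM\s+Patient\b",
                       lambda m: f"FROM ({AUTH_VIEW}) AS Patient", sql)
    return conn.execute(rewritten, {"currentUser": current_user}).fetchall()


def non_truman(conn, sql, current_user):
    """Deny semantics (simplified): accept only queries written over the
    authorized view and run them unchanged; reject anything over the base table."""
    tables = re.findall(r"\b(?:FROM|JOIN)\s+(\w+)", sql, flags=re.IGNORECASE)
    if any(t != "PatientsForDoctors" for t in tables):
        raise PermissionError("query rejected: not written over an authorized view")
    # SQLite views cannot take parameters, so the view definition is expanded inline.
    expanded = re.sub(r"\bFROM\s+PatientsForDoctors\b",
                      lambda m: f"FROM ({AUTH_VIEW}) AS PatientsForDoctors", sql)
    return conn.execute(expanded, {"currentUser": current_user}).fetchall()


def true_flu_count(conn):
    """Ground truth over the whole table, to compare with the Truman answer."""
    return conn.execute("SELECT count(*) FROM Patient WHERE disease = 'flu'").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    q = "SELECT count(*) FROM Patient WHERE disease = 'flu'"
    print(true_flu_count(db), truman(db, q, "drlee"))   # 3 vs [(1,)]: the misleading result
    try:
        non_truman(db, q, "drlee")
    except PermissionError as e:
        print(e)
    print(non_truman(db, "SELECT name FROM PatientsForDoctors WHERE disease = 'flu'", "drlee"))
```

The count query is the slide's example of a misleading Truman answer: three patients have the flu, but under drlee's label the rewritten query reports one, and the user has no way to tell that a filter was applied. Under deny semantics the same query is refused outright, while the query phrased over the authorized view runs exactly as written.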

Summary of Fine-Grained Access Control
Trend in industry: label-based security
Killer app: application hosting
Independent franchises share a single table at headquarters (e.g., Holiday Inn)
Application runs under requester's label, cannot see other labels
Headquarters runs Read queries over them

Oracle's Virtual Private Database

[Rosenthal & Winslett 2004]

Data Encryption for Publishing
Scientist wants to publish medical research data on the Web
Users and their keys:
All authorized users: K_user
Patient: K_pat
Doctor: K_dr
Nurse: K_nu
Administrator: K_admin

Complex policies:
Doctor researchers may access trials
Nurses may access diagnostic
Etc.

What is the encryption granularity?

[Miklau & S. 03]

Data Encryption for Publishing
Keys held by each role:
Doctor: K_user, K_dr
Nurse: K_user, K_nu
Nurse + admin: K_user, K_nu, K_adm

[Figure: an XML tree protection. The <patient> document contains <privateData> (with <name> Joe Doe, <age> 28, <address> Seattle and <diagnostic> flu), <drug> Tylenol and <trial> with <placebo> Candy; each subtree is guarded by a key formula over K_user, K_pat, K_dr, K_nu, K_adm and K_master (the operators of the figure's formulas, e.g. the one combining K_pat with K_nu and K_adm, were lost in extraction).]

Summary on Data Encryption
Industry:
Supported by all vendors: Oracle, DB2, SQL Server
Efficiency issues still largely unresolved

Research:
Hard theoretical security analysis
[Abadi & Warinschi 05]

Secure Shared Processing
Alice has a database DB_A
Bob has a database DB_B
How can they compute Q(DB_A, DB_B) without revealing their data?
Long history in cryptography
Some database queries are easier than the general case

[Agrawal 03]
Secure Shared Processing
Alice has {a, b, c, d}; Bob has {c, d, e}
Task: find the intersection without revealing the rest

Compute a one-way hash:
Alice: h(a) h(b) h(c) h(d)
Bob: h(c) h(d) h(e)

Exchange:
Alice receives h(c) h(d) h(e)
Bob receives h(a) h(b) h(c) h(d)

What's wrong?

[Agrawal 03]
Secure Shared Processing
Alice has {a, b, c, d}; Bob has {c, d, e}

Commutative encryption:
h(x) = E_A(E_B(x)) = E_B(E_A(x))

Alice applies E_A: E_A(a) E_A(b) E_A(c) E_A(d)
Bob applies E_B: E_B(c) E_B(d) E_B(e)

Exchange:
Alice receives E_B(c) E_B(d) E_B(e)
Bob receives E_A(a) E_A(b) E_A(c) E_A(d)

Alice applies E_A: h(c) h(d) h(e)
Bob applies E_B: h(a) h(b) h(c) h(d)

Exchange again and compare:
Alice receives h(a) h(b) h(c) h(d); Bob receives h(c) h(d) h(e)
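Both of the preceding slides in running code, as an added example that is not from the talk or from [Agrawal 03]. guess_from_hashes shows what is wrong with the plain-hash version: whoever receives h(x) can recover x whenever the element domain is small enough to enumerate. private_intersection then runs both sides of the commutative-encryption protocol in one process. The commutative cipher is exponentiation modulo a prime, E_K(v) = v^K mod P, which commutes because exponents do; the modulus 2^127 - 1 and the sha256-based encoding of elements into the group are assumptions for this demo only, far below a deployable parameter size.

```python
import hashlib
import math
import secrets

# Toy group: exponentiation modulo the Mersenne prime 2^127 - 1. This is an
# assumed demo parameter, far too small for real use; a deployment would use a
# standard large prime-order group.
P = 2**127 - 1


def naive_hash(x: str) -> str:
    """The first protocol on the slides: a plain one-way hash of the element."""
    return hashlib.sha256(x.encode()).hexdigest()


def guess_from_hashes(received, candidate_domain):
    """What's wrong with the hash version: the receiver of h(x) can hash every
    candidate from a small or predictable domain and read x off the matches."""
    table = {naive_hash(c): c for c in candidate_domain}
    return [table[h] for h in received if h in table]


def to_group(x: str) -> int:
    """Encode an element as a nonzero residue mod P (constructed encoding)."""
    h = int.from_bytes(hashlib.sha256(x.encode()).digest(), "big")
    return h % (P - 1) + 1


def keygen() -> int:
    """A private exponent coprime with P - 1, so that E_K is a bijection."""
    while True:
        k = secrets.randbelow(P - 2) + 2
        if math.gcd(k, P - 1) == 1:
            return k


def enc(key: int, value: int) -> int:
    """E_K(v) = v^K mod P. Exponents commute, so E_A(E_B(v)) = E_B(E_A(v))."""
    return pow(value, key, P)


def private_intersection(alice_set, bob_set):
    """Both sides of the commutative-encryption protocol, run in one process."""
    ka, kb = keygen(), keygen()
    alice_items = sorted(alice_set)
    # Round 1: each party sends its elements under its own key only.
    from_alice = [enc(ka, to_group(x)) for x in alice_items]
    from_bob = [enc(kb, to_group(y)) for y in bob_set]
    # Round 2: Bob applies E_B to Alice's values and returns them in order;
    # Alice applies E_A to Bob's values herself.
    returned = [enc(kb, c) for c in from_alice]      # E_B(E_A(x)) for each x
    doubly_bob = {enc(ka, c) for c in from_bob}      # E_A(E_B(y)) for each y
    # Equal double encryptions mean equal plaintexts, so Alice learns exactly
    # the common elements and nothing about the rest of Bob's set.
    return [x for x, h in zip(alice_items, returned) if h in doubly_bob]


if __name__ == "__main__":
    leaked = guess_from_hashes([naive_hash(v) for v in ["c", "d", "e"]], list("abcdefgh"))
    print(leaked)                                                    # ['c', 'd', 'e']
    print(private_intersection({"a", "b", "c", "d"}, {"c", "d", "e"}))  # ['c', 'd']
```

The guessing step is exactly why the plain-hash exchange fails: the hash is deterministic and unkeyed, so it hides nothing from a party who can enumerate the domain. In the commutative version each single encryption is keyed by the sender, so the values exchanged in round 1 reveal nothing, and the doubly encrypted values only ever agree on elements both sides hold.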

Summary on Secure Shared Processing
Secure intersection, joins, data mining
But are there other examples?

Outline
Traditional data security
Two attacks
Data security research today
Conclusions

Conclusions
Traditional data security confined to one server
Security in SQL
Security in statistical databases

Attacks possible due to:
Poor implementation of security policies: SQL injection
Unintended information leakage in published data

Conclusions
State of the industry:
Data security policies: scattered throughout applications
Database no longer center of the security universe
Needed: automatic means to translate complex policies into physical implementations

State of research: data security in global data sharing
Information leakage, privacy, secure computations, etc.
Database research community has an increased appetite for cryptographic techniques

Questions?
