Introduction To Security and Privacy Einführung in die IT-Sicherheit I

Transcription

1 Introduction To Security and Privacy Einführung in die IT-Sicherheit I Prof. Dr. rer. nat. Doğan Kesdoğan Institut für Wirtschaftsinformatik kesdogan@fb5.uni-siegen.de Source: William Stallings and Lawrie Brown 1

2 Summary Introduction to database and DBMS Statistical Database Inference Limit of Inference Protection Database encryption 2

3 Introduction to Database and DBMS 3

4 Database Security Database structured collection of data stored contains the relationships between data items Database man. system programs for constructing and maintaining database use database description tables to manage physical database interface to the database is through a file/transaction manager Data manipulation/query language uniform interface to the database Database definition lang. define logical structure and procedural properties represented by a set of database description tables 4

5 Relational Databases Constructed from tables of data each column holds a particular type of data each row contains a specific value these ideally has one column where all values are unique, forming an identifier/key for that row Have multiple tables linked by identifiers Use a query language to access data items meeting specified criteria 5

6 Relational Database Example Flat file one entry for each subscriber single two-dimensional data Query language allows user to request selected items of data from all records that fit a given set of criteria 6

7 Relational Database Elements Relation / table / file tuple / row / record attribute / column / field primary key uniquely identifies a row consists of one or more attributes to create a relationship between two tables, the attributes of primary key must be in second table foreign key links one table to attributes in another view / virtual table result of a query that returns selected rows and columns from one or more tables 7

8 Relational Database Elements Department table Did is primary key Employee table contain Did as foreign key relationship between the employee table and the department table View includes employee name, ID, phone number and department name 8

9 Structured Query Language Structure Query Language (SQL) originally developed by IBM in the mid-1970s standardized language to define, manipulate, and query data in a relational database several similar versions of ANSI/ISO standard CREATE TABLE department ( Did INTEGER PRIMARY KEY, Dname CHAR (30), Dacctno CHAR (6) ) CREATE VIEW newtable (Dname, Ename, Eid, Ephone) AS SELECT D.Dname E.Ename, E.Eid, E.Ephone FROM Department D Employee E WHERE E.Did = D.Did CREATE TABLE employee ( Ename CHAR (30), Did INTEGER, SalaryCode INTEGER, Eid INTEGER PRIMARY KEY, Ephone CHAR (10), FOREIGN KEY (Did) REFERENCES department (Did) ) 9

10 Database Access Control DBMS provide access control for database Assume have authenticated user DBMS provides specific access rights to portions of the database e.g. create, insert, delete, update, read, write to entire database, tables, selected rows or columns possibly dependent on contents of a table entry Can support a range of policies: centralized administration small number of privileged users may grant and revoke access rights ownership-based administration owner (creator) of a table may grant and revoke access rights to the table decentralized administration owner of the table may grant and revoke authorization to other users Allow users to grant and revoke access rights to the table 10

11 SQL Access Controls Managing access rights: GRANT { privileges role } [ON table] TO { user role PUBLIC } [IDENTIFIED BY password] [WITH GRANT OPTION] e.g. GRANT SELECT ON ANY TABLE TO ricflair REVOKE { privileges role } [ON table] FROM { user role PUBLIC } e.g. REVOKE SELECT ON ANY TABLE FROM ricflair Typical access rights: SELECT: Grantee may read entire database; individual tables; or specific columns INSERT: Grantee may insert rows in a table DELETE: Grantee may delete rows from a table. UPDATE, DELETE, REFERENCES 11

12 Cascading Authorizations Ann grants the access right to Bob at time t = 10 and to Chris at time t = 20 Bob is able to grant the access right to David at t = 30 Chris redundantly grants the access right to David at t = 50 Ann revokes the access right to Bob and Chris than access right is also revoked to David, Ellen, Jim, and Frank User receives access right multiple times Suppose that Bob revokes the privilege from David David still has the access right because it was granted by Chris at t = 50 Ellen removed, because when David granted the access right to Ellen, David only had the grant option to do this from Bob 12

13 Convention for Cascading Authorizations When a user A revokes an access right, any cascaded access right is also revoked unless that access right would exists even if the original grant from A had never occurred 13

14 Role-Based Access Control Role-based access control work well for DBMS eases admin burden, improves security Categories of database users: application owner end user administrator DB RBAC must manage roles and their users cf. RBAC on Microsoft s SQL Server 14

15 Statistical Database 15

16 Statistical Databases Provides data of a statistical nature e.g. counts, averages Two types: pure statistical database only stores statistical data ordinary database with statistical access some users have normal access, others statistical Access control objective to allow statistical use without revealing individual entries Security problem is one of inference prevent, or at least detect, the statistical user who attempts to gain individual information through one or a series of statistical queries 16

17 Statistical Database Security Characteristic formula C logical formula over the values of attributes e.g. (Sex=Male) AND ((Major=CS) OR (Major=EE)) Abbreviated Boolean operator: AND: OR: NOT: ~ Query set X(C) of characteristic formula C set of records (rows) matching C Statistical query query that produces a value calculated over a query set Example: count(c) = X(C) sum(c, A j ) = i X (C) xij : sum of attribute A j over records in X(C), where x ij is entry at i-th row and j-th column of view represented by X(C) max(c, A j ), min(c, A j ), avg(c, A j ), 17

18 Statistical Database: Query Statistical query: C = Female CS, X(C) consists of records 1 and 4 count(female CS) = 2 sum(female CS, SAT) =

19 Inference 19

20 Inference Inference process of performing authorized queries and deducing unauthorized information from the legitimate responses received arises when combination of a number of data items is more sensitive than the individual items Additional information Functional dependencies between attributes merging views with the same constraints 20

21 Inference: Example No functional relationship between Name and Salary E.g. knowing Name and perhaps other information is sufficient to deduce Salary Access constraint that Name and Salary cannot be access together Knowledge of structure view tables have same row order as Employee table thus able to merge the two views to construct the table (c) 21

22 Inference: Small & Large Query Set Attack Assume: Attacker knows some characteristics of a target (Baker) C = female EE Small size: count(c D) = 1, target has char. D count(c D) = 0, target does not have char. D Large size: count(~(c D))= N, target does not has characteris. D count(~(c D))= N-1, target Example (small size): count(ee Female) = 1, Baker uniquely identified by C sum(ee Female, GP) = 2.5, Baker s grade Example (large size): count(~(c SAT 500))=13, Baker does not have SAT

23 Inference: Small & Large Query Set Attack Query size restriction: Rejects a query that can lead to a compromise by small set or large query set attack Query q(c) is permitted if number records of X(C) satisfies: k X(C) N-k, where k is a fixed integer 23

24 Inference: Tracker Attack Circumventing query restriction Idea: Divide forbidden query into authorised parts Given any query X(C), where requesting characteristic C is forbidden C = C 1 C 2 = C 1 ~(C 1 ~C 2 ) = C 1 ~T, where X(C 1 ) and X(T) are authorised queries Usage: Learning if target has characteristic C count(c) = count(c 1 ) count(t) count(c) = 1 then target uniquely identified by C Can use C to learn other characteristics of target, i.e. D by query count(c D) Tracker: Combination of parts that can be used to track down characteristics Individual tracker: (C 1, T) 24

25 Inference: Tracker Attack Tracking additional characteristics Given: Characteristic of target C = C 1 C 2 = C 1 ~(C 1 ~C 2 ) = C 1 ~T Count(C 1 ), count(t) fulfils query size restriction count(c) = 1 Tracking characteristic D: count(c D) = count(t C 1 D) count(t) If count(c D) = 0 then target does not have characteristic D, else count(c D)=count(C) C 1 T C 1 D C C 2 C 1 T C C 1 D C 2 D D 25

26 Inference: Tracker Attack - Example Tracker (database with statistical access, N=13): Let k = 3 and C = EE Female, T=EE ~Female (Baker s characteristic) k X(EE) = 4 N-k and k X(T) = 3 N-k, thus EE and T are valid queries count(c) = count(ee) count(ee ~Female) = count(ee) count(t) = 1, i.e. Bakers uniquely identified by individual tracker (EE, T) C= EE ᴧ Female Tracking additional characteristics SAT: count(c SAT>600) = count(t EE SAT>600) count(t) = 0 GP: sum(c, GP) = sum(ee, GP) sum(count(t, GP) =

27 Inference: Tracker Attack Note: Tracker attack is possible because of overlapping of C 1 and T=(C 1 ~C 2 ) Query set overlap control: Limit overlap between new & previous queries Issue: Need to keep track of all user s queries is not practical Statistics for query set and its subset cannot be released, which is a restriction for the usability of the data Cannot prevent cooperated query of several users Query denial: Deny query, if it can leak sensitive information Issue: denials can leak information themselves Example: Allowed query: sum(x 1, x 2, x 3 )=15 Denied query: max(x 1, x 2, x 3 ), because max(x 1, x 2, x 3 )=5 would disclose value of each individual variable to be 5 However attack could conclude the same reason for denial by the denial itself 27

28 Inference: Perturbation Provides approximate answers to all queries Data perturbation: Data in SDB are modified (perturbed) to produce statistics that avoids the inference of values for individual records Example: data swapping Output perturbation: Generate statistics that are modified from those that the original database would provide Example: random-sample query, i.e. sample a subset X (C) of query set X(C) and provide statistic on X (C) Issue: Tradeoff between amount of errors and protection against inference 28

29 Inference: Real World Case (Sweeny 2002) Background knowledge: William Weld, governor of Massachusetts Live in Cambridge Massachusetts, 5-digti ZIP code Has records in medical database Inference on released database: Voter list (publicly released database): six people with his birth date; 3 were men; 1 with 5-digit ZIP code Medical data (publicly released database): Linkable by {birth date, Sex, ZIP} {birth date, Sex, ZIP} are called quasiidentifier 87% of US citizen uniquely identifiable by these 3 attributes 29

30 Inference Protection Protection by k-anonymity (Sweeney 2002): Assume all quasiidentifiers a-priori known to release of database Modify data, such that each quasiidentifier applies to at least k records in released database Note: All protection strategies provide are best practice approaches 30

31 Limit of Inference Protection 31

32 Limit of Inference Protection Perfect database security (Dalenius 1977): Access to statistical database should not enable one to learn anything about an individual that could not be learned without access Remember: similar to definition of unconditional security in cryptography Impossibility of perfect database security (Dwork 2006): Given background information it is impossible to provide perfect database security Background information: information of attacker other then provided by database access cannot be avoided and are mostly unknown to database designer a- priori 32

33 Limit of Inference Protection Proof sketch: With database access: Assume attacker has background information that Alice is 10 cm shorter than the average British woman can access statistical database about body size of British woman Thus learns exact height of Alice Without database access: Attacker would not be able to learn Alice s height, in spite of his background information Note: Attack applies regardless whether Alice is in database or not Perfect security cannot be provided for databases when background information is available 33

34 Database Encryption 34

35 Database Encryption Databases typical a valuable info resource protected by multiple layers of security: firewalls, authentication, O/S access control systems, DB access control systems, and database encryption Can encrypt entire database - very inflexible and inefficient individual fields - simple but inflexible records (rows) or columns (attributes) - best also need attribute indexes to help data retrieval Varying trade-offs 35

36 Database Encryption 1. User issues SQL query for fields with a specific value of the primary key. 2. Query processor at client encrypts the primary key, modifies the SQL query accordingly, and transmits the query to the server. 3. Server processes query using the encrypted value of the primary key and returns appropriate records. 4. Query processor decrypts the data and returns the results. 36

37 Literatur Sweeney. k-anonymity: A Model for Protecting Privacy. IJUFKS Volume: 10, Issue: 5(2002) pp Dwork. Differential Privacy. LNCS Volume 4052/2006, pp