Inference and Flow Control


1 Inference and Flow Control

2 Inference Control
Databases often contain information that is sensitive as individual rows but not sensitive as a group.
Example: With salary data across the company, individuals want their own salary kept private, but knowing the average salary for each department is fine.
Statistical database security involves allowing aggregate functions (count, sum, min, max, avg, std_dev) to be run on subsets of the data, but not allowing access to individual records.
However, it is possible to infer the state of particular rows if you are allowed to run repeated statistics on small subsets of rows.
Example: If a department only has 2 people (and you are one of them), you can infer the salary of the other.

3 How could you protect against inference?
1. Disallow queries that involve a small number of rows.
2. Add noise to the results returned.
3. Track which queries are being performed and determine if they can reveal additional information.
4. Lobby for the reduction of statistics education in the US to reduce the problem.
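An added example (not from the original slides) of defences 1 and 3 working together: a gate that refuses small query sets and also refuses a query whose row set differs from an already answered one by only a few rows. The `StatGate` class, the `MIN_ROWS` threshold, the `emp` table and its rows are assumptions constructed for illustration; noise (defence 2) is not implemented here.

```python
import sqlite3

MIN_ROWS = 3  # assumed threshold: smallest query set (or set difference) allowed

# Constructed sample data: (id, dept, salary)
ROWS = [(1, "eng", 100), (2, "eng", 120), (3, "eng", 110), (4, "eng", 150),
        (5, "ops", 90), (6, "ops", 95)]


class StatGate:
    """Answers AVG(salary) only when the query set passes inference checks."""

    def __init__(self, rows):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE emp (id INTEGER, dept TEXT, salary INTEGER)")
        self.db.executemany("INSERT INTO emp VALUES (?, ?, ?)", rows)
        self.history = set()  # query sets (frozensets of row ids) already answered

    def avg_salary(self, dept, exclude_ids=()):
        """Return the average salary, or None when the query is refused."""
        marks = ",".join("?" * len(exclude_ids))
        sql = f"SELECT id, salary FROM emp WHERE dept = ? AND id NOT IN ({marks})"
        found = self.db.execute(sql, (dept, *exclude_ids)).fetchall()
        ids = frozenset(row[0] for row in found)
        # Defence 1: refuse small query sets (the 2-person department case).
        if len(ids) < MIN_ROWS:
            return None
        # Defence 3: refuse when this set differs from an answered set by
        # fewer than MIN_ROWS rows; combining the two averages would expose
        # a statistic over just those few rows.
        for past in self.history:
            if 0 < len(ids ^ past) < MIN_ROWS:
                return None
        self.history.add(ids)
        return sum(row[1] for row in found) / len(found)


if __name__ == "__main__":
    gate = StatGate(ROWS)
    print(gate.avg_salary("ops"))                     # refused: only 2 rows
    print(gate.avg_salary("eng"))                     # answered
    print(gate.avg_salary("eng", exclude_ids=(4,)))   # refused: differs by 1 row
```

The tracking check only compares pairs of query sets; a complete auditor would also have to consider combinations of three or more answered queries.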

4 Flow Control
In some databases, only certain parts contain sensitive information.
In such cases, it is important that the sensitive information is not allowed to move from the protected regions (tables) into the less protected regions.
A flow policy specifies the channels along which information is allowed to move.
Even if an authorized user is allowed to access and write to both sides of a database, flow control prevents the unauthorized movement of information.

5 Covert Channels
A covert channel allows information to pass from a protected level to a less protected level through improper means.
Tracking the SELECT and modification queries stops the easy attacks, but there are more subtle mechanisms.
A timing channel relies on timing how long a query takes to respond. The time a query takes can indicate which rows exist in a table, even if the query doesn't yield any data.
Example: I can query the "Bad Reviews" table for a particular student, and a longer response time means the student wrote a bad review of me.
A storage channel uses system information, or other means, to determine information about a protected region.
Example: A query on the table "Bad Reviews" uses up more memory if a row exists than if it doesn't.

