Decentralized information flow control for databases

Privacy and integrity concerns have been mounting in recent years as sensitive data such as medical records, social network records, and corporate and government secrets are increasingly stored in online systems. The rate of high-profile breaches has illustrated that current techniques are inadequate for protecting sensitive information. Many of these breaches involve databases that handle information for a multitude of individuals, but databases do not provide practical tools to protect those individuals from each other, so that task is relegated to the application.

This dissertation describes a system that improves security in a principled way by extending the database system and the application platform to support information flow control. Information flow control has been gaining traction as a practical way to protect information in the contexts of programming languages and operating systems. Recent research advocates the decentralized model for information flow control (DIFC), since it provides the expressiveness needed to protect data for many individuals with varied security concerns. However, despite the fact that most applications implicated in breaches rely on relational databases, there have been no prior comprehensive attempts to extend DIFC to a database system.

This dissertation introduces IFDB, a database management system that supports DIFC with minimal overhead. IFDB pioneers the Query by Label model, which gives applications a simple way to state constraints on the confidentiality and integrity of the data they obtain from the database. The dissertation also defines new abstractions for managing information flows in a database and proposes new ways to address covert channels. Finally, the IFDB implementation and case studies with real applications demonstrate that database support for DIFC improves security, is easy for developers to use, and has good performance.

Thesis Supervisor: Barbara Liskov
Title: Institute Professor
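The abstract describes DIFC labels and the Query by Label model only in outline. The following Python is an added illustration, not code from the dissertation and not IFDB's actual API: it models the standard DIFC flow rule (secrecy tags may only be added along a flow, integrity tags may only be dropped) over a small in-memory table whose rows each carry a label, and a Query-by-Label style read in which the caller's label is fixed and rows that cannot flow to it are filtered out. The class and function names, the tags and the patient records are all constructed for this example.

```python
"""Decentralized information flow control (DIFC) labels on a row store.

Constructed illustration: it models the standard DIFC flow rule and a
Query-by-Label style read; the class and function names are assumptions for
this example, not IFDB's real API or storage format."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

Tag = str


@dataclass(frozen=True)
class Label:
    """secrecy: tags the data must not be leaked past (each owned by the
    principal that minted it); integrity: tags vouching for provenance."""
    secrecy: FrozenSet[Tag] = frozenset()
    integrity: FrozenSet[Tag] = frozenset()

    def can_flow_to(self, dst: "Label") -> bool:
        # Data may flow from self to dst only if dst carries every secrecy tag
        # of self (nothing is declassified) and claims no integrity tag that
        # self lacks (nothing is endorsed).
        return self.secrecy <= dst.secrecy and self.integrity >= dst.integrity


Row = Tuple[Label, Dict[str, str]]


class LabeledTable:
    """A table whose rows each carry their own label."""

    def __init__(self) -> None:
        self.rows: List[Row] = []

    def insert(self, writer: Label, row_label: Label, values: Dict[str, str]) -> None:
        # A write is a flow from the writer into the row: refuse it rather
        # than silently store data at a label the writer may not write to.
        if not writer.can_flow_to(row_label):
            raise PermissionError(f"writer {writer} cannot flow to row {row_label}")
        self.rows.append((row_label, dict(values)))

    def query_by_label(self, reader: Label,
                       where: Callable[[Dict[str, str]], bool] = lambda v: True
                       ) -> List[Dict[str, str]]:
        # Query by Label, as assumed here: the reader's label is fixed for the
        # query and rows that cannot flow to it are dropped from the result,
        # not reported as errors.  The result therefore never carries data
        # the reader is not cleared for, and the reader's label does not
        # float upward as a side effect of looking.
        return [dict(v) for lbl, v in self.rows if lbl.can_flow_to(reader) and where(v)]


# Constructed sample data: two patients' records plus one public notice.
ALICE, BOB, CLINIC = "alice.secret", "bob.secret", "clinic.verified"


def build_sample_table() -> LabeledTable:
    t = LabeledTable()
    clinic = Label(integrity=frozenset({CLINIC}))  # trusted, endorsed writer
    t.insert(clinic, Label(frozenset({ALICE}), frozenset({CLINIC})),
             {"patient": "alice", "dx": "flu"})
    t.insert(clinic, Label(frozenset({BOB}), frozenset({CLINIC})),
             {"patient": "bob", "dx": "asthma"})
    t.insert(Label(), Label(), {"notice": "clinic closed Monday"})
    return t


def run_scenarios() -> Dict[str, object]:
    t = build_sample_table()
    alice_app = Label(secrecy=frozenset({ALICE}))
    auditor = Label(secrecy=frozenset({ALICE, BOB}))
    verified_only = Label(secrecy=frozenset({ALICE, BOB}), integrity=frozenset({CLINIC}))

    out: Dict[str, object] = {
        # Alice's app sees her own record and the public notice, never Bob's.
        "alice_sees": sorted(r.get("patient", "public") for r in t.query_by_label(alice_app)),
        "auditor_count": len(t.query_by_label(auditor)),
        # Requiring clinic-verified integrity filters out the unendorsed notice.
        "verified_count": len(t.query_by_label(verified_only)),
    }

    # Integrity: an unendorsed process may not write a clinic-verified row.
    try:
        t.insert(Label(), Label(integrity=frozenset({CLINIC})), {"patient": "mallory"})
        out["forged_endorsement_rejected"] = False
    except PermissionError:
        out["forged_endorsement_rejected"] = True

    # Secrecy: a process tainted by Alice's data may not write a public row.
    try:
        t.insert(alice_app, Label(), {"notice": "alice has flu"})
        out["leak_to_public_rejected"] = False
    except PermissionError:
        out["leak_to_public_rejected"] = True
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

The design point worth noticing is that the read path filters rather than fails: a per-row "access denied" would itself reveal the existence of rows the caller is not cleared to see, which is exactly the kind of storage channel the dissertation's treatment of covert channels is concerned with. The write path, by contrast, does fail loudly, because an unlabeled write cannot leak what the caller already knows.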
