Inference Problems in Multilevel Secure Database Management Systems

An inference channel in a database is a means by which one can infer data classified at a high level from data classified at a low level. The inference problem is the problem of detecting and removing inference channels. It is clear that inference problems are of vital interest to the designers and users of secure databases. Database management systems are intended to provide the means for efficient storage and retrieval of information. Their very power means that if they are not properly designed to prevent illegal inferences, they not only will not prevent such inferences, but will greatly assist users in forming them. Yet so far inference problems in multilevel databases have not been studied very deeply. This is partly due to the difficulty of the problem, and probably also due to the fact that one cannot implement any means of controlling inferences until one has solved the more fundamental problem of determining how one stores and retrieves multilevel data. This essay surveys the state of the art of the study of inference problems in multilevel databases. We describe particular strategies that have been developed for certain inference problems, as well as more general models of the inference problems and the tools that have been developed for handling them. We do not describe work on preventing inferences in statistical databases, which we consider a specialized problem not necessarily relevant to the inference problem in multilevel databases. However , we do note that the work on statistical databases shows that one can be successful in preventing inferences if one carefully limits the scope of the problem one is studying. Before beginning our survey, we should point out that all the models and techniques discussed here, and indeed all attempts to deal with inference control in database systems, have one limitation in common. An inference of sensitive data from nonsensitive data can only be repre