Benchmarking Untrustworthiness in DBMS Configurations

Database Management Systems (DBMS) usually operate in environments so complex that assessing the security impact of any particular configuration choice is an extremely hard task. DBMS configuration untrustworthiness can be defined as a measure of how much one should distrust a given configuration's ability to prevent the most common security threats from manifesting as real attacks. In this paper we propose an approach to benchmark untrustworthiness in DBMS configurations. This benchmark allows database administrators to compare the trustworthiness of individual configuration choices from several perspectives, taking into account the threats that are meaningful for a particular environment. The paper discusses the characteristics of this type of tool and presents a preliminary untrustworthiness comparison of four real database installations (based on four different DBMS engines). Results show that untrustworthiness benchmarking can easily be used to compare and enhance the security of database systems.
