Towards Database Firewalls

Authentication-based access control and integrity constraints are the major approaches applied in commercial database systems to guarantee information and data integrity. However, due to operational mistakes, malicious intent of insiders, or identity fraud exploited by outsiders, data secured in a database can still be corrupted. Once attacked, database systems using current survivability technologies cannot continue providing satisfactory services according to differentiated information assurance requirements. In this paper, we present the innovative idea of a database firewall, which can not only serve differentiated information assurance requirements in the face of attacks, but also guarantee the availability and the integrity of data objects based on user requirements. Our approach provides a new strategy of integrity-aware data access based on an on-the-fly iterative estimation of the integrity level of data objects. Accordingly, a policy of transaction filtering will be dynamically enforced to significantly slow down damage propagation with minimum availability loss.
