Data Security -- Denning and Denning, 1979
=============

A survey paper characterizing internal security requirements, mechanisms and policies into four categories: access control, flow control, inference control and cryptography.

Access control
--------------

Key ideas:

- "Ownership" and "privileges" for objects.
- For database systems, data access control (ownership and privileges on a per data item (tuple) basis) is satisfactory. Commercial DB systems have GRANT and REVOKE (SQL).
- For general programs, object access control is required. Object access can be controlled by strong type-checking in the compiler or by hardware at run-time.
- The paper illustrates how hardware can control access at run-time by using segments, protection bits per segment and a per-process segment descriptor table. Users "own" segments and can specify privilege information per segment by using access control lists.
- Some systems allow revocation of privileges. If privileges are maintained in a central table, revocation is easy. If they are scattered all over the place (e.g. copied into descriptor tables of running processes), it is hard.

Limitations:

- There is high overhead in managing small segments. Therefore, users are forced to pack data and subprograms into larger segments, and so cannot protect these small units from each other.
- The OS has excessive privileges. This violates the principle of least privilege. One partial remedy is the use of multiple protection rings.
- It is difficult to reason about systems that implement access control lists. For instance, "proving" that authorizations are continually consistent with the owner's intentions is hard, as it requires formal verification, which is itself hard.
- One alternative to verification of the entire system is splitting the system into two parts: a small "security kernel" that can be proved correct and is therefore trusted, and everything else. The kernel mediates all accesses, so the correct operation of the kernel is what guarantees that the whole system is secure.
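The segment mechanism and the revocation point above, as an added worked model (not code from the paper; the kernel/process/segment names and the `payroll` segment are made up for illustration). Each process carries a segment descriptor table whose protection bits are what the "hardware" checks on every access; the owner edits a central ACL. Revocation is easy when the kernel can find every descriptor that was copied out of the ACL, and silently ineffective when it cannot:

```python
from enum import Flag, auto


class Perm(Flag):
    """Protection bits attached to a segment descriptor."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXEC = auto()


class AccessError(Exception):
    pass


class Segment:
    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        self.data = bytearray()
        # Owner-managed access control list: user -> rights (the central table).
        self.acl = {owner: Perm.READ | Perm.WRITE | Perm.EXEC}
        # Processes that currently hold a descriptor for this segment.
        self.attached = set()


class Process:
    def __init__(self, user):
        self.user = user
        # Segment descriptor table: segment name -> protection bits.
        # The hardware checks these bits on every access, not the ACL.
        self.sdt = {}


class Kernel:
    """Toy reference monitor (hypothetical; not the paper's design)."""

    def __init__(self):
        self.segments = {}

    def create(self, name, owner):
        self.segments[name] = Segment(name, owner)

    def grant(self, granter, name, user, perm):
        seg = self.segments[name]
        if granter != seg.owner:
            raise AccessError(f"{granter} does not own {name}")
        seg.acl[user] = seg.acl.get(user, Perm.NONE) | perm

    def revoke(self, revoker, name, user, perm, propagate):
        seg = self.segments[name]
        if revoker != seg.owner:
            raise AccessError(f"{revoker} does not own {name}")
        seg.acl[user] = seg.acl.get(user, Perm.NONE) & ~perm
        # Central bookkeeping: rewrite every descriptor copied from the ACL.
        # Without this step, privileges already copied into SDTs survive.
        if propagate:
            for proc in seg.attached:
                if proc.user == user:
                    proc.sdt[name] = seg.acl[user]

    def attach(self, proc, name):
        seg = self.segments[name]
        bits = seg.acl.get(proc.user, Perm.NONE)
        if bits == Perm.NONE:
            raise AccessError(f"{proc.user} has no rights on {name}")
        proc.sdt[name] = bits           # ACL rights become protection bits
        seg.attached.add(proc)

    def access(self, proc, name, perm):
        bits = proc.sdt.get(name, Perm.NONE)
        if perm not in bits:
            raise AccessError(f"{proc.user}: {perm.name} denied on {name}")
        return self.segments[name]


def can(op):
    try:
        op()
    except AccessError:
        return False
    return True


def scenario(propagate):
    """alice owns a segment, lends bob read access, then revokes it."""
    k = Kernel()
    k.create("payroll", "alice")
    k.grant("alice", "payroll", "bob", Perm.READ)
    bob = Process("bob")
    k.attach(bob, "payroll")
    out = {
        "read_before": can(lambda: k.access(bob, "payroll", Perm.READ)),
        "write_before": can(lambda: k.access(bob, "payroll", Perm.WRITE)),
        "nonowner_grant": can(lambda: k.grant("bob", "payroll", "bob", Perm.WRITE)),
    }
    k.revoke("alice", "payroll", "bob", Perm.READ, propagate=propagate)
    out["read_after"] = can(lambda: k.access(bob, "payroll", Perm.READ))
    out["fresh_attach"] = can(lambda: k.attach(Process("bob"), "payroll"))
    return out


if __name__ == "__main__":
    print("central revocation :", scenario(propagate=True))
    print("scattered descriptors:", scenario(propagate=False))
```

With `propagate=False` the ACL says bob has nothing, yet bob's already-attached process keeps reading: the authorization state and the owner's intention have drifted apart, which is exactly the consistency property the survey says is hard to prove for ACL systems.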
Flow control
------------

Key ideas:

- A flow policy specifies "channels" along which information is allowed to pass. It typically entails classifying data into "classes", e.g. Confidential, Restricted etc.
- Simple flow control can be enforced by an extended access control mechanism. Not only data, but also users/programs, are assigned the same "classes", and rules govern which class may access which data. Information may only flow "up" the ladder: a program may read data of its own class or lower and write data of its own class or higher. To let a program read data of several classes, the class of the program can be allowed to increase at run-time to the highest class it has read; since the class never comes back down, everything the program writes afterwards lands in that high class. In general, such flow control schemes tend to "overclassify" data.
- A more comprehensive flow control scheme controls information at a finer granularity: at the statement level in a program (studying how data flows through variable assignments, so that x := y is permitted only if the class of y may flow to the class of x). This is again hard, as it involves code analysis and program verification techniques.

Limitations:

- Overclassification of information.
- Information flow via covert channels (e.g. running time or energy use).

Inference control
-----------------

Key ideas:

- How can a database system be designed so that aggregates (statistics) can be revealed without revealing specific information pertaining to individual members of the database? The idea is to make the cost of extracting specific information high (in terms of the number of queries or time).
- The basic technique for extracting information is isolating the desired record at the intersection of a set of interlocking queries.

Solutions:

(a) Disallow queries whose query set is very small (minimum query-set control). However, there are theoretical results showing how such schemes can be attacked.
(b) Distort the data on which queries are answered, e.g. by adding a pseudo-random number to the values, by perturbing the values, or by swapping values of fields between different records. These schemes have their own pros and cons.
(c) Allow queries only on a random sample of the data. This solution works well in practice when used in conjunction with minimum query-set control.
However, it can be used only when the original database is large enough to make sampling meaningful.

- A related technique is to "monitor" the system for suspicious activity (somebody trying to acquire specific information).

Limitation:

- It is important to see that you cannot allow queries on a database without revealing *any* information. The objective of inference control is only to make the cost of acquiring specific information high.

Cryptography
------------

Key ideas:

- Useful to prevent accidental or malicious disclosure of data. It guards against eavesdropping or accidental spills.
- Symmetric key vs. public key cryptography.
- Key management is essential.

Discussion: Pg 233, last paragraph, "Most security flaws ...
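The three flow-control mechanisms from the Flow control section above, as an added worked example (not code from the paper; the class names and variable names are made up). It uses a total order of classes for brevity, but only `can_flow` and `lub` depend on that, so any lattice with a least upper bound would do. The statement-level checker goes one step beyond the summary's "flow through assignments": it also tracks the class of the enclosing condition, since an assignment inside `if secret > 0` leaks the secret even when its right-hand side is public (this is the certification rule from the Dennings' own statement-level work):

```python
RANK = {"Unclassified": 0, "Confidential": 1, "Restricted": 2, "Secret": 3}


class FlowViolation(Exception):
    pass


def can_flow(src, dst):
    """src -> dst is a permitted channel iff src is at or below dst."""
    return RANK[src] <= RANK[dst]


def lub(*classes):
    """Least upper bound of the given classes (max() suffices for a total order)."""
    return max(classes, key=RANK.__getitem__)


# 1. Extended access control: a subject of fixed class may read objects at or
#    below its class and write objects at or above it ("flow goes up").
def check_access(subject_class, object_class, op):
    if op == "read":
        ok = can_flow(object_class, subject_class)
    else:
        ok = can_flow(subject_class, object_class)
    if not ok:
        raise FlowViolation(f"{op} of {object_class} object by {subject_class} subject")
    return True


# 2. Dynamic variant: the program's class rises to cover whatever it has read,
#    and every later write is checked against the raised class. Returns the
#    final class, which shows how a single high read overclassifies all output.
def run_with_rising_class(program_class, ops):
    current = program_class
    for op, object_class in ops:
        if op == "read":
            current = lub(current, object_class)
        else:
            check_access(current, object_class, "write")
    return current


# 3. Statement-level certification over a tiny statement language:
#    ("assign", target, [source vars])  or  ("if", [condition vars], [body]).
#    `pc` is the class of the control context (the enclosing conditions).
def certify(stmts, classes, pc="Unclassified"):
    for stmt in stmts:
        if stmt[0] == "assign":
            _, target, sources = stmt
            src = lub(pc, *(classes[v] for v in sources))
            if not can_flow(src, classes[target]):
                raise FlowViolation(f"{src} -> {target} ({classes[target]})")
        elif stmt[0] == "if":
            _, conds, body = stmt
            # Everything assigned inside the branch implicitly depends on the condition.
            certify(body, classes, lub(pc, *(classes[v] for v in conds)))
        else:
            raise ValueError(f"unknown statement kind {stmt[0]!r}")
    return True


def violates(fn, *args):
    """True if fn(*args) raises FlowViolation; used to report outcomes as values."""
    try:
        fn(*args)
    except FlowViolation:
        return True
    return False


# Constructed variable classification for the examples.
CLASSES = {"salary": "Restricted", "bonus": "Confidential",
           "report": "Restricted", "public": "Unclassified", "one": "Unclassified"}

if __name__ == "__main__":
    print("explicit leak :", violates(certify, [("assign", "public", ["bonus"])], CLASSES))
    print("implicit leak :", violates(certify,
          [("if", ["salary"], [("assign", "public", ["one"])])], CLASSES))
    print("rising class  :", run_with_rising_class("Confidential",
          [("read", "Restricted"), ("write", "Restricted")]))
```

The rising-class run shows the overclassification problem directly: a Confidential program that reads one Restricted item can from then on write only Restricted or higher, even for output that does not depend on what it read.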
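The Inference control section above, as an added worked example (not code from the paper; the employee table is constructed and the class and function names are made up). It implements minimum query-set control (solution (a)), then shows the "interlocking queries" attack the section alludes to: the isolated record is never queried directly, but its value is the difference of two queries that each pass the size check. This is the individual tracker from Denning, Denning and Schwartz's 1979 tracker paper, applied to SUM. A fixed-noise variant of solution (b) is included to show what perturbation does and does not buy:

```python
# Constructed sample data: ten employees, exactly one manager in engineering.
EMPLOYEES = [
    {"name": "ann", "dept": "eng",   "role": "manager", "salary": 9000},
    {"name": "bob", "dept": "eng",   "role": "dev",     "salary": 6000},
    {"name": "cid", "dept": "eng",   "role": "dev",     "salary": 6500},
    {"name": "dee", "dept": "eng",   "role": "dev",     "salary": 5800},
    {"name": "eli", "dept": "eng",   "role": "dev",     "salary": 6200},
    {"name": "fay", "dept": "ops",   "role": "manager", "salary": 8000},
    {"name": "gus", "dept": "ops",   "role": "dev",     "salary": 5500},
    {"name": "hal", "dept": "ops",   "role": "dev",     "salary": 5700},
    {"name": "ivy", "dept": "sales", "role": "rep",     "salary": 4800},
    {"name": "jon", "dept": "sales", "role": "rep",     "salary": 5100},
]


class QueryDenied(Exception):
    pass


class StatDB:
    """Statistical database answering SUM queries under minimum query-set
    control: answer only if the query set has between k and n-k records
    (a set of size n-1 is as revealing as a set of size 1 via the total)."""

    def __init__(self, records, k):
        self.records = records
        self.k = k

    def value(self, record, field):
        return record[field]

    def query(self, pred, field="salary"):
        qset = [r for r in self.records if pred(r)]
        n = len(self.records)
        if not self.k <= len(qset) <= n - self.k:
            raise QueryDenied(f"query set of size {len(qset)} rejected")
        return sum(self.value(r, field) for r in qset)


def denied(db, pred):
    """True if the database refuses to answer SUM over pred."""
    try:
        db.query(pred)
    except QueryDenied:
        return True
    return False


def individual_tracker(db, a, b, field="salary"):
    """Recover SUM over records matching (a AND b) although that query set is
    too small to be answered: ask for a, then for (a AND NOT b), and subtract.
    Both interlocking queries individually pass the size check."""
    return db.query(a, field) - db.query(lambda r: a(r) and not b(r), field)


def fixed_noise(record, step=100):
    """Deterministic per-record offset in {-300, ..., +300}. The same record
    always gets the same offset, so repeating a query cannot average it away.
    Toy stand-in for a keyed pseudo-random function over the record id."""
    return ((sum(map(ord, record["name"])) % 7) - 3) * step


class PerturbedStatDB(StatDB):
    """Solution (b): answer over distorted values instead of the true ones."""

    def value(self, record, field):
        return record[field] + fixed_noise(record)


def is_eng(r):
    return r["dept"] == "eng"


def is_manager(r):
    return r["role"] == "manager"


if __name__ == "__main__":
    exact = StatDB(EMPLOYEES, k=2)
    print("direct query denied :", denied(exact, lambda r: is_eng(r) and is_manager(r)))
    print("tracker recovers    :", individual_tracker(exact, is_eng, is_manager))
    print("with perturbation   :",
          individual_tracker(PerturbedStatDB(EMPLOYEES, k=2), is_eng, is_manager))
```

The size check blocks the one-record query but not the two size-five and size-four queries that bracket it, so the manager's exact salary falls out as a difference. With fixed per-record noise the tracker still isolates the record, but now recovers the perturbed value; the attacker learns the salary only to within the noise bound, which is the trade-off the section describes for distortion schemes. Random-sample queries (solution (c)) attack the same subtraction step from the other side, by answering each query over a different sample so that the two query sets no longer interlock exactly.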