Abstract
We present a control mechanism for preserving confidentiality in relational databases under open queries. This mechanism is based on a reduction of costly inference control to efficient access control that has recently been developed for closed database queries. Our approach guarantees that secrets being declared in form of a confidentiality policy are not disclosed to database users even if they utilize their a priori knowledge to draw inferences. It turns out that there is no straightforward transition from the approach for closed queries to open queries. We show, however, that hiding the confidentiality policy from database users is sufficient to preserve confidentiality. Moreover, we propose an algorithmic implementation of the control mechanism.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Abiteboul, S., Hull, R., Vianu, V.: Foundations of Databases. Addison-Wesley, Reading (1995)
Bertino, E., Sandhu, R.: Database security – concepts, approaches, and challenges. IEEE Trans. Dependable Sec. Comput. 2(1), 2–18 (2005)
Biskup, J.: Boyce-Codd normal form and object normal forms. Inf. Process. Lett. 32(1), 29–33 (1989)
Biskup, J., Bonatti, P.: Controlled query evaluation for enforcing confidentiality in complete information systems. Int. J. Inf. Sec. 3(1), 14–27 (2004)
Biskup, J., Bonatti, P.: Controlled query evaluation with open queries for a decidable relational submodel. Ann. Math. Artif. Intell. 50, 39–77 (2007)
Biskup, J., Bonatti, P.A.: Lying versus refusal for known potential secrets. Data Knowl. Eng. 38(2), 199–222 (2001)
Biskup, J., Bonatti, P.A.: Controlled query evaluation for known policies by combining lying and refusal. Ann. Math. Artif. Intell. 40, 37–62 (2004)
Biskup, J., Embley, D.W., Lochner, J.-H.: Reducing inference control to access control for normalized database schemas. Inf. Process. Lett. 106(1), 8–12 (2008)
Biskup, J., Lochner, J.-H.: Enforcing confidentiality in relational databases by reducing inference control to access control. In: Garay, J.A., Lenstra, A.K., Mambo, M., Peralta, R. (eds.) ISC 2007. LNCS, vol. 4779, pp. 407–422. Springer, Heidelberg (2007)
Biskup, J., Lochner, J.-H., Sonntag, S.: Optimization of the controlled evaluation of closed relational queries. In: Gritzalis, D., Lopez, J. (eds.) Proc. IFIP SEC. IFIP AICT, vol. 297, pp. 214–225. Springer, Heidelberg (2009)
Bonatti, P., Kraus, S., Subrahmanian, V.S.: Foundations of secure deductive databases. IEEE Trans. Knowl. Data Eng. 7(3), 406–422 (1995)
Brodsky, A., Farkas, C., Jajodia, S.: Secure databases: constraints, inference channels, and monitoring disclosures. IEEE Trans. Knowl. Data Eng. 12(6), 900–919 (2000)
Byun, J.-W., Bertino, E.: Micro-views, or on how to protect privacy while enhancing data usability—concepts and challenges. ACM SIGMOD Record 35(1), 9–13 (2006)
Cuppens, F., Gabillon, A.: Cover story management. Data Knowl. Eng. 37(2), 177–201 (2001)
Dawson, S., De Capitani di Vimercati, S., Samarati, P.: Specification and enforcement of classification and inference constraints. In: IEEE Symposium on Security and Privacy, pp. 181–195 (1999)
Delugach, H.S., Hinke, T.H.: Wizard: A database inference analysis and detection system. IEEE Trans. Knowl. Data Eng. 8(1), 56–66 (1996)
Farkas, C., Jajodia, S.: The inference problem: a survey. SIGKDD Explorations 4(2), 6–11 (2002)
Galinovic, A., Antoncic, V.: Polyinstantiation in relational databases with multilevel security. In: Proc. ITI, pp. 127–132. IEEE, Los Alamitos (2007)
Griffiths, P.P., Wade, B.W.: An authorization mechanism for a relational database system. ACM Trans. Database Syst. 1(3), 242–255 (1976)
Hale, J., Shenoi, S.: Analyzing FD inference in relational databases. Data Knowl. Eng. 18(2), 167–183 (1996)
Jajodia, S., Sandhu, R.S.: Toward a multilevel secure relational data model. In: Clifford, J., King, R. (eds.) SIGMOD Conference, pp. 50–59. ACM Press, New York (1991)
Lunt, T.F., Denning, D.E., Schell, R.R., Heckman, M., Shockley, W.R.: The Sea-View security model. IEEE Trans. Software Eng. 16(6), 593–607 (1990)
Rjaibi, W., Bird, P.: A multi-purpose implementation of mandatory access control in relational database management systems. In: Nascimento, M.A., Özsu, M.T., Kossmann, D., Miller, R.J., Blakeley, J.A., Schiefer, K.B. (eds.) Proc. VLDB, pp. 1010–1020 (2004)
Sandhu, R.: Lattice-based access control models. Computer 26(11), 9–19 (1993)
Sicherman, G.L., de Jonge, W., van de Riet, R.P.: Answering queries without revealing secrets. ACM Trans. Database Syst. 8(1), 41–59 (1983)
Stonebraker, M., Wong, E.: Access control in a relational data base management system by query modification. In: Proc. ACM/CSC-ER Annual Conference, pp. 180–186. ACM Press, New York (1974)
Su, T.-A., Özsoyoglu, G.: Controlling FD and MVD inferences in multilevel relational database systems. IEEE Trans. Knowl. Data Eng. 3(4), 474–485 (1991)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Biskup, J., Hartmann, S., Link, S., Lochner, JH. (2010). Efficient Inference Control for Open Relational Queries. In: Foresti, S., Jajodia, S. (eds) Data and Applications Security and Privacy XXIV. DBSec 2010. Lecture Notes in Computer Science, vol 6166. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-13739-6_11
Download citation
DOI: https://doi.org/10.1007/978-3-642-13739-6_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-13738-9
Online ISBN: 978-3-642-13739-6
eBook Packages: Computer ScienceComputer Science (R0)