2,385 research outputs found
Securing Databases from Probabilistic Inference
Databases can leak confidential information when users combine query results
with probabilistic data dependencies and prior knowledge. Current research
offers mechanisms that either handle a limited class of dependencies or lack
tractable enforcement algorithms. We propose a foundation for Database
Inference Control based on ProbLog, a probabilistic logic programming language.
We leverage this foundation to develop Angerona, a provably secure enforcement
mechanism that prevents information leakage in the presence of probabilistic
dependencies. We then provide a tractable inference algorithm for a practically
relevant fragment of ProbLog. We empirically evaluate Angerona's performance
showing that it scales to relevant security-critical problems.Comment: A short version of this paper has been accepted at the 30th IEEE
Computer Security Foundations Symposium (CSF 2017
SoK: Cryptographically Protected Database Search
Protected database search systems cryptographically isolate the roles of
reading from, writing to, and administering the database. This separation
limits unnecessary administrator access and protects data in the case of system
breaches. Since protected search was introduced in 2000, the area has grown
rapidly; systems are offered by academia, start-ups, and established companies.
However, there is no best protected search system or set of techniques.
Design of such systems is a balancing act between security, functionality,
performance, and usability. This challenge is made more difficult by ongoing
database specialization, as some users will want the functionality of SQL,
NoSQL, or NewSQL databases. This database evolution will continue, and the
protected search community should be able to quickly provide functionality
consistent with newly invented databases.
At the same time, the community must accurately and clearly characterize the
tradeoffs between different approaches. To address these challenges, we provide
the following contributions:
1) An identification of the important primitive operations across database
paradigms. We find there are a small number of base operations that can be used
and combined to support a large number of database paradigms.
2) An evaluation of the current state of protected search systems in
implementing these base operations. This evaluation describes the main
approaches and tradeoffs for each base operation. Furthermore, it puts
protected search in the context of unprotected search, identifying key gaps in
functionality.
3) An analysis of attacks against protected search for different base
queries.
4) A roadmap and tools for transforming a protected search system into a
protected database, including an open-source performance evaluation platform
and initial user opinions of protected search.Comment: 20 pages, to appear to IEEE Security and Privac
On the security of NoSQL cloud database services
Processing a vast volume of data generated by web, mobile and Internet-enabled devices, necessitates a scalable and flexible data management system. Database-as-a-Service (DBaaS) is a new cloud computing paradigm, promising a cost-effective and scalable, fully-managed database functionality meeting the requirements of online data processing. Although DBaaS offers many benefits it also introduces new threats and vulnerabilities. While many traditional data processing threats remain, DBaaS introduces new challenges such as confidentiality violation and information leakage in the presence of privileged malicious insiders and adds new dimension to the data security. We address the problem of building a secure DBaaS for a public cloud infrastructure where, the Cloud Service Provider (CSP) is not completely trusted by the data owner. We present a high level description of several architectures combining modern cryptographic primitives for achieving this goal. A novel searchable security scheme is proposed to leverage secure query processing in presence of a malicious cloud insider without disclosing sensitive information. A holistic database security scheme comprised of data confidentiality and information leakage prevention is proposed in this dissertation. The main contributions of our work are: (i) A searchable security scheme for non-relational databases of the cloud DBaaS; (ii) Leakage minimization in the untrusted cloud. The analysis of experiments that employ a set of established cryptographic techniques to protect databases and minimize information leakage, proves that the performance of the proposed solution is bounded by communication cost rather than by the cryptographic computational effort
Data Security and Privacy in the Cloud
Relying on the cloud for storing data and performing computations has become a popular solution in today\u2019s society, which demands large data collections and/or analysis over them to be readily available, for example, to make knowledge-based decisions. While bringing undeniable benefits to both data owners and end users accessing the outsourced data, moving to the cloud raises a number of issues, ranging from choosing the most suitable cloud provider for outsourcing to effectively protecting data and computation results. In this paper, we discuss the main issues related to data protection arising when data and/or computations over them are moved to the cloud. We also illustrate possible solutions and approaches for addressing such issues
Building Context-Aware Access Control In Enterprise Ontologies
Knowledge centric management (KCM) has become a key strategy for competitive edge. As an essential of KCM, an enterprise ontology represents the knowledge of an organization. Thus, the need for securing enterprise ontologies (EO) becomes imperative. Adequate access control is a major component of ontology security. However, access control for EO is largely neglected in information systems (IS) literature. This paper presents the first research to fill this gap. I propose five requirements for good access-control solutions for EO. The proposed solution offers an architecture framework that meets the five requirements. Semantic Web technology is used to build context-aware access controls into EO. My proposal includes a novel resolution for policy conflicts. This study provides the first design of fine-grained and dynamically-adjusted access authorizations
- …