
DB-Inferences



Presentation Transcript


    1. DB-Inferences

    2. DB-Inferences. Outline: Definition; Inference problem; Examples

    3. Definition. Inferring prohibited information from the results of queries is known as the inference problem. The inference problem uses an inference channel. The goal in addressing the inference problem is to detect and remove inference channels. An inference channel in a database provides a facility to infer data with a higher classification from data with a lower classification.

    4. Definition. Inference involves indirect access. Example: a user has the privilege to view data X but not data Y, and both are in table T. If the query SELECT X FROM T WHERE Y = value produces any result, then the user has inferred something about Y. If the user attempts an insert and it is denied, then the denial also leads to inference.

    5. Definition. Inference could also result from correlated data, meaning that visible data is related to invisible data. Knowing the values t and k and being able to guess an unknown value z = t * k is inference. Estimating the value of z requires reducing the degree of uncertainty for z. Reducing that degree of uncertainty using the results of authorized queries is also inference.

    6. Definition. Inference could also result from missing data. A channel of missing data is an inference channel. Missing data usually comes from having null values for fields such as salary when an employee has a name and department identified.

    7. Inference Problem. Inference from queries based on sensitive data: to overcome this problem, polyinstantiation is used. Inference due to dependencies: for example, employees are aware that salary is the same for each rank. An employee without the right permission for salary can query the rank, which is not sensitive, and determine the salary because of its dependency on rank.

    8. Inference Problem. Inference could also result from value constraints. Example: assume that attribute ‘A’ is Unclassified but attribute ‘B’ is Secret, with the constraint A + B ? 20. B does not impact A, but in a query, because of the constraint, it may only pick up certain values of A, thus creating an inference channel.

    9. Inference Problem. Goguen and Meseguer first identified the inference problem in 1984. Denning and Morgenstern refined it in 1986 and gave a formal quantitative value similar to probability. Denning-Morgenstern formula: let x and y be two items, let $H(y)$ denote the uncertainty of y, and let $H_x(y)$ denote the uncertainty of y given x.

    10. Inference Problem. Formula: $\mathrm{INFER}(x \rightarrow y) = \dfrac{H(y) - H_x(y)}{H(y)}$. The function INFER takes on values from 0 to 1. Value 0 corresponds to no inference. Value 1 corresponds to full inference.
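The INFER measure from slides 9 and 10, worked through on sample data. This is an added example, not part of the original presentation; it assumes H is Shannon entropy estimated from observed (x, y) rows, and the three data sets are constructed for illustration.

```python
from collections import Counter
from math import log2

def entropy(values):
    """H(y): Shannon entropy (bits) of the observed values."""
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())

def cond_entropy(pairs):
    """H_x(y): expected uncertainty of y once x is known."""
    n = len(pairs)
    by_x = {}
    for x, y in pairs:
        by_x.setdefault(x, []).append(y)
    return sum(len(ys) / n * entropy(ys) for ys in by_x.values())

def infer(pairs):
    """INFER(x -> y) = (H(y) - H_x(y)) / H(y), a value between 0 and 1."""
    h_y = entropy([y for _, y in pairs])
    if h_y == 0:
        return 0.0  # y is already certain; treated as "nothing to infer" (assumed convention)
    return (h_y - cond_entropy(pairs)) / h_y

# Constructed samples: (visible attribute x, protected attribute y)
RANK_SALARY = [("junior", 40), ("junior", 40), ("senior", 60), ("senior", 60)]
INDEPENDENT = [("a", 0), ("a", 1), ("b", 0), ("b", 1)]
DEPT_SALARY = [("d1", 40), ("d1", 40), ("d1", 60), ("d2", 60)]

if __name__ == "__main__":
    for name, data in [("rank -> salary", RANK_SALARY),
                       ("independent", INDEPENDENT),
                       ("dept -> salary", DEPT_SALARY)]:
        print(f"{name}: INFER = {infer(data):.3f}")
```

The rank and salary case is the dependency from slide 7: salary is fixed per rank, so the non-sensitive rank yields full inference, while the department case shows a partial channel.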

    11. Inference Problem. Another approach to preventing this problem is to identify relationships between attributes, objects and abstract classes. Any of these relationships can be classified. In the previous example, to hide the relationship between employee and salary, one needs to classify that relationship.

    12. Inference Problem. Teresa Lunt points out that even with classification of relationships, inference could happen. Example: if the user knows that the system would preserve the data order in the database and separately queries the employee names first and then the employee salaries, then an inference channel is present.

    13. Inference Problem. It is good to keep this problem in mind for developing security policy rather than for classifying data. Mazumdar, Stemple and Sheard developed in 1988 a theorem-prover approach to check for inference channels. Mazumdar et al. use a method to see whether a set of predefined secrets can be derived from the database integrity constraints.

    14. Inference Problem. The Lock Data Views (LDV) model uses classification constraints to prevent the inference problem. In the LDV model, classification constraints are defined on sets of data according to the level of information that can be inferred from the data. Given a query, the result is upgraded to the appropriate level according to the classification constraints.

    15. Inference Problem. Another approach to preventing the inference problem is to maintain a history of past data accesses and to use that history when evaluating the security level of a query. Another approach is to check updates before committing them to see if they would lead to illegal inferences.

    16. Inference Problem. In the SeaView system, data is stored high and selectively downgraded according to the requester’s past access history. In the LDV system, data is stored low and access to it is selectively restricted based on its access by low users. Another type of inference problem is “data association”: two separate pieces of data may not be sensitive, but combined they are sensitive.

    17. Inference Problem. Example: employee name and salary are independently not sensitive, but when they are associated the combination becomes sensitive. The inference problem is closely related to statistical database security.

    18. Example

    19. Example

    20. Example

    21. Example

    22. Example

    23. Example

    24. Example. Consider a query set X(C) where C is a cluster in a database. Let q1 = Count(C). The expression [(Dept-Code = ‘Dept1’) ∧ (Sex = ‘F’) ∧ (Birth-Year = 1951)] uniquely identifies an individual, say, Brown. Assume that Count(C) is not permitted for the user. Define a characteristic A = (Sex = ‘F’), a characteristic B = [(Dept-Code = ‘Dept1’) ∧ (Birth-Year = 1951)], and a third characteristic T = (A ∧ ¬B). ‘A’ is called an individual tracker.

    25. Example. Count(C), which is not permitted, can now be calculated as follows: Count(C) = Count[(Dept-Code = ‘Dept1’) ∧ (Sex = ‘F’) ∧ (Birth-Year = 1951)] = Count(A) – Count(T). In the above expression the values on the right-hand side are known, and so Count(C) can be calculated indirectly.

    26. Example. Additional information can also be inferred as follows: Count(C ∧ Salary > 20) = Count(T ∨ (A ∧ Salary > 20)) – Count(T). If the result of the query is 1, the user infers that Brown’s salary is over $20,000.
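The tracker arithmetic from slides 24 to 26, run against a COUNT-only interface, together with the access-history check described on slide 15. This is an added example, not part of the original presentation; the table rows, the threshold k = 2, and the `StatDB` class are constructed for illustration.

```python
import sqlite3

# Constructed sample rows: (name, dept, sex, birth_year, salary in $1000s)
ROWS = [("Brown", "Dept1", "F", 1951, 25), ("Adams", "Dept1", "M", 1951, 18),
        ("Clark", "Dept2", "F", 1960, 30), ("Davis", "Dept2", "F", 1951, 15),
        ("Evans", "Dept1", "M", 1948, 22), ("Ford", "Dept2", "M", 1962, 19)]

A = "sex = 'F'"
B = "(dept = 'Dept1' AND birth_year = 1951)"
C = f"({A} AND {B})"        # matches Brown alone
T = f"({A} AND NOT {B})"    # T = A AND NOT B, as on slide 24

class StatDB:
    """COUNT-only interface; predicates here are fixed constants, not user input."""
    def __init__(self, k, audit=False):
        self.k, self.audit, self.history = k, audit, []
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE emp(name, dept, sex, birth_year, salary)")
        self.db.executemany("INSERT INTO emp VALUES (?,?,?,?,?)", ROWS)

    def count(self, where):
        """Return the count, or None when the query is refused."""
        n = self.db.execute("SELECT COUNT(*) FROM emp").fetchone()[0]
        rows = {r[0] for r in self.db.execute(f"SELECT rowid FROM emp WHERE {where}")}
        if not self.k <= len(rows) <= n - self.k:   # query-set-size control
            return None
        if self.audit:                               # history of past accesses (slide 15)
            for prev in self.history:
                if any(0 < len(d) < self.k for d in (rows - prev, prev - rows)):
                    return None                      # difference would isolate < k rows
        self.history.append(rows)
        return len(rows)

def tracker_demo(audit):
    """Return (direct Count(C), derived Count(C), derived Count(C AND salary > 20))."""
    db = StatDB(k=2, audit=audit)
    direct = db.count(C)                 # refused: only one row matches
    a, t = db.count(A), db.count(T)
    if a is None or t is None:
        return direct, None, None
    derived = a - t                      # Count(C) = Count(A) - Count(T)
    u = db.count(f"({T} OR ({A} AND salary > 20))")
    return direct, derived, (None if u is None else u - t)

if __name__ == "__main__":
    print("size control only:", tracker_demo(audit=False))
    print("with history check:", tracker_demo(audit=True))
```

With size control alone, every query the tracker needs is answered and both derived counts come out as 1; with the history check, Count(T) is refused because its difference from the already answered Count(A) isolates a single row.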
