David Schultz
Barbara Liskov
ABSTRACT
Numerous sensitive databases are breached every year due to bugs in applications. These applications typically handle data for many users, and consequently, they have access to large amounts of confidential information.
This paper describes IFDB, a DBMS that secures databases by using decentralized information flow control (DIFC). We present the Query by Label model, which introduces new abstractions for managing information flows in a relational database. IFDB also addresses several challenges inherent in bringing DIFC to databases, including how to handle transactions and integrity constraints without introducing covert channels.
We implemented IFDB by modifying PostgreSQL, and extended two application environments, PHP and Python, to provide a DIFC platform. IFDB caught several security bugs and prevented information leaks in two web applications we ported to the platform. Our evaluation shows that IFDB's throughput is as good as PostgreSQL for a real web application, and about 1% lower for a database benchmark based on TPC-C.
- A. Askarov, D. Zhang, and A. Myers. Predictive black-box mitigation of timing channels. In Proc. CCS, New York, NY, 2010. ACM. Google Scholar
Digital Library
- D. Bell and L. LaPadula. Secure computer system: Unified exposition and Multics interpretation. Technical Report ESD-TR-75-306, MITRE Corp. MTR-2997, Bedford, MA, 1975.Google Scholar
- R. Bond, K. See, C. Wong, and Y.-K. Chan. Understanding DB2 9 Security, chapter 6. IBM Press, Indianopolis, IN, 1st edition.Google Scholar
- J. Bonneau. New Facebook photo hacks. In Light Blue Touchpaper. University of Cambridge Computer Laboratory, May 20, 2009. http://www.lightbluetouchpaper.org/2009/02/11/new-facebook-photo-hacks/.Google Scholar
- R. Chen, N. Mohammed, B. Fung, B. Desai, and L. Xiong. Publishing set-valued data via differential privacy. Proc. VLDB, 4(11), Aug. 2011.Google Scholar
- W. Cheng, D. Ports, D. Schultz, V. Popic, A. Blankstein, J. Cowling, D. Curtis, L. Shrira, and B. Liskov. Abstractions for usable information flow control in Aeolus. In Proc. USENIX ATC, Boston, MA, June 2012. Google ScholarDigital Library
- A. Chlipala. Static checking of dynamically-varying security policies in database-backed applications. In Proc. OSDI, Oct. 2010. Google ScholarDigital Library
- S. Chong, K. Vikram, and A. Myers. Sif: Enforcing confidentiality and integrity in web applications. In Proc. USENIX Security, Boston, MA, Aug. 2007. Google ScholarDigital Library
- D. Denning. A lattice model of secure information flow. Commun. ACM, 19, May 1976. Google ScholarDigital Library
- C. Dwork. Differential privacy: A survey of results. In Proc TAMC, Berlin, Heidelberg, 2008. Springer. Google ScholarDigital Library
- P. Efstathopoulos, M. Krohn, S. VanDeBogart, C. Frey, D. Ziegler, E. Kohler, D. Mazières, F. Kaashoek, and R. Morris. Labels and event processes in the Asbestos operating system. In Proc. SOSP, Brighton, UK, 2005. ACM. Google ScholarDigital Library
- A. Futoransky, D. Saura, and A. Waissbein. The ND2DB attack: Database content extraction using timing attacks on the indexing algorithms. In WOOT, Boston, MA, Aug. 2007. USENIX Association. Google ScholarDigital Library
- M. Hay, V. Rastogi, G. Miklau, and D. Suciu. Boosting the accuracy of differentially private histograms through consistency. Proc. VLDB, 3(1--2), Sept. 2010. Google ScholarDigital Library
- B. Hull, V. Bychkovsky, Y. Zhang, K. Chen, M. Goraczko, A. K. Miu, E. Shih, H. Balakrishnan, and S. Madden. CarTel: A distributed mobile sensor computing system. In SenSys, Boulder, CO, November 2006. ACM. Google ScholarDigital Library
- S. Jeloka et al. Oracle Label Security Administrator's Guide, 11g Release 2 (11.2). Oracle Corporation, 2009.Google Scholar
- P. Karger and J. Wray. Storage channels in disk arm optimization. In Proc. Security and Privacy. IEEE, May 1991.Google ScholarCross Ref
- E. Kohler. Hot crap! In Proc. WOWCS, Berkeley, CA, 2008. USENIX. Google ScholarDigital Library
- M. Krohn, A. Yip, M. Brodsky, N. Cliffer, F. Kaashoek, E. Kohler, and R. Morris. Information flow control for standard OS abstractions. In Proc. SOSP, New York, NY, 2007. ACM. Google ScholarDigital Library
- P. Li and S. Zdancewic. Practical information-flow control in web-based information systems. In Proc. CSFW. IEEE, 2005. Google ScholarDigital Library
- Y. Liu, D. Ghosal, F. Armknecht, A.-R. Sadeghi, S. Schulz, and S. Katzenbeisser. Hide and seek in time: Robust covert timing channels. In Proc. ESORICS, Berlin, Heidelberg, 2009. Springer. Google ScholarDigital Library
- T. F. Lunt, D. E. Denning, R. R. Schell, M. Heckman, and W. R. Shockley. The SeaView security model. IEEE Trans. Softw. Eng., 16, June 1990. Google ScholarDigital Library
- A. Machanavajjhala, D. Kifer, J. Gehrke, and M. Venkitasubramaniam. l-diversity: Privacy beyond k-anonymity. ACM Trans. Knowl. Discov. Data, 1, March 2007. Google ScholarDigital Library
- T. Murphy. Security glitch exposes WellPoint customers' financial, medical data. USA Today, June 29, 2010. URL http://www.usatoday.com/money/industries/health/2010-06-29-wellpoint-data-breach_N.htm.Google Scholar
- A. Myers. JFlow: practical mostly-static information flow control. In POPL 1999, San Antonio, TX, Jan. 1999. ACM. Google ScholarDigital Library
- A. Myers and B. Liskov. A decentralized model for information flow control. In Proc. SOSP, Saint-Malo, France, 1997. ACM. Google ScholarDigital Library
- PostgreSQL Global Development Group. PostgreSQL 9.1 Documentation, Sept. 2011. http://www.postgresql.org/docs/9.1/static/.Google Scholar
- J. Saltzer and M. Schroeder. The protection of information in computer systems. In Proc SOSP, Yorktown Heights, NY, Oct. 1973.Google Scholar
- R. Sandhu and S. Jajodia. Polyinstantation for cover stories. In Proc. ESORICS. Springer, 1992. Google ScholarDigital Library
- D. Schultz. Decentralized Information Flow Control for Databases. Ph.D., MIT, Cambridge, MA, Aug. 2012.Google Scholar
- N. Schwartz and E. Dash. Thieves found Citigroup site an easy entry. The New York Times, June 13, 2011. URL https://www.nytimes.com/2011/06/14/technology/14security.html.Google Scholar
- K. Smith and M. Winslett. Entity modeling in the MLS relational model. In Proc. VLDB, San Francisco, CA, 1992. Morgan Kaufmann. Google ScholarDigital Library
- L. Sweeney. k-anonymity: A model for protecting privacy. Int. J. Uncertain. Fuzziness Knowl.-Based Syst., 10, Oct. 2002. Google ScholarDigital Library
- Sybase, Inc. Final Evaluation Report: SQL Server Version 11.0.6 and Secure SQL Server Version 11.0.6, chapter 5: Security Architecture. National Computer Security Center, Ft. Meade, MD, Mar. 1997.Google Scholar
- TPC Benchmark W (Web Commerce) Specification. Transaction Processing Performance Council, San Jose, CA, 1.8 edition, February 2000.Google Scholar
- TPC Benchmark C Specification. Transaction Processing Performance Council, San Jose, CA, 5.11 edition, February 2010.Google Scholar
- N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières. Making information flow explicit in HiStar. In Proc. OSDI, Berkeley, CA, 2006. USENIX. Google ScholarDigital Library
Index Terms
- IFDB: decentralized information flow control for databases
Recommendations
Information flow control for standard OS abstractions
SOSP '07Decentralized Information Flow Control (DIFC) is an approach to security that allows application writers to control how data flows between the pieces of an application and the outside world. As applied to privacy, DIFC allows untrusted software to ...
DIFC programs by automatic instrumentation
CCS '10: Proceedings of the 17th ACM conference on Computer and communications securityDecentralized information flow control (DIFC) operating systems provide applications with mechanisms for enforcing information flow policies for their data. However, significant obstacles keep such operating systems from achieving widespread adoption. ...
Realizing Information Flow Control in ABAC Mining
Cyberspace Safety and SecurityAbstractAttribute-Based Access Control (ABAC) is an emerging access control model. It is increasingly gaining popularity, mainly because of its flexible and fine-grained access control. As a result, many Role-Based Access Control (RBAC) systems are ...
Comments