School of Computing

Department of Computer Science

CS5322:   Database Security  

 




Text, Reference Books, Materials, and Sites


 

Database Security

1.            Overview

·         Elisa Bertino, Ravi S. Sandhu: Database Security-Concepts, Approaches, and Challenges. IEEE Trans. Dependable Sec. Comput. 2(1): 2-19 (2005)

2.            Access Control

·         Discretionary Access Control

a.       Patricia P. Griffiths and Bradford W. Wade. An Authorization Mechanism for a Relational Database System.  ACM Trans. Database Syst. 1, 3 (Sep. 1976), Pages 242 - 255.

b.      R. Fagin. On an Authorization Mechanism. ACM Trans. Database Syst. 3, 3 (Sep. 1978), Pages 310-319.

·         Mandatory Access Control

a.       S. Jajodia, R. S. Sandhu. Toward a Multilevel Secure Relational Data Model.  Proc 1991 ACM Int'l. Conf. on Management of Data (SIGMOD), 50-59.

b.      S. Jajodia, R. S. Sandhu, and B. T. Blaustein. Solutions to the Polyinstantiation Problem. Information Security: An Integrated Collection of Essays, IEEE Computer Society Press, 1995.

c.       (Additional reading) Bell, David Elliott. Looking Back at the Bell-LaPadula Model. Proceedings of the 21st Annual Computer Security Applications Conference. Tucson, Arizona, USA. pp. 337–351. December 2005.

·         Role-based Access Control

a.       R.S. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman. Role-Based Access Control Models. IEEE Computer, 29(2):38--47, February 1996.

b.      S. Osborn, R. Sandhu and Q. Munawer. Configuring Role-Based Access Control to Enforce Mandatory and Discretionary Access Control Policies. ACM Trans. Information and Systems Security. 3, 2 (May 2000), Pages 85-106.

c.       (Additional reading) ANSI Standard on Role-Based Access Control

d.      (Additional reading) N. Li, J. Byun, and E. Bertino: A Critique of the ANSI Standard on Role Based Access Control, IEEE Security & Privacy. 

e.       (Additional reading) N. Li, Z. Bizri, and M.V. Tripunitara: On Mutually-Exclusive Roles and Separation of Duty. Conference version appeared in CCS'2004.

3.            Virtual Private Databases

·         Oracle Virtual Private Database (White Paper)

4.            Oracle Label Security

·         White Paper (Oracle 10g)

5.            Database-as-a-Service Model

·         Encryption Methods

a.       H. Hacigumus, B. R. Iyer, C. Li, S. Mehrotra: Executing SQL over encrypted data in the database-service-provider model. 2002 International Conference on Management of Data (SIGMOD'2002), 216-227

b.      H. Hacigumus, B. R. Iyer, C. Li, S. Mehrotra: Efficient Execution of Aggregation Queries over Encrypted Relational Databases. DASFAA04, 125-136

c.       L. Bouganim, Y. Guo: Database Encryption. Encyclopedia of Cryptography and Security (2nd Ed.) 2011: 307-312

d.      Transparent Data Encryption

1.      Oracle TDE (White Paper)

·         Query authentication (Answer Assurance)

a.       P. T. Devanbu, M. Gertz, C. U. Martel, S. G. Stubblebine: Authentic Data Publication Over the Internet. Journal of Computer Security 11(3): 291-314 (2003)

b.      H.H. Pang, A. Jain, K. Ramamritham, K.L. Tan: Verifying Completeness of Relational Query Results in Data Publishing. 2005 International Conference on Management of Data (SIGMOD'2005), Baltimore, Maryland, June 2005, pp. 407-418.

c.       (Additional reading) W. Cheng, H. Pang, K.L. Tan: Authenticating Multi-Dimensional Query Results in Data Publishing. Proceedings of the 20th Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec'2006), pp. 60-73,  2006.

d.      (Additional reading) H. Pang, K.L. Tan: Authenticating Query Results in Edge Computing. Proceedings of the 20th International Conference on Data Engineering, Boston, MA, March/April 2004, pp. 560-571.

6.            Data Privacy

·         k-anonymity

a.       L. Sweeney: k-anonymity: a model for protecting privacy. Int. Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10 (5):557-570, 2002.

b.      L. Sweeney: Achieving k-anonymity privacy protection using generalization and suppression. Int. Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10 (5):571-588, 2002.

c.       K. LeFevre, D.J. DeWitt, R. Ramakrishnan. Mondrian Multidimensional K-Anonymity. In Proc. of ICDE, 2006.

d.      (Additional Reading) K. LeFevre, D.J. DeWitt, R. Ramakrishnan: Incognito: Efficient Full-Domain K-Anonymity. In Proc. of SIGMOD, 49-60, 2005.

·         l-diversity

a.       X. Xiao, Y. Tao: Anatomy: Simple and Effective Privacy Preservation. In Proc. of VLDB, 139-150, 2006.

b.      (Additional Reading) A. Machanavajjhala, J. Gehrke, D. Kifer, M. Venkitasubramaniam: l-Diversity: Privacy Beyond k-Anonymity. In Proc. of ICDE, 2006.

·         t-closeness

a.       (Additional Reading) N. Li, T. Li, S. Venkatasubramanian: t-Closeness: Privacy Beyond k-Anonymity and l-Diversity. ICDE 2007: 106-115.

·         Differential privacy

a.       C. Dwork: Differential Privacy. ICALP 2006: 1-12.

7.            Privacy in Location Based Services

·         M. Mokbel, C-Y. Chow, W.G. Aref: The New Casper: Query Processing for Location Services without Compromising Privacy. In Proc of VLDB 2006.

·         Man Lung Yiu, Christian S. Jensen, Xuegang Huang, Hua Lu: SpaceTwist: Managing the Trade-Offs Among Location Privacy, Query Performance, and Query Accuracy in Mobile Services. In Proc of ICDE 2008.

·         G. Ghinita, P. Kalnis, A. Khoshgozaran, C. Shahabi, K.L. Tan: Private Queries in Location Based Services: Anonymizers are not Necessary. 2008 International Conference on Management of Data (SIGMOD'2008), Vancouver, Canada, June 2008, pp. 121-132.

8.            Secure Indexing, Search and Deletion in Compliance Storage

·         Q. Zhu, W. W. Hsu: Fossilized Index: The Linchpin of Trustworthy Non-Alterable Electronic Records. SIGMOD’2006,  395-406, 2006.

·         S. Mitra, W. W. Hsu, M. Winslett: Trustworthy Keyword Search for Regulatory-Compliant Record Retention. VLDB’2006, 1001-1012, 2006.

·         S. Mitra, M. Winslett: Secure Deletion from Inverted Indexes on Compliance Storage. Proceedings of the 2006 ACM Workshop On Storage Security And Survivability, StorageSS 2006, Alexandria, VA, USA, October 30, 2006, pp. 67-72.

·         (Additional Reading) S. Mitra, N. Borisov, M. Winslett: Deleting index entries from compliance storage. EDBT’2008, 109-120.

9.            Insider Threat (Anomaly detection and response)

·         A. Kamra, E. Terzi, E. Bertino: Detecting anomalous access patterns in relational databases. VLDB J. 17(5): 1063-1077 (2008)

·         A. Kamra, E. Bertino: Design and Implementation of an Intrusion Response System for Relational Databases. IEEE TKDE 23(6): 875-888 (June 2011)

·         A. Kamra, E. Bertino: Privilege States Based Access Control for Fine-Grained Intrusion Response. RAID 2010: 402-421

·         (Additional Reading) S. Mathew, M. Petropoulos, H.Q. Ngo, S. Upadhyaya: A Data-Centric Approach to Insider Attack Detection in Database Systems. RAID 2010: 382-401.

10.        Steganographic File Systems

·         H. Pang, K.L. Tan, X. Zhou: Steganographic Schemes for File System and B-Tree. IEEE Trans. Knowl. Data Eng. 16(6): 701-713 (2004)

·         X. Zhou, H. Pang, K.L. Tan: Hiding Data Accesses in Steganographic File System. ICDE 2004: 572-583

11.        Query Auditing

·         Krishnaram Kenthapadi, Nina Mishra, Kobbi Nissim: Simulatable auditing. PODS 2005: 118-127

·         Shubha U. Nabar, Bhaskara Marthi, Krishnaram Kenthapadi, Nina Mishra, Rajeev Motwani: Towards Robustness in Query Auditing. VLDB 2006: 151-162

·         Rajeev Motwani, Shubha U. Nabar, Dilys Thomas: Auditing SQL Queries. ICDE 2008: 287-296

·         (Additional Reading) Shubha U. Nabar, Krishnaram Kenthapadi, Nina Mishra, Rajeev Motwani: A Survey of Query Auditing Techniques for Data Privacy. Privacy-Preserving Data Mining 2008: 415-431

·         Rajeev Motwani, Shubha U. Nabar, Dilys Thomas: Auditing a Batch of SQL Queries. ICDE Workshops 2007: 186-191

12.        SQL Injection Attack

·         Oracle SQL injection attack tutorial

 

 

 

Information Security

 

1.            Information Security on Wikipedia

2.            Cryptography

·         Cryptography on Wikipedia

·         Stallings, W. Cryptography and Network Security, Fourth Edition. Upper Saddle River, NJ: Prentice Hall 2006.

a.       Student and Instructor Resource Site

·         NIST Computer Security Resource Center: Cryptographic Toolkit

3.            Entity Authentication

·         R. Morris and K. Thompson: Password Security: A Case History

·         Password Salt

·         One-time password

·         NIST FIPS 112 PASSWORD USAGE (and guidelines)

·         NIST FIPS PUB 113 COMPUTER DATA AUTHENTICATION

·         NIST FIPS 196 Entity Authentication Using Public Key Cryptography

·         RFC 3290 Internet X.508 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

4.            Integrity Protection

·         Biba Model

·         Clark-Wilson Model

·         Chinese Wall Model

5.            Design Principles for Security

a.       J. H. Saltzer and M. D. Schroeder: The Protection of Information in Computer Systems. (Also appeared in 4th ACM Symposium on Operating System Principles, October 1973; and Communications of the ACM, 17:7, July 1974).

b.      S. Barnum and M. Gegick: Economy of Mechanism. 2005.

 

 

Textbooks (References)

 

Security

·         Charles P. Pfleeger and Shari L. Pfleeger: Security in Computing, 4th Edition, Prentice Hall, 2006.

·         William Stallings:  Cryptography and Network Security, 4th Edition, Prentice Hall, 2006.

·         David C. Knox: Effective Oracle Database 10g Security by Design, McGraw-Hill, 2004.

 

Databases

·         Raghu Ramakrishnan and Johannes Gehrke: Database Management Systems 3rd Edition, McGraw-Hill, 2002.

·         Hector Garcia-Molina, Jeffrey D. Ullman, and Jennifer Widom: Database Systems -- The Complete Book. Prentice Hall, 2001.

·         A. Silberschatz, H. Korth, S. Sudarshan: Database System Concepts, 4th Edition 2002