Secure Databases: Constraints, Inference Channels and Data Disclosure
Information security policies in databases aim to protect the confidentiality and the integrity of data, while ensuring data availability. Direct violations of data confidentiality in multilevel secure relational database management systems are prevented by mandatory access control mechanisms, such as those based on the Bell-LaPadula model. However, illegal data accesses via inference channels may occur even in the presence of a properly functioning mandatory access control mechanism. The detection and removal of inference channels are vital steps in providing secure database systems. This research investigates the problem of inference channels that occur when constraints are combined with non-sensitive data to obtain sensitive information. An integrated security mechanism, called Disclosure Monitor, is presented that guarantees data confidentiality by extending a standard mandatory access control mechanism with a Disclosure Inference Engine. The Disclosure Inference Engine generates all the information that can be disclosed by a user based on the user's past and present queries and the constraints. The Disclosure Inference Engine operates in two modes: (1) data-dependent mode, in which disclosure is established from the actual data items, and (2) data-independent mode, in which only the queries are used to generate the disclosed information. The disclosure inference algorithms developed for both modes are characterized by the properties of soundness (i.e., everything that is generated by the algorithm is disclosed) and completeness (i.e., everything that can be disclosed is generated by the algorithm).
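An added illustration of the data-independent mode, written for this page and not the thesis's own Disclosure Inference Engine: constraints are modelled as functional dependencies over attribute names, the Employee schema and its constraints are constructed here as assumptions, and the closure routine is the standard attribute-closure algorithm for functional dependencies (sound and complete for that constraint class). The monitor tracks what a user has already been told, so a query that is harmless on its own is denied once it completes an inference channel.

```python
from dataclasses import dataclass, field


@dataclass
class DisclosureMonitor:
    """Data-independent disclosure check over attribute names only.

    constraints: list of (lhs, rhs) pairs meaning "knowing every attribute in
                 lhs lets the user derive rhs" (functional dependencies).
    sensitive:   attributes the user's clearance does not permit.
    history:     attributes already released to this user (one monitor per user).
    """
    constraints: list
    sensitive: frozenset
    history: set = field(default_factory=set)

    def closure(self, attrs):
        """Everything derivable from attrs under the constraints (FD closure)."""
        known = set(attrs)
        changed = True
        while changed:
            changed = False
            for lhs, rhs in self.constraints:
                if lhs <= known and rhs not in known:
                    known.add(rhs)
                    changed = True
        return frozenset(known)

    def check(self, query_attrs):
        """Allow the query only if past answers plus this one disclose nothing sensitive."""
        disclosed = self.closure(self.history | set(query_attrs))
        leaked = disclosed & self.sensitive
        if leaked:
            return ("deny", leaked)          # inference channel would be completed
        self.history |= set(query_attrs)     # record what the user now knows
        return ("allow", disclosed)


# Constructed schema Employee(name, rank, dept, salary); salary is classified.
CONSTRAINTS = [
    (frozenset({"rank", "dept"}), "salary"),  # pay scale is fixed per rank and department
    (frozenset({"name"}), "dept"),            # each employee belongs to one department
]


def demo():
    m = DisclosureMonitor(CONSTRAINTS, frozenset({"salary"}))
    first = m.check({"name", "dept"})   # nothing sensitive derivable yet
    second = m.check({"rank"})          # rank alone is harmless, but with dept it yields salary
    return first[0], second[0]          # -> ("allow", "deny")


if __name__ == "__main__":
    print(demo())
```

The data-dependent mode would instead evaluate the constraints against the actual tuple values returned, so it can catch channels that depend on specific data rather than on the query shape alone.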