Erik Jonsson School of Engineering and Computer Science Distinguished Lecture Series 2017-2018 Secure Data Management: Foundations, Systems and Applications My Journey 1985-Present Dr. Bhavani Thuraisingham The University of Texas at Dallas April 27, 2018
How Did I Get Here?* I am of Sri-Lankan Tamil Origin; Married at 20 in 1975 while finishing my B.Sc. in Mathematics and Physics at the University of Ceylon. My husband, also of Tamil origin, was finishing his PhD at the University of Cambridge, England. Moved to the University of Bristol, England soon after for my graduate education and then moved to the US in 1980 for better opportunities. Was offered tenure track Assistant Professor position at New Mexico Tech, but declined as my son was a baby, so took visiting faculty positions in Socorro, NM and later Minneapolis, MN for 3 years and then joined Control Data Corp. as a Senior Software Developer in Computer Networks and Distributed Systems. My lucky break came in 1985 Fall when I received my US Citizenship, Honeywell won the USAF contract to design a high assurance secure database, and Honeywell interviewed me and wanted to hire me; all three had to come together. Have been working in Cyber Security and Data Science at Honeywell, MITRE, NSF and UT Dallas for 32+ years. * https://www.youtube.com/watch?v=xfBie2oVzkA 2
Summary of My Research in Secure Data: 1985 - Present 3
Multilevel Secure Data Management: Lock Data Views (LDV)* - (Air Force AFRL) LOCK operating system type enforcement mechanism encapsulates applications such as database management systems (DBMS) in a protected subsystem as objects of special types are only accessible to subjects executing in the DBMS domain. Restrict the subjects which are allowed to execute in this domain; it is this approach that makes LDV a unique design. The underlying LOCK security mechanisms are available within the DBMS domain and we extend the underlying security policy to meet database requirements. The LOCK type enforcement mechanism supports assured pipelines for passing data securely between the DBMS and user domains. Proved that the pipelines are both unbypassable and tamper-proof. Developed a multilevel data model, relational database theory, security architecture and formal security model. Technology transferred to every secure commercial database system product from Oracle, Sybase, Informix, and Ingres in the early 1990s. * Bhavani M. Thuraisingham: Security checking in relational database management systems augmented with inference engines. Computers & Security 6(6): 479-492 (1987) (Landmark paper that spawned research on the inference problem) Paul D. Stachour, Bhavani M. Thuraisingham: Design of LDV: A Multilevel Secure Relational Database Management System. IEEE T rans. Knowl. Data Eng. 2(2): 190-209 (1990) 4
Multilevel Secure Data Management: LDV Assured Pipelines* Update Pipeline Response Pipeline Metadata Pipeline * This research had a significant impact on the National Computer Security Center’s Purple Book in 1991 – Evaluation Criteria for Secure Database Systems 5
Inference Problem: Security Architecture* (Army-CECOM) • Problem if posing multiple queries and deducing unauthorized information User Interface Manager • Query rewriting according to the policies • Release database is examined as to what has been released Security Policy • Query is processed and response assembled Database Design Tool • Release database is examined to determine whether Policies Manager the response should be released Policies during • Portions of the query processor are trusted database design Update operation Query Processor: Processor: • Certain policies are examined during update operation Policies during Policies during • Example: Content-based policies query and release update • The security level of the data is computed operations operation • Data is entered at the appropriate level • Certain parts of the Update Processor are trusted MLS • Certain policies are examined during the database MLS/DBMS design time Database • Example: simple, association and logical policies • Schema are assigned security levels * Bhavani M. Thuraisingham, William R. Ford, Marie Collins, J. O'Keeffe: • Database is partitioned accordingly Design and Implementation of a Database Inference Controller. Data Knowl. Eng. 11(3): 271-297 (1993) • Technology patented and implemented in Army’s Bhavani M. Thuraisingham, William R. Ford: Security Constraints in a Multilevel Maneuver Control System in a distributed environment Secure Distributed Database Management System. IEEE Trans. Knowl. Data Eng. connecting systems in MA, VA, and NJ. 7(2): 274-293 (1995) 6
Inference/Privacy Problem: Complexity* (Navy SPAWAR) Dr. John Campbell of the NSA stated that the Unsolvability Proof of the Inference Problem was a significant result in database security in 1990 (Proceedings National Computer Security Conference, 1990) Some of the work has been adapted for data privacy • Given a recursively enumerable degree, can you find an instance of the privacy problem that is • one-one equivalent? YES To what extent is the privacy problem unsolvable? • Challenges posed by Thuraisingham in the 1990s Can we measure security and privacy? • Question answered in 2002 by Prof. Latanya Sweeney with respect to Data Privacy with her • formulation of K-Anonymity (followed by L-Diversity and Differential Privacy) What is the computational complexity of the inference and privacy problems? • Some initial directions provided by Thuraisingham, recent work by Harvard Data Privacy Group - * Bhavani Thuraisingham, Recursion Theoretic Properties of the Inference Problem, IEEE Computer Security Foundations Franconia, NH, June 1990 (also available as MTP Technical Report, MTP 291) Bhavani Thuraisingham. On the Complexity of the Privacy Problem in Databases, Data Mining: Theory and Practice, Springer, Editors: TY Lin et al, 2005. First work to integrate computability theory with secure data 7
Inference/Privacy Problem: Complexity Multilevel Database : A multilevel deductive database is a quadruple <B, F, C, A> where B is a database, F is a privacy function, C is a recursive set of privacy policies and A is an algorithm (i.e. an effective procedure) which assigns privacy levels to the data based on C. (Note that since C is recursive, one can effectively decide whether a privacy constraint belongs to C.) Privacy problem : The privacy problem with respect to privacy level L is the set of all quadruples <B, F, C, A> such that there is some x belongs to Cn F(B) and the privacy level of x dominates L. Note that we assume that the set of privacy levels form a lattice. Formally stated the privacy problem at level L is the set: PP [L] = {<B, F, C, A> | Level (B) ≤ L and x (x Cn F(B) and Level(x) > L)} where is the “there exists” symbol . Theorem I (i) For each privacy level L, PP [L] is recursively enumerable (ii) For each privacy level L, PP [L] is either recursive or nonsimple (iii) If all privacy functions which model the rules in deductive databases are deterministic, then for each privacy level L, PP [L] is either recursive or a cylinder (iv) If the privacy level L1 dominates the privacy level L2, then PP [L1] PP [L2]where is the subset function Theorem 2 (i) There is a situation where PP [Public] is not recursive. (ii) Assuming that the privacy functions are deterministic, there is a situation where PP [Public] is not creative. (iii) There is a situation where PP [Public] is neither recursive nor a cylinder. 8
Inference/Privacy Problem: Complexity We first show that given a recursively enumerable set W, there is a situation S such that W m Graphical Representation of the Privacy Function f PP [Public]. Note that m is the many-one equivalence relationship . The result is then immediate from the following reasoning. * It has been shown that there is set K which is creative. K is the set {x: the xth partial recursive function halts on input x} (u,v+2) (u,v+2) (0,u+v+2) (0,u+v+2) * The situation S that is constructed from the recursively enumerable set K will guarantee that PP [Public] is creative. This is because if the two sets A and B are many one equivalent and A is (u,v+1) (u,v+1) (0,u+v+1) (0,u+v+1) creative, then so is B. Therefore, if PP [Public] is creative then it cannot be recursive. (u,v) (u,v) (0,u+v) (0,u+v) T(e,u,v) T(e,u,v) Given a recursively enumerable set W, we create a situation S by defining a set of privacy constraints and a privacy function. Let the set of privacy constraints be {(0,0)}. That is, the only element that is assigned the private level is the pair (0,0). We consider pairs of natural numbers. This does not cause any problem due to the existence of the pairing function from NxN onto N where N is the set of all natural numbers. The set of privacy constraints is recursive (note that in this case it is also finite) and does not depend on W. We define a privacy function, which depends on W as follows. We assume that e is the index of W. The (0,2) (0,2) (u,2) (u,2) privacy function f for a pair (u,v) is defined as follows: (0,1) (0,1) {(u, v+1)} if u 0 AND NOT T(e, u, v) (u,1) (u,1) {(0, u+v) if u 0 AND T(e, u, v) f(u,v) = {(u, v-1) if u = 0 AND v 0 (u,0) (u,0) (0,0) (0,0) (the empty set) if u = 0 AND v = 0 Note that T is the Kleene’s T Predicate PP [Public] = {(u,v): there is a path via f from (u,v) to (0,0)} We have shown that We m PP[Public] where We is the eth recursively enumerable set. Note that m is many-one equivalence. 9
Recommend
More recommend
