Securing History: Privacy and Accountability in Database Systems - - PowerPoint PPT Presentation

securing history privacy and accountability in database
SMART_READER_LITE
LIVE PREVIEW

Securing History: Privacy and Accountability in Database Systems - - PowerPoint PPT Presentation

Mar 17, 2024 478 likes •782 views

Securing History: Privacy and Accountability in Database Systems Gerome Miklau (Joint work with Brian Levine & Patrick Stahlberg) University of Massachusetts, Amherst History a record of past data and operations performed on a system.

slide-1
SLIDE 1

Securing History: Privacy and Accountability in Database Systems

Gerome Miklau

(Joint work with Brian Levine & Patrick Stahlberg)

University of Massachusetts, Amherst

slide-2
SLIDE 2

Gerome Miklau UMass Amherst

History

a record of past data and operations performed on a system.

slide-3
SLIDE 3

Gerome Miklau UMass Amherst

History

  • Arguments for preserving history
  • Protection against loss
  • History is useful: accountability
  • Storage is cheap

a record of past data and operations performed on a system.

slide-4
SLIDE 4

Gerome Miklau UMass Amherst

History

  • Arguments for preserving history
  • Protection against loss
  • History is useful: accountability
  • Storage is cheap

a record of past data and operations performed on a system.

  • Arguments against preserving history
  • Threats to privacy and confidentiality
  • Deletion required for compliance with regulation
  • Increasingly, data destruction has real value!
slide-5
SLIDE 5

Gerome Miklau UMass Amherst

Vision: securing history

  • Balance privacy and accountability
  • Central issue: how and when historical data is retained in

systems, who can recover and analyze it.

  • For privacy
  • “memory-less” systems and applications
  • For accountability
  • preserve needed history efficiently, permit analysis, protect
slide-6
SLIDE 6

Gerome Miklau UMass Amherst

Plan for securing history in a DBMS

Forensic analysis of database systems

Step 1

Build transparency into database systems

Step 2

Build accountability into database systems

Step 3

slide-7
SLIDE 7

Gerome Miklau UMass Amherst

Securing history in a DBMS

Forensic analysis of database systems

Step 1

Build transparency into database systems

Step 2

Build accountability into database systems

Step 3

slide-8
SLIDE 8

Gerome Miklau UMass Amherst

Computer forensics

  • Analysis of system state to validate hypotheses about past

activities.

  • Threat model
  • Investigator has uncontrolled access to disk
  • Same capabilities as privileged insider or hacker
  • What does the disk image of DBMS reveal about history?
  • How much expired data is retained?
  • How long does it persist?
slide-9
SLIDE 9

Gerome Miklau UMass Amherst

Slack data

  • File system slack
  • Database slack

allocated file allocated file

slide-10
SLIDE 10

Gerome Miklau UMass Amherst

Slack data

  • File system slack
  • Database slack

allocated file allocated file expired data

slide-11
SLIDE 11

Gerome Miklau UMass Amherst

Slack data

  • File system slack
  • Database slack

allocated file allocated file expired data

slide-12
SLIDE 12

Gerome Miklau UMass Amherst

Slack data

  • File system slack
  • Database slack

allocated file allocated file expired data

slide-13
SLIDE 13

Gerome Miklau UMass Amherst

Forensic analysis of DBMS

slide-14
SLIDE 14

Gerome Miklau UMass Amherst

Forensic analysis of DBMS

  • Table storage
  • deletion is insecure (MySQL, Postgres, DB2, SQLite)
  • database and file system slack data generated in proportion to
  • workload, vacuum, clustering.
slide-15
SLIDE 15

Gerome Miklau UMass Amherst

Forensic analysis of DBMS

  • Table storage
  • deletion is insecure (MySQL, Postgres, DB2, SQLite)
  • database and file system slack data generated in proportion to
  • workload, vacuum, clustering.
  • Transaction log
  • no bounds on retention
slide-16
SLIDE 16

Gerome Miklau UMass Amherst

Forensic analysis of DBMS

  • Table storage
  • deletion is insecure (MySQL, Postgres, DB2, SQLite)
  • database and file system slack data generated in proportion to
  • workload, vacuum, clustering.
  • Transaction log
  • no bounds on retention
  • Temporary relations remain as file system slack.
slide-17
SLIDE 17

Gerome Miklau UMass Amherst

Forensic analysis of DBMS

  • Table storage
  • deletion is insecure (MySQL, Postgres, DB2, SQLite)
  • database and file system slack data generated in proportion to
  • workload, vacuum, clustering.
  • Transaction log
  • no bounds on retention
  • Temporary relations remain as file system slack.
  • Indexes may reveal history of operations.
slide-18
SLIDE 18

Gerome Miklau UMass Amherst

Securing history in a DBMS

Forensic analysis of database systems

Step 1

Build transparency into database systems

Step 2

Build accountability into database systems

Step 3

slide-19
SLIDE 19

Gerome Miklau UMass Amherst

Transparent systems

Complete deletion

  • Deleted data must be destroyed, including copies and derived

versions.

Purposeful retention

  • Data retained after deletion must have a legitimate purpose,

and data should be removed once that purpose is no longer valid.

Bounded lifetime

  • The system should provide users with clear, accurate bounds
  • n the persistence of data in the system.

Interfaces must reliably represent system internals.

slide-20
SLIDE 20

Gerome Miklau UMass Amherst

Secure deletion in DBMS

slide-21
SLIDE 21

Gerome Miklau UMass Amherst

Secure deletion in DBMS

  • Two basic strategies for secure deletion:
  • overwrite data with zeroes
  • store data in encrypted form, delete by disposing of keys.
slide-22
SLIDE 22

Gerome Miklau UMass Amherst

Secure deletion in DBMS

  • Two basic strategies for secure deletion:
  • overwrite data with zeroes
  • store data in encrypted form, delete by disposing of keys.
  • For table storage:
  • pages are read and written often
  • prefer secure deletion and vacuum using overwriting
slide-23
SLIDE 23

Gerome Miklau UMass Amherst

Secure deletion in DBMS

  • Two basic strategies for secure deletion:
  • overwrite data with zeroes
  • store data in encrypted form, delete by disposing of keys.
  • For table storage:
  • pages are read and written often
  • prefer secure deletion and vacuum using overwriting
  • For transaction log:
  • sequential writes, easily identifiable point of expiry
  • use encryption with key disposal
slide-24
SLIDE 24

Gerome Miklau UMass Amherst

Securing history in a DBMS

Forensic analysis of database systems

Step 1

Build transparency into database systems

Step 2

Build accountability into database systems

Step 3

slide-25
SLIDE 25

Gerome Miklau UMass Amherst

Accountability

  • Goals
  • Collection, Analysis, Protection
  • “Security provenance”
  • Existing capabilities
  • Logs and backups
  • Persistence in databases
  • Postgres, temporal DBs, transaction-time DBs

Who did what to the database, and when?

slide-26
SLIDE 26

Gerome Miklau UMass Amherst

Accountability challenges

  • Integrating and querying historical data
  • Accounting for “reads”
  • Protecting history
  • Access control model for persistent databases
  • Redaction and expunction operations
slide-27
SLIDE 27

Gerome Miklau UMass Amherst

Conclusion

  • History should be a “first-class” part of a DBMS
  • The safe, accurate configuration of the system’s historical

memory allows needed balance between privacy and accountability.

  • Transparency requirements:
  • Interface should faithfully represent stored contents.
  • Accountability techniques:
  • Collection, integration, protection
slide-28
SLIDE 28

Questions?

slide-29
SLIDE 29

Gerome Miklau UMass Amherst

Does encryption solve forensic threats?

  • Encrypted file system:
  • protects historical remnants -- does not destroy data.
  • performance penalty, key manangement
  • in some settings, users/stakeholders cannot choose whether

system provides encryption.

  • Overall,
  • Encryption has an important role to play, but must be used

judiciously.

  • Encryption for protection, destruction should be distinguished.