Inference-usability confinement by maintaining inference-proof views of an information system

International Journal of Computational Science and Engineering

Volumn 7, Issue 1, 2012, Pages 17-37

  Biskup, Joachim ^a  

^a TU DORTMUND UNIVERSITY   (Germany)

Author keywords

Combined approach; Confidentiality policy; Control mechanism; Indistinguishability property; Inference proof view; Inference usability confinement; Information system; Interaction history; Lying approach; Refusal approach

Indexed keywords

ACCESS CONTROL; INFORMATION SYSTEMS; INFORMATION USE;

COMBINED APPROACH; CONTROL MECHANISM; INDISTINGUISHABILITY; INFERENCE-PROOF VIEW; INTERACTION HISTORY; LYING APPROACH; REFUSAL APPROACH;

USABILITY ENGINEERING;

EID: 84859376513     PISSN: 17427185     EISSN: 17427193     Source Type: Journal    
DOI: 10.1504/IJCSE.2012.046178     Document Type: Article

References (55)

1. Bertino, E., Ferrari, E. and Atluri, V. (1999) 'The specification and enforcement of authorization constraints in work flow management systems', ACM Trans. Inf. Syst. Secur., Vol. 2, No. 1, pp.65-104.
2. Bettini, C., Jajodia, S., Wang, X.S. and Wijesekera, D. (2002) 'Provisions and obligations in policy management and security applications', in Very Large Data Bases, VLDB, pp.502-513, Morgan Kaufmann.
3. Biskup, J. (2000) 'For unknown secrecies refusal is better than lying', Data Knowl. Eng., Vol. 33, No. 1, pp.1-23. (Pubitemid 30568314)
4. Biskup, J. (2009) Security in Computing Systems-Challenges, Approaches and Solutions, Springer, Berlin/Heidelberg.
5. Biskup, J. (2010) 'Usability confinement of server reactions: maintaining inference-proof client views by controlled interaction executions', in 6th International Workshop Databases in Networked Information Systems, DNIS, Vol. 5999 of Lecture Notes in Computer Science, pp.80-106, Springer.
6. Biskup, J. (2011) 'History-dependent inference control of queries by dynamic policy adaption', in 25th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, DBSec, Vol. 6818 of Lecture Notes in Computer Science, pp.108-123, IFIP/Springer.
7. Biskup, J. and Bonatti, P.A. (2001) 'Lying versus refusal for known potential secrets', Data Knowl. Eng., Vol. 38, No. 2, pp.199-222. (Pubitemid 32698732)
8. Biskup, J. and Bonatti, P.A. (2004a) 'Controlled query evaluation for enforcing confidentiality in complete information systems', Int. J. Inf. Sec., Vol. 3, No. 1, pp.14-27.
9. Biskup, J. and Bonatti, P.A. (2004b) 'Controlled query evaluation for known policies by combining lying and refusal', Ann. Math. Artif. Intell., Vol. 40, Nos. 1-2, pp.37-62. (Pubitemid 38103547)
10. Biskup, J. and Bonatti, P.A. (2007) 'Controlled query evaluation with open queries for a decidable relational submodel', Ann. Math. Artif. Intell., Vol. 50, Nos. 1-2, pp.39-77.
11. Biskup, J., Burgard, D.M., Weibert, T. and Wiese, L. (2007) 'Inference control in logic databases as a constraint satisfaction problem', in Third International Conference on Information Systems Security, ICISS, Vol. 4812 of Lecture Notes in Computer Science, pp.128-142, Springer.
12. Biskup, J., Embley, D.W. and Lochner, J-H. (2008) 'Reducing inference control to access control for normalized database schemas', Inf. Process. Lett., Vol. 106, No. 1, pp.8-12. (Pubitemid 351199847)
13. Biskup, J., Gogolin, C., Seiler, J. and Weibert, T. (2009a) 'Requirements and protocols for inference-proof interactions in information systems', in 14th European Symposium on Research in Computer Security, ESORICS, Vol. 5789 of Lecture Notes in Computer Science, pp.285-302, Springer.
14. Biskup, J., Lochner, J-H. and Sonntag, S. (2009b) 'Optimization of the controlled evaluation of closed relational queries', in Advances in Information and Communication Technology-Emerging Challenges for Security, Privacy and Trust, IFIP, Vol. 297 of IFIP Series, pp.214-225, Springer.
15. Biskup, J., Seiler, J. and Weibert, T. (2009c) 'Controlled query evaluation and inference-free view updates', in Data and Applications Security XXIII, DBSec, Vol. 5645 of Lecture Notes in Computer Science, pp.1-16, Springer.
16. Biskup, J., Hartmann, S., Link, S. and Lochner, J-H. (2010a) 'Chasing after secrets in relational databases', in 4th Alberto Mendelzon International Workshop on Foundations of Data Management, AMW, Vol. 619 of CEUR Workshop Proceedings, pp.13.1-13.12.
17. Biskup, J., Hartmann, S., Link, S. and Lochner, J-H. (2010b) 'Efficient inference control for open relational queries', in 24th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy, DBSec, Vol. 6166 of Lecture Notes in Computer Science, pp.162-176, IFIP/Springer.
18. Biskup, J. and Lochner, J-H. (2007) 'Enforcing confidentiality in relational databases by reducing inference control to access control', in 10th International Conference on Information Security, ISC, Vol. 4779 of Lecture Notes in Computer Science, pp.407-422, Springer.
19. Biskup, J., Gogolin, C., Seiler, J. and Weibert, T. (2011a) 'Inference-proof view update transactions with forwarded refreshments', Journal of Computer Security, Vol. 19, pp.487-529.
20. Biskup, J., Preuss, M. and Wiese, L. (2011b) 'On the inferenceproofness of database fragmentation satisfying confidentiality constraints', in Lai, X., Zhou, J. and Li, H. (Eds.): Information Security, ISC 2011, Vol. 7001 of Lecture Notes in Computer Science, pp.246-261, Springer.
21. Biskup, J. and Tadros, C. (2010) 'Policy-based secrecy in the Runs & Systems Framework and controlled query evaluation', in 5th International Workshop on Security (short papers), IWSEC, pp.60-77, Information Processing Society of Japan.
22. Biskup, J. and Tadros, C. (2011) 'Inference-proof view update transactions with minimal refusals', in Garcia-Alfaro, J. and Navarro-Arribas, G., Cuppens-Boulahia, N. and De Capitani di Vimercati, S. (Eds.): DPM 2011/SETOP 2011, to appear, Vol. 7122 of Lecture Notes in Computer Science, Springer.
23. Biskup, J., Tadros, C. and Wiese, L. (2010) 'Towards controlled query evaluation for incomplete first-order databases', in Sixth International Symposium on Foundations of Information and Knowledge Systems, FOIKS, Vol. 5956 of Lecture Notes in Computer Science, pp.230-247, Springer.
24. Biskup, J. and Weibert, T. (2007) 'Confidentiality policies for controlled query evaluation', in Data and Applications Security XXI, DBSec, Vol. 4602 of Lecture Notes in Computer Science, pp.1-13, Springer.
25. Biskup, J. and Weibert, T. (2008) 'Keeping secrets in incomplete databases', Int. J. Inf. Sec., Vol. 7, No. 3, pp.199-217. (Pubitemid 351722211)
26. Biskup, J. and Wiese, L. (2008) 'Preprocessing for controlled query evaluation with availability policy', Journal of Computer Security, Vol. 16, No. 4, pp.477-494.
27. Biskup, J. and Wiese, L. (2009) 'Combining consistency and confidentiality requirements in first-order databases', in 12th International Conference on Information Security, ISC, Vol. 5735 of Lecture Notes in Computer Science, pp.121-134, Springer.
28. Biskup, J. and Wiese, L. (2011) 'A sound and complete model-generation procedure for consistent and confidentiality-preserving databases', Theoretical Computer Science, Vol. 412, pp.4044-4072.
29. Bonatti, P.A., Kraus, S. and Subrahmanian, V.S. (1995) 'Foundations of secure deductive databases', IEEE Trans. Knowl. Data Eng., Vol. 7, No. 3, pp.406-422.
30. Brodsky, A., Farkas, C. and Jajodia, S. (2000) 'Secure databases: constraints, inference channels, and monitoring disclosures', IEEE Trans. Knowl. Data Eng., Vol. 12, No. 6, pp.900-919. (Pubitemid 32130742)
31. Cuppens, F. and Gabillon, A. (2001) 'Cover story management', Data Knowl. Eng., Vol. 37, No. 2, pp.177-201. (Pubitemid 32287853)
32. Dawson, S., De Capitani di Vimercati, S. and Samarati, P. (1999) 'Specification and enforcement of classification and inference constraints', in IEEE Symposium on Security and Privacy, pp.181-195, IEEE.
33. De Capitani di Vimercati, S., Samarati, P. and Jajodia, S. (2005) 'Policies, models, and languages for access control', in Databases in Networked Information Systems, DNIS, Vol. 3433 of Lecture Notes in Computer Science, pp.225-237, Springer. (Pubitemid 41273881)
34. Du, W. and Atallah, M.J. (2001) 'Secure multi-party computation problems and their applications: a review and open problems', in New Security Paradigms Workshop, NSPW, pp.13-22, ACM.
35. Evfimievski, A.V., Fagin, R. and Woodruff, D.P. (2008) 'Epistemic privacy', in Principles of Database Systems, PODS, pp.171-180, ACM.
36. Farkas, C. and Jajodia, S. (2002) 'The inference problem: a survey', SIGKDD Explorations, Vol. 4, No. 2, pp.6-11.
37. Goldreich, O. (2004) Foundations of Cryptography II-Basic Applications, Cambridge University Press, Cambridge, UK.
38. Gollmann, D. (2006) Computer Security, 2nd ed., John Wiley and Sons, Chichester, UK.
39. Halpern, J.Y. and O'Neill, K.R. (2008) 'Secrecy in multiagent systems', ACM Trans. Inf. Syst. Secur., Vol. 12, No. 1, pp.5.1-5.47.
40. Ishihara, Y., Morita, T., Seki, H. and Ito, M. (2007) 'An equational logic based approach to the security problem against inference attacks on object-oriented databases', J. Comput. Syst. Sci., Vol. 73, No. 5, pp.788-817. (Pubitemid 46627661)
41. Lindgreen, E.R. and Herschberg, I.S. (1994) 'On the validity of the Bell-La Padula model', Computers & Security, Vol. 13, No. 4, pp.317-333.
42. Lorentz, D. et al. (2010) Oracle Database SQL Language Reference, 11g Release 1 (11.1), B28286-06, Oracle Corporation, available at http://download.oracle.com/docs/cd/B28359-01/server.111/b 28286/toc.htm (accessed on 19 December 2011).
43. Machanavajjhala, A., Kifer, D., Gehrke, J. and Venkitasubramaniam, M. (2007) 'l-diversity: privacy beyond k-anonymity', TKDD, Vol. 1, No. 1, Article 3.1-3.52.
44. McCune, W. (2005-2010) Prover9 and Mace4, University of New Mexico, available at http://www.cs.unm.edu/-mccune/prover9/(accessed on 19 December 2011).
45. Miklau, G. and Suciu, D. (2007) 'A formal analysis of information disclosure in data exchange', J. Comput. Syst. Sci., Vol. 73, No. 3, pp.507-534. (Pubitemid 46027076)
46. Pretschner, A., Hilty, M. and Basin, D.A. (2006) 'Distributed usage control', Commun. ACM, Vol. 49, No. 9, pp.39-44. (Pubitemid 44371759)
47. Pretschner, A., Hilty, M., Basin, D.A., Schaefer, C. and Walter, T. (2008) 'Mechanisms for usage control', in Information, Computer and Communications Security, ASIACCS, pp.240-244, ACM.
48. Sicherman, G.L., de Jonge, W. and van de Riet, R.P. (1983) 'Answering queries without revealing secrets', ACM Trans. Database Syst., Vol. 8, No. 1, pp.41-59. (Pubitemid 13503447)
49. Stonebraker, M. and Wong, E. (1974) 'Access control in a relational data base management system by query modification', in ACM/CSC-ER Annual Conference, pp.180-186, ACM.
50. Stouppa, P. and Studer, T. (2009) 'Data privacy for knowledge bases', in International Symposium on Logical Foundations of Computer Science, LFCS, Vol. 5407 of Lecture Notes in Computer Science, pp.409-421, Springer.
51. Tadros, C. and Wiese, L. (2010) 'Using SAT-solvers to compute inference-proof database instances', in DPM/SETOP 09, Vol. 5939 of Lecture Notes in Computer Science, pp.65-77, Springer.
52. Weibert, T. (2008) 'A framework for inference control in incomplete logic databases', PhD thesis, Technische Universität Dortmund, available at http://hdl.handle.net/2003/25116 (accessed on 19 December 2011).
53. Wiesȩ L. (2009) 'Preprocessing for controlled query evaluation in complete first-order databases', PhD thesis, Technische Universität Dortmund, available at http://hdl.handle.net/2003/26383 (accessed on 19 December 2011).
54. Winslett, M., Smith, K. and Qian, X. (1994) 'Formal query languages for secure relational databases', ACM Trans. Database Syst., Vol. 19, No. 4, pp.626-662.
55. Zhang, Z. and Mendelzon, A.O. (2005) 'Authorization views and conditional query containment', in 10th International Conference on Database Theory, ICDT, Vol. 3363 of Lecture Notes in Computer Science, pp.259-273, Springer.