Technical Report Computer Science
A tradeoff analysis between data accessibility and inference control for row, column, and cell level security in relational databases
Azhar Rauf, D.CS. Lecturer of Computer Science University of Peshawar
[email protected] Carol Keene, Ph.D. Professor of Computer Science Colorado Technical University
[email protected] Bo I. Sandén, Ph.D. Professor of Computer Science Colorado Technical University
[email protected] Elaine Waybright, Ph.D. Professor of Computer Science Colorado Technical University
[email protected] Technical Report Number CTU-CS-2007-001
ABSTRACT There is a need to protect data in relational databases from unauthorized access at finer levels of granularity and thereby make as much data available to the user as possible. Current state-of-the-art security techniques offer elegant ways to protect data at the column, row and cell levels. But for some patterns of secret cells, these techniques mask innocent data along with the secret data thus reducing data accessibility of the database. This study compares the current security techniques in terms of data accessibility for typical patterns of secret cells. Another aspect of the current techniques is the possibility of inference based on data that appears to be absent in the database. This is a problem with cell-level security, because the absence of a value returned from a query indicates that a certain cell must contain secret data. This research studies the inference problem associated with these security techniques. A new technique is proposed that suppresses some innocent data in addition to the secret cells. This not only achieves better results in terms of data accessibility for typical patterns of secret cells than row or column level security but also controls data-suppression based inference to a reasonable degree. The research is a step towards building an add-on tool that measures data accessibility and security from making inferences. A database administrator will input the total number of secret cells in the database and the tool will measure data accessibility and security with all security techniques. The tool will offer a choice to the DBA to pick a security technique based on the requirements for data accessibility versus security.
Fine Grained Security in Relational Databases
2
1. Introduction Fine grained security is becoming more and more popular in relational databases by the increasing demand for sharing the data in multiple departments of an organization and reducing the maintenance cost by managing security at the applications or views level. Organizations are stepping in to maintain the data security policies at the instance level for better management and cost effectiveness. Relational database vendors offer techniques such as Row, Column and Cell Level Security to mask data at finer levels of granularity. These techniques are cost efficient and helpful in managing the complex security policies of an organization, but they significantly reduce data accessibility in some cases and open the likelihood of allowing inferences by an intruder. A new technique is introduced in this research that offers greater data accessibility over Row and Column Level security and better inference control than Cell Level Security. The approach is based on the suppression of some innocent cells along with the true secret cells of a table.
2. Labeling Techniques in Relational Databases In relational databases, there are three state-of-the-art security techniques that can be implemented at the data instance level: 2.1. Column Level Security Column suppression is one of the commonly used techniques to secure secret data of a column. Views are primarily used to implement this kind of security labeling. The Virtual Private Database (VPD) feature of Oracle 10g implements ‘Column Relevance’ and ‘Column Filtering’ types of granular security [Oracle 2005].
Fine Grained Security in Relational Databases
3
2.2. Row Level Security This technique suppresses entire rows from a user whose clearance level is less than the label of the record. The database automatically attaches the WHERE predicate to the query made by any user to check his/her clearance against the label attribute associated with each record. Microsoft’s consultants claim that views and encryption features of MS SQL Server 2005 can be used to implement Row and Cell Level Security techniques [Rask 2005]. 2.3. Cell Level Security In this technique, only individual cells carrying secret data are suppressed. Darryl has offered a toolkit that includes a utility to implement Cell and Row Level Security in SQL Server 2005 [Darryl 2006]. There are good and bad aspects of these security techniques in terms of data accessibility and security. For example, Cell Level Security offers good data accessibility but sacrifices security because a user can safely assume that a suppressed cell contains secret data. On the other hand, Column and Row Level Security offer better security but sacrifice data accessibility. This research investigated the tradeoff between data accessibility and inference control among these labeling techniques for typical patterns of secret cells in a database.
3. Research Issues and Problem Statement The labeling techniques discussed above provide security at finer levels of granularity, but problems arise when secret cells are randomly distributed in a table. Column and Row Level Security techniques suppress a large number of innocent cells along with the secret cells; this reduces data accessibility of the database. Cell Level Security does not suppress innocent data but as each suppressed cell is a secret cell, an intruder may make an inference from the non-
Fine Grained Security in Relational Databases
4
secret data related to that particular record. These research issues initiate the following problem statements: “How much Data Accessibility is achieved from Column / Row / Cell Level Security techniques for typical patterns of secret cells in a table?” “How can the ‘data absence’ type of inference be controlled or the vulnerability of this inference be reduced in Cell Level Security Techniques?” “Is there a technique that achieves greater data accessibility over Row / Column Level Security techniques and better security from inference than Cell Level Security technique?” This study was focused on finding the solutions for the above three research questions.
4. Research Hypothesis and Proof Methodology The hypothesis for this research was: Cell Level Security with the suppression of a reasonable number of innocent cells, achieves on average 20% greater data accessibility as compared to Row Level and Column Level Security for typical types of queries and varying numbers and distributions of secret cells in a table. In the hypothesis, the statement “Cell Level Security with the suppression of a reasonable number of innocent cells” refers to the proposed Cell + Innocent Security technique. Amounts of innocent cells equal to 1/4, ½, 3/4, and 1 (all) of the total number of secret cells were suppressed for the purpose of proving the hypothesis. Data Accessibility and Inference were selected as dependent variables against ‘Total Number of Secret Suppressed Cells’, as an independent variable, to empirically compare the Cell + Innocent Security technique with Cell, Row and Column Level Security techniques. A suite of eight (8) queries (4 TPC-H Benchmark and 4 other
Fine Grained Security in Relational Databases
5
queries) were selected to measure data accessibility and inference. The TPC benchmark schema was selected for the experiment [TPC-H 2005]. 4.1. Data Accessibility Data accessibility measures the proportion of readable cells available to a user after issuing queries from the suite ‘Q’1 to the database. It is a ratio between the total number of readable cells and the total number of fetched cells (readable and suppressed cells) returned by a query to the database. Data accessibility (D.A) of a query ‘q1’ is:
Data Accessibility q = 1
Uq
1
Nq
…………………….equation 1
1
In the above equation ‘Uq1’ represents the total number of readable cells and ‘Nq1’ represents the total number of cells (readable and suppressed cells) fetched by the query. ‘q1’ is one of the queries from the queries suite ‘Q’. Different patterns of randomly distributed secret cells were generated. Once a pattern of secret cells was generated, different security techniques were applied on the pattern and Data Accessibility was measured for each security technique. Data Accessibility for ‘n’ queries in the suite ‘Q’ for a single pattern is:
1 n { D.A.q } p=1 = ∑ U qi N qi …………………….equation 2 n n i =1 Data Accessibility is equal to 1 if there are no suppressed cells in the database.
1
Suite ‘Q’ consists of four TPC-H and four other queries that are selected for this research.
Fine Grained Security in Relational Databases
6
Equation 2 shows the measure of Data Accessibility of a specific security technique for a single pattern only. This equation was generalized for ‘k’ patterns, and average Data Accessibility of a security technique was calculated as follows:
k { Average D.A.q } p=k = 1 ∑ {D. A.q } p n n k p=1 Or
{
}
k n 1 1 ∑ ∑U N qi { Average D.A.q } p=k = n k p=1 n i =1 qi p …equation 3 where ‘k’ represents the total number of sample patterns and ‘n’ the total number of queries in suite ‘Q’.
4.2. Inference Cell Level Security leaves suppressed cells suspicious. An adversary could relate the unclassified data with other public information and generate useful results. The new technique of Cell + Innocent Security suppresses innocent cells in addition to the secret cells, which reduces the proportion of suspicious cells (True Secret Cells) among the suppressed cells. The adversary can no longer assume that a suppressed cell contains secret data. This research took the ‘Proportion of True Secret Cells’ (ProbTSC) as a dependent variable against ‘Total Number of Suppressed Cells’, as an independent variable, to empirically measure the ‘Inference’ between Cell Level Security and Cell + Innocent Security techniques.. The number of suppressed cells returned by a query is the total number of cells returned minus the readable cells. So, the proportion of suppressed cells returned by ‘n’ queries for a single pattern can be computed from the data accessibility as follows:
Fine Grained Security in Relational Databases
7
{ ProbSupp q } p=1 = 1 − {D. A.q } p=1 n n Or
(
)
n { ProbSupp q } p=1 = 1 − 1 ∑ U qi N qi ………………equation 4 n n i =1 The above equation 4 is derived from equation 2. For cell-level security with no innocent cells suppressed, ProbSupp is the proportion of true secret cells returned by a query. “I=0” indicates that no innocent cells are suppressed.
The new technique suppresses ‘I’ innocent cells in the database such that I > 0. In that case, ProbSupp includes all suppressed cells including the innocent ones. The ratio of returned True Secret Cell (TSC) to the total number of returned, suppressed cells for ‘n’ number of queries for a single pattern becomes:
{ ProbTSC q } p =1 n
( { ProbSupp q ,I =0} p=1 * 1) n = { ProbSupp q ,I >0} p=1 n
………….equation 5
Equation 5 measures ‘Inference’ of a specific security technique for a single pattern only. For cell-level security, the inference in this sense is equal to 1 indicating that each suppressed cell carries a secret value. This equation was generalized for ‘k’ number of multiple patterns to calculate the Average Probability of True Secret Cells as follows:
Fine Grained Security in Relational Databases
8
{Avg ProbTSC q } p=k n
( { ProbSupp q ,I =0} p=k * 1) n = { ProbSupp q ,I >0} p=k n
……equation 6
In equation 6, ‘k’ represents the total number of sample patterns, ‘n’ the total number of queries in suite ‘Q’, and ‘I’ the total number of innocent suppressed cells in the database. The study proved that increasing the number of innocent cells decreased the inference measured as ProbTSC.
5. Assumptions In this research, it was assumed that visible data of a suspicious record leads to the derivation of inferences that causes a security threat. This research considered inference caused only from the suppression of data. In a typical organization, there are multiple security classes and users’ security levels. This research considered only two security classes: a) Classified and b) Unclassified. Accordingly, it was assumed that there are two users’ security levels: 1) Users who could view both the Unclassified and Classified data and 2) users who could view only the Unclassified data. The accuracy and the integrity constraints of a relational database were maintained and the research did not consider the addition of noise to the database (data perturbation). Only the ‘SELECT’ statement of the SQL DML was considered for the research purposes; the ‘WHERE’ clause of the ‘SELECT’ statement was not considered in this research. This research intended to show the true difference among different security techniques in terms of data accessibility. The true difference could not be achieved with the ‘WHERE’ clause; as encountering a single suppressed cell in the ‘WHERE’ clause would leave no difference between Cell and Row Level Security techniques. The aggregate functions were not considered in the Fine Grained Security in Relational Databases
9
queries. The research assumed that once we get all cells as results of a query, we can do any operation with the data that we want including the aggregate operations. Secret cells were randomly distributed in the tables of the database during the creation of patterns. Innocent cells were suppressed randomly as well from the tables as per the percentage of secret cells in each table.
6. Research Results Sample data of 10000, 100000, and 500000 rows was generated and the experiment was run on each dataset individually to prove the hypothesis. Rows inside the eight (8) tables were distributed as per the TPC-H standard for the grain of rows for each table. Random patterns of secret cells were created in the database and labeling techniques were implemented one by one. Data accessibility and inference were recorded with each labeling technique. The experiment was repeated for 30 samples of secret cells with a varying number of secret cells and average values of data accessibility and inference were measured. The current and new security techniques were compared and ranked based on data accessibility and inference. It took four months on two computers running day and night to collect results from the experiment. The experiment proved for all three sizes of the sample data (10000, 100000, and 500000 rows) that Cell Level Security offers the greatest data accessibility as only the true secret cells are suppressed and no innocent cells are suppressed in this technique. Column Level Security offers the lowest data accessibility as a large number of innocent cells are suppressed along with the true secret cells because of the requirement of the labeling technique to suppress the entire column if it had one or more secret cells. Cell + Innocent Security techniques achieve greater data accessibility over Row and Column Level Security as the number of suppressed innocent
Fine Grained Security in Relational Databases
10
cells along with the true secret cells was quite in our control. Please refer to the results of the experiment in tables 1, 2, and 3 that rank security techniques on data accessibility for three sizes of the sample data. SECURITY TECHNIQUES AVG D.A. CELL LEVEL SECURITY 0.78226727 CELL + INNOCENT ¼ 0.72728683 CELL + INNOCENT ½ 0.673868234 CELL + INNOCENT ¾ 0.619513913 CELL + INNOCENT 1 0.565360199 ROW LEVEL SECURITY 0.255164875 COLUMN LEVEL SECURITY 0.129572448 Table 1 – Ranking based on Data Accessibility for 10,000 rows database size SECURITY TECHNIQUES AVG D.A. CELL LEVEL SECURITY 0.87931618 CELL + INNOCENT ¼ 0.849441919 CELL + INNOCENT ½ 0.818747188 CELL + INNOCENT ¾ 0.788441383 CELL + INNOCENT 1 0.757637986 ROW LEVEL SECURITY 0.474929404 COLUMN LEVEL SECURITY 0.302000661 Table 2 - Ranking based on Data Accessibility for 100,000 rows database size SECURITY TECHNIQUES AVG D.A. CELL LEVEL SECURITY 0.959125876 CELL + INNOCENT ¼ 0.949611247 CELL + INNOCENT ½ 0.939044939 CELL + INNOCENT ¾ 0.929693502 CELL + INNOCENT 1 0.920592667 ROW LEVEL SECURITY 0.733531436 COLUMN LEVEL SECURITY 0.311259921 Table 3 – Ranking based on Data Accessibility for 500,000 rows database size In the case of controlling inference, the study proved that Column Level Security remained on top as there are less chances of making inferences because a large number of innocent cells are suppressed along with the true secret cells. This reduces enormously the level of confidence of an intruder about secret cells in the database. Row Level Security remained on the 2nd position followed by Cell + Innocent Security technique for the 3rd position. Cell Level
Fine Grained Security in Relational Databases
11
Security showed the worst results in terms of allowing inferences. There is a 100% chance that an intruder could initiate an inference from a suppressed cell in the Cell Level Security as each suppressed cell carries true secret data. Please refer to the results of the experiment in tables 4, 5, and 6 that rank security techniques on inference for three sizes of the sample data. SECURITY TECHNIQUES AVG INFERENCE COLUMN LEVEL SECURITY 0.24609475 ROW LEVEL SECURITY 0.269248203 CELL + INNOCENT 1 0.501489969 CELL + INNOCENT ¾ 0.572973857 CELL + INNOCENT ½ 0.668749159 CELL + INNOCENT ¼ 0.80036507 CELL LEVEL SECURITY 1 Table 4 – Ranking based on Inference for 10,000 rows database size SECURITY TECHNIQUES AVG INFERENCE COLUMN LEVEL SECURITY 0.170807104 ROW LEVEL SECURITY 0.204344374 CELL + INNOCENT 1 0.496263963 CELL + INNOCENT ¾ 0.568978259 CELL + INNOCENT ½ 0.66569787 CELL + INNOCENT ¼ 0.803688038 CELL LEVEL SECURITY 1 Table 5 – Ranking based on Inference for 100,000 rows database size SECURITY TECHNIQUES AVG INFERENCE COLUMN LEVEL SECURITY 0.058893237 ROW LEVEL SECURITY 0.151233948 CELL + INNOCENT 1 0.510065561 CELL + INNOCENT ¾ 0.578542856 CELL + INNOCENT ½ 0.668511551 CELL + INNOCENT ¼ 0.807885992 CELL LEVEL SECURITY 1 Table 6 – Ranking based on Inference for 500,000 rows database size This study proved that this new technique offers greater data accessibility as compared to Row / Column Level Security techniques. The reason is that the amount of innocent suppressed cells is pretty much under our control and we can increase or decrease data accessibility accordingly. On the other hand, the amount of innocent suppressed cells in Row / Column Level
Fine Grained Security in Relational Databases
12
Security techniques is not under our control as the innocent cells are suppressed because of the requirement of the labeling technique to suppress an entire row or column having secret cell(s). The study revealed that the Cell + Innocent Level Security technique offers better security over the Cell Level Security technique from data suppression type inferences. Suppressing innocent cells along with secret cells adds an amount of uncertainty that a suppressed cell may not necessarily be a secret cell. We can add as much uncertainty to a table, in the form of suppressing innocent cells, as we want to achieve greater security from making inferences by reducing the level of confidence of an adversary about suspicious cells.
Fine Grained Security in Relational Databases
13
6.1. Graphical Representation Graph 1 shows the average data accessibility of different labeling techniques against the percentage of true suppressed cells in the database for 10,000 rows of sample data. There is a smooth decrease in data accessibility with the increasing number of suppressed cells for Cell and Cell + Innocent Level Security techniques. For Cell Level Security, the reason is that no innocent cells are added and only true secret cells are suppressed from the database. As the number of true secret cells increases, data accessibility decreases with the same proportion. Cell + Innocent Level Security techniques showed the same kind of effect: As the innocent cells were suppressed, data accessibility dropped in the same proportion. With the Row Level Security the data accessibility falls rapidly with the increasing number of suppressed cells leaving an evident gap of data accessibility with Cell and Cell + Innocent Security techniques. The reason for the sudden drop in data accessibility is the large number of innocent cells that are suppressed from the rows to hide true secret cells in tables. Column Level Security starts with offering much less data accessibility as compared to other labeling techniques. The curve remains constant for most of the time for the reason that most true secret cells are falling in the same columns and labeling those columns does not make a big difference in data accessibility.
Graph 1 – Average Data Accessibility for 10,000 row sample data 1.2
1
CELL LEVEL
0.8
CELL + INNOCENT 1/4 D.A.
CELL + INNOCENT 1/2 CELL + INNOCENT 3/4
0.6
CELL + INNOCENT 1 ROW LEVEL 0.4
COLUMN LEVEL
0.2
4. 00 % 8. 00 % 12 .0 0% 16 .0 0% 20 .0 0% 24 .0 0% 28 .0 0% 32 .0 0% 36 .0 0% 40 .0 0% 44 .0 0% 48 .0 0%
0
%age of Cells Suppressed
Graph 2 shows the measures of inference for different labeling techniques. Column and Row Level Security techniques enormously reduce the chances of inference. But as the number of true secret cells increases the probability of finding true secret cells in the database increases which increases the chances of inferences. Cell + Innocent Security techniques show constant curves for inference as innocent cells are added in the same ratio by increasing the percentage of true secret cells. Cell Level Security shows the worst result as the probability of true secret cells is 1 for all data points and there is a 100% chance of making an inference by the intruder.
Fine Grained Security in Relational Databases
15
Graph 2 - Average Inference for 10,000 row sample data 1.2
1
Prob of TSC cell
0.8 Inference
Prob of TSC 1/4 Prob of TSC 1/2 0.6
Prob of TSC 3/4 Prob of TSC 1/1 Prob of TSC row
0.4
Prob of TSC column
0.2
4. 00 % 8. 00 % 12 .0 0% 16 .0 0% 20 .0 0% 24 .0 0% 28 .0 0% 32 .0 0% 36 .0 0% 40 .0 0% 44 .0 0% 48 .0 0%
0
%age of Cell Suppressed
Trend lines were drawn on curves and mathematical equations were derived. A tool can be built based on the derived mathematical equations that would measure data accessibility and inference for different security techniques. Results of the experiment were analyzed by the Standard Deviation and Analysis of Variance (ANOVA) test. Tests proved that data was normalized and results were statistically significant for all three sizes of the database.
Fine Grained Security in Relational Databases
16
7. Conclusion This research presents a new approach of hiding the secret data and un-hiding the nonsecret data in such a way that we can easily control the balance between the two sides of the equations, independent of the limitations of the security techniques to sacrifice for the suppression of innocent data over security or vice versa. This research presents a tradeoff analysis of data accessibility and security for different security techniques and ranks them accordingly. It is a step towards building an add-on tool that would provide information about data accessibility and inference for the fine-grained security techniques once the information of secret cells in the database is fed to the tool. The tradeoff analysis between data accessibility and inference for the current and the new security techniques is an original idea and has not been addressed in research literature. The new approach presented in this paper makes the maximum data available with a good degree of security from making inferences. The technique offers a way to balance the two variables of indirect proportions.
8. Future Research A number of research opportunities were identified while performing this research. The opportunities for future research include building an add-on tool that calculates data accessibility and inference for all security techniques by analyzing the pattern of secret cells in the database. In this research, one assumption was that the secret cells were randomly distributed across the tables. In many cases most secret cells might appear only in columns or in rows. In such cases, the Column or Row Level Security technique might be the best to apply. This research can be extended to create patterns of secret cells where most of the secret cells are
Fine Grained Security in Relational Databases
17
column wise or row wise distributed in a table. Data accessibility and inference for different security techniques need to be measured for such patterns of secret cells. Another assumption in this research was that the ‘WHERE’ clause of the ‘SELECT’ statement was not taken into account during the calculation of data accessibility and inference. The experiment used in this research can be modified to include the ‘WHERE’ clause of the ‘SELECT’ statement as well. The ‘INSERT’, ‘UPDATE’, and ‘DELETE’ statements of the DML needs to be considered for the same kind of research. One other assumption in this research was the application of only two security classes, which were ‘Classified’ and ‘Unclassified’. More security classes can be added to the experiment and results can be analyzed. Another challenge in this research was the calculation of data accessibility. The queries selected for this research to measure data accessibility covered a vast variety of business questions; however, some aspects of the ‘SELECT’ queries were not considered. For example, Outer join, Self join, Non-equi join, Relational and Logical operators, and Aggregate functions. More experiments need to be designed by taking them into account in the ‘SELECT’ queries and results need to be carefully analyzed. In this research, the data suppression type of inference was only considered. Other types of inferences associated with Row Level Security (e.g., “Suppressed Foreign Keys in the Child Table” and “Secret Primary Keys Generated from Foreign Keys of the Child Table”) that are identified in this paper were not considered. They could be analyzed for future research. One of the main objectives of this research was building an add-on tool that could calculate data accessibility and inference for different labeling techniques given the information of the pattern of secret cells in the database. More statistics need to be generated for different sizes of databases on all possible patterns of secret cells. Once extensive analysis is performed
Fine Grained Security in Relational Databases
18
for all possible variations of secret patterns, generalized mathematical equations can be derived for the security techniques to accurately measure data accessibility and inference for any given pattern of secret cells. A tool can be generated that would work on the basis of these mathematical equations. A database administrator would identify the secret cells in the entire database and the tool would present him measures of data accessibility and inference for all security techniques. A DBA would pick a security technique as per the data accessibility and security requirements of his organization.
Fine Grained Security in Relational Databases
19
BIBLIOGRAPHY [Ashby, Jajodia, May 1996]: NCSC (National Computer Security Center) Technical Report, Volume 1/5, Library No. S-243,039, May 1996 [Buczkowski 89b]: L. J. Buczkowski, and E.L. Perry. Database Inference Controller Draft Top-Level Design. Ford Aerospace, July 1989 [Cannady 2000]: James Cannady. Security Models for Object-Oriented Databases, CRC Press LLC, 2000 [Chapple]: Mike Chapple URL: http://databases.about.com/od/security/1/aainference.htm [Cox 1986]: L. S. Cox, S. McDonald, and D. Nelson. Confidentiality Issues at the United States Bureau of the Census. In Journal of Official Statistics, Vol 2, No. 2, pp. 135-160, 1986 [Cox 1987]: L. S. Cox. Practices of the Bureau of the Census with the Disclosure of Anonymized Microdata. In Forum der Bundesstatistik, pp. 26-42, 1987 [Cox 1988]: L. S. Cox. Modeling and Controlling User Interface. In Database Security: Status and Prospects, ed. Carl E. Landwehr, North-Holland, Amsterdam, pp. 167-171, 1988 [Darryl 2006]; Darryl (on behalf of Art Rask) SQL Server 2005 Label Security Toolkit, Published November 16, 2006. URL: http://blogs.msdn.com/publicsector/archive/2006/11/16/sql-server-2005-labelsecurity-toolkit.aspx [Denning 1982]: D. E. Denning. Cryptography and Data Security, Addison-Wesley, Reading, MA, 1982
Fine Grained Security in Relational Databases
20
[Denning 86a]: D. E. Denning. A Preliminary Note on the Inference Problem in Multilevel Database Management Systems. In Proceedings of the National Computer Security Center Invitational Workshop on Database Security, June 1986 [Denning 87]: D. E. Denning, S. G. Akl, M. Heckman, T. F.Lunt, M. Morgenstern, P.G. Neumann, and R.R. Schell. Views for Multilevel Database Security. In IEEE Transactions on Software Engineering, Vol. 13, No. 2, pp. 129-140, February 1987 [Gollmann 1999]: Dieter Gollmann. Computer Security, Copyright 1999 by John Wiley and Sons Ltd., ISBN 0 471 97844 2 [Haigh 90]: J. T. Haigh, R.C. O’Brien, P. D. Stachour, and D. L. Toups. The LDV Approach to Security. In Database Security, III: Status and Prospects, ed. D.L. Spooner and C. Landwehr, North-Holland, Amsterdam, pp. 323-339, 1990 [Haigh 91]: J.T. Haigh, R. C. O’Brien, and D. J. Thompson. The LDV secure relational DBMS model. In S. Jajodia and C. Landwehr, editors, Database Security IV: Status and Prospects, pages 265-279. North Holland, 1991 [Hinke 88a]: T. H. Hinke. Inference Aggregation Detection in Database Management Systems. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 96-106, April 1988 [Jajodia 92]: S. Jajodia. Aggregation and Inference Problems in Multilevel Secure Systems. In Proceedings of the 5th Rome Laboratory Database Security Workshop, June 1992 [Keefe 89]: T. F. Keefe, M. B. Thuraisingham, and W.T. Tsai. Secure Query Processing Strategies. In IEEE Computer. Vo. 22, #3, pages 63-70, March 1989 [Meadows 1988a]: C. Meadows and S. Jajodia. Integrity versus Security in Multi-Level Secure Databases. In Database Security: Status and Prospects, ed. Carl E. Landwehr, NorthHolland, Amsterdam, pp. 89-101, 1988 [Morgenstern 1987]: Mathew Morgenstern, Security and Inference in Multilevel Database and Knowledge-Base Systems, ACM 1987
Fine Grained Security in Relational Databases
21
[Oracle 2005]: Oracle Virtual Private Database. An Oracle Database 10g Release 2 White Paper, June 2005 [Rask 2005]: Art Rask, Don Rubin, Bill Neumann. Implementing Row and Cell Level Security in Classified Databases Using SQL Server 2005, MS SQL Server Technical Center, April 2005 [Su 1986]: T. Su. Inferences in Database. Ph.D. Dissertation, Department of Computer Engineering and Science, Case Western Reserve University, August 1986 [Su 1987]: T. Su and G. Ozsoyoglu. Data Dependencies and Inference Control in Multilevel Relational Database Systems. In Proceedings of the IEEE Symposium on Security and Privacy, pp. 202-211, April 1987 [Su 1990]: T. Su and G. Ozsoyoglu. Multivalued Dependency Inferences in Multilevel Relational Database Systems. In Database Security III: Status and Prospects, eds. D.L. Spooner and C. Landwehr, pp. 293-300, NorthHolland, Amsterdam, 1990 [Thuraisingham 1987]: M. B. Thuraisingham. Security Checking in Relational Database Management Systems Augmented with Inference Engines. In Computers and Security, Vol. 6, pp. 479-492, 1987 [Thuraisingham 1988]: M. B. Thuraisingham, W. Tsai, and T. Keefe. Secure Query Processing Using AI Techniques. In Proceedings of the Hawaii International Conference on Systems Sciences. January 1988 [Thuraisingham 1990a]: M. B. Thuraisingham. Towards the Design of a Secure Data/Knowledgebase Management System. In Data and Knowledge Engineering Journal. Vol. 5, #1, March 1990 [TPC-H 2005]: Transaction Processing Performance Council (TPC) Benchmark TM –H, Decision Support Standard Specification Revision 2.3.0, 1993-2005 4/20/2007
Fine Grained Security in Relational Databases
22
