S. Mazumdar, D. Stemple, and T. Sheard. Resolving the tension between integrity and security using a theorem prover. In Proc. ACM Int'l Conf. Management of Data, pages 233--242, 1988.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....by combining meta data with non confidential data to disclose confidential information. Since the beginning of 1980s, researchers, focusing on multi level secure relational databases, identified the problem of indirect access to confidential data via combining meta data with non confidential data [GM84,Mor88,SO87,Hin88,Smi90,Buc90,Den85,Thu87,MSS88,RJHS95,ST90]. However, these techniques often result in over classification of data and, therefore reduce data availability. Moreover, most authors, with the exception of [Den85,Hin88,SO91,DdVS99a,DdVS99b] do not consider the problem of actual inference for specific families of constraints; rather they ....

S. Mazumdar, D. Stemple, and T. Sheard. Resolving the tension between integrity and security using a theorem prover. In Proc. ACM Int'l Conf. Management of Data, pages 233--242, 1988.

....levels of some of the data items [2, 4 6, 7, 12, 17, 9, 13, 14, 16, 3, 4] These techniques often result in over classification of data and, therefore, reduce the availability of data. Techniques in the second category seek to eliminate inference channel violations during query time [5, 11, 15, 18]. If an inference channel is detected, the query is either refused or modified to avoid security violations. Each of the categories above requires either data dependent or data independent inference algorithms. However, none of the above works has the formal notion of soundness and completeness ....

....either data dependent or data independent inference algorithms. However, none of the above works has the formal notion of soundness and completeness for data dependent and data independent disclosure, and thus cannot establish these formal properties of disclosure inference. Also, most authors [2, 6, 13, 14, 11, 15, 18], with the exception of [5, 7, 16, 3, 4] do not consider the problem of actual inference for specific families of constraints (and its decidability, soundness, completeness, etc. rather they develop a framework, assuming that disclosure inference algorithms are readily available. It is our ....

S. Mazumdar, D. Stemple, and T. Sheard. Resolving the tension between integrity and security using a theorem prover. In Proc. ACM Int'l Conf. Management of Data, pages 233--242, 1988.

....the real world . Confidentiality limits access to specified information stored in the database. It has frequently been pointed out that these two functionalities could be considered to be contradictory. To be more explicit, the integrity checker may itself be used to unveil confidential data. [MAZU88] refers to this contradiction as tension. It stems from the fact that the integrity checker inevitably opens a covert channel between the user and the database since by responding Yes or No to updates it gives information (positive or negative) on the content of the database. Consider, e.g. ....

....property holds independently of any configuration. Therefore its computation has to be guaranteed to be feasible for a given configuration. On the other side, we have reduced the configuration to its essential skeleton. Information not stored in the database is excluded, which is not the case in [MAZU88]. Moreover, we have considered configurations with only binary integrity constraints, ignoring all others, particularly key constraints which are necessary in [DELA96b] They are only considered as a special case, improving a general result. The study is developed inside the relational framework ....

[Article contains additional citation context not shown here]

Mazumdar, S., Stemple, D., Shread, T., Resolving the Tension between Integrity and Security Using a Theorem Prover, ACM SIGMOD, 1988.

....QSK 93, Qia94] Those researches focus on whether users can know the existence of some entities or can make sensitive associations between entities or values in a database, while we focus on different aspect, i.e. whether a user can compute sensitive values from supplied values. Mor87, Row89, MSS88] propose frameworks to detect the possibility of user inference on sensitive values through the knowledge on semantic dependency or on the integrity constraints defined in the database. On the other hand, our mechanism deals with dependency between arguments or returned values of functions, and ....

....of a constraint because functions may have arguments, to which users can assign several values, and returned values can be any type. Arguments can be simulated by database values that the users can freely update. In [Mor87, Row89] however, they do not consider the effect of update by the user. MSS88] takes into consideration only limited kind of situations: situations where users can infer some data by monotonously updating some data. But their model does not analyze whether the user can actually realize needed update, and does not include other kind of cases where update affects on ....

Subhasish Mazumdar, David Stemple, and Tim Sheard. Resolving the tension between integrity and security using a theorem prover. In Proc. of ACM SIGMOD, pages 233--242, Sep. 1988.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC