Homework 2

CSCE 824 – Spring 2019

Due: Febr. 19, 11:55 pm 2019 via Dropbox

Name:

 

15 points

 

You may use any materials to answer the questions but I am interested in YOUR answer. There is a 2 pages limit (single spaced, 11-12 point). 

 

Answer ONLY ONE of the questions below:

 

Question 1: access control

You have decided to implement Role-Based Access Control (RBAC) in your database using encryption.  You have decided to encode data items using symmetric key encryption and distribute the keys to the authorized users. 

1. Show how to implement static separation of duties using cryptographic techniques.
2. Assume, that currently the granularity of the access control is relation-level. That is, each privilege is associated with a relation.  Explain the difficulties of implementing a database access control model that supports least-privileges discipline.

 

Question 2: secure distributed processing

Assume that your database is fragmented according to the sensitivity of the data items.  Let each data item be classified as Top-Secret > Secret > Confidential.  Each fragment is stored at a different host that provides the support to the sensitivity level of the data item.  For example, data item with sensitivity level Top-Secret is stored at a Top-Secret host.   

1. Explain how the correctness criteria of data fragmentation need to be modified to support both correctness of the fragmentation and the satisfaction of the security requirements.
2. Assume that you need to perform vertical fragmentation of a relation, and the key attributes are classified TS. How can we support correct fragmentation without violating the security requirement?

 

Question 3: database transactions and intrusion detection

• In Sweeney L, Abu A, and Winn J. Identifying Participants in the Personal Genome Project by Name. Harvard University. Data Privacy Lab. White Paper 1021-1. April 24, 2013. http://dataprivacylab.org/projects/pgp/1021-1.pdf , the author demonstrate privacy violations that occur from combining publicly available data and genomic information.  Explain the similarities and differences between statistical database inferences and the problems described in this paper.
• Recommend an approach to prevent the unauthorized disclosure described in the above paper.

 

Question 4: application security

• Most databases are accessed via applications.  Describe the database security consequences of exploiting application vulnerabilities, such as the one studied in Sruthi Bandhakavi, Prithvi Bisht, P. Madhusudan, and V. N. Venkatakrishnan. 2007. CANDID: preventing sql injection attacks using dynamic candidate evaluations. In Proceedings of the 14th ACM conference on Computer and communications security (CCS '07). ACM, New York, NY, USA, 12-24. http://dl.acm.org/citation.cfm?id=1315245.1315249&coll=DL&dl=ACM&CFID=666881048&CFTOKEN=58782820
• Software vulnerabilities, such as SQL injection, are generally handled outside the context of database systems.  For example by encouraging secure software development approaches, using static analysis tools, etc.  Consider the option of handling some of these vulnerabilities by the DBMS.  What are the limitations of using the DBMS to protect against software-level vulnerabilities?