Database Security

Databases present unique security challenges. The sheer amount of data that may be housed in a database requires special security consideration. As we will see shortly in the “Inference and Aggregation” section, the logical connections database users may make by creating, viewing, and comparing records may lead to inference and aggregation attacks, requiring database security precautions such as inference controls and polyinstantiation.

Polyinstantiation

Polyinstantiation allows two different objects to have the same name. The name is based on the Latin roots for multiple (poly) and instances (instantiation). Database polyinstantiation means two rows may have the same primary key, but different data.

Imagine you have a multilevel secure database table. Each tuple (a tuple is a row or an entry in a relational database) contains data with a security label of confidential, secret, or top secret. Subjects with the same three clearances can access the table. The system follows mandatory access control rules, including “no read up”: a secret subject cannot read an entry labeled top secret.

A manager with a secret clearance is preparing to lay off some staff, opens the “layoffs” table, and attempts to create an entry for employee John Doe, with a primary key of 123-45-6789. The secret subject does not know that an entry already exists for John Doe with the same primary key, labeled top secret. In fact, entries labeled top secret exist for the entire department, including the manager: the entire department is going to be laid off. This information is labeled top secret: the manager cannot read it.

Databases normally require that all rows in a table contain a unique primary key, so a normal database would generate an error like “duplicate entry” when the manager attempts to insert the new entry. The multilevel secure database cannot do that without allowing the manager to infer top secret information.

Polyinstantiation means the database will create two entries with the same primary key: one labeled secret and one labeled top secret.
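To make the difference concrete, here is an added example (not from the text or any real DBMS) that simulates a conventional table beside a polyinstantiated multilevel-secure table in Python; the class and function names, the level ordering and the sample row data are assumptions.

```python
# Added example (not from the text): a toy multilevel-secure table that
# polyinstantiates on (primary key, label). Names and sample data are assumptions.

LEVELS = {"confidential": 1, "secret": 2, "top secret": 3}


class DuplicateKeyError(Exception):
    """Raised when a row with the same key (and, for MLS, the same label) exists."""


class ConventionalTable:
    """Ordinary table: the primary key alone must be unique, so a collision
    with a row the subject cannot read still produces a visible error."""

    def __init__(self):
        self.rows = {}  # key -> (label, data)

    def insert(self, key, label, data):
        if key in self.rows:
            raise DuplicateKeyError(key)  # leaks that *some* row exists
        self.rows[key] = (label, data)


class PolyinstantiatedTable:
    """MLS table: uniqueness is enforced on (key, label) and reads obey
    "no read up", so a secret subject never learns about a top secret row."""

    def __init__(self):
        self.rows = {}  # (key, label) -> data

    def insert(self, clearance, key, data):
        # A subject writes at its own level; the new row carries that label.
        if (key, clearance) in self.rows:
            raise DuplicateKeyError(key)  # genuine duplicate at the same level
        self.rows[(key, clearance)] = data

    def select(self, clearance, key):
        # No read up: return only rows labelled at or below the clearance.
        limit = LEVELS[clearance]
        return {label: data for (k, label), data in self.rows.items()
                if k == key and LEVELS[label] <= limit}


def layoff_scenario():
    """Reconstructs the manager / John Doe scenario from the text."""
    table = PolyinstantiatedTable()
    # Top secret planning already covers the whole department, manager included.
    table.insert("top secret", "123-45-6789", {"name": "John Doe", "action": "layoff"})
    # The secret-cleared manager inserts the same key and gets no error.
    table.insert("secret", "123-45-6789", {"name": "John Doe", "action": "layoff"})
    return table
```

Selecting the key as the secret manager returns only the secret row, while a top secret subject sees both instances; the conventional table would have raised a duplicate-key error on the manager's insert and thereby leaked the existence of the top secret row.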