Joachim Biskup

Computer Security – ESORICS 2007

Invited Lecture.- Trustworthy Services and the Biological Analogy.- Security Architecture and Secure Components I.- Security of Multithreaded Programs by Compilation.- Efficient Proving for Practical Distributed Access-Control Systems.- Maintaining High Performance Communication Under Least Privilege Using Dynamic Perimeter Control.- Access Control I.- Pragmatic XML Access Control Using Off-the-Shelf RDBMS.- Conditional Privacy-Aware Role Based Access Control.- Satisfiability and Resiliency in Workflow Systems.- Applied Cryptography I.- Completeness of the Authentication Tests.- SilentKnock: Practical, Provably Undetectable Authentication.- Generalized Key Delegation for Hierarchical Identity-Based Encryption.- Change-Impact Analysis of Firewall Policies.- Fragmentation and Encryption to Enforce Privacy in Data Storage.- Information Confinement, Privacy, and Security in RFID Systems.- Formal Methods in Security I.- A Logic for State-Modifying Authorization Policies.- Inductive Proofs of Computational Secrecy.- What, Indeed, Is Intransitive Noninterference?.- Traceability and Integrity of Execution in Distributed Workflow Management Systems.- Dynamic Information Flow Control Architecture for Web Applications.- Cloak: A Ten-Fold Way for Reliable Covert Communications.- Applied Cryptography II.- Efficient Password-Based Authenticated Key Exchange Without Public Information.- Improved Anonymous Timed-Release Encryption.- Encryption Techniques for Secure Database Outsourcing.- Access Control II.- Click Passwords Under Investigation.- Graphical Password Authentication Using Cued Click Points.- Obligations and Their Interaction with Programs.- Applied Cryptography III.- On the Privacy of Concealed Data Aggregation.- Synthesizing Secure Protocols.- A Cryptographic Model for Branching Time Security Properties - The Case of Contract Signing Protocols.- Security Architecture and Secure Components II.- Security Evaluation of Scenarios Based on the TCGs TPM Specification.- Analyzing Side Channel Leakage of Masked Implementations with Stochastic Methods.- Insider Attacks Enabling Data Broadcasting on Crypto-Enforced Unicast Links.- Towards Modeling Trust Based Decisions: A Game Theoretic Approach.- Extending the Common Services of eduGAIN with a Credential Conversion Service.- Incorporating Temporal Capabilities in Existing Key Management Schemes.- A Policy Language for Distributed Usage Control.- Countering Statistical Disclosure with Receiver-Bound Cover Traffic.- Renewable Traitor Tracing: A Trace-Revoke-Trace System For Anonymous Attack.- Formal Methods in Security III.- Modular Access Control Via Strategic Rewriting.- On the Automated Correction of Security Protocols Susceptible to a Replay Attack.- Adaptive Soundness of Static Equivalence.

Synthesizing independent database schemas

We study the following database design problem. Given a universal relation scheme 〈U, <i>F</i>〉 where <i>F</i> is a set of functional dependencies, find an in some way normalized database schema <i>D</i> = {〈X<inf>1</inf>, <i>F</i><inf>1</inf>〉,..., 〈X<inf>n</inf>, <i>F</i><inf>n</inf>〉} where X<inf>i</inf> ⊂ U and <i>F</i><inf>i</inf> is inherited from <i>F</i>, such that <i>D</i> is an independent representation of the universal scheme 〈U, <i>F</i>〉. This means that <i>D</i> has both the lossless join property and the faithful closure property, (***** <i>F</i><inf>i</inf>)⁺ = <i>F</i>⁺, where ⁺ denotes the closure of a set of functional dependencies. We show that this goal can easily be achieved by an extension of the well-known synthetic approach of Bernstein and others to database design. We merely have to check whether the usual synthesis procedure has produced a key component 〈X<inf>i</inf>, <i>F</i><inf>i</inf>〉 such that X<inf>i</inf> → U ε <i>F</i>⁺; in case this is true the output of the synthesis procedure is actually an independent (and not only faithful) representation, otherwise we only have to add one further component, namely just a key. These claims are proved by a careful inspection of the Aho/Beeri/Ullman algorithm to test for losslessness. Finally, we show how to use our method to synthesize minimal independent third normal form schemas.

A formal view integration method

The design of an appropriate conceptual database scheme is one of the most difficult tasks in usual database applications. Especially, the design of a common global database scheme for many different user groups requires a great amount of effort and skill, because the desired scheme should fit a great variety of requirements and expectations. Here, view integration is a natural method that should help to manage the complexity of such a design problem. For each user group the requirements and expectations are separately collected and specified as views, that are subsequently integrated into a global scheme supporting all those different views. In this paper, we carefully develop a formal model, clarifying many notions and concepts, related to the view integration method. This formal model serves as a theoretical basis of our integration approach that uses equivalence preserving, local scheme transformations as the main integration operations.

Controlled query evaluation for enforcing confidentiality in complete information systems

An important goal of security in information systems is confidentiality. A confidentiality policy specifies which users should be forbidden to acquire what kind of information. A controlled query evaluation should enforce such a policy even if users are able to reason about a priori knowledge and the answers to previous queries. The following aspects are considered: formal models of confidentiality policies based on potential secrets or secrecies, user awareness of the policy instance, and enforcement methods applying either lying or refusal, or a combination thereof. Reconsidering previous work and filling the gaps, we comprehensively treat and compare the resulting 12 cases. Thereby, the assumed completeness of the information system is essentially used.

Lying versus refusal for known potential secrets

Abstract Security policies and the corresponding enforcement mechanisms may have to deal with the logical consequences of the data encoded in information systems. Users may apply background knowledge about the application domain and about the system to infer more information than what is explicitly returned as answers to their queries. Some of the approaches to dealing with such a scenario are dynamic . For each query, the correct answer is first judged by some censor and then – if necessary – appropriately modified to preserve security. In this paper we contribute to the formal study of such approaches by extending to the case of known potential secrets the comparison of the two possible answer modifications, namely, lying and refusal . First, we explicitly define the security requirements. Second, we extend to such requirements a previous results on security preservation using lies. Then we introduce a variant of the refusal-based approach, suitable for potential secrets. Finally, we extensively analyze and compare the two approaches. We prove formally that, in general, they are incomparable in many respects, but, under fairly natural assumptions, lies and refusals lead to surprisingly similar behaviors and convey exactly the same information to the user. The latter result leads to a fundamental new insight on the relative benefits of the two approaches.

Controlled Query Evaluation for Known Policies by Combining Lying and Refusal

Controlled query evaluation enforces security policies for confidentiality in information systems. It deals with users who may apply background knowledge to infer additional information from the answers to their queries. For each query the correct answer is first judged by some censor and then – if necessary – appropriately modified to preserve security. In previous approaches, modification has been done uniformly, either by lying or by refusal. A drawback of lying is that all disjunctions of secrets must always be protected. On the other hand, refusal may hide an answer even when the correct answer does not immediately reveal a secret. In this paper we introduce a hybrid answer modification method that appropriately combines lying and refusal. We prove that the new method is secure under the models of known potential secrets and of known secrecies, respectively. Furthermore, we demonstrate that the combined approach can be more cooperative than uniform lying and uniform refusal, and enjoys the advantages of both.

Achievements of Relational Database Schema Design Theory Revisited

Database schema design is seen as to decide on formats for time-varying instances, on rules for supporting inferences and on semantic constraints. Schema design aims at both faithful formalization of the application and optimization at design time. It is guided by four heuristics: Separation of Aspects, Separation of Specializations, Inferential Completeness and Unique Flavor. A theory of schema design is to investigate these heuristics and to provide insight into how syntactic properties of schemas are related to worthwhile semantic properties, how desirable syntactic properties can be decided or achieved algorithmically, and how the syntactic properties determine costs of storage, queries and updates. Some well-known achievements of design theory for relational databases are reviewed: normal forms, view support, deciding implications of semantic constraints, acyclicity, design algorithms removing forbidden substructures.

Keeping secrets in incomplete databases

Controlled query evaluation (CQE) preserves confidentiality in information systems at runtime. A confidentiality policy specifies the information a certain user is not allowed to know. At each query, a censor checks whether the answer would enable the user to learn any classified information. In that case, the answer is distorted, either by lying or by refusal. We introduce a framework in which CQE can be analyzed wrt. possibly incomplete logic databases. For each distortion method, lying and refusal, a class of confidentiality-preserving mechanisms is presented. Furthermore, we specify a third approach that combines lying and refusal and compensates the disadvantages of the respective uniform methods. The enforcement methods are compared to the existing methods for complete databases.

Reducing inference control to access control for normalized database schemas

Considering relational databases, controlled query evaluation preserves confidentiality even under inferences but at the expense of efficiency. Access control, however, enables efficiently computable access decisions but cannot automatically assure confidentiality because of missing inference control. In this paper we investigate constraints sufficient to eliminate (nontrivial) inferences in relational databases with the objective of replacing controlled query evaluation by access control mechanisms under preservation of confidentiality.

Extracting information from heterogeneous information sources using ontologically specified target views

Being deluged by exploding volumes of structured and unstructured data contained in databases, data warehouses, and the global Internet, people have an increasing need for critical information that is expertly extracted and integrated in personalized views. Allowing for the collective efforts of many data and knowledge workers, we offer in this paper a framework for addressing the issues involved. In our proposed framework we assume that a target view is specified ontologically and independently of any of the sources, and we model both the target and all the sources in the same modeling language. Then, for a given target and source we generate a target-to-source mapping, that has the necessary properties to enable us to load target facts from source facts. The mapping generator raises specific issues for a users consideration, but is endowed with defaults to allow it to run to completion with or without user input. The framework is based on a formal foundation, and we are able to prove that when a source has a valid interpretation, the generated mapping produces a valid interpretation for the part of the target loaded from the source.