Steven Dawson

Providing Security and Interoperation of HeterogeneousSystems

Interoperation and information sharing among databases independently developed and maintained by different organizations is today a pressing need, if not a practice. Governmental, military, financial, medical, and private institutions are more and more required to become part of a distributed infrastructure and selectively share their data with other organizations. This sharing process inevitably opens the local system to new vulnerabilities and enlarges the space of possible threats to the data and resources it maintains. As a complicating factor, in general, data sources are heterogeneous both in the data models they adopt and in the security models by which protection requirements are stated. We present a modeling and architectural solution to the problem of providing interoperation while preserving autonomy and security of the local sources based on the use of wrappers and a mediator. A wrapper associated with each source provides a uniform data interface and a mapping between the sources security lattice and other lattices. The mediator processes global access requests by interfacing applications and data sources. The combination of wrappers and mediator thus provides a uniform data model interface and allows the mapping between restrictions stated by the different security policies. We describe the practical application of these ideas to the problem of trusted interoperation of health care databases, targeted to enforcing security in distributed applications referring to independent heterogeneous sources protected by mandatory policy restrictions. We describe the architecture and operation of the system developed, and describe the tasks of the different components.

Modeling and analysis of interactions in virtual enterprises

Advances in computer networking technology and open system standards are making the creation and management of virtual enterprises feasible. A virtual enterprise is a temporary consortium of autonomous, diverse, and possibly geographically dispersed organizations that pool their resources to meet short-term objectives and exploit fast-changing market trends. For a virtual enterprise to succeed, its business processes must be automated, and its startup costs must be minimized. We describe a formal framework for modeling and reasoning about interactions in a virtual enterprise. Such a framework will form the basis for tools that provide automated support for creation and operation of virtual enterprises.

Specification and enforcement of classification and inference constraints

Although mandatory access control in database systems has been extensively studied in recent years, and several models and systems have been proposed, capabilities for enforcement of mandatory constraints remain limited. Lack of support for expressing and combating inference channels that improperly leak protected information remains a major limitation in todays multilevel systems. Moreover the working assumption that data are classified at insertion time makes previous approaches inapplicable to the classification of existing, possibly historical, data repositories that need to be classified for release. Such a capability would be of great benefit to, and appears to be in demand by, governmental, public and private institutions. We address the problem of classifying existing data repositories by taking into consideration explicit data classification as well as association and inference constraints. Constraints are expressed in a unified, DBMS- and model-independent framework, making the approach largely applicable. We introduce the concept of minimal classification as a labeling of data elements that while satisfying the constraints, ensures that no data element is classified at a level higher than necessary. We also describe a technique and present an algorithm for generating data classifications that are both minimal and preferred according to certain criteria. Our approach is based on preprocessing, or compiling, constraints to produce a set of simple classification assignments that can then be efficiently applied to classify any database instance.

Minimal data upgrading to prevent inference and association attacks

Despite advances in recent years in the area of mandatory access control in database systems, today’s information repositories remain vulnerable to inference and data association attacks that can result in serious information leakage. Such information leakage can be prevented by properly classifying information according to constraints that express relationships among the security levels of data objects. In this paper we address the problem of classifying information by enforcing explicit data classification as well as inference and association constraints. We formulate the problem of determining a classification that ensures satisfaction of the constraints, while at the same time guaranteeing that information will not be unnecessarily overclassified. We present an approach to the solution of this problem and give an algorithm implementing it which is linear in simple cases, and low-order polynomial (n) in the general case. We also analyze a variant of the problem that is NP-hard.

Maximizing Sharing of Protected Information

Despite advances in recent years in the area of mandatory access control in database systems, todays information repositories remain vulnerable to inference and data association attacks that can result in serious information leakage. Without support for coping against these attacks, sensitive information can be put at risk because of release of other (less sensitive) related information. The ability to protect information diclosure against such improper leakage would be of great benefit to governmental, public, and private institutions, which are, today more than ever, required to make portions of their data available for external release. In this paper we address the problem of classifying information by enforcing explicit data classification as well as inference and association constraints. We formulate the problem of determining a classification that ensures satisfaction of the constraints, while at the same time guaranteeing that information will not be overclassified. We present an approach to the solution of this problem and give an algorithm implementing it which is linear in simple cases, and quadratic in the general case. We also analyze a variant of the problem that is NP-complete.

Principles and practice of unification factoring

The efficiency of resolution-based logic programming languages, such as Prolog, depends critically on selecting and executing sets of applicable clause heads to resolve against subgoals. Traditional approaches to this problem have focused on using indexing to determine the smallest possible applicable set. Despite their usefulness, these approaches ignore the nondeterminism inherent in many programming languages to the extent that they do not attempt to optimize execution after the applicable set has been determined. Unification factoring seeks to rectify this omission by regarding the indexing and unification phases of clause resolution as a single process. This article formalizes that process through the construction of factoring automata. A polynomial-time algorithm is given for constructing optimal factoring automata that preserve the clause selection strategy of Prolog. More generally, when the clause selection strategy is not fixed, constructing such an optimal automaton is shown to be NP-complete, solving an open trie minimization problem. Unification factoring is implemented through a source code transformation that preserves the full semantics of Prolog. This transformation is specified in the article, and using it, several well-known programs show significant performance improvements across several different systems. A prototype of unification factoring is available by anonymous ftp.

Secure access wrapper: mediating security between heterogeneous databases

Organizations today are faced with an ever-increasing need to become more efficient in their methods for exchange of information with consumers, collaborators, and partners. Unfortunately existing mechanisms for such information exchange provide nowhere near the levels of both security and automation required to satisfy this need. Effective information sharing and dissemination can take place only if the data holders have assurance that access constraints on the information they own or manage will be respected and that, while releasing information, disclosure of sensitive information is not a risk. The Secure Access Wrapper (SAW) project is a collaborative effort between SRI International and Stanford University to develop techniques that provide substantially more automation and assurance than has previously been available for secure, selective information sharing. The SAW project is sponsored by DARPA ITO under the Wrappers and Composition focus area of the Information Survivability program.

Classifying Information for External Release

Organizations in the private, public, and governmental sectors are more and more required to make their data available on the Internet. This demand often involves archival data maintained at the organization, which must be disclosed selectively. We illustrate an approach to classifying information for external release that guarantees protection of sensitive data while maximizing information release.