Homework 2
CSCE 824 – Spring 2019
Due: Feb. 19, 2019, 11:55 pm via Dropbox
Name:
15 points
You may use any materials to answer the questions, but I am interested in YOUR answer. There is a 2-page limit (single spaced, 11-12 point).
Answer ONLY ONE of the questions below:
Question 1: access control
You have decided to implement Role-Based Access Control (RBAC) in your database using encryption. You have decided to encode data items using symmetric key encryption and distribute the keys to the authorized users.
- Show how to implement static separation of duties using cryptographic techniques.
- Assume that currently the granularity of the access control is relation-level. That is, each privilege is associated with a relation. Explain the difficulties of implementing a database access control model that supports the least-privilege discipline.
Question 2: secure distributed processing
Assume that your database is fragmented according to the sensitivity of the data items. Let each data item be classified as Top-Secret > Secret > Confidential. Each fragment is stored at a different host that provides support for the sensitivity level of the data item. For example, a data item with sensitivity level Top-Secret is stored at a Top-Secret host.
- Explain how the correctness criteria of data fragmentation need to be modified to support both correctness of the fragmentation and the satisfaction of the security requirements.
- Assume that you need to perform vertical fragmentation of a relation, and the key attributes are classified TS. How can we support correct fragmentation without violating the security requirement?
Question 3: database transactions and intrusion detection
- In Sweeney L, Abu A, and Winn J. Identifying Participants in the Personal Genome Project by Name. Harvard University. Data Privacy Lab. White Paper 1021-1. April 24, 2013. http://dataprivacylab.org/projects/pgp/1021-1.pdf , the authors demonstrate privacy violations that occur from combining publicly available data and genomic information. Explain the similarities and differences between statistical database inferences and the problems described in this paper.
- Recommend an approach to prevent the unauthorized disclosure described in the above paper.
Question 4: application security
- Most databases are accessed via applications. Describe the database security consequences of exploiting application vulnerabilities, such as the one studied in Sruthi Bandhakavi, Prithvi Bisht, P. Madhusudan, and V. N. Venkatakrishnan. 2007. CANDID: preventing SQL injection attacks using dynamic candidate evaluations. In Proceedings of the 14th ACM conference on Computer and communications security (CCS '07). ACM, New York, NY, USA, 12-24. http://dl.acm.org/citation.cfm?id=1315245.1315249&coll=DL&dl=ACM&CFID=666881048&CFTOKEN=58782820
- Software vulnerabilities, such as SQL injection, are generally handled outside the context of database systems, for example by encouraging secure software development approaches, using static analysis tools, etc. Consider the option of handling some of these vulnerabilities by the DBMS. What are the limitations of using the DBMS to protect against software-level vulnerabilities?