Abstract
We extend Controlled Query Evaluation (CQE), an inference control method to enforce confidentiality in static information systems under queries, to updatable databases. Within the framework of the lying approach to CQE, we study user update requests that have to be translated into a new database state. In order to avoid dangerous inferences, some such updates have to be denied even though the new database instance would be compatible with a set of integrity constraints. In contrast, some other updates leading to an incompatible instance should not be denied. We design a control method to resolve this seemingly paradoxical situation and then prove that the general security definitions of CQE and other properties linked to user updates hold.
Chapter PDF
Similar content being viewed by others
References
Bancilhon, F., Spyratos, N.: Update semantics of relational views. ACM Trans. Database Syst. 6(4), 557–575 (1981)
Biskup, J., Bonatti, P.A.: Lying versus refusal for known potential secrets. Data Knowl. Eng. 38(2), 199–222 (2001)
Biskup, J., Bonatti, P.A.: Controlled query evaluation for enforcing confidentiality in complete information systems. Int. J. Inf. Sec. 3, 14–27 (2004)
Biskup, J., Bonatti, P.A.: Controlled query evaluation for known policies by combining lying and refusal. Ann. Math. Art. Intell. 40, 37–62 (2004)
Biskup, J., Bonatti, P.A.: Controlled query evaluation with open queries for a decidable relational submodel. Ann. Math. Art. Intell. 50, 39–77 (2007)
Biskup, J., Weibert, T.: Keeping secrets in incomplete databases. Int. J. Inf. Sec. 7, 199–217 (2008)
Bohannon, A., Pierce, B.C., Vaughan, J.A.: Relational lenses: a language for updatable views. In: PODS 2006, pp. 338–347. ACM, New York (2006)
Bonatti, P.A., Kraus, S., Subrahmanian, V.S.: Foundations of secure deductive databases. IEEE Trans. Knowledge and Data Engineering 7(3), 406–422 (1995)
Cuppens, F., Gabillon, A.: Logical foundation of multilevel databases. Data Knowl. Eng. 29, 259–291 (1999)
Cuppens, F., Gabillon, A.: Cover story management. Data Knowl. Eng. 37, 177–201 (2001)
Dayal, U., Bernstein, P.A.: On correct translation of update operations on relational views. ACM Trans. Database Systems 8, 381–416 (1982)
Denning, D.E., Akl, S., Heckman, M., Lunt, T., Morgenstern, M., Neumann, P., Schell, R.: Views for multilevel database security. IEEE Trans. Software Eng. 13(2), 129–140 (1987)
Farkas, C., Jajodia, S.: The inference problem: a survey. SIGKDD Explor. Newsl. 4(2), 6–11 (2002)
Hegner, S.J.: An order-based theory of updates for relational views. Ann. Math. Art. Intell. 40, 63–125 (2004)
Jajodia, S., Sandhu, R.S.: Towards a multilevel secure relational data model. In: Proc. ACM SIGMOD Int. Conf. on Management of Data, May 1991, pp. 50–59 (1991)
Langerak, R.: View updates in relational databases with an independent scheme. ACM Trans. Database Systems 15, 40–66 (1990)
Lunt, T.F., Denning, D.E., Schell, R.R., Heckman, M., Shockley, W.R.: The SeaView security model. IEEE Trans. Software Eng. 16(6), 593–607 (1990)
Sandhu, R.S., Jajodia, S.: Polyinstantiation for cover stories. In: Deswarte, Y., Quisquater, J.-J., Eizenberg, G. (eds.) ESORICS 1992. LNCS, vol. 648, pp. 307–328. Springer, Heidelberg (1992)
Sicherman, G.L., de Jonge, W., van de Riet, R.P.: Answering queries without revealing secrets. ACM Trans. Database Systems 8(1), 41–59 (1983)
Winslett, M., Smith, K., Qian, X.: Formal query languages for secure relational databases. ACM Trans. Database Systems 19(4), 626–662 (1994)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 IFIP International Federation for Information Processing
About this paper
Cite this paper
Biskup, J., Seiler, J., Weibert, T. (2009). Controlled Query Evaluation and Inference-Free View Updates. In: Gudes, E., Vaidya, J. (eds) Data and Applications Security XXIII. DBSec 2009. Lecture Notes in Computer Science, vol 5645. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03007-9_1
Download citation
DOI: https://doi.org/10.1007/978-3-642-03007-9_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03006-2
Online ISBN: 978-3-642-03007-9
eBook Packages: Computer ScienceComputer Science (R0)