Abstract
In an inference attack, a user derives information about the execution results of unauthorized queries from the execution results of authorized queries. Although many studies so far focus only on inference of positive information (i.e., which object is the execution result of a given unauthorized query), negative information (i.e., which object is never the execution result of a given unauthorized query) is also sensitive. In this paper, we define the following two types of security problems against inference attacks on given negative information: (1) Is the information secure under a given database instance? (2) Is it secure under any database instance of a given database schema? It is shown that the first problem is decidable in polynomial time in the description size of the database instance, while the second one is undecidable. A decidable sufficient condition for given negative information to be secure under any database instance of a given database schema is also proposed.
© 2002 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Ishihara, Y., Ako, S., Fujiwara, T. (2002). Security against Inference Attacks on Negative Information in Object-Oriented Databases. In: Deng, R., Bao, F., Zhou, J., Qing, S. (eds) Information and Communications Security. ICICS 2002. Lecture Notes in Computer Science, vol 2513. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36159-6_5
DOI: https://doi.org/10.1007/3-540-36159-6_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-00164-5
Online ISBN: 978-3-540-36159-6
eBook Packages: Springer Book Archive