160 likes | 301 Vues
PACT Database-Level Auditing Solution: Technical Overview. 3/24/04. Goals. Provide a powerful auditing capability for relational databases (e.g., DB2) with the following features: Security:
E N D
PACT Database-Level Auditing Solution: Technical Overview 3/24/04
Goals • Provide a powerful auditing capability for relational databases (e.g., DB2) with the following features: • Security: • For various compliance purposes, be able to determine if certain data was disclosed even if it doesn’t appear in the actual query output. • Efficiency: • Minimal performance impact on normal database operation. • Leverage existing power of the database system as much as possible. • Ease of use: • Turn-key-solution to audit-enable existing databases. • Auditing proxy to transparently intercept JDBC-issued queries for minimal application impact. • Complement Privacy and Security Policy Enforcement PACT: A Technical Overview | 25-Sep-14
Logical Logging • PACT performs “logical” logging to support audits. • Logs the queries, not the query results. • Effects of database inserts, deletes, and updates are maintained within “backlog” tables. • Backlog tables are maintained entirely by PACT-installed database triggers. • Backlog tables allow reconstructing the state of the database at any previous point in time (up to the desired retention period). • No significant cost incurred on read queries. • Logical logging of PACT provides all necessary information to precisely determine which queries (if any) disclosed specified data. • At audit time, auditor can declaratively (e.g. through SQL queries) specify what data is to be audited. • E.g. Give me all queries that disclosed any of the following data: • Select * from Patient where FirstName = ‘Jane’ PACT: A Technical Overview | 25-Sep-14
Overview of logical logging in PACT Applications SQL Statements(JDBC/ODBC) Purpose Specification Tool Privacy Information (user, purpose, and recipient) PACT Proxy Logged SQL with Privacy Information Passed Through SQL Statements Backlog Tables Query Log DB2 Triggers PACT: A Technical Overview | 25-Sep-14
The Case for Logical Logging: Efficiency • Logical logging requires only one insert into the query log table per read query. • Update/insert/delete queries require roughly 3x more overhead to update backlog tables. • We have developed analytical model of “Total Audit Overhead” that incorporates cost of maintaining logs and of performing audits. • Results show that overall cost of logical logging approaches is almost always significantly less than output result logging approaches. (Next slide…) PACT: A Technical Overview | 25-Sep-14
Performance results • N=1M records • Q=1M queries • A=1K audits • tcpu = 0.2sec per query • uniform distributions total resource consumption Source: Christos Faloutsos PACT: A Technical Overview | 25-Sep-14
Actual Implementation Results (Backlog Overhead) • Cost in seconds of 10,000 insert, delete, update operations with and without backlogging. • TPC-H suppler table. PACT: A Technical Overview | 25-Sep-14
Actual Implementation Results (Audit Performance) • Time required to check whether a query disclosed specified data • TPC-H database supplier table • Tested query of form: select * from tpch.supplier where s suppkey = l PACT: A Technical Overview | 25-Sep-14
The Case for Logical Logging: Security • Query output often does not reflect the precise data disclosed by a query. • Queries can be formulated that return nonsense values (e.g. “1”) whenever the presence of sensitive data is detected. E.g. “Select the value 1 if Patient ‘Jane’ has diagnosis ‘Cancer’ • How do you determine whose information has been disclosed by the result of an aggregate query? • HIPAA alllows users to opt-out of aggregate computations in certain circumstances. • Logical logging records all information necessary to determine precisely what information was disclosed. PACT: A Technical Overview | 25-Sep-14
Overview of auditing Logs Backlog Tables JDBC and SQL Log Retrieval Layer SQL Rewrite Engine Request Processor Result Processor Log Retrieval API Audit Application Audit Result Browsing and Report Generation Audit Specification and Searching PACT: A Technical Overview | 25-Sep-14
Auditing Specifics • How do we tell if a given query accessed a given piece of data? • Use backlogged records to reconstruct the state of the database at the time the query was issued. • Select the records from the backlog with a time earlier than the timestamp of the query. • From that set, select the records with the most recent timestamp. • Select from this set only records which may have contained the data. • Rerun query formed using conditions from original query on this data. • PACT uses a SQL Rewrite Engine which combines an audit expression with a logged query into a new query whose result is non-empty if and only if that query disclosed some data in the audit expression. • For each query found to disclose specified data, PACT produces the user, purpose, recipient, query date, and exact (cell-level) information disclosed. PACT: A Technical Overview | 25-Sep-14
Difficult cases • Aggregations (with HAVING.) • Example logged query: Compute the average treatment duration grouped by disease and the doctor performing the treatment for treatments which were between 01/01/2001 and 31/12/2003 having a minimum duration < 100. • (Self) Joins • Example logged query:Find all customers who have paid for treatments by doctor Phil. • select c.name, c.address, t.disease from Customer c, Treatment t, Doctor d where c.cid = t.rcid and t.did = d.did and d.name = ’Phil’ • Audit expressions with joins: • Example audit query: Find queries that have disclosed the name of any customer who has diabetes. PACT: A Technical Overview | 25-Sep-14
‘Q1’ Join Query Rewrite audit expression := x.c=t.p and t.s=diabetes x t c.c,c.z,t.p select := c.c=t.r and t.i=d.d and d.m=‘Phil’ c t d d,m c,n,a,h,z,o p,r,i,s,u,t Doctor Customer Treatment PACT: A Technical Overview | 25-Sep-14
‘Q1’ Aggregate Query Rewrite B select := q1.m=q2.m and q1.s=q2.s q1 m,s,adr select := mdr < 30 q2 q m,s,avg(u) as adr ,min(u) as mdr x.m,x.s group :=m,s audit expression := c.c=x.p and c.z=‘95120’ and x.s=‘diabetes’ q x d.m,t.p,t.s,t.u select := t.d between ’01/01/01’ and ’31/12/03’ and d.d=t.i c c,n,a,h,z,o d t Customer p,r,i,s,u,t d,m Treatment Doctor PACT: A Technical Overview | 25-Sep-14
Ease of Use PACT is transparent to existing database applications • Administrator configures system through a simple wizard which sets up a small set of tables and triggers on the database. • Applications connect to the database proxy, instead of directly to the database. Continue to use the same SQL statements as before. • Audit component allows detecting disclosures without having to understand the applications that access the database. PACT: A Technical Overview | 25-Sep-14
Summary Features • Two main components: Logical Logging & Audit Retrieval. • Logical logging tool records all queries and changes to the database. • Retrieval tool reconstructs which queries disclosed declaratively specified data. Benefits • Mostly transparent to existing DB applications. • Reliably determines information disclosure. • Does not materially degrade system performance. PACT: A Technical Overview | 25-Sep-14