Download Martin

Auditing Compliance with a
Hippocratic Database
Javier Salinas Martín
Outline


Introduction
System architecture:
–
–
–

Logs
Audits
Audit queries
Performance
Introduction

Responsibly managing privacy sensitive data
is mandatory

Approaches:
–
–
Physically logging the results of each query
New system to audit whether the database
executed a query in the past that accessed
private data
System properties




Non-disruptive
Fast and precise
Fine-grained
Convenient
System architecture
Logs

Query log: timestamp, user ID

Temporal extensions: for each table T, a
backlog table Tb is created
–
–
Time stamped
Interval stamped
Time stamped organization

A tuple in Tb has two additional columns:
–
–


TS: time of storage
OP: operation {‘insert’, ‘delete’, ‘update’}
Triggers are used to capture updates
Recover state of T at time τ: take a snapshot
Interval stamped organization

Period of time for wich each tuple was alive:
–
–



TS: time of storage
TE: end time
Insert trigger adds t to Tb, setting TE to null
Update trigger searches for tuple b such that b.P=t.P
and b.TE=null and sets b.TE to the current time and
inserts new tuple t
Delete trigger searches for tuple b such that b.P=t.P
and b.TE=null and sets b.TE to the current time
Audit expressions





Identical to that of a select query
No disctinct in the select list
“Audit” replaces “Select”
U: cross product of all the base tables in the
database
Cells that satisfy the expression are marked in U
Schema used for examples
Example of audit expression

Audit if the disease information of anybody living in
the ZIP code 95120 was diclosed

Cells corresponding to the disease column of those
tuples in the Customer x Treatment table that have
c.cid=t.pcid and c.zip = 95120 are marked
Some definitions
Tuple t, Query Q, Audit A
 Indispensable tuple: omitting t makes a
difference on Q
 Candidate query: Q accesses all columns A
specifies in its audit list
 Suspicious query: Q and A share an
indispensable tuple
Example 1


Q is a candidate query with respect to A
Q is suspicious with respect to A if there is a
customer who lived in the ZIP code 95120
and was treated for diabetes
Example 2


Q is not suspicious with respect to A
Anyone who looks at the output of the query
will not learn that Alice has cancer
System architecture
Audit query generation

Full audit expression

Two steps:
–
–
Static analysis: select candidate queries from the query log
Audit query generation: augment every candidate query
with information from the audit expression and combine
them into an audit query that unions their output
Static analysis

Select candidate queries

Four steps:
–
–
–
–

Check whether Q is a candidate query
Check whether timestamp of Q is out of range
Check whether the purpose-recipient pair of Q matches any
of the purpose-recipient specified in the otherthan clause of A
Check for contradictions between predicates
Set of candidate queries Q= {Q1,…,Qn}
Audit Query Generation





Augment every Qi with A
Result is another query AQi, defined against the
backlog database at time τi
τi is the timestamp of Qi as recorded in the query log
All AQi are combined into one AQ audit query whose
output is the union of the output of the individual AQi
AQ is executed against the backlog database
Audit Query Generation example

Example:
Audit Query Generation example
Audit Query Generation example
Performance

Cost of maintaining backlog tables
Performance

Execution time of an audit query
Questions?