Download Honey, I got the wrong DLL A REUSE Nightmare.

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
Document related concepts

Entity–attribute–value model wikipedia , lookup

Extensible Storage Engine wikipedia , lookup

Big data wikipedia , lookup

Relational model wikipedia , lookup

Clusterpoint wikipedia , lookup

Functional Database Model wikipedia , lookup

Database model wikipedia , lookup

Transcript 
Authentic Publication
The TRUTHSAYER Project
Chip Martel
Premkumar Devanbu
Michael Gertz
April Kwong
Glen Nuckolls
Stuart Stubblebine
Department of Computer Science,
University of California, Davis
http://truthsayer.cs.ucdavis.edu
Databases Play a Vital Role
1) Commerce: credit card data, find goods
2) Financial: Investment sites
3) Health: treatments, doctors/credentials, drugs
4) Many more
Answering queries
Server Integrity?
Correct Query processing?
Performance? Reliability?
Data Query
User
Answers
Database
Goals
• Correct and complete answers
(with assurance)
• Efficient Protocols
Example Queries
• Is Credit card number 5543… Valid?
• List all Hong Kong to San Francisco flights.
• Find Digital cameras with 3-5 Mega-pixels, and
cost < $200
• List all bars within one mile of HKU
What is a Correct Answer?
• We assume a trusted Data Owner with the
official copy of the Database: Defines the
“correct answer”
What is a Correct Answer?
• We assume a trusted Data Owner with the official
copy of the Database: Defines the “correct
answer”
• Problems with a single Data Owner:
1) May not want/be able to answer queries
2) Hard to keep online DB secure
3) Scalability
Solution: Third-Party Servers
• Third party sites (Publishers) get
information from the Data Owner and
answer queries
• Example: Travel sites (Expedia,
Travelocity, Orbitz) answer using
government airline Data (FAA)
Server Replication
Can I
Trust
This
Server?
Travelocity
FAA
Data
Orbitz
Expedia
Trust Issues
• Sites have left out cheaper flights from
non-preferred airlines (deliberate)
• Sites may be corrupted: outside hacker or
insider
• Errors
Authentic Publication:
The TRUTHSAYER project.
Initially: for RDB (DBSEC 2000, Jnl. Comp. Sec.)
General Model for a Variety of Data (Algorithmica,
2004)
Owner
Data +
Digest of
Data
Query
Answer +
Verification Object
Publisher
Talk Outline
•
•
•
•
Introduction
Background--- Merkle Trees
Range Queries (Multi-attribute Queries)
A General Model for Authenticated Data
Structures
• Conclusion
Authentic Publication
1)
A trusted Owner digests the Data Set, and signs it.
2)
Untrusted Publishers receive the data & signature.
3)
Clients submit queries to untrusted Publishers.
4)
Publishers return Answers (A), and Verification Objects
(A+ VO)
5)
Clients use A + VO to Prove the answer is
correct/complete.
Protocol is correct, and secure.
Verifying answers
•
•
•
•
Protocol provides:
Correctness: Returns exact elements
matching the query.
Completeness: Returns all elements
matching query.
Security: Cheating is infeasible.
Efficiency: Overhead is low.
Recall: No signatures!!
Merkle hashing a data set.
h* (Root Hash)
h(h1 || h2 )
h1
h(d1)
h2
• Leaves: data in some lexical order.
• One way hash function h; h1= h(d1)
• Bottom-up hashing, starting with data
• Root hash value = the digest of the data set.
Merkle Trees
• Classic use: prove that data value d is in
the data set
• Solves: Is Credit card number 5543…
Valid?
• But also can verify all items in a range:
e.g. camcorders from $400 to $900
Verifying a Range
1
3
5
6
8
10
11
15
q
To Show that q =(5,6,8) is the Answer to 4<d <10:
Used Lower Bound 3, Upper Bound 10 and starred hash
values to compute/verify root hash.
Verifying a Range
1
3
5
6
8
10
11
q
Query: 4<d <10:
Answer: 5,6,8 (in practice, key + data)
Verification Object: [( (h(1),3), (5,6) ) ( (8,10), *) ]
15
Authentic Publication
Hash Digest
Merkle Tree
Security Property
• If the Answer and VO are correct, user
accepts
Security Property
• User accepts an Invalid answer only if a
specific collision in h is found (provable):
h(x,y)= z in a correct VO (x,y, z are the
hash values of tree nodes),
VO uses different x’, y’ with h(x’,y’)=z
Good Features
• Proofs are short (size proportional to tree
height and answer size).
• Use hashes, a fast cryptographic
operation
• Proofs as easy to compute as finding the
answer
• No secret keys: hash function and digests
all are public (no insider attack once data
set is digested).
Extensions
• Want to handle more complex queries
• Find Digital cameras with 3-5 Mega pixels,
and
cost < $200
• List all bars within one mile of HKU
Multi-Attribute Queries
• Model as a 2-D
Range query
• Find points (x,y) with
a<x<b
 c<y<d
(a,d)
(b,d)
Pixels
(a,c)
Cost
(b,c)
2-Dimensional range tree
• Leaves are 2D points, or 2 attributes (cost, pixels).
Sorted by x-value in X-tree
• A Y-tree for each internal node
Searching a 2D-range Tree
• Find (x,y) with 4 < x <50 AND 4 < y < 10
• All in Associated Y-trees Match x-range
Searching a 2D-range Tree
• Find pairs (x,y) with 4 < x <50 AND 4 < y < 10
• In X-tree: subtrees rooted at 5 and 13
• Search in Associated Y-trees
Searching a 2D-range Tree
• Find (x,y) with 4 < x <50 AND 4 < y < 10
• Answer: (12,5) and (23,8) AND values in 5’s Y-tree
Digesting a 2D-range Tree
• Digest each Y-tree as Merkle tree
• Each internal node in the X-tree gets the hash of three
values: two children and associated Y-tree value
Range Trees
• Let k be the number of answers (out of n)
• Search: O(k+ log2n) time, nlogn space
• improve to O(k+ logn) time with extra
pointers (can still get a hash digest)
• VO (proof) size also O(k+logn)
• Extend to d-dimensions (d-attribute query).
Search time: O(k+log(d-1) n), VO size: same.
Authenticated Data Structures
• Problem: May want to use a variety of
efficient data-structures:
 B-trees (reduce disk access)
 Suffix arrays (string queries)
 Geometric data structures (items within one
mile)
 Many more
Authenticated Data Structures
• Solution: General method to digest a data
structure (produce a single summary hash
value).
• Efficient: Proof size and construction time
= search time.
• Secure: Similar security property: break
only with a specific collision in h
Search DAGS
• Our general setting is any data structure
modeled by:
 A labeled Directed Acyclic Graph (DAG)
 A search process that visits DAG nodes and
determines which neighboring nodes to visit
next (based on labels of visited nodes)
This Models a wide range of structures
A Search DAG
• Search starts at the
unique source node s
of in-degree zero
• Digesting starts from
the sinks (here u, v ):
hash the associated
values
s
b
c
a
u
v
A Search DAG
• D(u): Digest of u
• Node u data : du
• D(u)= h(du)
• D(v)= h(dv)
s
b
c
a
u
v
A Search DAG
• Other Digests use
data and successors
s
b
• D(c) = h(dc, D(v) )
• D(b)=h(db,D(v),D(c))
• D(s) is DAG Digest
c
a
u
v
Verification for Search DAG
• Traditional Merkle Tree verification is
Bottom up (hash path values to root)
• We use top down verification to simulate a
correct search
• Owner provides search procedure P and
root digest D(s)
Authentic Publication
D(s), P
DAG, P
Verification Object for DAG
• VO: information so User can reproduce
the search (and thus verify answers)
• “Lines” of VO match steps of P:
• Data of a node and successor hashes
 ds, D(v1), D(v2) … (successors of s)
 dv1 , D(u1), D(u2), … (successors of v1)
An Example Search
• Starts at s, then visits b
then v
s
b
• VO:
 ds, D(a), D(b), D(c) (line 1)
D(s) = h(ds, D(a), D(b), D(c))
So know data ds is OK.
c
a
u
v
An Example Search
• Starts at s, process ds and
decide b is next
• VO:
 ds, D(a), D(b), D(c) [line 1]
 db, D(v), D(c) [line 2]
If D(b)=h(db,D(v),D(c))
(using D(b) from line 1)
 Data db is correct
s
b
c
a
u
v
Verified Search
• The verified computation proceeds until all
nodes in the actual search are visited (the
VO has one line for each node visited).
• The correct answer is now returned by
search procedure P.
Verified Search
• The verified computation takes time
proportional to the original search (visits
the same nodes).
• Security Proof: shows that a User accepts
the wrong answer only if a specific
collision in hash function h used (e.g.
D(b)=h(d’b,D’(v),D’(c))
Updates
• Typically Digests are updated with work
similar to the data structure’s update time
(e.g. length of the search paths to updated
items)
• If updates are frequent, overall scheme
doesn’t work well (can use time-stamped
digests)
Generalizations
• Allowing multiple Owners: often want to
query data collected from several owners.
Can be done, but now need to trust
owners and data collector.
• Privacy: VO’s may reveal information
about about the data set. Methods to
conceal extra data.
Generalizations
• I/O efficient digests/VO’s: can use a multiway tree to store multiple values in one
disk block (still logically a binary tree for
VO purposes, but stored more efficiently).
• Top-down search DAG approach may be
improved for specific data-structures (e.g.
2D range trees)
Generalizations
• Collections of structured data: XML
documents (can answer path queries)
• Relational operations (Joins, Selection,
Projection)
• Fancier Crypto operations (to reduce VO
size)
References
P. Devanbu, M. Gertz, C. Martel, and S.
G. Stubblebine. Authentic Third Party
Data Publication, 14th IFIP 11.3 Working
Conf. in DB Security (DBSec 2000),
Original Authentic Publication Paper
A General Model for Authenticated
Data Structures, Algorithmica, 2004
Many Data Structures and Search
DAG ( above group and G. Nuckolls)
References
Certifying Data from Multiple Sources,
Proceedings of the 17th Database
Security Conference, 2003
Shows how to use multiple Owners
Flexible authentication of XML documents,
Journal Computer Security, 2004
Survey Chapters
Li, Hadjieleftheriou, Kollios, Reyzin
Authenticated Index Structures for Outsourced
Databases(Overview of area and efficiency issues)
R. Sion: Towards Secure Data Outsourcing
Both in:
Michael Gertz and Sushil Jajodia (eds.):
"Handbook of Database Security: Applications
and Trends", Springer, 2007, to appear.
A. Anagnostopoulos, M. Goodrich, R. Tamassia,
Persistent Authenticated Dictionaries and Their
Applications (allows queries of prior DB
versions)
Authenticated Data Structures for Graph and
Geometric Searching (fancy geometric data
structures)
Pointer for more information
http://truthsayer.cs.ucdavis.edu
Conclusion
• A single signed Digest, can authenticate
answers to many queries
• Secure against hackers and insiders
• Can handle a wide range of data
structures
• Efficient protocols: fast query processing
and small VO’s
Future Work
• Better Update Mechanisms
• Integration of Database optimization
methods
• Actual implementation (partly done by
others), and evaluation
Related documents
Introduction to Database Queries.
Introduction to Database Queries.
ACCESS Chapter 4 Tables and Queries
ACCESS Chapter 4 Tables and Queries
6.851 Advanced Data Structures (Spring`07)
6.851 Advanced Data Structures (Spring`07)
MS Access Tutorial - Welcome
MS Access Tutorial - Welcome
The Gaian Database: a Dynamic Distributed Federated Database
The Gaian Database: a Dynamic Distributed Federated Database
Microsoft Search Labs - Berkeley Database Group
Microsoft Search Labs - Berkeley Database Group
Hiring in Databases - UBC Department of Computer Science
Hiring in Databases - UBC Department of Computer Science
Forms
Forms
Week11TLPlan
Week11TLPlan
Unit 5 Study Guide
Unit 5 Study Guide