ISA 765 -- Database &
Distributed Systems Security -- Spring 2006
Prof. Alex Brodsky (http://ise.gmu.edu/~brodsky)
George Mason University
New Announcements: Note, there will be additional office hours on Monday,
May 8, 3:30 –5:15 PM
Class Location: Science and Technology I, rm. 122
Meeting Time: Wednesday, 7:20-10:00 PM
Instructor’s office: ST-441, Fairfax campus, George Mason University
Office hours: Wednesday, 4:00-6:00 PM
Telephone: 703-993-1529
Fax: 703-993-1638
Email: mailto:brodsky@gmu.edu
Course Home Page: http://classweb.gmu.edu/brodsky/isa765 (this site)
Course Description
Science and study of methods of protecting data: Discretionary and mandatory access controls, secure database design, data integrity, secure architectures, secure transaction processing, information flow controls, inference controls, and auditing. Security models for relational and object-oriented databases. Security of databases in a distributed environment. Statistical database security.
Prerequisites: INFS 762 and INFS 614; or permission of instructor
Text Book: Marshall D. Abrams, Sushil Jajodia, and Harold J. Podell, eds. Information Security: An Integrated Collection of Essays, IEEE Computer Society Press, 1995. Available on line at http://www.acsa-admin.org/secshelf/book001/book001.html from http://www.acsa-admin.org/secshelf/books.html
Additional Readings:
· N. R. Adam and J. C. Wortmann. “Security-control methods for statistical databases: A comparative study,” ACM Computing Surveys, 21(4):515-556, December 1989.
· Edward Amoroso. Fundamental of Computer Security Technology. Prentice-Hall, Englewood Cliffs, NJ, 1994.
· Silvana Castano, Mariagrazia Fugini, Giancarlo Martella, and Pierangela Samarati. Database Security, Addison-Wesley, Reading, MA, 1994.
· Dorothy E. Denning. Cryptography and Data Security, Addison-Wesley, Reading, MA, 1983.
Also, lecture notes and electronic copies of relevant papers will be provided as necessary.
Examination and Grading:
There are two exams (midterm and final), plus a term paper. Term paper should be no more than 15 pages long. An outline of the term paper (2-4 pages) is submitted after the midterm exam. Each exam constitutes 30% of the final grade and the term paper remaining 40%.
Tentative Class Meetings Schedule:
|
# |
Date |
Topic |
Handout |
What is Due |
|
1 |
Jan 25 |
DBMS access control – I |
1,2 |
|
|
2 |
Feb 1 |
DBMS access control - II |
1,2 |
|
|
3 |
Feb 8 |
Covert Channels |
3 |
|
|
4 |
Feb 15 |
Multi-level Secure Relational Model |
4 |
|
|
5 |
Feb 22 |
Multilevel Secure DBMS Architectures |
5 |
Tentative term paper topic |
|
6 |
March 1 |
Integrity Models and Mechanisms |
7 |
|
|
7 |
March 8 |
Auditing in Relational Databases |
8 |
|
|
8 |
March 15 |
Security in Statistical Databases (note: we DO meet in spite the Spring break) |
|
|
|
9 |
March 22 |
Midterm Exam (note: material from March 15 will not appear in the midterm exam) |
9 |
Term-paper outline |
|
10 |
March 29 |
Surviving Information Warfare Attacks on Databases |
12 |
|
|
11 |
April 5 |
Avoiding Loss of Fairness |
13 |
|
|
12 |
April 12 |
No Class |
|
|
|
13 |
April 19 |
Inference Channels in relational databases |
19 |
|
|
14 |
April 26 |
Inference Channels in numerical databases |
20 |
|
|
15 |
May 3 |
Hippocratic Databases; Catch-up and review |
18 |
Compete term paper |
|
16 |
May 10 |
Final Exam |
21 |
|
Tentative List of Handouts:
|
Handout 1: Discretionary Access Controls in DBMS |
|
|
Handout 2: Mandatory Access Controls |
|
|
Handout 3: Covert Channels |
|
|
Handout 4: Multilevel Secure Relational Model |
|
|
Handout 5: Multilevel Secure DBMS Architectures |
|
|
Handout 6: Commercial Products and Research Prototypes |
|
|
Handout 7: Integrity Models and Mechanisms |
|
|
Handout 8: Auditing in Relational Databases |
|
|
Handout 9: Security in Statistical Databases |
|
|
Handout 10: Sample Midterm |
|
|
Handout 11: Protecting Identities in Microdata Release |
|
|
Handout 12: Surviving Information Warfare Attacks on Databases |
|
|
Handout 13: Avoiding Loss of Fairness |
|
|
Handout 14: Watermarking Relational Databases |
PDF File |
|
Handout 15: Recent Advances in Access Control Models |
PDF File |
|
Handout 16: Trust Management |
PDF File |
|
Handout 17: Secure Group Key Management |
PDF File |
|
Handout 18: Hippocratic Databases Hippocratic Db Handout 19: Inference in Relational Databases Relational Inference Handout 20: Inference in Numeric Databases Numeric Inference Handout 21: Sample Final |
|
Reading Assignments
For Handout 1:
· Patricia P. Griffiths and Bradford W. Wade, "An authorization mechanism for a relational database system," ACM Trans. Database Syst., 1, 3 (Sep. 1976), pages 242-255. (ACM Link) (local copy)
· Ronald Fagin, "On an authorization mechanism," ACM Trans. Database Syst., 3, 3 (Sep. 1978), pages 310-319. (ACM Link) (local copy)
· E. Bertino, P. Samarati, S. Jajodia, "An extended authorization model for relational databases," IEEE Trans. on Knowledge and Data Engineering, Volume: 9, 1 , Jan.-Feb. 1997, pages 85-101. (http://ieeexplore.ieee.org/xpls/authors.jsp) (local copy)
For Handout 2: From Abrams et al. Essay 2
For Handout 4: From Abrams et al. Essays 20 and 21
For Handout 5: From Abrams et al. Essay 19
For Handout 6: From Abrams et al. Essay 23
For Handout 7:
· From Abrams et al. Essay 27
· Clark, D.D. and Wilson, D.R. "A Comparison of Commercial and Military Computer Security Policies." Proceedings of the IEEE Symposium on Security and Privacy, 1987, pages 184-194. PDF
For Handout 8: From Abrams et al. Essay 25
For Handout 9:
· N. R. Adam and J. C. Wortmann. “Security-control methods for statistical databases: A comparative study,” ACM Computing Surveys, 21(4):515-556, December 1989.
For Handout 11:
· P. Samarati, “Protecting respondents’ identities in microdata release,” IEEE Trans. On Knowledge and Data Engineering, Vol. 13, No. 6, 2001, pages 1010-1027. PDF
For Handout 12:
· P. Ammann, S. Jajodia, C. D. McCollum, and B. T. Blaustein, “Surviving information warfare attacks on databases,” Proc. IEEE Symp. on Research in Security and Privacy, Oakland, Calif., May 1997, pages 164-174. PDF
· S. Jajodia, P. Ammann, C. D. McCollum, “Surviving information warfare attacks,” IEEE Computer, Vol. 32, No. 4, April 1999, pages 57-63. PDF
· Sushil Jajodia, Catherine D. McCollum and Paul Ammann, “Trusted recovery,” Communications of the ACM, Vol. 42, No. 7, July 1999, pages 71-75.
For Handout 13:
· Peng Liu, Peng Ning, Sushil Jajodia, "Avoiding loss of fairness owing to failures in fair data exchange systems," Decision Support Systems, Vol. 31, 2001, pages 337-350. PDF
For Handout 14:
· Rakesh Agrawal, Jerry Kiernan, “Watermarking relational databases,” Proc. 28th VLDB Conf., 2002. PDF
For Handout 15:
· Sushil Jajodia, Pierangela Samarati, Maria Luisa Sapino, V. S. Subrahmanian, ``Flexible support for multiple access control policies,'' ACM Trans. on Database Systems, Vol. 26, No. 2, June 2001, pages 214-260. PDF
For Handout 16:
· Ninghui Li, John C. Mitchell, William H. Winsborough, “Design of a role-based trust management framework,” Proc. IEEE Symp. on Security and Privacy, 2002. PDF
For Handout 17:
· Sencun Zhu, Sushil Jajodia, “Scalable group rekeying for secure multicast: A survey,” Proc. 5th International Workshop on Distributed Computing, Springer Lecture Notes in Computer Science, Vol. 2918 (Samir R. Das and Sajal K. Das, editors), 2004, pages 1-10. PDF
For Handout 18:
· S. Jajodia, “Database security and privacy,” ACM Computing Surveys, 50th anniversary commemorative issue, Vol. 28, No. 1, March 1996, pages 129-131. PDF
· Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, Yirong Xu, “Hippocratic Databases,” Proc. VLDB Conf, 2002. PDF
For Handout 19:
· Alexander Brodsky, Csilla Farkas, Duminda Wijesekera, Xiaoyang Sean Wang "Constraints, Inference Channels and Secure Databases," CP 2000: 98-113 PDF
For Handout 20
· TBD
Links to Relevant Sites
· Privacy and Databases – Rajeev Motwani, Stanford University