Slide 1 (Carnegie Mellon Databases): Simultaneous Scalability and Security for Data-Intensive Web Applications

• Encrypt nothing: more precise invalidation, poor security
Slide 7: Opportunity for managing the tradeoff

But for most data, nontrivial to assess:
1. Data sensitivity
2. Scalability impact of securing the data

Data sensitivity (figure): not all data is equally sensitive
• Extremely sensitive (e.g. credit card information): secure at all costs
• Moderately sensitive (e.g. inventory records): care, but worried about scalability impact
• Completely insensitive (e.g. bestsellers list): don't care
Slide 8: Managing the security-scalability tradeoff

Figure: security versus scalability, with three operating points: encrypt sensitive (extremely sensitive) data only; encrypt sensitive and moderately sensitive data; our approach.
• Our approach: encrypt data not useful for invalidation
• Tradeoff has to be managed only over the remaining data
Slide 9: Key insight: queries and updates can only be instantiations of templates

Given templates, we can identify data not useful for invalidation:
Q1: SELECT cust_name FROM customers WHERE cust_id=?
U1: DELETE FROM toys WHERE toy_id=?

Parameters and results are not useful for invalidation. Example instantiation of Q1 (template with parameter, and its query result):
SELECT cust_name FROM customers WHERE cust_id=123
cust_name
John

Encrypting them has no scalability overhead.
Slide 10: Outline

• Security-scalability tradeoff
• Four operating points in the tradeoff space
• Identifying data not useful for invalidation
• Evaluation results
• Related work and summary
Fragment of a later slide: Q3: SELECT cust_name FROM customers WHERE cust_id=?
Table (partially lost): which parts of Q3 are accessible by the DSSP at each operating point; legend: check mark = Yes, x = No.
Slide 18: Sometimes invalidation strategies have the same invalidation behavior

Example: Template and View have the same behavior for this pair, so parameters and results can be encrypted:
Q1: SELECT cust_name FROM customers WHERE cust_id=?
U1: DELETE FROM toys WHERE toy_id=?

Goal: find template pairs for which different invalidation strategies have the same invalidation behavior.
Invalidation behavior characterization:
Slide 19: Applications can expose (not encrypt) on a per-template basis

Invalidation matrix: query exposure (rows) against update exposure (columns)
• Query exposure: nothing | template | template, parameters | template, parameters, result
• Update exposure: nothing | template | template, parameters
Rule: encrypt data as long as invalidations do not increase for any template pair.
Slide 21: Benchmark applications

• Auction (RUBiS, from Rice)
• Bulletin board (RUBBoS, from Rice)
• Bookstore (TPC-W, from UW-Madison)
Slide 22: Evaluation methodology

• California Privacy Law determined the sensitive data
• Setup (figure): home server, CDN and DSSP, users; network latencies of 5 ms and 100 ms between the tiers
• Scalability: max # concurrent users with acceptable response times
• Security: # templates with encrypted results
Slide 23: Magnitude of the security-scalability tradeoff

Bar chart: scalability (number of concurrent users supported, 0 to 900) for each benchmark application (Auction, Bboard, Bookstore) under the four operating points Blind, Template, Statement and View.
1. Blanket encryption (Blind) hurts scalability
2. View has the best scalability
Slide 24: Security results

Chart: additional query data that can be encrypted using our approach, without hurting scalability, for Auction, Bboard and Bookstore; categories: parameters and result, result, nothing. The numbers denote the number of query templates; values shown on the chart: 18, 6, 4, 17, 7, 12, 14, 7, 7 (per-category assignment lost in the transcript).
Can encrypt results for over 50% of the templates.
Slide 25: Security results in detail

• Auction: the historical record of user bids was not exposed
• Bboard: the rating users give one another based on the quality of their posting
• Bookstore: book purchase association rules discovered by the vendor (customers who purchase book A also purchase book B)

Related work (fragment): view invalidation strategies: [Levy and Sagiv 1993], [Candan+ 2002], [Choi and Luo 2004]
Slide 28: Summary

• Security-scalability tradeoff in the presence of a DSSP
• Shortcut to manage the tradeoff: static analysis of database templates; find data not useful for invalidation; the tradeoff has to be managed only over the remaining data
• Evaluation on three application benchmarks: blanket encryption hurts scalability; data identified by our approach is moderately sensitive

Slide 30: Back-up slides
Slide 31: Key insight: the set of queries and updates can be determined by inspecting the code

function get_toy_id ($toy_name) {

Given templates: statically identify data not useful for invalidation
Slide 32: Summary of our approach

Flow: privacy law → initial list of encrypted data (highly sensitive) → static analysis of templates → final list of encrypted data
1. For each (query template, update template) pair, construct an invalidation matrix (IM). Use the IM characterization results to see whether Blind=Template, Template=Statement, and Statement=View in each case.
2. Use a greedy algorithm to find all data that is not useful for invalidation.
The tradeoff needs to be managed only over the reduced data.
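As an added illustration of steps 1 and 2 above, and of the key insight on slide 9, here is a toy static analysis over query and update templates in Python; it is written for this transcript and is not code from the talk or the authors' system. It assumes single-table templates with at most one `col = ?` predicate and a deliberately simplified invalidation model (the template rules out other tables, a shared predicate column makes parameters useful, a result column matching the update's predicate makes the result useful); Q2 and U2 are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Exposure levels from the slides, least to most exposed:
# nothing / template / template+parameters / template+parameters+result.
LEVELS = ["blind", "template", "statement", "view"]
# Q1 and U1 are the slides' templates; Q2 and U2 are constructed for this example.
QUERIES = {"Q1": "SELECT cust_name FROM customers WHERE cust_id=?",
           "Q2": "SELECT toy_id, price FROM toys WHERE category=?"}
UPDATES = {"U1": "DELETE FROM toys WHERE toy_id=?",
           "U2": "UPDATE customers SET cust_name=? WHERE cust_id=?"}

@dataclass(frozen=True)
class Template:
    table: str
    cols: frozenset      # columns a SELECT returns; empty for updates
    pred: Optional[str]  # column of the single "col = ?" equality predicate, if any

_PAT = re.compile(r"^(?:SELECT\s+(.+?)\s+FROM|DELETE\s+FROM|UPDATE|INSERT\s+INTO)\s+(\w+)"
                  r"(?:.*?\bWHERE\s+(\w+)\s*=\s*\?)?", re.I | re.S)

def parse(sql: str) -> Template:
    """Toy parser (assumption): one table, at most one 'col = ?' equality predicate."""
    m = _PAT.match(sql.strip())
    if not m:
        raise ValueError(f"unsupported template: {sql}")
    cols = frozenset(c.strip().lower() for c in m.group(1).split(",")) if m.group(1) else frozenset()
    return Template(m.group(2).lower(), cols, m.group(3).lower() if m.group(3) else None)

def level_needed(q: Template, u: Template) -> str:
    """Lowest exposure of q at which invalidating q on u behaves exactly as it would at 'view'."""
    if q.table != u.table:
        return "template"   # the template alone proves u cannot touch q's rows
    if q.pred is not None and q.pred == u.pred:
        return "statement"  # comparing the two bound parameters can rule out invalidation
    if u.pred is not None and u.pred in q.cols:
        return "view"       # only the cached result shows whether the updated row is present
    return "blind"          # same table, no comparable key: q is invalidated either way

def encryptable(queries: dict, updates: dict) -> dict:
    """Greedy pass: expose each query at the highest level any update pair needs; encrypt the rest."""
    out = {}
    for qname, qsql in queries.items():
        q = parse(qsql)
        need = max((LEVELS.index(level_needed(q, parse(u))) for u in updates.values()), default=0)
        hidden = tuple(p for lvl, p in (("statement", "parameters"), ("view", "result"))
                       if need < LEVELS.index(lvl))
        out[qname] = (LEVELS[need], hidden)
    return out
```

Running `encryptable(QUERIES, UPDATES)` reports that Q1 only needs statement-level exposure (its result can be encrypted), while Q2 needs view-level exposure because U1 deletes by a column Q2 returns.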
Slide 33: Flow of invalidations

Figure: flow of queries, updates and invalidations between the home organization, the untrusted DSSP at the CDN, and its cache (queries are forwarded to the home organization upon a cache miss).
Slide 34: Template exposure levels

Four levels of how much data is exposed per template (least to most): nothing (blind), template (template), template + parameters (statement), template + parameters + result (view).
Greater exposure means more help for invalidation; less exposure means greater security.
Control the security-scalability tradeoff by controlling exposure levels.