Inference-usability confinement by maintaining inference-proof views of an information system
International Journal of Computational Science and Engineering
Inference-Proof view update transactions with minimal refusals
DPM'11 Proceedings of the 6th international conference, and 4th international conference on Data Privacy Management and Autonomous Spontaneus Security
Revising belief without revealing secrets
FoIKS'12 Proceedings of the 7th international conference on Foundations of Information and Knowledge Systems
DBSec'12 Proceedings of the 26th Annual IFIP WG 11.3 conference on Data and Applications Security and Privacy
Dynamic policy adaptation for inference control of queries to a propositional information system
Journal of Computer Security - DBSec 2011
Hi-index | 0.00 |
Inference control aims at disabling a participant to gain a piece of information to be kept confidential. Considering a server-client architecture for information systems, we extend Controlled Query Evaluation (CQE), an inference control method to enforce confidentiality in static information systems under queries, to databases that are updatable by a client. More specifically, within the framework of the lying approach to CQE, we study how the server should translate a view update request issued by a client into a new database state in an inference-proof way. In order to avoid dangerous inferences, some such updates have to be denied even though the new database instance would be compatible with the set of integrity constraints declared in the schema and supposed to be known to the client. In contrast, seen from the client's point of view some other updates leading to an incompatible instance should not be denied. We design a control method to resolve this seemingly paradoxical situation and then prove that the general security definitions of CQE, suitably extended to capture both query evaluation and view update processing, and other properties linked to view updates hold. Moreover, we further enhance that control method by adding an inference-proof subprotocol for refreshing the views of the other clients. To ensure inference-proofness, from the other clients' point of view, any view update might be a transaction, i.e., a sequence of elementary updates. (This article extends, elaborates and clarifies our contribution [12] to DBSec 2009 and also comprises some results of our work [9] presented at ESORICS 2009.)