Redundancy and Information Leakage in Fine Grained Access Control

Govind Kabra (Univ of Illinois, Urbana-Champaign), Ravi Ramamurthy (Microsoft Research), S. Sudarshan (IIT Bombay)

Slide transcript, 22 pages (PowerPoint presentation)

Page 1: Redundancy and Information Leakage in Fine Grained Access Control

April 19, 2023 1

Redundancy and Information Leakage in Fine Grained Access Control

Govind Kabra (Univ of Illinois, Urbana-Champaign)

Ravi Ramamurthy (Microsoft Research)

S. Sudarshan (IIT Bombay)

Page 2: Errata in proceedings

Fonts not correctly displayed: joins appear as "!", semijoins appear as "for all"
To obtain correct versions: download from the authors' homepages, or send email

Page 3: Fine Grained Access Control

SQL authorization is at the level of table/column, e.g. grant select on employee(name) to public
Fine-grained access control examples:
  Managers can see records of their employees
  Faculty have access to grades of courses they taught
Application-layer support for FGA: several limitations
Database support for FGA: validity checking model; view replacement model
[Figure: User A, User B, User C]

Page 4: View Replacement model for FGA

Based on rewriting of the query: create an authorization view RA; in the user query, replace R by RA
Auth view authL: customers can see the lineitems only for their orders
User query: select * from lineitem where shipmode = 'express'
Several proposals: Oracle VPD, Sybase row level security; LeFevre et al. [VLDB04], Agrawal et al. [ICDE05]
Key implementation issues: redundancy in rewritten queries; information leakage through UDFs, timing analysis, exceptions
[Figure: query plan before rewriting, σ over L; after rewriting, σ over L semijoined with authL, where authL is a semijoin of L with σ(O)]

Page 5: Redundancy Removal

Most queries access only authorized data

Page 6: Redundancy between queries and authorization predicates

Auth view authL: customers can see lineitems only for their own orders
Query: customer 123 wants to see details of lineitems shipped using express mode, only for his orders:
  select * from lineitem L, orders O
  where l_orderkey = o_orderkey
  and o_custkey = 123
  and l_shipmode = 'express'
RA would often be of the form R ⋉ A
[Figure: plan trees for the original query σ(O) ⋈ σ(L), for the authorization view authL, and for the rewritten query in which σ(L) is additionally semijoined with the σ(O) coming from authL]

Page 7: Redundancy detection and removal

In general, RR is equivalent to query minimization
Heuristic approach: eliminate redundant semi-joins. If E2 subsumes E1, then transform E1 ⋉ E2 to E1
Added transformation rules in a rule-based optimizer; use materialized view matching support for testing subsumption
[Figure: rewritten plan σ(O) ⋈ (σ(L) ⋉ σ(O)), with the semijoin labelled E1 ⋉ E2; after applying RR: σ(O) ⋈ σ(L)]
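The view replacement model of Page 4 and the redundancy removal rule of this page ("if E2 subsumes E1, transform E1 ⋉ E2 to E1"), carried out on the lineitem/orders query of Page 6. This is an added example and not code from the slides or from the authors' system: it is a toy relational-algebra model in which selections are conjunctions of column = constant predicates, every (semi)join has a single key, and subsumption is decided by predicate-set containment over the same base relation (the paper uses the optimizer's materialized view matching for that test). The sample rows, the `run` helper and the relation/column names are constructed for the example.

```python
"""Toy model of view replacement plus the redundancy removal (RR) heuristic.
Assumptions (not the paper's): conjunctive col = constant selections, one join
key per (semi)join, subsumption by predicate containment on the same relation."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Rel:
    name: str


@dataclass(frozen=True)
class Sel:
    preds: FrozenSet[Tuple[str, object]]  # conjunction of col = value
    child: "Expr"


@dataclass(frozen=True)
class SemiJoin:
    left: "Expr"
    right: "Expr"
    key: Tuple[str, str]  # (left column, right column)


@dataclass(frozen=True)
class Join:
    left: "Expr"
    right: "Expr"
    key: Tuple[str, str]


Expr = Union[Rel, Sel, SemiJoin, Join]


def replace_views(e: Expr, auth: Dict[str, Expr]) -> Expr:
    """View replacement: substitute each base relation R by its authorization view RA."""
    if isinstance(e, Rel):
        return auth.get(e.name, e)
    if isinstance(e, Sel):
        return Sel(e.preds, replace_views(e.child, auth))
    return type(e)(replace_views(e.left, auth), replace_views(e.right, auth), e.key)


def _base_and_preds(e: Expr):
    """(relation, conjunctive predicates) for a selection chain over a base relation, else None."""
    preds = set()
    while isinstance(e, Sel):
        preds |= e.preds
        e = e.child
    return (e.name, frozenset(preds)) if isinstance(e, Rel) else None


def subsumes(e2: Expr, e1: Expr) -> bool:
    """True if every tuple of e1 is also in e2 (e1 ⊆ e2): same base relation and
    e2's predicates are a subset of e1's, so e1 is at least as restrictive."""
    a, b = _base_and_preds(e2), _base_and_preds(e1)
    return a is not None and b is not None and a[0] == b[0] and a[1] <= b[1]


def _drop_implied_semijoin(e: Expr, partner: Expr, key) -> Expr:
    """Below selections, remove a semijoin on `key` whose right side subsumes the join
    partner: every tuple surviving the join already has a match there (E1 ⋉ E2 -> E1)."""
    if isinstance(e, Sel):
        return Sel(e.preds, _drop_implied_semijoin(e.child, partner, key))
    if isinstance(e, SemiJoin) and e.key == key and subsumes(e.right, partner):
        return e.left
    return e


def remove_redundancy(e: Expr) -> Expr:
    if isinstance(e, Sel):
        return Sel(e.preds, remove_redundancy(e.child))
    if isinstance(e, SemiJoin):
        return SemiJoin(remove_redundancy(e.left), remove_redundancy(e.right), e.key)
    if isinstance(e, Join):
        lc, rc = e.key
        left = _drop_implied_semijoin(remove_redundancy(e.left), e.right, (lc, rc))
        right = _drop_implied_semijoin(remove_redundancy(e.right), e.left, (rc, lc))
        return Join(left, right, e.key)
    return e


def count_semijoins(e: Expr) -> int:
    if isinstance(e, Sel):
        return count_semijoins(e.child)
    if isinstance(e, (SemiJoin, Join)):
        return int(isinstance(e, SemiJoin)) + count_semijoins(e.left) + count_semijoins(e.right)
    return 0


def evaluate(e: Expr, db: Dict[str, List[dict]]) -> List[dict]:
    """Naive evaluator, used to confirm that RR preserves the query result."""
    if isinstance(e, Rel):
        return list(db[e.name])
    if isinstance(e, Sel):
        return [r for r in evaluate(e.child, db) if all(r[c] == v for c, v in e.preds)]
    lc, rc = e.key
    left, right = evaluate(e.left, db), evaluate(e.right, db)
    if isinstance(e, SemiJoin):
        matches = {r[rc] for r in right}
        return [l for l in left if l[lc] in matches]
    return [{**l, **r} for l in left for r in right if l[lc] == r[rc]]


# Constructed sample data: customer 123 owns orders 1 and 2, customer 456 owns order 3.
DB = {
    "orders": [{"o_orderkey": 1, "o_custkey": 123}, {"o_orderkey": 2, "o_custkey": 123},
               {"o_orderkey": 3, "o_custkey": 456}],
    "lineitem": [{"l_orderkey": 1, "l_shipmode": "express"}, {"l_orderkey": 2, "l_shipmode": "ground"},
                 {"l_orderkey": 3, "l_shipmode": "express"}],
}
KEY = ("l_orderkey", "o_orderkey")


def auth_views(user: int) -> Dict[str, Expr]:
    """authL: the user sees line items only for their own orders, lineitem ⋉ σ[o_custkey=user](orders)."""
    return {"lineitem": SemiJoin(Rel("lineitem"), Sel(frozenset({("o_custkey", user)}), Rel("orders")), KEY)}


def run(user: int, custkey_in_query: int):
    """The Page 6 query for `custkey_in_query`, issued by `user`:
    returns (semijoins after rewriting, semijoins after RR, result rows)."""
    query = Join(Sel(frozenset({("l_shipmode", "express")}), Rel("lineitem")),
                 Sel(frozenset({("o_custkey", custkey_in_query)}), Rel("orders")), KEY)
    rewritten = replace_views(query, auth_views(user))
    minimized = remove_redundancy(rewritten)
    rows = evaluate(minimized, DB)
    assert rows == evaluate(rewritten, DB)  # RR must not change the answer
    return count_semijoins(rewritten), count_semijoins(minimized), rows


if __name__ == "__main__":
    print(run(123, 123))  # own orders: the authorization semijoin is redundant and dropped
    print(run(123, 456))  # another customer's orders: semijoin kept, no rows returned
```

When customer 123 asks for his own orders the query's `o_custkey = 123` join partner is subsumed by the authorization predicate, so the semijoin is dropped and the plan is the original query; when he asks for customer 456's orders the containment test fails, the semijoin stays, and the answer is empty, which is the check that RR only removes what the query already guarantees.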

Page 8: Performance benefits of RR

TPC-H benchmark queries, with authorization checks; comparing normalized execution times

TPC-H query   Execution time without RR   Execution time with RR
Query 3       100.00                      48.28
Query 6       56.03                       38.79
Query 10      94.83                       55.45
Query 12      77.57                       43.97
Query 14      49.14                       38.79

Page 9: Information Leakage

So you thought only the query result matters?

Page 10: Information Leakage via UDFs

Auth view myemployee: only those employees whose dept_id is in A1
Query: select * from employee where myudf(salary)
The final query plan is not safe: the UDF may be pushed down in the plan and executed on an unauthorized intermediate result
As a side effect, the UDF may expose the values passed to it [Litchfield]; can be partly solved using sandboxing
[Figure: σ_myudf(E.salary) over myemployees; rewritten as σ_myudf(E.salary) over employees ⋉ A1; unsafe plan with σ_myudf(E.salary) pushed below the semijoin, directly on employees]

Page 11: Other channels of information leakage

Exceptions, error messages
  Query: select * from employee where 1/(salary-100K) = 0.23
  Query plan: the selection condition in the query gets pushed below the authorization semi-join
  Divide-by-zero exception if salary = 100K; reveals that an employee has salary = 100K
Timing analysis
  A sub-query can perform an expensive computation only if certain tuples are present in its input
To prevent leakage, treat all channels as unsafe operations

Page 12: Preventing Information Leakage via UDFs

UDFonTop: keep UDFs at the top of the query plan. Definitely safe, no information leakage; better plans are possible if the UDF is selective
Optimal safe plan: when is a plan safe? How to search for the optimal plan amongst alternative safe plans?
[Figure: unsafe plan with σ_myudf(E.salary) on employees below the semijoin with A1, versus safe plan with σ_myudf(E.salary) on top of employees ⋉ A1]

Page 13: Safe plans w.r.t. UDFs

Approach 1: if the UDF uses attributes from R, apply the authorization checks for R before the UDF. Not sufficient; the full expression must be authorized
Authorized expression: an expression that can be rewritten using authorized views [RMSR04]. How to efficiently infer which expressions are authorized?
Auth views: employee, (medical-record ⋉ A2)
Query: find names of all employees having AIDS
[Figure: three plans for σ_udf2(E.name) over employees ⋈ σ_M.disease='AIDS'(medical-record ⋉ A2), differing in where the UDF and the semijoin with A2 are placed]

Page 14: Framework of rule based optimizer

[Figure: memo of a rule-based optimizer for query Q1 over employees and medical-records; equivalent expressions are collected into groups G1 to G7, shown before and after transformations]

Page 15: Inferring authorization of expressions

Authorization as a logical property of a group
Start with the rewritten query:
  Mark groups containing original authorization views as authorized
  If all children of any expression in a group are authorized, the group is inferred to be authorized
  Propagate authorization upwards to the parent groups

Page 16: Inferring authorization of expressions (continued)

Authorization as a logical property of a group. Start with the rewritten query: mark groups containing original authorization views as authorized; propagate authorization upwards to the parent groups
[Figure: the memo of Page 14 (groups G1 to G7 for Q1 over employees and medical-records) with authorization marks propagated step by step from the groups holding the authorization views up to their parents]

Page 17: Extending optimizer to find optimal safe plan

Only Safe Transformations: allow UDF push-down/pull-up only on top of authorized expressions; only safe alternatives are present in the memo, so pick the optimal plan
Pick Safe Plan: allow all transformations for UDFs; use a "required/derived feature" to pick only plans where UDFs are on top of authorized expressions
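The authorization inference of Pages 15 and 16 and the "Pick Safe Plan" variant of this page, run over a memo for the Page 13 query (names of employees having AIDS, with a UDF on E.name). This is an added example and not code from the slides or from the authors' optimizer: the memo groups, the alternative expressions in each group, the group ids and the per-expression cost estimates are all constructed for the example; a real memo would be produced by the optimizer's transformation rules. The safety rule is the one the slides state, an unsafe operator (a UDF, or per Page 11 an exception-raising selection) is only accepted directly on top of authorized groups.

```python
"""Authorization inference over an optimizer memo and optimal safe plan selection.
Assumptions (constructed for the example): groups and alternatives are given
explicitly, and each expression carries a local cost estimate."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Operators that can leak their input (Pages 10-11): UDFs and selections that may
# raise an exception. They are safe only when everything below them is authorized.
UNSAFE_OPS = {"udf", "exception_sel"}


@dataclass(frozen=True)
class Expr:
    op: str                    # auth_view, rel, select, join, semijoin, udf, ...
    label: str
    children: Tuple[str, ...]  # ids of the child groups
    cost: float                # constructed local cost (excludes the children)


Memo = Dict[str, List[Expr]]


def infer_authorized(memo: Memo, auth_view_groups: Iterable[str]) -> Set[str]:
    """Groups holding an original authorization view are authorized; a group with an
    expression all of whose children are authorized is authorized; iterate to a
    fixpoint, which is the upward propagation of Pages 15-16."""
    authorized = set(auth_view_groups)
    changed = True
    while changed:
        changed = False
        for gid, exprs in memo.items():
            if gid in authorized:
                continue
            if any(e.children and all(c in authorized for c in e.children) for e in exprs):
                authorized.add(gid)
                changed = True
    return authorized


def is_safe_expr(e: Expr, authorized: Set[str]) -> bool:
    """An unsafe operator must sit directly on top of authorized expressions."""
    return e.op not in UNSAFE_OPS or all(c in authorized for c in e.children)


def optimal_plan(memo: Memo, gid: str, authorized: Set[str], safe_only: bool,
                 cache: Optional[dict] = None) -> Optional[Tuple[float, str]]:
    """Cheapest (cost, plan) for a group. With safe_only the required feature
    'unsafe operators only on authorized input' prunes the alternatives."""
    cache = {} if cache is None else cache
    if (gid, safe_only) in cache:
        return cache[(gid, safe_only)]
    best = None
    for e in memo[gid]:
        if safe_only and not is_safe_expr(e, authorized):
            continue
        total, parts = e.cost, []
        for c in e.children:
            sub = optimal_plan(memo, c, authorized, safe_only, cache)
            if sub is None:
                break
            total += sub[0]
            parts.append(sub[1])
        else:  # no child was without a plan
            plan = f"{e.label}({', '.join(parts)})" if parts else e.label
            if best is None or total < best[0]:
                best = (total, plan)
    cache[(gid, safe_only)] = best
    return best


def udf_on_top_cost(memo: Memo, root: str, authorized: Set[str]) -> float:
    """Cost of the UDFonTop baseline: the root's UDF over the best safe sub-plan."""
    udf = next(e for e in memo[root] if e.op == "udf")
    return udf.cost + sum(optimal_plan(memo, c, authorized, True)[0] for c in udf.children)


# Constructed memo. Auth views: employees (all rows) and medical-record ⋉ A2.
# UE/UJ/ROOT hold the alternatives created by pushing the UDF udf2 down.
MEMO: Memo = {
    "E":    [Expr("auth_view", "employees", (), 10)],
    "M":    [Expr("rel", "medical-record", (), 10)],
    "A2":   [Expr("auth_view", "A2", (), 1)],
    "MA":   [Expr("semijoin", "⋉A2", ("M", "A2"), 5)],
    "SM":   [Expr("select", "σ[disease='AIDS']", ("M",), 2)],
    "SMA":  [Expr("select", "σ[disease='AIDS']", ("MA",), 2),
             Expr("semijoin", "⋉A2", ("SM", "A2"), 3)],
    "J":    [Expr("join", "⋈", ("E", "SM"), 8)],
    "JA":   [Expr("join", "⋈", ("E", "SMA"), 8),
             Expr("semijoin", "⋉A2", ("J", "A2"), 3)],
    "UE":   [Expr("udf", "σ[udf2]", ("E",), 12)],
    "UJ":   [Expr("udf", "σ[udf2]", ("J",), 1),   # UDF on an unauthorized join
             Expr("join", "⋈", ("UE", "SM"), 3)],
    "ROOT": [Expr("udf", "σ[udf2]", ("JA",), 9),  # UDFonTop
             Expr("join", "⋈", ("UE", "SMA"), 3),
             Expr("semijoin", "⋉A2", ("UJ", "A2"), 3)],
}
AUTH_VIEW_GROUPS = ("E", "A2", "MA")


def compare() -> Tuple[float, float, float]:
    """(cost of the unrestricted optimum, cost of the optimal safe plan, cost of UDFonTop)."""
    authorized = infer_authorized(MEMO, AUTH_VIEW_GROUPS)
    unrestricted = optimal_plan(MEMO, "ROOT", authorized, safe_only=False)
    safe = optimal_plan(MEMO, "ROOT", authorized, safe_only=True)
    return unrestricted[0], safe[0], udf_on_top_cost(MEMO, "ROOT", authorized)


if __name__ == "__main__":
    auth = infer_authorized(MEMO, AUTH_VIEW_GROUPS)
    print("authorized groups:", sorted(auth))
    print("unrestricted optimum:", optimal_plan(MEMO, "ROOT", auth, False))
    print("optimal safe plan:", optimal_plan(MEMO, "ROOT", auth, True))
    print("UDFonTop cost:", udf_on_top_cost(MEMO, "ROOT", auth))
```

With these constructed costs the unrestricted optimizer picks the plan that evaluates udf2 on the unauthorized join of employees with the disease selection (the Page 13 "approach 1" trap: employees alone is authorized, the joined expression is not), the safe search rejects it and still finds a plan cheaper than UDFonTop by applying the UDF to the authorized employees group before the join, which is the "better plans possible if the UDF is selective" point of Page 12.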

Page 18: Performance Evaluation

Study the utility of RR and Optimal Safe Plan
Auth: managers can see information only pertinent to their region
  authNation: Nation ⋉ (Region restricted to the manager's region)
  authCustomer: Customer ⋉ (Nation ⋉ (Region restricted to the manager's region)) ...
Query: find suppliers who fulfill "important" orders
[Figure: the query plan before and after authorization view replacement]

Page 19: Both RR and Optimal Safe Plan are necessary

[Chart: normalized execution times for UDF On Top versus Safe Optimal, without RR and with RR (legend: No RR, Apply RR, Apply Both); values shown: 47.83, 23.25, 100.00, 53.25]

Page 20: Integrating RR and Optimal safe plan

Rule-based optimizers involve a simplification phase followed by a transformation phase
RR in simplification reduces query size and optimization time
But RR in simplification interferes with safety inference: optimal safe plan generation requires preserving the input plan until the memo is created, and RR can possibly remove some Ai
Possible integration: RR in the transformation phase (increased optimization time); RR in the simplification phase with conditioned authorization for safe plan generation

Page 21: Conclusions

Redundancy in queries: transformation rules for redundancy removal
Information leakage: definition of a safe plan; extending the optimizer for generating the optimal safe plan
Preliminary performance study of the proposed techniques: ensure safety while providing significant performance benefits
Future: study conditioned authorization; better solution for timing-analysis-based information leakage; add rules for handling authorizations involving nullification and aggregation

Questions?

Page 22: Better solutions for handling exceptions / timing-analysis-based information leakage

Naive solution: treat any operation that generates an exception like a UDF and pull it to the top (or onto safe expressions). Delayed selection: expensive plan (possibly)
Better solution: push a weaker selection which never raises an exception, but retain the original selection on top
A similar approach looks promising for timing analysis