Auditing Compliance with a Hippocratic Database
Transcript of Auditing Compliance with a Hippocratic Database
Slide 1: Auditing Compliance with a Hippocratic Database
Javier Salinas Martín
Slide 2: Outline
- Introduction
- System architecture:
  - Logs
  - Audits
  - Audit queries
- Performance
Slide 3: Introduction
Responsibly managing privacy-sensitive data is mandatory.
Approaches:
- Physically logging the results of each query
- A new system to audit whether the database executed a query in the past that accessed private data
Slide 4: System properties
- Non-disruptive
- Fast and precise
- Fine-grained
- Convenient
Slide 5: System architecture (figure only)
Slide 6: Logs
Query log: timestamp, user ID
Temporal extensions: for each table T, a backlog table Tb is created, organised in one of two ways:
- Time stamped
- Interval stamped
Slide 7: Time-stamped organization
A tuple in Tb has two additional columns:
- TS: time of storage
- OP: operation {‘insert’, ‘delete’, ‘update’}
Triggers are used to capture updates.
To recover the state of T at time τ, take a snapshot.
Slide 8: Interval-stamped organization
Each tuple records the period of time for which it was alive:
- TS: time of storage
- TE: end time
The insert trigger adds t to Tb, setting TE to null.
The update trigger searches for the tuple b such that b.P = t.P and b.TE = null, sets b.TE to the current time, and inserts the new tuple t.
The delete trigger searches for the tuple b such that b.P = t.P and b.TE = null and sets b.TE to the current time.
Slide 9: Audit expressions
Syntax identical to that of a select query, except that “Audit” replaces “Select” and no DISTINCT is allowed in the select list.
U: cross product of all the base tables in the database.
Cells that satisfy the expression are marked in U.
Slide 10: Schema used for examples (figure only)
Slide 11: Example of audit expression
Audit whether the disease information of anybody living in ZIP code 95120 was disclosed.
The cells of the disease column of those tuples in Customer × Treatment that satisfy c.cid = t.pcid and c.zip = 95120 are marked.
Slide 12: Some definitions
Given a tuple t, a query Q and an audit expression A:
- Indispensable tuple: omitting t makes a difference to the result of Q
- Candidate query: Q accesses all the columns that A specifies in its audit list
- Suspicious query: Q and A share an indispensable tuple
Slide 13: Example 1
Q is a candidate query with respect to A.
Q is suspicious with respect to A if there is a customer who lived in ZIP code 95120 and was treated for diabetes.
Slide 14: Example 2
Q is not suspicious with respect to A: anyone who looks at the output of the query will not learn that Alice has cancer.
Slide 15: System architecture (figure only)
Slide 16: Audit query generation
Full audit expression.
Two steps:
- Static analysis: select candidate queries from the query log
- Audit query generation: augment every candidate query with information from the audit expression and combine them into an audit query that unions their output
Slide 17: Static analysis
Select candidate queries in four steps:
- Check whether Q is a candidate query
- Check whether the timestamp of Q is out of range
- Check whether the purpose-recipient pair of Q matches any of the purpose-recipient pairs specified in the otherthan clause of A
- Check for contradictions between predicates
Result: the set of candidate queries Q = {Q1, …, Qn}
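As an added example (written for this transcript, not code from the talk or the paper), the four checks above as a filter over a constructed query log. It assumes that the log records purpose, recipient and accessed columns for each query, that A carries a during range and an otherthan set, and it handles only equality predicates in the contradiction check.

```python
from dataclasses import dataclass, field

@dataclass
class LoggedQuery:
    """Query-log entry; purpose, recipient and accessed columns are assumed to be logged."""
    qid: str
    ts: int
    purpose: str
    recipient: str
    columns: frozenset                             # columns Q reads (select list and predicates)
    eq_preds: dict = field(default_factory=dict)   # column -> constant from Q's equality predicates

@dataclass
class AuditExpr:
    audit_list: frozenset      # columns named in A's audit list
    during: tuple              # (start, end) of the time range A covers (assumed clause)
    otherthan: frozenset       # (purpose, recipient) pairs exempted by A's otherthan clause
    eq_preds: dict = field(default_factory=dict)

def is_candidate(q, a):
    """The four checks of slide 17; failing any one drops Q from the candidate set."""
    if not a.audit_list <= q.columns:            # 1: Q must access every audited column
        return False
    if not a.during[0] <= q.ts <= a.during[1]:   # 2: Q's timestamp is out of A's range
        return False
    if (q.purpose, q.recipient) in a.otherthan:  # 3: purpose-recipient pair is exempt
        return False
    for col, val in a.eq_preds.items():          # 4: A's and Q's predicates contradict
        if q.eq_preds.get(col, val) != val:      #    (only equality predicates handled here)
            return False
    return True

def select_candidates(log, a):
    return [q.qid for q in log if is_candidate(q, a)]

# Constructed log and audit expression in the Example 1 setting of slide 13.
A = AuditExpr(frozenset({"t.disease"}), (100, 200),
              frozenset({("treatment", "physician")}), {"c.zip": "95120"})
COLS = frozenset({"c.cid", "t.pcid", "t.disease"})
LOG = [
    LoggedQuery("Q1", 150, "marketing", "agency", COLS | {"c.address"}, {"t.disease": "diabetes"}),
    LoggedQuery("Q2", 150, "marketing", "agency", frozenset({"c.address", "c.zip"})),  # no disease
    LoggedQuery("Q3", 250, "marketing", "agency", COLS),                               # out of range
    LoggedQuery("Q4", 150, "treatment", "physician", COLS),                            # exempt pair
    LoggedQuery("Q5", 150, "marketing", "agency", COLS | {"c.zip"}, {"c.zip": "94301"}),  # contradicts
]
```

Only Q1 survives all four checks and goes on to audit query generation.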
Slide 18: Audit Query Generation
Augment every Qi with A. The result is another query AQi, defined against the backlog database at time τi, where τi is the timestamp of Qi as recorded in the query log.
All AQi are combined into one audit query AQ whose output is the union of the outputs of the individual AQi.
AQ is executed against the backlog database.
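The following Python/sqlite3 example, added here and not taken from the talk or the paper, serves both the interval-stamped backlog of slide 8 and the audit query generation of slide 18: it creates a backlog table with the three triggers for any base table, reconstructs the state at τ through the TS/TE interval, and builds AQi for the Example 1 query and audit expression. The logical clock table, the two-column Treatment table and the query history are assumptions.

```python
import sqlite3

NOW = "(SELECT tick FROM clock)"   # logical clock table standing in for wall-clock time (assumed)

def add_backlog(conn, table, cols, key):
    """Create the interval-stamped backlog <table>_b plus the three triggers of slide 8."""
    collist = ", ".join(cols)
    vals = ", ".join(f"NEW.{c}" for c in cols)
    # close the interval of the live tuple b with b.key = t.key and b.TE = null
    close = f"UPDATE {table}_b SET TE = {NOW} WHERE {key} = OLD.{key} AND TE IS NULL;"
    add = f"INSERT INTO {table}_b VALUES ({vals}, {NOW}, NULL);"   # new tuple, TE = null
    conn.executescript(f"""
        CREATE TABLE {table}_b ({collist}, TS, TE);
        CREATE TRIGGER {table}_i AFTER INSERT ON {table} BEGIN {add} END;
        CREATE TRIGGER {table}_u AFTER UPDATE ON {table} BEGIN {close} {add} END;
        CREATE TRIGGER {table}_d AFTER DELETE ON {table} BEGIN {close} END;""")

def alive(alias, tau):
    """Backlog tuples current at time tau: TS <= tau < TE (TE null means still live)."""
    return f"{alias}.TS <= {tau} AND ({alias}.TE IS NULL OR {alias}.TE > {tau})"

def audit_query(conn, audit_cols, q_from, q_where, a_where, tau):
    """AQi of slide 18: Qi's predicate conjoined with A's, evaluated over the backlog as of
    tau (Qi's logged timestamp). A non-empty result means Qi is suspicious w.r.t. A."""
    tables = ", ".join(f"{t}_b {a}" for t, a in q_from)
    state = " AND ".join(alive(a, tau) for _, a in q_from)
    sql = f"SELECT {audit_cols} FROM {tables} WHERE {state} AND ({q_where}) AND ({a_where})"
    return conn.execute(sql).fetchall()

def demo():
    """Constructed history over a reduced Customer/Treatment schema (assumed columns)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""CREATE TABLE clock(tick); INSERT INTO clock VALUES (0);
        CREATE TABLE Customer(cid, name, zip); CREATE TABLE Treatment(pcid, disease);""")
    add_backlog(conn, "Customer", ["cid", "name", "zip"], "cid")
    add_backlog(conn, "Treatment", ["pcid", "disease"], "pcid")
    conn.execute("UPDATE clock SET tick = 1")   # t=1: Alice (95120, cancer), Bob (94301, diabetes)
    conn.executemany("INSERT INTO Customer VALUES (?,?,?)", [(1, "Alice", "95120"), (2, "Bob", "94301")])
    conn.executemany("INSERT INTO Treatment VALUES (?,?)", [(1, "cancer"), (2, "diabetes")])
    conn.execute("UPDATE clock SET tick = 2")   # t=2: Bob moves to 95120; update trigger fires
    conn.execute("UPDATE Customer SET zip = '95120' WHERE cid = 2")
    # Q (Example 1): diabetes patients; A: disease of anybody living in ZIP code 95120
    q_from = [("Customer", "c"), ("Treatment", "t")]
    q_where = "c.cid = t.pcid AND t.disease = 'diabetes'"
    a_where = "c.cid = t.pcid AND c.zip = '95120'"
    at_1 = audit_query(conn, "c.cid, t.disease", q_from, q_where, a_where, 1)
    at_2 = audit_query(conn, "c.cid, t.disease", q_from, q_where, a_where, 2)
    return at_1, at_2   # ([], [(2, 'diabetes')]): Q run at t=1 is not suspicious, the run at t=2 is
```

Unioning the AQi for every candidate timestamp gives the single AQ of slide 18; here the same Q logged at τ=1 and τ=2 yields an empty and a non-empty AQi respectively, because Bob's old Customer tuple is closed by TE = 2 in the backlog.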
Slide 19: Audit Query Generation example (worked example shown as a figure)
Slide 20: Audit Query Generation example (continued, figure only)
Slide 21: Audit Query Generation example (continued, figure only)
Slide 22: Performance: cost of maintaining backlog tables (chart only)
Slide 23: Performance: execution time of an audit query (chart only)
Slide 24: Questions?