Auditing Compliance with a Hippocratic Database - PowerPoint PPT Presentation
1
Auditing Compliance with a Hippocratic Database
  • Javier Salinas Martín

2
Outline
  • Introduction
  • System architecture
  • Logs
  • Audits
  • Audit queries
  • Performance

3
Introduction
  • Responsibly managing privacy-sensitive data is
    mandatory
  • Approaches:
  • Physically logging the results of each query
  • New system: audit whether the database executed
    a query in the past that accessed private data

4
System properties
  • Non-disruptive
  • Fast and precise
  • Fine-grained
  • Convenient

5
System architecture
6
Logs
  • Query log: timestamp, user ID
  • Temporal extensions: for each table T, a backlog
    table Tb is created, organized in one of two ways:
  • Time stamped
  • Interval stamped

7
Time stamped organization
  • A tuple in Tb has two additional columns:
  • TS: time of storage
  • OP: operation (insert, delete, update)
  • Triggers are used to capture updates
  • To recover the state of T at time t, take a snapshot

8
Interval stamped organization
  • Records the period of time for which each tuple was alive
  • TS: time of storage
  • TE: end time
  • Insert trigger adds t to Tb, setting TE to null
  • Update trigger searches for the tuple b such that
    b.P = t.P and b.TE = null (P is the primary key),
    sets b.TE to the current time and inserts the
    new tuple t
  • Delete trigger searches for the tuple b such that
    b.P = t.P and b.TE = null and sets b.TE to the
    current time

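The interval-stamped scheme of slides 6 to 8, as an added example in Python over SQLite (this is not code from the presentation or from the paper it summarizes). Assumptions: a base table Customer(cid, name, zip) with primary key cid; a one-row clock table that supplies a logical timestamp so the run is deterministic (a real deployment would use the DBMS's current timestamp); and the backlog Customer_b maintained by the three triggers the slide describes. state_at then reconstructs Customer as of any past time from the backlog alone, without touching the live table.

```python
import sqlite3

# Added example: interval-stamped backlog table kept by triggers (not the paper's code).
# Assumption: the `clock` table is a logical clock advanced by the caller for determinism.
SCHEMA = """
create table clock (now integer not null);
insert into clock values (0);

create table Customer (cid integer primary key, name text, zip integer);

-- backlog table: the original columns plus TS (time of storage) and TE (end time)
create table Customer_b (cid integer, name text, zip integer, TS integer not null, TE integer);

-- insert trigger: store the new tuple with TE = null, i.e. still alive
create trigger Customer_ins after insert on Customer
begin
    insert into Customer_b values (new.cid, new.name, new.zip, (select now from clock), null);
end;

-- update trigger: close the live backlog tuple with the same key, then store the new version
create trigger Customer_upd after update on Customer
begin
    update Customer_b set TE = (select now from clock) where cid = old.cid and TE is null;
    insert into Customer_b values (new.cid, new.name, new.zip, (select now from clock), null);
end;

-- delete trigger: close the live backlog tuple with the same key
create trigger Customer_del after delete on Customer
begin
    update Customer_b set TE = (select now from clock) where cid = old.cid and TE is null;
end;
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def tick(con, t):
    """Advance the logical clock (assumed monotonic; set by the caller)."""
    con.execute("update clock set now = ?", (t,))


def state_at(con, t):
    """Reconstruct Customer as of time t: a backlog tuple was alive at t if it was
    stored at or before t and either never ended (TE null) or ended after t."""
    return con.execute(
        "select cid, name, zip from Customer_b "
        "where TS <= ? and (TE is null or TE > ?) order by cid", (t, t)).fetchall()


def backlog(con):
    """Full backlog contents, oldest version first."""
    return con.execute(
        "select cid, name, zip, TS, TE from Customer_b order by TS, cid").fetchall()


def demo():
    """Constructed workload: insert, insert, update, delete at logical times 1..4."""
    con = open_db()
    tick(con, 1)
    con.execute("insert into Customer values (1, 'Alice', 95120)")
    tick(con, 2)
    con.execute("insert into Customer values (2, 'Bob', 95014)")
    tick(con, 3)
    con.execute("update Customer set zip = 94301 where cid = 1")   # Alice moves
    tick(con, 4)
    con.execute("delete from Customer where cid = 2")              # Bob is removed
    states = {t: state_at(con, t) for t in (1, 2, 3, 4)}
    return states, backlog(con)


if __name__ == "__main__":
    states, rows = demo()
    for t, s in states.items():
        print(f"Customer at time {t}: {s}")
    print("backlog:", rows)
```

The reconstruction predicate `TS <= t and (TE is null or TE > t)` is the only thing an audit query later needs to add to a candidate query to evaluate it against the database as it stood at the query's timestamp.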
9
Audit expressions
  • Syntax is identical to that of a select query, except:
  • No distinct in the select list
  • audit replaces select
  • U: cross product of all the base tables in the
    database
  • Cells that satisfy the expression are marked in U

10
Schema used for examples
11
Example of audit expression
  • Audit whether the disease information of anybody
    living in ZIP code 95120 was disclosed
  • Cells corresponding to the disease column of
    those tuples in Customer x Treatment that
    satisfy c.cid = t.pcid and c.zip = 95120 are
    marked

12
Some definitions
  • Tuple t, query Q, audit expression A
  • Indispensable tuple: omitting t makes a
    difference to the output of Q
  • Candidate query: Q accesses all columns A
    specifies in its audit list
  • Suspicious query: Q and A share an indispensable
    tuple

13
Example 1
  • Q is a candidate query with respect to A
  • Q is suspicious with respect to A if there is a
    customer who lived in the ZIP code 95120 and was
    treated for diabetes

14
Example 2
  • Q is not suspicious with respect to A
  • Anyone who looks at the output of the query will
    not learn that Alice has cancer

15
System architecture
16
Audit query generation
  • Input: the full audit expression
  • Two steps:
  • Static analysis: select candidate queries from
    the query log
  • Audit query generation: augment every candidate
    query with information from the audit expression
    and combine them into an audit query that unions
    their output

17
Static analysis
  • Selects the candidate queries
  • Four steps:
  • Check whether Q is a candidate query
  • Check whether the timestamp of Q is out of range
  • Check whether the purpose-recipient pair of Q
    matches any of the purpose-recipient pairs specified in
    the other than clause of A
  • Check for contradictions between predicates
  • Result: set of candidate queries Q = {Q1, ..., Qn}

18
Audit Query Generation
  • Augment every Qi with A
  • Result is another query AQi, defined against the
    backlog database at time ti
  • ti is the timestamp of Qi as recorded in the
    query log
  • All AQi are combined into one AQ audit query
    whose output is the union of the output of the
    individual AQi
  • AQ is executed against the backlog database

19
Audit Query Generation example
  • Example

20
Audit Query Generation example
21
Audit Query Generation example
22
Performance
  • Cost of maintaining backlog tables

23
Performance
  • Execution time of an audit query

24
Questions?