Auditing Compliance with a Hippocratic Database
Javier Salinas Martín

Outline
- Introduction
- System architecture:
  – Logs
  – Audits
  – Audit queries
- Performance

Introduction
- Responsibly managing privacy-sensitive data is mandatory
- Approaches:
  – Physically logging the results of each query
  – New system to audit whether the database executed a query in the past that accessed private data

System properties
- Non-disruptive
- Fast and precise
- Fine-grained
- Convenient

System architecture

Logs
- Query log: timestamp, user ID
- Temporal extensions: for each table T, a backlog table Tb is created
  – Time stamped
  – Interval stamped

Time stamped organization
- A tuple in Tb has two additional columns:
  – TS: time of storage
  – OP: operation {'insert', 'delete', 'update'}
- Triggers are used to capture updates
- Recover the state of T at time τ: take a snapshot

Interval stamped organization
- Period of time for which each tuple was alive:
  – TS: time of storage
  – TE: end time
- Insert trigger adds t to Tb, setting TE to null
- Update trigger searches for the tuple b such that b.P = t.P and b.TE = null, sets b.TE to the current time and inserts the new tuple t
- Delete trigger searches for the tuple b such that b.P = t.P and b.TE = null and sets b.TE to the current time

Audit expressions
- Identical to that of a select query
- No distinct in the select list
- "Audit" replaces "Select"
- U: cross product of all the base tables in the database
- Cells that satisfy the expression are marked in U

Schema used for examples

Example of audit expression
- Audit if the disease information of anybody living in the ZIP code 95120 was disclosed
- Cells corresponding to the disease column of those tuples in the Customer x Treatment table that have c.cid = t.pcid and c.zip = 95120 are marked

Some definitions
- Tuple t, query Q, audit A
- Indispensable tuple: omitting t makes a difference to the result of Q
- Candidate query: Q accesses all columns that A specifies in its audit list
- Suspicious query: Q and A share an indispensable tuple

Example 1
- Q is a candidate query with respect to A
- Q is suspicious with respect to A if there is a customer who lived in the ZIP code 95120 and was treated for diabetes

Example 2
- Q is not suspicious with respect to A
- Anyone who looks at the output of the query will not learn that Alice has cancer

System architecture

Audit query generation
- Full audit expression
- Two steps:
  – Static analysis: select candidate queries from the query log
  – Audit query generation: augment every candidate query with information from the audit expression and combine them into an audit query that unions their outputs

Static analysis
- Select candidate queries
- Four steps:
  – Check whether Q is a candidate query
  – Check whether the timestamp of Q is out of range
  – Check whether the purpose-recipient pair of Q matches any of the purpose-recipient pairs specified in the otherthan clause of A
  – Check for contradictions between predicates
- Set of candidate queries Q = {Q1, …, Qn}

Audit Query Generation
- Augment every Qi with A
- The result is another query AQi, defined against the backlog database at time τi
- τi is the timestamp of Qi as recorded in the query log
- All AQi are combined into one audit query AQ whose output is the union of the outputs of the individual AQi
- AQ is executed against the backlog database

Audit Query Generation example
- Example:

Performance
- Cost of maintaining backlog tables
- Execution time of an audit
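As an added example (not code from the slides or from the original paper), the interval-stamped backlog for the Customer table maintained by the three triggers described above, plus the slides' audit expression augmented with the timestamp τ of a logged candidate query so it runs against the backlog rather than the live table. The one-row clock table standing in for the transaction timestamp, the exact column names and the sample history are assumptions.

```python
import sqlite3

# Customer_b is the interval-stamped backlog of Customer; the clock table is a
# stand-in for the transaction timestamp the triggers would normally read.
SCHEMA = """
CREATE TABLE clock(now INTEGER);
INSERT INTO clock VALUES (0);
CREATE TABLE Customer(cid INTEGER PRIMARY KEY, name TEXT, zip INTEGER);
CREATE TABLE Customer_b(cid INTEGER, name TEXT, zip INTEGER, TS INTEGER, TE INTEGER);
CREATE TABLE Treatment(pcid INTEGER, disease TEXT);
-- Insert trigger: add t to Tb with TE = null (tuple is alive).
CREATE TRIGGER cust_ins AFTER INSERT ON Customer BEGIN
  INSERT INTO Customer_b SELECT NEW.cid, NEW.name, NEW.zip, now, NULL FROM clock;
END;
-- Update trigger: close the live version b (b.P = t.P, b.TE = null), then insert the new t.
CREATE TRIGGER cust_upd AFTER UPDATE ON Customer BEGIN
  UPDATE Customer_b SET TE = (SELECT now FROM clock) WHERE cid = OLD.cid AND TE IS NULL;
  INSERT INTO Customer_b SELECT NEW.cid, NEW.name, NEW.zip, now, NULL FROM clock;
END;
-- Delete trigger: only close the live version.
CREATE TRIGGER cust_del AFTER DELETE ON Customer BEGIN
  UPDATE Customer_b SET TE = (SELECT now FROM clock) WHERE cid = OLD.cid AND TE IS NULL;
END;
"""
# A backlog version belongs to the state at time tau when TS <= tau < TE (TE null = alive).
ALIVE_AT = "c.TS <= ? AND (c.TE IS NULL OR c.TE > ?)"

def tick(con, t):
    con.execute("UPDATE clock SET now = ?", (t,))

def snapshot_customer(con, tau):
    """Recover the state of Customer at time tau from the backlog alone."""
    sql = f"SELECT c.cid, c.name, c.zip FROM Customer_b c WHERE {ALIVE_AT} ORDER BY c.cid"
    return con.execute(sql, (tau, tau)).fetchall()

def audit_disease_zip(con, tau, zip_code):
    """Audit expression 'disease of anyone in zip_code' evaluated at a candidate query's time tau."""
    sql = f"""SELECT c.cid, t.disease FROM Customer_b c, Treatment t
              WHERE c.cid = t.pcid AND c.zip = ? AND {ALIVE_AT} ORDER BY c.cid"""
    return con.execute(sql, (zip_code, tau, tau)).fetchall()

def build_db():
    """Constructed sample history: two customers in 95120; one moves away, one is deleted."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    tick(con, 1)
    con.execute("INSERT INTO Customer VALUES (1, 'Alice', 95120)")
    con.execute("INSERT INTO Customer VALUES (2, 'Bob', 95120)")
    con.execute("INSERT INTO Treatment VALUES (1, 'diabetes'), (2, 'flu')")
    tick(con, 2)
    con.execute("UPDATE Customer SET zip = 94301 WHERE cid = 1")  # Alice moves out of 95120
    tick(con, 3)
    con.execute("DELETE FROM Customer WHERE cid = 2")
    return con
```

Running the audit at τ = 1, 2 and 3 shows why the backlog is needed: the same expression against the live Customer table would report nothing, although a query logged at τ = 1 could have disclosed both customers' diseases.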