Research Statement

Research Statement
Jeff Pittges
Motivation
External attacks on computer systems are well publicized and well recognized as a
serious problem. However, insiders perpetrate over 80 percent of all security breaches.
Until recently corporations rarely reported data leakage (i.e., the loss of confidential
information). Emerging regulations, including the Health Insurance Portability and
Accountability Act (HIPAA), require corporations to protect sensitive information and
publicly disclose security breaches. Analysts estimate that data leakage costs
corporations over a billion dollars a year. Consequently, data security, data leakage, and
privacy are becoming urgent challenges for the database community [1].
Most database security architectures rely on a fortress security model in which access to
the database management system (DBMS) is strictly controlled while the data within the
database is stored in the clear. Not only is the data unprotected from attackers who
circumvent the access controls, the data is also unprotected from authorized personnel
thereby creating unnecessary threats to privacy and security.
Solution
One solution to this problem is to apply fine-grained role-based access privileges, but this
approach still leaves the data exposed. Most popular database management systems
allow database administrators to encrypt data thereby applying the principle of Defensein-Depth
[10]. Data encryption adds a layer of protection but it is still possible to recover
the original data by decrypting the encrypted data [4, 5, 6].
A Translucent Database [7, 8] uses one-way hash functions and other cryptographic
algorithms to obfuscate the original data without destroying the function of the data. For
example, the Unix password file applies a one-way hash function to each password
before the password is stored in the file. Each time a user logs into the system the hash
function is applied to the password entered by the user and the result is compared with
the user password stored in the password file. If an attacker gains access to the contents
of the password file it is impossible for the attacker to obtain the original data thereby
preventing access to the user passwords.
Translucent data is secure and translucent data renders attacks uninteresting because the
data has no value to the attacker. Translucent data also protects privacy because
authorized users are unable to view the original data. The Microsoft Hailstorm project
[9], an online store of personal information including an individual’s calendar, contacts,
and credit card numbers, was built on the concept of a translucent database.

The techniques to create a translucent database are readily available to any application
developer. However, implementing translucency in the application layer creates an
undesirable dependency between the application and the database. There are also
database performance considerations. Finally, application developers are not given time
to implement security features and when time is allocated for security, few developers
have the necessary skills to implement security features correctly. The goal of my
research is to extend database management systems to provide native support for
translucency thereby increasing data security and privacy and reducing data leakage.
Plan
The Oracle Database 10g provides a built-in package named DBMS_CRYPTO that
provides functions for generating keys, managing keys, and encrypting and decrypting
data [10]. However, Oracle’s DBMS_CRYPTO package uses a block cipher rather than
applying encryption to specific data columns as discussed in [4]. A block cipher requires
the DBMS to encrypt and decrypt data as the data moves between main memory and
disk. Therefore, the data in main memory is exposed as clear text and the query
execution engine does not operate on encrypted data. Hence, Oracle 10g does not
provide native support for data encryption. I plan to build on the research presented
above by: (1) developing native DBMS support for cryptography, (2) extending the
cryptographic functions supported by the DBMS to include one-way hash algorithms, and
(3) developing a framework that makes security far more accessible to practitioners. To
my knowledge, no similar work exists in the published literature. Furthermore, I am
optimistic the recent NSF CyberTrust and CyberInfrastructure programs will continue to
support such security-related research.
The first step in my research plan is to extend the Data Definition Language (DDL) and
Data Manipulation Language (DML) to support policy-based security. Consider a
security policy stating that all HIPAA data must be encrypted. The database
administrator (DBA) should be able to define a HIPAA data type and when a database
table is defined with a column of type HIPAA the DBMS should automatically encrypt
the data. The DDL statements used to create the table should allow the DBA to select the
cryptographic algorithm from a set of algorithms natively supported by the DBMS. The
first step of my research will create a mechanism for implementing policy-based security
within the DBMS that is easily accessible to practitioners.
The theoretical constructs developed in the first step of my research will lack significant
impact unless they can be implemented and tested in realistic scenarios. My 15 years of
database experience are rife with examples of promising ideas that have been shelved due
to the absence of rigorous testing academic research requires. Drawing on this
experience, the second step of my research plan is to implement a system that supports
the constructs developed in the first step. This system will serve as a tool to evaluate the
results of the first step and guide further research. This system may be developed by
extending an existing open source database such as MySQL. This work should provide
interesting projects for students and challenging programming assignments for computer
science classes.

While the first and second steps of my research will demonstrate the ability to store data
securely, the full extend of my research goals may only be realized if the DBMS is able
to operate on translucent data without recovering the original data thereby enhancing the
security of the data and protecting privacy. Therefore, the third step of my research plan
will develop functions that operate directly on translucent data. These functions include
searching, partial matching, and data mining operations that are efficient while preserving
data security and privacy.
References
1. Database Security (Common Sense Principles).
http://www.governmentsecurity.org/articles/DatabaseSecurityCommonsensePrinciples.php
2. Database Security Issues: Inference.
3. http://databases.about.com/od/security/l/aainference.htm
4. Mattsson, Ulf T. A Database Encryption Solution that is Protecting Against External
and Internal Threats, Meeting Regulatory Requirements. February 25, 2005.
http://database.ittoolbox.com/white-papers/a-database-encryption-solution-that-is-
protecting-against-external-and-internal-threats-meeting-regulatory-requirements-
4266
5. Newman, Aaron C. Encryption of Data at Rest. May 28, 2002.
http://database.ittoolbox.com/white-papers/encryption-of-data-at-rest-1922
6. MacVittie, Don. Time is Right for Database Encryption. December 9, 2003.
http://www.networkcomputing.com/showitem.jhtml;jsessionid=ZWGY32WNMZH0
EQSNDBCCKHY?articleID=16401578
7. Wayner, Peter. Translucent Databases. Baltimore: Flyzone Press. 2002.
8. Garfinkel, Simon. Protecting Privacy with Translucent Databases. August 2, 2002.
http://www.oreillynet.com/pub/a/network/2002/08/02/simson.html
9. Microsoft Hailstorm. http://xml.coverpages.org/hailstorm.html
10. Nanda, Arup. Encrypt Your Data Assets. Oracle Magazine. January/February 2005.
http://www.oracle.com/technology/oramag/oracle/05-jan/o15security.html