ISA 765 - Databases and Distributed System Security

George Mason University

Department Of Computer Science

Fall 2010

ISA 765 - Databases and Distributed System Security

Thursday 7:20 p.m. - 10:00 p.m.
Art and Design 2026
Dr. Michael Smeltzer
msmeltze at gmu dot edu
Office Hours: By Appointment

Last updated 08.29.2010 1000

Announcements

	MIDTERM	FINAL	PAPER	ADJ TOT
TOT
AVG
HI

Finals Schedule
Academic Calendar
Activating your Mason e-mail

UNOFFICIAL DROP DATES
Last day to drop with no tuition liability: Sep. 14
Last day to drop with 33% tuition penalty: Sep. 21
Last day to drop with 67% tuition penalty: Oct. 1
Last day to drop with no academic liability: Oct. 1

msmeltze at gmu dot edu
Office Hours: By Appointment

DESCRIPTION :

Course Catalog: Science and study of methods of protecting data: discretionary and mandatory access controls, secure database design, data integrity, secure architectures, secure transaction processing, information flow controls, inference controls, and auditing. Covers security models for relational and object-oriented databases; security of databases in distributed environment; statistical database security; and survey of commercial systems and research prototypes.

PREREQUISITES :

ISA 614 - Database Management
ISA 562 - Information Security Theory and Practice

The following concepts will be used in the course with minimum or no instruction:

DB replication
DB accounts
Relations, attributes, tuples
Atomicity
Schema
Simple SQL (select, join)
Views
First normal form
Primary keys
Reference monitors
Referential integrity
Functional dependencies
DB consistency
DB indices
DB relational algebra
PKI
Digital signatures
Encryption
DAC and MAC

TEXT:
Marshall D. Abrams, Sushil Jajodia, and Harold J. Podell, eds. Information Security: An Integrated Collection of Essays, IEEE Computer Society Press, 1995. Available on line from Information Security Bookshelf

We will also read papers from the GMU Digital Library, and some found on the Internet. Since there are several papers associated with the lectures, students always ask if the papers will be covered on the exams. The answer is some of the papers are the basis of the lecture material, some present other views for clarification of the lecture content, and some leverage ideas in the lectures.

"NOTIONAL" SCHEDULE:

WEEK	TOPIC	READING
9/2	DB Security Introduction Slides
9/9	DB Discretionary Access Control Slides	1. Griffiths, Patricia P. and Bradford W. Wade. "An authorization mechanism for a relational database system." ACM Transactions on Database Systems,Vol.1, No. 3. Sep. 1976. pp. 242-255. 2. Fagin, Ronald. "On an authorization mechanism."ACM Transactions on Database Systems, Vol. 3 No. 3. Sep. 1978. pages 310-319. 3. Bertino, E., P. Samarati, and S. Jajodia, "An extended authorization model for relational databases," IEEE Transactions on Knowledge and Data Engineering, Vol 9, No. 1. Jan.-Feb. 1997, pages 85-101. 4. Bertino, E., P. Samarati, and S. Jajodia, "A Flexible Authorization Mechanism for Relational Data Management Systems." ACM Transactions on Information Systems, Vol. 17, No. 2, April 1999, Pages 101–140.
9/16	DB Mandatory Access Control Slides	1. Abrams, Jajodia and Podell - Essay 2 by Brinkley and Schell 2. Rjaibi, W. and P. Bird. "A Multi-Purpose Implementation of Mandatory Access Control in Relational Database Management Systems" Proceedings of the 30th VLDB Conference, Toronto, Canada, 2004.
9/23	Covert Channels Slides	1. Proctor, Norman E., and Peter G. Neumann. "Architectural Implications of Covert Channels." Fifteenth National Computer Security Conference, Baltimore, 13-16 October 1992. pp 28-43. 2. Cabuk, Serdar, Carla Brodley, and Clay Shields. "IP Covert Timing Channels: Design and Detection." Computer and Communications Security Conference CCS'04. ACM. October 25-29, 2004.
9/30	Multi Level Secure Relational Model Slides	1. Sandhu, Ravi and Sushil Jajodia. "RESTRICTED POLYINSTANTIATION or How to Close Signaling Channels Without Duplicity." Proc. 3rd RADC Workshop on Multilevel Database Security. 1990. 2. Abrams, Jajodia and Podell - Essay 20 by Jajodia and Sandhu and Essay 21 by Jajodia, Sandhu and Blaustein.
10/7	Multi Level Secure DB Architectures Slides	1. Abrams, Jajodia and Podell - Essay 19 by Notargiacomo
10/14	MIDTERM
10/21	Auditing in Relational DBs Slides	Abrams, Jajodia and Podell - Essay 25 by Jajodia, Gadia and Bhargava
10/28	Inferencing in DBs Slides	1. Adam, N. R. and J. C. Wortmann. "Security-control methods for statistical databases: A comparative study," ACM Computing Surveys, 21(4):515-556, December 1989. 2. Brodsky, Alexander , Csilla Farkas, Duminda Wijesekera, Xiaoyang Sean Wang "Constraints, Inference Channels and Secure Databases" , CP 2000: 98-113.
11/4	Privacy and Linking to External DBs Slides	1.Sweeney,Latanya. "k-anonymity: A model for protecting privacy” International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10 (5), 2002; 2. P. Samarati, "Protecting respondents' identities in microdata release," IEEE Trans. On Knowledge and Data Engineering, Vol. 13, No. 6, 2001, pages 1010-1027.
11/11	Encrypted DB Slides	1. Hacigumus, Hakan, Bala Iyer, Chen Li, Sharad Mehrotra. "Executing SQL over Encrypted Data in the Database-Service-Provider Model." ACM SIGMOD. June 4-6, 2002. pp 216-227. 2. Hacigumus, Hakan, Bala Iyer, Sharad Mehrotra. "Efficient Execution of Aggregation Queries over Encrypted Relational Databases." Database Systems for Advanced Applications (DASFAA). 2004. Lecture Notes in Computer Science (LNCS) 2973, pp. 125–136. Springer-Verlag. 2004.
11/18	Information Warfare Attacks on a DB Slides	1. Ammann, P, S. Jajodia, C. D. McCollum, and B. T. Blaustein, "Surviving information warfare attacks on databases." Proc. IEEE Symp. on Research in Security and Privacy, Oakland, Calif., May 1997, pages 164-174. 2. Jajodia, S., P. Ammann, and C. D. McCollum, "Surviving information warfare attacks," IEEE Computer, Vol. 32, No. 4, April 1999, pages 57-63. 3. Jajodia, Sushil, Catherine D. McCollum, and Paul Ammann, "Trusted recovery," Communications of the ACM, Vol. 42, No. 7, July 1999, pages 71-75.
11/25	THANKSGIVING
12/2	Presenetations
12/9	Presenetations
12/16	FINAL 7:30-9:30

PRESENTATION:
Each student will be required to make a 25 minute presentation to the class on an academic article related to the security of databases or distributed systems. The presentations are scheduled for the last two class periods. These will be individual projects rather than group projects and will determine one-third of your grade. I will not identify the articles for you to review; rather part of you grade will be based on your ability to identify and locate a relevant, interesting and understandable article.

One good source of papers will be references listed in the papers we are reading for class. You may also search the GMU article database using keywords or try Google Scholar. You will be evaluated on

Criteria	Points
Pertinence of the article to DB security	5
Quality of the article	5
Student's grasp of the presented material	10
Thoroughness	10
Questions/Answers and class discussion	5
Presentation Skills	5
TOTAL	40

Submit the subject, author, source and year of publication by September 30.
Submit a half page summara of the paper by October 14,
You must provide 1) one printed copy of the article and 2) the presentation to me at the beginning of your talk.
You must provide an electronic copy of the presentation for posting on the class web page. (5 points deducted if you fail to do this)
As quesitons arise about your article and presentation, I will allocate extra credit points to students in the audience based on their participation and insight.
A sample presentation can be found here. You must follow this approach, but are welcome to extend and enhance it. If you include ideas or diagrams from secondary sources, ensure that you give proper credit to the author(s) on the slide.
An evaluation of presentation skills is included to ensure 1) you are prepared, 2) that you aren't just reading notes, 3) that you have grasped the concepts of the paper and are providing more than a simple section-by-section summary, 4) that everyone can hear you, 5) and that you can articulate security ideas.

Plagiarism will result in a score of 0, and I may use automated tools provided by the university to identify plagiarism.
You are not allowed to use a paper published at your place of employment or reviewed for another security class

Presentation Schedule

GRADING:

Grades will be calculated as follows:

Normalize the 100 percentile for each component using the highest score in the class.
Average the individaul percentage scores which allocates points as follows:

	Project
Midterm	33.3%
Final	33.3%
Paper	33.3%

Assign grades
A: 90% -100%
B: 70% - 90%
C: 60% - 70%
F: Below 60%

Example: Suppose your grade on the midterm is 50/60=83.3%, your grade on the final is 54/70 = 77.1%, and your grade on the paper is 74/75 = 98.6 . Let the highest scores in the class on each exam be 58 (58/60=96.6%), 62 (62/70=88.5%), and 75/75=100% respectively. Normalizing your percentile scores by the highest percentile scores yields 83.3/96.6 = 86.2%, 77.1/88.5 = 87.1%, and 98.6/100 = 98.6. Averaging these scores is 90.6% which would be an A.

EXAMS:
GMU Honor Code.
University Finals Schedule

You can NOT make up the exams, and you must take the final during the registrar's official scheduled timeslot
ABSOLUTELY NO EXCEPTIONS!! - Coordinate your travel accordingly.

There will NOT be an option for extra credit.