DB Tamper Detection, Forensic Analysis, and Privacy - PowerPoint PPT Presentation

Slides: 29
Provided by: amosb
Transcript and Presenter's Notes

1
DB Tamper Detection, Forensic Analysis, and
Privacy
2
Outline
  • Introduction
  • Problems
  • Audit log and tamper detection
  • Forensic analysis
  • Using forensic analysis tool to breach privacy
  • Summary

3
Introduction
  • Security in business systems
  • Data(base) is the most precious resource
  • Security techniques try to prevent adversaries
    from breaking in
  • What if system intrusion happens?
  • Audit log
  • Helps identify DB intrusion
  • Forensic analysis
  • Privacy problem
  • Deleted records can still be found in DB systems
    with forensic analysis tools

4
Understanding audit log
  • It records any interactions with the data
    (modification, retrieval)
  • Mandated by federal laws for many businesses
  • Different from recovery log
  • Audit log should also include reads
  • Forensic analysis mainly depends on audit log

5
Tamper detection in audit logs
  • Paper in VLDB2004
  • Assumption
  • malicious DB operations are captured in audit log
  • Problem
  • Adversaries may try to tamper with the audit log too
  • How to protect the audit log from attacks?

6
Existing techniques
  • Digital notarization services
  • Data → notary ID
  • Data, notary ID → validation
  • costly
  • Use write-once-read-many storage
  • inefficient

7
Proposal
  • Assumption
  • A trusted notarization service
  • A trusted audit log validation service
  • Use notarization service
  • Reduce the cost/frequency of using notarization
    service
  • One entry per transaction
  • Hash chain
  • Order records by seq id
  • Hash one by one using hash chain

8
Notarization and validation
9
Tamper detection
  • If an audit entry is modified
  • In validation phase, the hash value will be
    inconsistent with the notarized value
  • Further efforts are needed to identify
  • When the intrusion happened
  • What data was altered
  • Who is the intruder

10
Forensic Analysis of Database Tampering
  • Paper in SIGMOD06
  • Based on the previous paper
  • Analyze when and what happened

11
Corruption diagram
  • Notations
  • NE: notarization event
  • VE: validation event
  • CE: corruption event
  • FVF: first validation failure
  • Each item for hashing
  • Record content
  • Transaction timestamp
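
The hash chain, notarization and validation steps from the slides above, as an added sketch that is not code from the presentation or the cited papers. SHA-256, the JSON encoding, the notarization interval and the in-memory list standing in for the trusted notary are assumptions; notarizing at intervals goes slightly beyond the slides to show how the first validation failure (FVF) bounds where the earliest change lies.

```python
import hashlib
import json

GENESIS = b"\x00" * 32  # assumed starting value of the chain

def chain_step(prev: bytes, entry: dict) -> bytes:
    # Hash the previous link with a canonical encoding of the entry
    # (seq id, transaction timestamp, record content).
    item = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev + item).digest()

def notarize(log: list, interval: int) -> list:
    """Chain the entries in seq order; every `interval` entries emit a
    notarization event (seq, hash). The returned list stands in for the
    trusted notarization service and must be out of the adversary's reach."""
    h, events = GENESIS, []
    for n, entry in enumerate(sorted(log, key=lambda e: e["seq"]), 1):
        h = chain_step(h, entry)
        if n % interval == 0:
            events.append((entry["seq"], h))
    return events

def validate(log: list, events: list):
    """Recompute the chain. Return None if every notarized value matches,
    else (last_good_seq, first_failed_seq): the earliest tampering lies in
    entries with last_good_seq < seq <= first_failed_seq."""
    expected, seen = dict(events), set()
    h, last_good = GENESIS, 0
    for entry in sorted(log, key=lambda e: e["seq"]):
        h = chain_step(h, entry)
        seq = entry["seq"]
        if seq in expected:
            seen.add(seq)
            if h != expected[seq]:
                return (last_good, seq)
            last_good = seq
    missing = [s for s, _ in events if s not in seen]  # notarized entry removed
    return (last_good, missing[0]) if missing else None

# Constructed sample audit log: one entry per transaction.
LOG = [{"seq": i, "ts": 1000 + i, "content": f"UPDATE acct SET bal={i * 10}"}
       for i in range(1, 9)]
EVENTS = notarize(LOG, interval=2)

def tampered_copy(seq: int, **changes) -> list:
    # Copy of LOG with one entry altered, as an adversary with DB access could do.
    return [dict(e, **changes) if e["seq"] == seq else dict(e) for e in LOG]
```

A shorter notarization interval narrows the reported range at the cost of more calls to the notarization service, which is the cost/frequency trade-off the proposal slide mentions.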

12
Corruption diagram
[Figure: corruption diagram. Labels: corruption region, transaction time, record id]
13
Timestamp corruption
  • Change timestamp to hide some activities
  • Problem
  • Difficult to accurately identify where
  • Solutions
  • Use multiple hash chains
  • RGB algorithm
  • Polychromatic algorithm
14
Threats to privacy in forensic analysis
  • Paper in SIGMOD07
  • Problems
  • Intentionally preserved history is ok
  • Recovery log
  • Audit log
  • Unintentionally preserved history
  • Deleted records are not actually deleted

15
Unintentionally preserved history
  • Using forensic tools
  • E.g., the Sleuth Kit
  • able to recover
  • Expired data (deleted)
  • Random access memory
  • Web browsing history

16
Reasons for UPH data
  • File system
  • Deleted block is immediately reallocated
  • Database system
  • Deleted record is only marked by a deletion bit
  • The authors show that
  • Most existing DB systems have the problem of UPH
    data
  • We will see

17
Possible techniques to prevent UPH data
  • Deletion with overwriting
  • E.g., overwrite each byte of the block with zero
  • Encrypted record
  • When deleting the record, we need to destroy the
    key only
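
Deletion bit versus overwriting, as an added example that is not from the presentation or the paper it summarizes. The slot layout (flag byte, length, payload) is a constructed toy format, not that of any real DBMS, and the sample records are made up.

```python
import struct

HDR = struct.Struct("<BH")  # constructed slot header: deletion flag, payload length

class Page:
    def __init__(self):
        self.raw = bytearray()  # the bytes that would sit on disk

    def insert(self, payload: bytes) -> int:
        off = len(self.raw)
        self.raw += HDR.pack(0, len(payload)) + payload
        return off

    def delete(self, off: int, overwrite: bool) -> None:
        _, n = HDR.unpack_from(self.raw, off)
        self.raw[off] = 1  # set the deletion bit
        if overwrite:
            start = off + HDR.size
            self.raw[start:start + n] = bytes(n)  # zero every payload byte

    def _slots(self):
        off = 0
        while off < len(self.raw):
            flag, n = HDR.unpack_from(self.raw, off)
            start = off + HDR.size
            yield flag, bytes(self.raw[start:start + n])
            off = start + n

    def query(self) -> list:
        """What the database returns: live records only."""
        return [p for flag, p in self._slots() if not flag]

    def carve(self) -> list:
        """What a raw scan of the page recovers from slots marked deleted."""
        return [p for flag, p in self._slots() if flag and any(p)]
```

Overwriting the table slot does not touch copies of the record in the transaction log or in index nodes, which later slides cover.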

18
Idea
  • Forensically transparent DB system
  • Here, forensic means using forensic tools to
    discover UPH data
  • Based on the analysis of DB operations
  • How is UPH data generated in DB systems
  • Apply known techniques to delete data completely
  • Overwriting
  • Encryption

19
How is expired data reused?
  • Vacuum
  • Table reorganization
  • To remove fragments
20
Definitions
  • DB slack
  • Deleted records are just marked as deleted
  • File System (FS) slack
  • Deleted disk blocks are just marked as deleted

21
Lifetime of a data record in DB
22
Privacy leak from transaction log
  • Transaction log keeps every write operation
  • checkpoint X; time xxxx: insert record A;
    time yyyy: delete record B
  • implemented in circular files
  • Sensitive data can be revealed
  • E.g., delete operation

23
Forensic analysis of indices
  • Problems with B-tree structure
  • Deleted keys persist in the internal node
  • A B-tree is determined by a series of
    insertions/deletions
  • Can possibly be traced back

24
Experiments
  • Forensic discovery on DB-slack data

25
Impact of vacuum
26
DB-slack time distribution of operations
27
Making DB forensically transparent
  • Method of choice
  • Overwriting
  • encryption
  • Consider both privacy and performance
  • Table
  • Encryption on record level is costly and slow
  • Using overwriting
  • Log
  • Historic log (before the checkpoint) does not
    change
  • Using encryption is more efficient
  • Decryption is used only when recovery is needed

28
Summary
  • Audit log is an important method
  • Not only for DB systems
  • Any systems (file system, network)
  • Not used to prevent intrusion, but to detect it
  • Forensic analysis tools can be used to do bad
    things
  • DB/FS do not delete data completely