Stubblebine Research Labs
SECURE SOFTWARE ENGINEERING TECHNIQUES AND PROTOCOLS
Authentic Data Publication for Databases
The publication of high-value and mission critical data on the Internet plays an important role in the government, industry, and health-care sectors. However, owners of such data are often not able or willing to serve millions of query requests per day and furthermore satisfy clients’ data requirements regarding the integrity, availability, and authenticity of the data they manage in their databases. In this article, we give an overview of our work on authentic publication schemes in which a data owner employs a (possibly untrusted) data publisher to answer queries from clients on behalf of the owner. In addition to query answers, publishers provide clients with verification objects a client uses to verify whether the answer is the same as the owner would have provided. We consider two popular types of database systems, those managing relational data and those managing XML data in the form of XML repositories.
A General Model for Authentic Data Structures
Query answers from on-line databases can easily be corrupted by hackers or malicious database publishers. Thus it is important to provide mechanisms which allow clients to trust the results from on-line queries. Authentic Publication allows untrusted publishers to securely answer queries from clients on behalf of trusted off-line data owners. Publishers validate answers using hard-to-forge verification objects (VOs), which clients can check efficiently. This approach provides greater scalability, by making it easy to add more publishers, and better security, since on-line publishers don't need to be trusted. To make authentic publication attractive, it is important for the VOs to be small, efficient to compute and efficient to verify. This has led researchers to independently develop several different schemes for efficient VO computation based on specific data structures. Our goal is to develop a unifying framework for these disparate results, leading to a generalized security result.
Authentic Data Publication over the Internet
Integrity-critical databases, such as financial information used in high-value decisions, are frequently published over the Internet. Publishers of such data must satisfy the integrity, authenticity, and non-repudiation requirements of clients. Providing this protection over public data networks is an expensive proposition. This is, in part, due to the difficulty of building and running secure systems. In practice, large systems cannot be verified to be secure and are frequently penetrated. The negative consequences of a system intrusion at the publisher can be severe. The problem is further complicated by data and server replication to satisfy availability and scalability requirements. To our knowledge this work is the first of its kind to give general approaches for reducing the trust required of publishers of large databases. To do this, we separate the roles of data owner and data publisher. With a few digital signatures on the part of the owner and no trust required of a publisher, we give techniques based on Merkle hash trees that publishers can use to provide authenticity and non-repudiation of the answer to database queries posed by a client. This is done without requiring a key to be held in an on-line system, thus reducing the impact of system penetrations. By reducing the trust required of the publisher, our solution is a step towards the publication of large databases in a scalable manner.
Certifying Data from Multiple Sources
Data integrity can be problematic when integrating and organizing information from many sources. In this paper we describe efficient mechanisms that enable a group of data owners to contribute data sets to an untrusted third-party publisher, who then answers users’ queries. Each owner gets a proof from the publisher that his data is properly represented, and each user gets a proof that the answer given to them is correct. This allows owners to be confident that their data is being properly represented and users to be confident they are getting correct answers. We show that a group of data owners can efficiently certify that an untrusted third-party publisher has computed the correct digest of the owners’ collected data sets. Users can then verify that the answers they get from the publisher are the same as a fully trusted publisher would provide, or detect if they are not. The results presented support selection and range queries on multi-attribute data sets and are an extension of earlier work on Authentic Publication which assumed that a single trusted owner certified all of the data.
Authenticating query responses on XML documents without extra signatures and trusted publishers
XML is increasingly becoming the format of choice for information exchange, in critical areas such as government, finance, healthcare and law, where integrity is of the essence. As this trend grows, one can expect that documents (or collections thereof) may get quite large, and clients may wish to query for specific segments of these documents. In critical applications, clients must be assured that they are getting complete and correct answers to their queries. Existing methods for signing XML documents cannot be used to establish that an answer to a query is complete. A simple approach has a server processing queries and certifying answers by digitally signing them with an on-line private key; however, the server, and its on-line private key, would be vulnerable to external hacking and insider attacks. We propose a new approach to signing XML documents which allows untrusted servers to answer certain types of path queries and selection queries over XML documents without the need for trusted on-line signing keys. This approach enhances both the security and scalability of publishing information in XML format over the internet. In addition, it provides greater flexibility in authenticating parts of XML documents, in response to commercial or security policy considerations.
Authentic Third-party Data Publication
Integrity-critical databases, such as financial information, which are used in high-value decisions, are frequently published over the internet. Publishers of such data must satisfy the integrity, authenticity, and non-repudiation requirements of end clients. Providing this protection over public data networks is an expensive proposition. To our knowledge this work is the first of its kind to give general approaches for reducing the trust required of the publisher of large, infrequently updated databases. To do this, we separate the roles of owner and publisher. With a few digital signatures on the part of the owner and no trust required of the publisher, we give techniques based on Merkle hash trees that publishers can use to provide authenticity and non-repudiation of the answer to a database query. This is done without requiring a key to be held in an on-line system, thereby reducing the impact due to the likely system penetration.
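The owner / publisher / client split described in the authentic publication abstracts above can be sketched as follows. This is an added example, not code from these papers: it is a generic Merkle hash tree range proof over one sorted key, and the function names, the repr-based leaf encoding, the sentinel records and the sample data are all assumptions. The owner's signature over the root digest is omitted; the client is assumed to hold a root it has already checked against that signature.

```python
import hashlib
from bisect import bisect_left, bisect_right

def H(tag, *parts):                      # tag separates leaf (0) from node (1) hashes
    return hashlib.sha256(tag + b"".join(parts)).digest()

def leaf(rec):
    return H(b"\x00", repr(rec).encode())

def digest(recs):
    """Owner: Merkle root over the key-sorted records (the value the owner signs)."""
    if len(recs) == 1:
        return leaf(recs[0])
    mid = len(recs) // 2
    return H(b"\x01", digest(recs[:mid]), digest(recs[mid:]))

def answer(recs, lo, hi):
    """Publisher: verification object for keys in [lo, hi]; holds no secret key."""
    keys = [k for k, _ in recs]
    a, b = bisect_left(keys, lo) - 1, bisect_right(keys, hi)  # boundary records
    def walk(s, e):
        if e <= a or s > b:              # subtree entirely outside: send its hash only
            return digest(recs[s:e])
        if e - s == 1:
            return recs[s]
        mid = s + (e - s) // 2
        return [walk(s, mid), walk(mid, e)]
    return walk(0, len(recs))

def verify(vo, lo, hi, signed_root):
    """Client: return the records in [lo, hi], or raise ValueError."""
    seq = []                             # leaves left to right; None = pruned subtree
    def fold(node):
        if isinstance(node, bytes):
            seq.append(None)
            return node
        if isinstance(node, tuple):
            seq.append(node)
            return leaf(node)
        left, right = node
        hl = fold(left)
        return H(b"\x01", hl, fold(right))
    if fold(vo) != signed_root:
        raise ValueError("VO does not hash to the owner's digest")
    shown = [i for i, x in enumerate(seq) if x is not None]
    run = seq[shown[0]:shown[-1] + 1] if shown else []
    if len(run) < 2 or None in run or not (run[0][0] < lo and run[-1][0] > hi):
        raise ValueError("answer is not provably complete")
    return [r for r in run if lo <= r[0] <= hi]

# Constructed sample data; the +/-inf sentinels give every query a boundary on each side.
RECORDS = [(float("-inf"), None), (3, "c"), (7, "g"), (12, "l"),
           (20, "t"), (31, "x"), (float("inf"), None)]
ROOT = digest(RECORDS)
```

The boundary records on each side of the range are what let the client detect an omitted record, not just a modified one: a hash standing in for a hidden record still reproduces the root, but it breaks the contiguous run of disclosed leaves.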
Future of Software Engineering and Security Research
What are important areas of security research to secure software engineering techniques in the year 2000 and beyond? Look no further!
Secure Software Configuration Management and Survivability
Installation, configuration, and administration of desktop software is a non-trivial process. Even a simple application can have numerous dependencies on hardware, device drivers, operating system versions, dynamically linked libraries, and even on other applications. This paper discusses solutions to the configuration problem that address the security concerns of users, administrators, software vendors and outside consultants: keeping details of installations private, authenticating licensed users and software vendors, protecting the integrity of software, secure delegation across administrative boundaries, and protecting proprietary information.
More recent directions concerning survivability of systems are being explored in collaboration with UC Davis, University of Colorado, and University of Virginia.
Stack and Queue Integrity on Hostile Platforms
When computationally intensive tasks have to be carried out on trusted, but limited, platforms such as smart cards, it becomes necessary to compensate for the limited resources (memory, CPU speed) by off-loading implementations of data structures on to an available (but insecure, untrusted) fast co-processor. However, data structures such as stacks, queues, RAMs, and hash tables are useless if certain invariants are violated by a potentially hostile implementation platform. This paper examines approaches that can detect violations of data structure invariants, while placing limited demands on the resources of the secure computing platform.
Secure Software Testing
There are many interesting problems in this area, but right now, with Prem Devanbu, I'm working on cryptographic approaches to verifying claims about quality practices by software vendors. If such techniques are perfected and widely adopted, small, relatively unknown vendors can make verifiable claims about the thoroughness of their software testing practices--without giving up too much proprietary information. Cryptographic techniques are used to protect secrets while reducing the risk of cheating.
Mobile Code Analysis and Configuration Management using Revocation Techniques
Service providers hosting software on servers at the request of content providers need assurance that the hosted software has no undesirable properties. This problem applies to browsers which host applets, networked software which can host software agents, etc. The hosted software's properties are currently verified by testing and/or verification processes by the hosting computer. This increases cost, causes delay, and leads to difficulties in version control. By furnishing content providers with a physically secure computing device with an embedded certified private key, such properties can be verified and/or enforced by the secure computing device at the content provider's site; the secure device can verify such properties, statically whenever possible, and by inserting checks into the executable binary when necessary. The resulting binary is attested by a trusted signature, and can be hosted with confidence. This paper is a preliminary report that outlines our scientific and engineering goals in this project; implementation work is currently under way.
Follow-on work, with Prem Devanbu, investigates using trusted software certification authorities to verify byte codes, check proofs, or other static analyses, and certify to this fact using signatures. Compromised certification authorities and faulty certification software can be revoked using techniques common to key revocation in distributed systems. For example, buggy versions of Java byte code verifiers can be taken out of the loop without forcing customers to download new browser versions. Furthermore, re-certification of mobile code is unnecessary in cases where weaknesses in the faulty certification software are not exploited by the mobile code. This paper was selected for a best paper award at ICSE'98.