Your Federal Quarterly Tax Payments are due April 15th Get Help Now >>

Reflective Database Access Control by isJvo8d0

VIEWS: 9 PAGES: 22

									A Medical Database Case
  Study for Reflective
Database Access Control
 Lars E. Olson1, Carl A. Gunter1, and Sarah
              Peterson Olson2
1University of Illinois at Urbana-Champaign

  2University of Nebraska Medical Center
   ACM-Based Access Control

                       Patients

Name       Home         Optin     Room     Diag
           Addr                                        ACM
Emily     1 Main St.      Y       108       Flu       Entries
                                                       Alice
 Fred     2 Center        N       203    Broken leg
            Ave.                                       Bob
George    3 College       Y       207      Lung
             Dr.                          cancer
Harriet    4 Park         N       301      Food
           Blvd.                         poisoning


                                                                2
   ACM-Based Access Control

                       Patients

Name       Home         Optin     Room     Diag
           Addr
Emily     1 Main St.      Y       108       Flu

 Fred     2 Center        N       203    Broken leg
            Ave.
George    3 College       Y       207      Lung
             Dr.                          cancer
Harriet    4 Park         N       301      Food
           Blvd.                         poisoning


                                                      3
  ACM-Based Access Control

         Second_Floor_Patients

                                       ACM
                                      Entries
                                        Carol
 Fred                    203     Broken leg
                                       David
George                   207       Lung
                                  cancer




                                                4
        ACM Weaknesses

• Complicated policies can be awkward to
  define

• “All patients can access their own
  records”

• “Every nurse can view the records of
  patients assigned to their floor”

                                           5
            Motivation

• ACMs describe extent, rather than intent
• Decision support data is often already in
  the database
  – Redundancy
  – Possibility of update anomalies




                                              6
   Reflective Database Access
             Control
• Solution: access policies should contain queries
  – Not limited to read-only operations
  – Policies not assumed to be “omniscient”
• Is this a secure solution? (CCS ’08)
• Is this a practical solution? (DBSec ’09)
• What is it useful for? (SPIMACS ’09)


                              Database




                                                     7
         TD and RDBAC

• Transaction Datalog: an extension to
  classical datalog with update predicates
• Query on a rule may change the database
  state
  – Audit policies
  – Chinese Wall policies
• Mathematical model enables formal
  security analysis


                                             8
 Case Study: Medical Database

• HIPAA legislation
  – Protects privacy of patients
  – Access to electronic health records must be
    restricted “based on the specific roles of the
    members of their workforce.”
• Idealism meets reality: emergencies are
  common
• Commonly implemented by Honor
  System, e.g. sign a form yearly

                                                     9
        Case Study Goals

• Demonstrate usefulness of RDBAC in a
  real-world scenario
• Enforce privacy constraints of HIPAA
• Address practical needs for emergency
  access

• NOT designed for a particular medical
  center
• BUT should be realistic
                                          10
General Access Patterns




         Database




                          11
General Access Patterns




                          Database




                                     12
         Example Policies
• Patients may view their own medical data
• Primary care physicians may view their own
  patients’ data
• Caregivers assigned to consult with a patient
  may view that patient’s data
• Lab technicians may enter new records for
  any patient, but the ID of the technician is
  included in the record
• Current employees may access any patient’s
  record, but an audit record is generated

                                                  13
         Example TD Rules
view.labResult(User, PtntID, Date, Type, ...) :-
  labResult(PtntID, Date, Type, ...),
  person(PtntID, User).

view.labResult(User, PtntID, Date, Type, ...) :-
  labResult(PtntID, Date, Type, ...),
  person(UserID, User),
  hasAccess(UserID, PtntID).

view.labResultEmerg(User, PtntID, Date, Type, ...,
  Note) :-
  labResult(PtntID, Date, Type, ...),
  employee(UserID, User),
  ins.labResultAudit(UserID, PtntID, now, Note).



                                                     14
    Formal Security Analysis
• “No untrusted user can ever gain access
  to a patient’s lab results.”
• Automated analysis difficult (often
  impossible) problem to solve
• “Safe rewritability”
  – Limits domain of values that untrusted users
    can insert
  – Previously established theorem to decide
    analysis
  – Must guarantee that untrusted users cannot
    trigger actions that run as a trusted user

                                                   15
   Results of Formal Analysis
• Uses upper-bound estimate on safely
  rewritable policies
  – Rules with retractions, rules not safely
    rewritable omitted
  – Sample database populated, verified with
    Prolog
  – Omitted rules analyzed manually
• Analysis scalability
  – Running time A: increased patients &
    doctors
  – Running time B: increased patients only

                                               16
                                Results of Formal Analysis
                       100000



                       10000
Execution Time (sec)




                        1000
                                                                                  Running Time A
                                                                                  Running Time B
                         100



                          10



                           1
                           10,000      100,000           1,000,000   10,000,000
                                           Number of patients
                                                                                              17
  Future Research Possibilities
• Improvements to TD
  – Aggregation
  – More expressive negations
• Improvements to analysis
  – State-independent analysis
  – Detecting irrelevant rules
• Development of Case Study
  – Discretionary access to patient records
     • “Trusted users” no longer constant
     • Specifying exceptions
  – Adverse drug interactions (requires negation
    over join)

                                                   18
            Conclusions

• Reflective Database Access Control is a
  more flexible model than ACM-Based
  Access Control.

• RDBAC provides benefits for real-world
  scenarios.
  – More expressive policies
  – Formal security analysis



                                            19
    For More Information…

• http://seclab.illinois.edu/
• Internet search on “Illinois Security Lab”
  or “Reflective Database Access Control”




                                               20
    Policies Defined with TD

• Policies may be written by lower-privileged
  users
• Problem: read information from higher-
  privilege table, write to lower-privilege
• Solution:
  – TD rules include explicit parameter for the
    permission
  – Policy subqueries are executed with definer’s
    privilege
  – Policy body cannot do anything the definer can’t
    already do manually.

                                                       21
    Analysis of Omitted Rules
• Infinite domain of values to insert
  – Note value from “break-the-glass” rules
  – Prolog can sometimes handle infinite domains
  – Otherwise, these values do not affect access
    privileges
• Deletions still constitute subset of maximal
  database
• Executable only by trusted users
  – Only active employees may execute rules
  – Only trusted users may add active employees
  – Any rules that invoke omitted rules are also
    executable only by trusted users (transitive closure)
                                                            22

								
To top