Regulatory Compliance for DBMS Engines
Project Overview
Spurred by financial scandals and privacy concerns, governments worldwide
have moved to ensure confidence in digital records by regulating their
retention and deletion. The goal of this project is to develop and explore a
DBMS architecture that supports a spectrum of approaches to regulatory
compliance, thereby extending the level of protection afforded by
conventional file-based compliance storage servers to the vast amounts of
structured data residing in databases. The key challenge of this work is to
provide compliance assurances for the DBMS, even against insiders with
superuser powers, while balancing the need for trustworthiness against the
conflicting requirements for scalable performance guarantees and low cost.
The resulting architecture provides tunable tradeoffs between security and
performance, through a spectrum of techniques ranging from tamper detection
to tamper prevention for data, indexes, logs, and metadata; tunable
vulnerability windows; tunable granularities of protection; careful use of
magnetic disk as a cache and of secure coprocessors on the DBMS platform and
compliance storage server platform; and judicious retargeting of an on-disk
encryption unit.
This work enables compliance laws to be applied to business, government, and
personal data now stored in databases, increasing societal confidence in
such data. A new web course on compliance data management will raise the
computer science community's awareness of compliance issues and will help
train a new generation of professionals cognizant of these challenges and
solutions.
Investigators
Systems
- cDB: Trusted Hardware Enabled Relational Database
cDB deploys tamper-proof hardware to defend against malicious insider adversaries while ensuring compliance with a wide
range of regulatory policies. cDB provides full-fledged relational queries and can sustain thousands of transactions per second (TPS). cDB is built around
an open-source DBMS engine core and allows transparent query processing over both sensitive and non-sensitive data components.
- Forensic Analysis / Dragoon
- ForensicAnalysis.tar.gz - A C implementation of four forensic analysis algorithms we developed: Monochromatic, RGBY, Tiled Bitmap, and a3D.
- ForensicAnalysis_v2.0.tar.gz - Version 2.0 of the forensic analysis algorithms implementation in C. The code has been restructured so it is easier to follow (especially in the case of the Tiled Bitmap algorithm).
- τBerkeleyDB Software - The following is the beta version of the τBerkeleyDB system,
which includes transaction-time support. We have tested this
system, but make no claims about its suitability. The τBerkeleyDB system depends on Beecrypt 4.1.2 and
BerkeleyDB 3.2.9; downloads for both are also provided. Please first read the
Overview of Installation and the Installation Instructions before downloading the system.
Download: tbdb-release.tar.gz.
BerkeleyDB 3.2.9: a local copy is provided, or it can be downloaded from the official site at
http://download.oracle.com/berkeley-db/db-3.2.9.tar.gz.
Beecrypt 4.1.2: a local copy is provided, or it can be downloaded from the official site at
http://sourceforge.net/projects/beecrypt/files/beecrypt/4.1.2/beecrypt-4.1.2.tar.gz/download
- Audit System Software - The following is the beta version of the audit support software,
including the notarization and validation daemons, the database
audit GUIs for the DBA, Chief Security Officer (CSO),
and Crime Scene Investigator (CSI), along with setup
instructions and a complete demo of the system. The setup instructions, the system architecture diagram,
and the audit system itself are provided as separate downloads.
Courses
Publications
- PAPER: Sumeet Bajaj, Radu Sion, "TrustedDB: A Trusted Hardware-based Outsourced Database Engine", Proceedings of ACM SIGMOD 2011, Athens, Greece (acceptance rate: 23%, 87/379)
- JOURNAL: Bogdan Carbunar, Radu Sion, "Toward Private Joins on Outsourced Data", IEEE Transactions on Knowledge and Data Engineering (TKDE) 2011, subject to minor revisions
- JOURNAL: Yao Chen, Radu Sion, "Fighting Mallory the Insider: Strong Write Once Read Many Storage Assurances", IEEE Transactions on Information Forensics & Security (TIFS) 2011, subject to revisions
- JOURNAL: Bogdan Carbunar, Radu Sion, "Write Once Read Many Oblivious RAM", IEEE Transactions on Information Forensics & Security (TIFS) 2011, subject to revisions
- CONFERENCE: Bogdan Carbunar, Radu Sion, "Regulatory Compliant Oblivious RAM", Applied Cryptography and Network Security (ACNS) 2010 (acceptance rate: 18.5%)
- CHAPTER: Radu Sion, Marianne Winslett, "A Road-Map to Regulatory Compliance for Information Systems", in "The Handbook of Financial Cryptography", B. Rosenberg (editor), CRC Press 2009
- JOURNAL: Ragib Hasan, Radu Sion, Marianne Winslett, "Preventing History Forgery with Secure Provenance", ACM Transactions on Storage (TOS) 2009
- CONFERENCE: Ragib Hasan, Marianne Winslett, "Trustworthy Vacuuming and Litigation Holds in Long-Term High-Integrity Records Retention", EDBT 2010
- CONFERENCE: Soumyadeb Mitra, Marianne Winslett, Richard T. Snodgrass, Shashank Yaduvanshi, Sumedh Ambokar, "An Architecture for Regulatory Compliant Database Management", ICDE 2009
- JOURNAL: Kyriacos E. Pavlou, Richard T. Snodgrass, "The Tiled Bitmap Forensic Analysis Algorithm", IEEE Transactions on Knowledge and Data Engineering 22(4):590-601, April 2010
- SHORT PAPER: Radu Sion, "Regulatory Compliance in Data Management", invited entry in the Encyclopedia of Database Systems (EDS) 2009
- CONFERENCE: Peter Williams, Radu Sion, Dennis Shasha, "The Blind Stone Tablet: Outsourcing Durability", Network and Distributed System Security Symposium (NDSS) 2009 (acceptance rate: 11.6%) (draft: PDF)
Sponsors
The National Science Foundation, through IIS 0803197, 0803229, and 0803280.