RDB - Repairable Database Systems

Transcript of "RDB - Repairable Database Systems"

  1. A Portable Implementation Framework for Intrusion-Resilient Database Management Systems
     Alexey Smirnov and Tzi-cker Chiueh
     Department of Computer Science, SUNY at Stony Brook
     DSN 2004
  2. Outline
     • Motivation
     • System Architecture
     • Transaction Dependency Tracking
     • Database Repair Process
     • Performance Evaluation
     • Summary
  3. Motivation
     • Suppose you are a DBA and you have just noticed that your database was compromised 24 hours ago. How would you repair the database?
     • Currently, the only way to do this is to restore a database backup and manually recommit benign transactions.
     • Difficulties: (1) how to tell benign transactions from malicious ones; (2) the amount of data can be huge and the repair process is very error-prone.
  4. Motivation
     • Ideally, an intrusion-resilient DBMS should be able to:
         • Track inter-transaction dependencies;
         • Perform a selective transaction rollback.
     • We propose an implementation framework called RDB that can render an off-the-shelf DBMS intrusion resilient without modifying its internals. RDB has two components: a tracking subsystem, which runs at run-time, and a recovery subsystem, which runs offline.
  5. Definition of Transaction Dependency
     • A read set of an SQL statement S is the set of rows fetched by this statement.
     • We will say that statement S2 depends on statement S1 if at least one row from the read set of S2 was modified by S1.
     • We will say that transaction T2 depends on transaction T1 if at least one statement of T2 depends on a statement from T1.
  6. Limitations of Transaction Dependency Model
     • This definition is prone to both false positives and false negatives.
     • Example of a false positive dependency:

         A1    A2    A3
         100   3     5
         200   2     6
         300   1     7

  7. Limitations of Transaction Dependency Model
     • T1: SET A2=5 WHERE A1<250

         A1    A2    A3
         100   5     5
         200   5     6
         300   1     7

  8. Limitations of Transaction Dependency Model
     • T1: SET A2=5 WHERE A1<250
     • T2: SELECT A3 WHERE A3>3

         A1    A2    A3
         100   5     5
         200   5     6
         300   1     7

  9. Limitation of Transaction Dependency Model
     • Another limitation is that, in general, it is impossible to determine all transaction dependencies by looking only at the traffic between a client and the DB server, because part of the logic may be inside the application itself.
  13. How to Track Transaction Dependencies?
     • Such a tracking mechanism should be able to intercept both read and write actions performed in the database. Possible approaches are:
         • Database log analysis – read actions are not logged;
         • Database triggers – will miss out SELECT statements;
         • Tracking proxy – will intercept SQL statements coming from the client to the server.
  16. Transaction Dependency Tracking
     • RDB inserts a proxy JDBC driver between the DB server and a client that transparently intercepts all queries and results. The proxy can be either on the client side or on the server side.
  17. Transaction Dependency Tracking
     • The following changes are made to the database at the time of its creation:
         • Table trans_dep(tr_id:INTEGER, dep_tr_ids:VARCHAR) – stores IDs of transactions that depend on transaction tr_id;
         • Table annot(tr_id:INTEGER, descr:VARCHAR) – stores an annotation for transaction tr_id;
         • A new field tr_id is added to each table. It contains the ID of the last transaction that modified each row.
     • The proxy uses its own transaction IDs because there is no standard way to access the internal transaction ID.
  18. Transaction Dependency Tracking
     • The JDBC proxy needs to update field tr_id when the data is modified and to select it when the data is fetched. The proxy rewrites SQL statements coming from the client.

         Original:   SELECT a FROM t WHERE c
         Rewritten:  SELECT a, t.tr_id FROM t WHERE c

  19. Transaction Dependency Tracking

         Original:   UPDATE t SET a=v WHERE c
         Rewritten:  UPDATE t SET a=v, tr_id=curTrID WHERE c

  20. Transaction Dependency Tracking

         Original:   INSERT INTO t(a) VALUES(v)
         Rewritten:  INSERT INTO t(a, tr_id) VALUES(v, curTrID)

  21. Transaction Dependency Tracking

         Original:   COMMIT
         Rewritten:  INSERT INTO trans_dep(curTrID,…)
                     COMMIT

  22. Summary of the Tracking Subsystem
     • Transaction dependency tracking is implemented as a JDBC proxy driver and is therefore highly portable across different DBMSs.
     • The proxy uses a lightweight approach aimed at tracking all read actions in a database.
  23. Database Repair Process
     • The database is repaired by committing compensating transactions.
     • When using RDB, the repair process consists of:
         • Database log analysis (to reconstruct complete dependency information and generate compensating transactions);
         • Dependency graph visualization;
         • Repairing the database by committing compensating transactions.
  24. Database Log Analysis
     • At repair time, RDB analyses the database transaction log to build a complete dependency graph and to generate compensating transactions. Different DBMSs provide different facilities for log analysis. We have studied three DB servers:
         • PostgreSQL 7.2.2
         • Oracle 9.2.0
         • Sybase ASE 12.5
  25. Database Log Analysis
     • Oracle LogMiner – translates the binary log into a database view that can be queried. It contains the transaction ID, the original SQL statement and a compensating SQL statement.
     • PostgreSQL – no end-user programs or APIs for log analysis. We have implemented a plugin that provides LogMiner-like functionality.
     • Sybase – can provide a dump of its binary transaction log. The format of this dump is partially described in Sybase manuals. We have developed a tool that parses this dump and generates compensating statements.
  26. Dependency Graph Visualization
     • We used GraphViz (AT&T).
     • The application allows the user to select an initial set of malicious transactions and computes its transitive closure. Then the result can be refined by the user to build the final set of transactions to be undone.
     • We are working on a more powerful tool that can discard certain types of dependencies.
  27. Performance Evaluation
     • We used the TPC-C benchmark to evaluate the run-time overhead of the JDBC proxy.
     • Test database size ~ 4GB.
     • We varied the following parameters:
         • Transaction mix (read intensive and read/write intensive);
         • Connection type (local or over a network);
         • Total footprint size (effect of database cache).
  28. Performance Evaluation
     • Overhead is between 6% and 13%.
  29. Performance Evaluation
     • Our interpretation of these results: the overhead comes mostly from additional writes to the database and transaction log.
     • Why the overhead for read-intensive transactions is less than that for read/write-intensive ones: when there are few dependencies, the number of additional writes is also small.
     • Why the overhead increases when the footprint decreases: because there are fewer disk accesses performed on behalf of the client.
  30. Summary
     • We developed RDB, a portable framework that can render an off-the-shelf DBMS intrusion resilient without having access to its internals.
     • The prototype has some limitations:
         • The tracking mechanism is row-based rather than column-based. This can lead to false dependencies.
         • No support for stored procedures.
         • Many DBMS vendors provide custom extensions to SQL. Currently, only part of SQL-92 is supported.
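
The SELECT, UPDATE and COMMIT rewriting from slides 18, 19 and 21, replayed on the false-positive table from slides 6 to 8, as an added example (not RDB's code, which is a JDBC proxy; this sketch uses Python and SQLite). The `TrackingProxy` class, the regex-based rewriting and the comma-separated `dep_tr_ids` encoding (here listing the transactions the committing one read from) are assumptions; INSERT rewriting is left out.

```python
import re
import sqlite3

class TrackingProxy:
    """Toy tracking proxy (assumed design): rewrites SQL so rows carry tr_id."""
    def __init__(self, conn):
        self.conn, self.cur_tr, self.deps = conn, 0, set()
        conn.execute("CREATE TABLE trans_dep(tr_id INTEGER, dep_tr_ids VARCHAR)")

    def begin(self):
        self.cur_tr += 1        # proxy-assigned ID, not the DBMS's internal one
        self.deps = set()

    def execute(self, sql):
        m = re.match(r"(?is)\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(.*)$", sql)
        if m:  # SELECT a FROM t WHERE c -> SELECT a, t.tr_id FROM t WHERE c
            cols, t, rest = m.groups()
            rows = self.conn.execute(f"SELECT {cols}, {t}.tr_id FROM {t}{rest}").fetchall()
            self.deps |= {r[-1] for r in rows if r[-1] not in (None, self.cur_tr)}
            return [r[:-1] for r in rows]   # hide tr_id from the client
        m = re.match(r"(?is)\s*UPDATE\s+(\w+)\s+SET\s+(.+?)(\s+WHERE\s.+)?$", sql)
        if m:  # UPDATE t SET a=v WHERE c -> UPDATE t SET a=v, tr_id=curTrID WHERE c
            t, sets, where = m.groups()
            self.conn.execute(f"UPDATE {t} SET {sets}, tr_id={self.cur_tr}{where or ''}")
            return []
        raise ValueError("statement form not covered by this sketch")

    def commit(self):
        # COMMIT -> INSERT INTO trans_dep(curTrID, ...); COMMIT
        # Assumed encoding: comma-separated IDs of transactions this one read from.
        dep_ids = ",".join(str(i) for i in sorted(self.deps))
        self.conn.execute("INSERT INTO trans_dep VALUES (?, ?)", (self.cur_tr, dep_ids))
        self.conn.commit()

def false_positive_demo():
    """Replay slides 6-8; return (rows T2 saw, contents of trans_dep)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t(A1 INTEGER, A2 INTEGER, A3 INTEGER, tr_id INTEGER)")
    conn.executemany("INSERT INTO t(A1, A2, A3) VALUES (?, ?, ?)",
                     [(100, 3, 5), (200, 2, 6), (300, 1, 7)])  # slide 6 table
    proxy = TrackingProxy(conn)
    proxy.begin()                                    # T1 writes A2 only
    proxy.execute("UPDATE t SET A2=5 WHERE A1<250")
    proxy.commit()
    proxy.begin()                                    # T2 reads A3 only
    rows = proxy.execute("SELECT A3 FROM t WHERE A3>3")
    proxy.commit()
    return rows, conn.execute("SELECT * FROM trans_dep ORDER BY tr_id").fetchall()
```

T2 reads only A3, which T1 never wrote, yet `trans_dep` records T2 as depending on T1 because the tracking is per row.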