be lost. Time stamps can be exploited to achieve this goal. The containing
phase can be done by just adding an access control rule to the Containment
Executor, which denies access to the set of objects updated during the period
of time from the time B commits to the time the containing phase starts.
This period of time is called the containing-time-window. When the containing
phase starts, every active transaction should be aborted, because it could
spread damage. New transactions can be executed only after the containing
phase ends.
It is clear that the containing phase overcontains the damage in most cases.
Many objects updated within the containing time window can be undamaged,
and we must uncontain them as soon as possible to reduce the corresponding
availability loss. Accurate uncontainment can be done based on the reports
from the Damage Assessor, which could be too slow due to the assessment
latency. [75] shows that transaction types can be exploited to do much quicker
uncontainment. In particular, assuming that (a) each transaction T_i belongs
to a transaction type type(T_i) and (b) the profile for type(T_i) is known, the
read set template and write set template can be extracted from type(T_i)'s
profile. The templates specify the kind of objects that transactions of type(T_i)
can read or write. As a result, the approximate read-from dependency among
a history of transactions can be quickly captured by identifying the read-from
dependency among the types of these transactions. Moreover, the type-based
approach can be made more accurate by materializing the templates
of transactions using their inputs before analyzing the read-from dependency
among the types.
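The containing-time-window and the type-based uncontainment described above, worked through on a constructed history (added example, not code from [75] or the book; the transaction types, their read/write set templates and the sample transactions are hypothetical). The type-level pass follows read-from dependencies using only the kind of object each type touches; the materialized pass binds the templates to each transaction's inputs, which the text notes makes the dependency analysis more accurate.

```python
from dataclasses import dataclass

@dataclass
class Txn:
    tid: str
    ttype: str        # transaction type, type(T_i)
    commit_ts: int
    inputs: dict      # inputs used to materialize the type's templates

# Hypothetical type profiles: read/write set templates. "acct:{src}" names the
# kind of object (table) plus the input that selects the concrete record.
TEMPLATES = {
    "transfer": {"read": ("acct:{src}", "acct:{dst}"), "write": ("acct:{src}", "acct:{dst}")},
    "deposit":  {"read": ("acct:{dst}",),               "write": ("acct:{dst}",)},
    "report":   {"read": ("acct:{src}",),               "write": ("log:{src}",)},
}

def footprint(txn, materialized):
    """Read set and write set of txn: concrete objects when materialized with
    its inputs, otherwise only the kind of object (type-level template)."""
    t = TEMPLATES[txn.ttype]
    if materialized:
        return ({p.format(**txn.inputs) for p in t["read"]},
                {p.format(**txn.inputs) for p in t["write"]})
    return ({p.split(":")[0] for p in t["read"]}, {p.split(":")[0] for p in t["write"]})

def window(history, bad_tid, start_ts):
    """Transactions committed in the containing-time-window [commit(B), start_ts]."""
    b = next(t for t in history if t.tid == bad_tid)
    return sorted((t for t in history if b.commit_ts <= t.commit_ts <= start_ts),
                  key=lambda t: t.commit_ts)

def contain(history, bad_tid, start_ts):
    """Containing phase: every object written inside the window is denied."""
    return set().union(*(footprint(t, True)[1] for t in window(history, bad_tid, start_ts)))

def affected(history, bad_tid, start_ts, materialized):
    """Follow read-from dependencies in commit order, starting from B."""
    bad, damaged = {bad_tid}, set()
    for t in window(history, bad_tid, start_ts):
        reads, writes = footprint(t, materialized)
        if t.tid == bad_tid or reads & damaged:
            bad.add(t.tid)
            damaged |= writes
    return bad, damaged

def uncontain(history, bad_tid, start_ts):
    """Split contained objects into (releasable, still contained) using
    materialized templates: release what no affected transaction wrote."""
    contained = contain(history, bad_tid, start_ts)
    _, damaged = affected(history, bad_tid, start_ts, materialized=True)
    return contained - damaged, contained & damaged

HISTORY = [  # constructed sample history; B is the malicious transaction
    Txn("B",  "transfer", 10, {"src": "1", "dst": "2"}),
    Txn("T2", "deposit",  11, {"dst": "3"}),
    Txn("T3", "transfer", 12, {"src": "2", "dst": "4"}),
    Txn("T4", "report",   13, {"src": "3"}),
    Txn("T5", "deposit",  20, {"dst": "5"}),   # commits after the containing phase starts
]
```

With the containing phase starting at time 15, the type-level pass flags every transaction in the window as affected, while the materialized pass flags only T3 and releases acct:3 and log:3.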
Other damage quarantine methods. (a) In [76], a color scheme for
marking and containing damage is used to develop a mechanism by which
databases under attack could still be safely used. This scheme assumes that
each data record has an (accurate) initial damage mark or color (note that
such marks may be generated by the damage assessment process); then specific
color-based access controls are enforced to make sure that the damage will not
spread from corrupted data objects to clean ones.
(b) Attack isolation. The idea is to isolate likely suspicious transactions
before a definite determination of intrusion is reported. In particular, when
a suspicious session B is discovered, isolating B and the associated transactions
transparently into a separate environment that still appears to B to be
the actual system allows B's activities to be kept under surveillance without
risking further harm to the system. An isolation strategy that has been used
in such instances is known as fishbowling. Fishbowling involves setting up a
separate look-alike host or file system and transparently redirecting the
suspicious entity's requests to it. This approach allows the incident to be further
studied to determine the real source, nature, and goal of the activity, but it
has some limitations, particularly when considered at the application level.
First, the substitute host or file system is essentially sacrificed during the
suspected attack to monitor B, consuming significant resources that may be
scarce. Second, since B is cut off from the real system, if B proves innocent,