Speaker: Prof. Joachim Biskup, Technische Universität Dortmund, Germany
Title: Strategies for Generating an Inference-Proof Database View
Introduction of Speaker:
Joachim Biskup received his diploma degree in mathematics from Technical University of Hannover in 1972 and his doctor’s degree in computer science from RWTH Aachen University in 1975. Since 1981 he has been a professor of computer science at the University of Dortmund. He has performed research in recursion and complexity theory, information systems with an emphasis on database schema design, query optimization and mediation, and various aspects of security, in particular access control and inference control for enforcing confidentiality. He has joined the program committees of many international conferences, including ICDT, FoIKS, ESORICS and DBSec.
This talk is based on joint work with P. Bonatti, L. Li, R. Menzel, M. Preuß, C. Tadros, L. Wiese etc.
Controlled Interaction Execution (CIE) is a long-term project to explore options under various settings to assist an information owner in enforcing his confidentiality requirements when communicating with an authorized partner. Besides dynamic owner-partner interaction sequences, including query answering and update processing, generating a partner-specific view on the owner's data is a basic task of CIE. Such a view should be inference-proof regarding a confidentiality policy consisting of formally expressed prohibitions to learn a sensitive piece of information, equivalently of secrets to be kept hidden. Inference-proofness means that the original data -- hidden to the partner -- has been altered into a view observable by the partner such that (under some assumptions) all ways of rational reasoning to violate the policy have provably been blocked, even if the partner will exploit background knowledge including postulated a priori knowledge about the data application and the expected full awareness of the view generation algorithm. Hence, restricting to possibilistic policies, for each prohibition/secret S there exists possible alternative data that does not satisfy S but would lead to the same view.
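The possibilistic condition above can be checked exhaustively on a small instance space. The following Python sketch is an added example, not material from the talk or the CIE project; the three-atom schema, the a priori rule and the three view functions are constructed for illustration.

```python
from itertools import product

ATOMS = ("cancer", "chemo", "flu")  # constructed toy schema, not from the talk

def apriori(db):
    # Assumed background knowledge of the partner: chemo implies cancer.
    return not db["chemo"] or db["cancer"]

# All instances the partner considers possible before seeing any view.
WORLDS = [db for vals in product((False, True), repeat=len(ATOMS))
          for db in [dict(zip(ATOMS, vals))] if apriori(db)]

POLICY = {"cancer": lambda db: db["cancer"]}  # secrets S to be kept hidden

def render(db, refused):
    return tuple((a, "refused" if a in refused else db[a]) for a in ATOMS)

def view_naive(db):
    # Refuses only when the secret holds, so the refusal itself is a signal.
    return render(db, {"cancer", "chemo"} if db["cancer"] else set())

def view_partial(db):
    # Always refuses the secret atom but still discloses chemo.
    return render(db, {"cancer"})

def view_uniform(db):
    # Refuses both atoms in every instance, independent of their values.
    return render(db, {"cancer", "chemo"})

def violations(view, policy=POLICY, worlds=WORLDS):
    """Return (view, secret) pairs with no alternative instance falsifying S.

    The partner is assumed to know `view` and `apriori`, so after observing
    a view they retain exactly the worlds that would have produced it.
    """
    bad = set()
    for db in worlds:
        candidates = [w for w in worlds if view(w) == view(db)]
        for name, secret in policy.items():
            if all(secret(w) for w in candidates):
                bad.add((view(db), name))
    return sorted(bad, key=repr)

if __name__ == "__main__":
    for v in (view_naive, view_partial, view_uniform):
        print(v.__name__, violations(v))
```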
We present and exemplify three strategies for view generation: intensional iterative generation by exhaustive querying, extensional iterative generation by eliminating violations, and extensional generation by global alterations. Regarding data the examples range over abstract data sources, relational databases founded on suitable fragments of first-order logic and XML documents. Regarding alterations, the examples range over total refusals, tailored weakenings by introducing disjunctions or suppressing data, lying, and a combined