US-12626004-B2 - Processing query predicates involving fine-grained privacy-preserving columns
Abstract
The present disclosure describes techniques for processing query predicates involving fine-grained privacy-preserving columns. A query predicate is received. It is determined whether there is a first match between identification information and operator information in a first row of a predicate catalog table and information associated with the query predicate. It is determined whether a value of a quantity limit in the first row is greater than zero in response to determining that there is the first match between the identification information and the operator information in the first row and the information associated with the query predicate. The query predicate is executed in response to determining that the value of the quantity limit in the first row is greater than zero. The value of the quantity limit in the first row is automatically reduced by one and the predicate catalog table is automatically updated.
Inventors
- Xinying Yang
Assignees
- BEIJING VOLCANO ENGINE TECHNOLOGY CO., LTD.
Dates
- Publication Date
- 2026-05-12
- Application Date
- 2024-09-03
Claims (20)
- 1 . A method of processing query predicates involving fine-grained privacy-preserving columns, comprising: receiving a query predicate involving a fine-grained privacy-preserving column, wherein the fine-grained privacy-preserving column contains secret information; searching a predicate catalog table and determining whether there is a first match between identification information and operator information in a first row of the predicate catalog table and information associated with the query predicate, wherein each row of the predicate catalog table comprises identification information identifying a particular fine-grained privacy-preserving column and a particular predicate survivor user, operator information indicating one or more predicate operators, a quantity limit that the particular predicate survivor user is allowed to query the particular fine-grained privacy-preserving column using the one or more predicate operators, and an interval at which the quantity limit is to be reset; determining whether a value of a quantity limit in the first row is greater than zero in response to determining that there is the first match between the identification information and the operator information in the first row and the information associated with the query predicate; executing the query predicate in response to determining that the value of the quantity limit in the first row is greater than zero; and automatically reducing the value of the quantity limit in the first row by one and automatically updating the predicate catalog table.
- 2 . The method of claim 1 , further comprising: determining whether the value of the quantity limit in the first row is reduced to zero; and determining whether an interval in the first row has a null value in response to determining that the value of the quantity limit in the first row is reduced to zero.
- 3 . The method of claim 2 , further comprising: deleting the first row from the predicate catalog table in response to determining that the interval in the first row has the null value.
- 4 . The method of claim 2 , further comprising: automatically resetting the quantity limit in the first row at every interval in response to determining that the interval in the first row has a non-null value.
- 5 . The method of claim 1 , further comprising: refraining from executing the query predicate in response to determining that the value of the quantity limit in the first row is equal to zero, wherein the interval in the first row has a non-null value; and causing output of an error message indicating that the query predicate is not allowed.
- 6 . The method of claim 1 , wherein the query predicate comprises a specific predicate operator, and wherein the method further comprises: determining whether there is a second match between identification information in a second row of the predicate catalog table and the information associated with the query predicate in response to determining the first match is not identified; and determining whether operation information in the second row covers a plurality of predicate operators including the specific predicate operator in response to determining there is the second match between the identification information in the second row and the information associated with the query predicate.
- 7 . The method of claim 6 , further comprising: executing the query predicate in response to determining that the operation information in the second row covers the specific predicate operator and determining that a value of a quantity limit in the second row is greater than zero; and automatically reducing the value of the quantity limit in the second row by one.
- 8 . The method of claim 6 , further comprising: refraining from executing the query predicate in response to determining that neither the first match nor the second match is identified; and causing output of an error message indicating that the query predicate is not allowed.
- 9 . A system of processing query predicates involving fine-grained privacy-preserving columns, comprising: at least one processor; and at least one memory communicatively coupled to the at least one processor and comprising computer-readable instructions that upon execution by the at least one processor cause the at least one processor to perform operations comprising: receiving a query predicate involving a fine-grained privacy-preserving column, wherein the fine-grained privacy-preserving column contains secret information; searching a predicate catalog table and determining whether there is a first match between identification information and operator information in a first row of the predicate catalog table and information associated with the query predicate, wherein each row of the predicate catalog table comprises identification information identifying a particular fine-grained privacy-preserving column and a particular predicate survivor user, operator information indicating one or more predicate operators, a quantity limit that the particular predicate survivor user is allowed to query the particular fine-grained privacy-preserving column using the one or more predicate operators, and an interval at which the quantity limit is to be reset; determining whether a value of a quantity limit in the first row is greater than zero in response to determining that there is the first match between the identification information and the operator information in the first row and the information associated with the query predicate; executing the query predicate in response to determining that the value of the quantity limit in the first row is greater than zero; and automatically reducing the value of the quantity limit in the first row by one and automatically updating the predicate catalog table.
- 10 . The system of claim 9 , the operations further comprising: determining whether the value of the quantity limit in the first row is reduced to zero; and determining whether an interval in the first row has a null value in response to determining that the value of the quantity limit in the first row is reduced to zero.
- 11 . The system of claim 10 , the operations further comprising: deleting the first row from the predicate catalog table in response to determining that the interval in the first row has the null value; or automatically resetting the quantity limit in the first row at every interval in response to determining that the interval in the first row has a non-null value.
- 12 . The system of claim 9 , the operations further comprising: refraining from executing the query predicate in response to determining that the value of the quantity limit in the first row is equal to zero, wherein the interval in the first row has a non-null value; and causing output of an error message indicating that the query predicate is not allowed.
- 13 . The system of claim 9 , wherein the query predicate comprises a specific predicate operator, and wherein the operations further comprise: determining whether there is a second match between identification information in a second row of the predicate catalog table and the information associated with the query predicate in response to determining the first match is not identified; and determining whether operation information in the second row covers a plurality of predicate operators including the specific predicate operator in response to determining there is the second match between the identification information in the second row and the information associated with the query predicate.
- 14 . The system of claim 13 , the operations further comprising: executing the query predicate in response to determining that the operation information in the second row covers the specific predicate operator and determining that a value of a quantity limit in the second row is greater than zero; and automatically reducing the value of the quantity limit in the second row by one.
- 15 . The system of claim 13 , the operations further comprising: refraining from executing the query predicate in response to determining that neither the first match nor the second match is identified; and causing output of an error message indicating that the query predicate is not allowed.
- 16 . A non-transitory computer-readable storage medium, storing computer-readable instructions that upon execution by a processor cause the processor to implement operations comprising: receiving a query predicate involving a fine-grained privacy-preserving column, wherein the fine-grained privacy-preserving column contains secret information; searching a predicate catalog table and determining whether there is a first match between identification information and operator information in a first row of the predicate catalog table and information associated with the query predicate, wherein each row of the predicate catalog table comprises identification information identifying a particular fine-grained privacy-preserving column and a particular predicate survivor user, operator information indicating one or more predicate operators, a quantity limit that the particular predicate survivor user is allowed to query the particular fine-grained privacy-preserving column using the one or more predicate operators, and an interval at which the quantity limit is to be reset; determining whether a value of a quantity limit in the first row is greater than zero in response to determining that there is the first match between the identification information and the operator information in the first row and the information associated with the query predicate; executing the query predicate in response to determining that the value of the quantity limit in the first row is greater than zero; and automatically reducing the value of the quantity limit in the first row by one and automatically updating the predicate catalog table.
- 17 . The non-transitory computer-readable storage medium of claim 16 , the operations further comprising: determining whether an interval in the first row has a null value in response to determining that a value of the quantity limit in the first row is reduced to zero; and deleting the first row from the predicate catalog table in response to determining that the interval in the first row has the null value; or automatically resetting the quantity limit in the first row at every interval in response to determining that the interval in the first row has a non-null value.
- 18 . The non-transitory computer-readable storage medium of claim 16 , the operations further comprising: refraining from executing the query predicate in response to determining that the value of the quantity limit in the first row is equal to zero, wherein the interval in the first row has a non-null value; and causing output of an error message indicating that the query predicate is not allowed.
- 19 . The non-transitory computer-readable storage medium of claim 16 , wherein the query predicate comprises a specific predicate operator, and wherein the operations further comprise: determining whether there is a second match between identification information in a second row of the predicate catalog table and the information associated with the query predicate in response to determining the first match is not identified; and determining whether operation information in the second row covers a plurality of predicate operators including the specific predicate operator in response to determining there is the second match between the identification information in the second row and the information associated with the query predicate.
- 20 . The non-transitory computer-readable storage medium of claim 19 , the operations further comprising: executing the query predicate in response to determining that the operation information in the second row covers the specific predicate operator and determining that a value of a quantity limit in the second row is greater than zero; and automatically reducing the value of the quantity limit in the second row by one.
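The predicate catalog logic of claims 1 to 8 (first match on exact operator, second match on a multi-operator grant, decrement, one-shot deletion, interval reset, refusal at zero), as an added Python sketch that is not the patent's or any product's code; the field names, the integer clock passed to reset_due, and the granted_limit and last_reset bookkeeping fields are assumptions:

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class CatalogRow:
    column: str                 # fine-grained privacy-preserving (SECRET) column
    user: str                   # predicate survivor user given limited access
    operators: FrozenSet[str]   # predicate operators the row covers, e.g. {"="}
    quantity_limit: int         # remaining predicate executions in this interval
    interval: Optional[int]     # reset period in seconds; None means one-shot grant
    granted_limit: int = field(init=False)   # value restored at reset (assumed field)
    last_reset: int = 0                      # clock value of the last reset (assumed)

    def __post_init__(self) -> None:
        self.granted_limit = self.quantity_limit


class PredicateCatalog:
    def __init__(self, rows: List[CatalogRow]) -> None:
        self.rows = list(rows)

    def _match(self, column: str, user: str, op: str) -> Optional[CatalogRow]:
        ident = [r for r in self.rows if r.column == column and r.user == user]
        # First match: identification info plus operator info naming exactly
        # the predicate's operator (claim 1).
        for r in ident:
            if r.operators == frozenset({op}):
                return r
        # Second match: identification info only, where the row's operator info
        # covers several operators including the predicate's (claim 6).
        for r in ident:
            if len(r.operators) > 1 and op in r.operators:
                return r
        return None

    def check_predicate(self, column: str, user: str, op: str) -> Tuple[bool, str]:
        """Decide whether the predicate may run; update the catalog as claims 1-8 describe."""
        row = self._match(column, user, op)
        if row is None:
            return False, "query predicate is not allowed: no matching grant"
        if row.quantity_limit <= 0:
            # Limit spent on a row with a non-null interval: refuse until reset (claim 5).
            return False, "query predicate is not allowed: quantity limit is zero"
        row.quantity_limit -= 1                              # execute, then decrement
        if row.quantity_limit == 0 and row.interval is None:
            self.rows = [r for r in self.rows if r is not row]   # one-shot grant consumed (claim 3)
        return True, "executed"

    def reset_due(self, now: int) -> None:
        """Restore the limit of every row whose interval has elapsed (claim 4)."""
        for r in self.rows:
            if r.interval is not None and now - r.last_reset >= r.interval:
                r.quantity_limit = r.granted_limit
                r.last_reset = now
```

A real DBMS would perform the match, decrement and row update inside one transaction so that concurrent predicates cannot both consume the last unit of a limit.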
Description
BACKGROUND
Certain data may be sensitive or confidential. Access to such data may be restricted to a particular set of parties. For example, sensitive or confidential data may be encrypted so that only authorized parties can access it. As the quantity of sensitive or confidential data continues to increase, people continue to desire new ways of managing access to data.
BRIEF DESCRIPTION OF THE DRAWINGS
The following detailed description may be better understood when read in conjunction with the appended drawings. For the purposes of illustration, there are shown in the drawings example embodiments of various aspects of the disclosure; however, the invention is not limited to the specific methods and instrumentalities disclosed.
FIG. 1 shows an example system for processing query predicates involving fine-grained privacy-preserving columns in accordance with the present disclosure.
FIG. 2 shows an example system for processing query predicates involving fine-grained privacy-preserving columns in accordance with the present disclosure.
FIG. 3 shows an example system for processing query predicates involving fine-grained privacy-preserving columns in accordance with the present disclosure.
FIG. 4 shows an example predicate catalog table in accordance with the present disclosure.
FIG. 5 shows an example predicate catalog table in accordance with the present disclosure.
FIG. 6 shows an example predicate catalog table in accordance with the present disclosure.
FIG. 7 shows an example predicate catalog table in accordance with the present disclosure.
FIG. 8 shows an example process for processing query predicates involving fine-grained privacy-preserving columns in accordance with the present disclosure.
FIG. 9 shows an example process for processing query predicates involving fine-grained privacy-preserving columns in accordance with the present disclosure.
FIG. 10 shows an example process for processing query predicates involving fine-grained privacy-preserving columns in accordance with the present disclosure.
FIG. 11 shows an example process for processing query predicates involving fine-grained privacy-preserving columns in accordance with the present disclosure.
FIG. 12 shows an example process for processing query predicates involving fine-grained privacy-preserving columns in accordance with the present disclosure.
FIG. 13 shows an example process for processing query predicates involving fine-grained privacy-preserving columns in accordance with the present disclosure.
FIG. 14 shows an example computing device which may be used to perform any of the techniques disclosed herein.
DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS
An in-enclave (e.g., fully hardware encrypted) relational database that supports privacy-preserving and verifiable functionalities can be implemented by having an entire database management system (DBMS) reside in a hardware-based security engine that isolates and protects data in use against attack within a virtual machine (VM). In this fully hardware encrypted database architecture, all memory, central processing unit(s), and input/output (I/O) can be protected from data leaks. Thus, DBMS-internal data structures and data stores that have no explicit retrieval interface, such as system and physical logs, cannot be viewed by adversaries. When creating or altering a table in this hardware encrypted database architecture, a privacy-preserving column can be defined with an additional keyword “SECRET.” The owner of the secret column can see the plaintext. Other users cannot observe the plaintext in any way, whether through data retrieval, predicate handling, log probing, or statistic viewing.
The owner can execute data control language (DCL) operations to grant column visibility to another user (e.g., using the command “GRANT VIEWER DCL”) and to remove or revoke visibility control from a user (e.g., using a “DENY” or “REVOKE” command). These DCL operations can only be executed by the secret column owner, which prevents unexpected operations from high-privileged roles such as database administrators (DBAs). An owner of a privacy-preserving column can control visibility of a privacy-preserving column by granting viewing access to, denying viewing access from, or revoking viewing access from another user (e.g., using a GRANT, DENY, or REVOKE command, respectively). If a user that has not been granted viewing access to a privacy-preserving column attempts to execute a DML command with a predicate that contains the privacy-preserving column, an error is returned. The owner of a privacy-preserving column may want to enable a user that is not a viewer of the privacy-preserving column to have limited access (e.g., predicate access) to the secret information in the privacy-preserving column. To enable the user to have predicate access to the secret information in the privacy-preserving column, the owner can grant the user predicate access to the privacy-preserving column (e.g., u