#$% &'( ) +)$,-./ $., (Logical DB Sec.) (2 )6 7 )8 #$% ) 9-: ;.< 34$7 (2 6#$% -6#$;61 = '6, 9; > $A.

Size: px

Start display at page:

Download "#$% &'( ) *+)$,-./ $., (Logical DB Sec.) (2 )6 7 )8 #$% ) 9-: ;.*< 34$7 (2 6#$% -6#$;61 = '6, 9; > $A."

Marcus Booth
5 years ago
Views:

#$% jalili@sharif.edu 1 &'( ) *+)$,-./ 012 34$., (Logical DB Sec.

1 #$% 1 &'( ) *+)$,-./ $., (Logical DB Sec.) (2 )6 7 )8 #$% ) 9-: ;.*< 34$7 (2 6#$% -6#$;61 = '6, 9; > ;7?.?&7:$@ $A. = #$% )B1'

2 2-&'( $6A 7 DE #$% )=: ', :'? &7:$@ (Analysis)- (Conceptual design)g+ #$% (Detailed design)h3 #$% (Implementation))= (Test) (Maintenance))'G 3 1-; DBMS#$%.'$@ K OS DBMSJ2 $ G3E ', ;7?)$,.$4 ;$= OSM, )$, &8 > LK &, DBMS &, L : 1 $= DN &, L 7 )G$ $A = DBMS OS L )G+ :? )', & -: J2 OS )',&&... ': 9$2 9&2,J2 DBMS $3)', && DBMS L 8 O, DBMS ) $:.'? A: D'? &, ', '7 #, $: TT ' $: R S PQ8 OS DBMS OS? (file)-:-ue3:? OS (view)'-u (2? DBMS

3 2-; DBMS#$% DBMS OSL 7 ) D+ & DBMS ) R ;'W )X 1# 7$' 1# ' $7 R;'W M.71, ) R ;'W DBMS XR9W $7 1# & E3: $7 )$, OSJ2 7 )? DBMS'-,( OSE3: )? )? )$, $7<, A: &, = 2 'W )G<4$.'$@ $ ; DN &, ', &4 '4 $@ 7 Z7[ \2 DBMS Y4$ 67 J26 >6 &&4'< $ execute write9read' )& DK ]8, G OSJ2.' $/ (Data Life cycle) D# &^$W LX D6# 6% 6GX = 6_+# '6, DBMS '6)', D# &^$W >.';] 5 1-DBMS 7 ) 3E :'4;', DBMS&4 7 ) 3E $7 )$, )', & Z7[ D 9 G 9 &2,:)&2,) )$, Z7[ $7 DQ# '$@ Ka ', -K R &, &, Z7[ )G $7 $74.'?-H/ 3 ', (write);7? (read)l'^ L PbU $7 ^ > )$, G $7 $74 Z7[ R &7,?* &, $7 $74:(Name-dependant)* &,&7, &7,?)7&, $7 $74 :(Data-Dependant) &, &7,... LE9L= &,&7,:(Context-Dependant)&= &,&7, (History-Dependant)&c[ &, &7, $ e7&, &7,:(Result-Dependant)&d7 &,&7,

4 2-DBMS 7 ) 3E )?=d 6K &E;# L$,4 )G?=d D$f ', DBMS.'.7< 2 'W _+# GK? &, GX g[ 7 )G.W$, ;7:$@ $A. g[ Z7[ )G.W$, Z7[ ) &, L 9? $ :(Covert Channel) LG )G14 = )K 6, =6d $6h D6Kb% LX 6 ', LE '. L$,4 &4 8 ; &,.'4 ' *(7 $h %. )'7 = +7 (Inference Control)i77 $74 M, ; >4 &, L &4 aggregation M, )$@E, PK.$4 ' = )$)G77 &, 7 3-DBMS 7 ) 3E (Poly-instantiation) 'W.D+7 7 J2, */ > = & ;'W (Auditing))$=,.'?, '+ 3 i77 $74 )$, )$=, &, j,$ DKb% back door R $..'?, $l LE DBMSk$% = $7 G (Uniformity of Mechanisms) G3E 7^E 6^$, 76, 6 6, O.$ ) $74 Z7[ ) < O^.7< )$,.$@ $/ +7 m$7< )G3E 0 4 6# $6 &, 'W$.'' $/ R8? ^ *7 4 ', 7 ) $74. n7 -,/ $h 4 :

5 1-DKb% N )& N k6$% = 6G 6 $6f:(Well-formed Transactions) Z$8 o^ ) Y4$ (Arbitrary Procedures) )7^)& )&, $: o^ )G<4$ (Authenticated Users) '? k' L$,4.? d =d L$,4 &, ', G D$f (Least Privilege)=d -/'# )$6, =6 6 M, =d &4 &Kd, L$44 )$, L$,4 )= ' )$, -N > L<4 d.'4 n$^ '7 G &, $,4 >:(Separation of duties)z_ >E+ (Continuity of Operation) DK ' (Replication)) $E *+ >4, (Reconstruction of Events)M/ )= =,.? +7 b, '? k# Z<4 ',.7? 7: before-image after-image auditing*+ >4, 9 2-DKb% N )& N 8/, L$4 >W 6 6 $( = )'G )$, M/ ) ), E$ DN &, L$4 >W *7 ; +7 r@.'?, * ;$ ; L3 ', *7 = +7 o ;$ (Delegation of Authority)$' s+.< = &4 '?, ) &, # ;K Z28 ', s+ d

6 1-System R)?=d '! &N K = /' LK &, 9IBM)DBMS;7[ = '$@ $/ _+# &4'7?LK&, ' '?, ' & )G1'' ' ;.'E ' $7 DB*7 &,&4'7*7 L$,4 L GK ::$@ $A ' $= $7 DQ# ' > = G L'^ )$,:Read ' &, G L$4 &:v)$,:insert ' > = G ]8, wl# )$,:Delete ' > )G ]8, $f )$,:Update = ' > -4 wl# )$,:Drop >6 &6,&64 update$6 '4 4 DN &, ' > &, $7 DQ#.? R ' * L System R)?=d '.'E.7< (Decentralized) '? M=DN &, )?=d $' 9'. '' '> d LE r$,4 $ LX )$6, )=dr $=d Pb4 DN &,' ' d 1' $,4 > $@.'?,&7? ' '?,'> ' ;&4 2$? $.'2K =d ]8, L$,4 $ &,&4 k# ;(LX '4 d) ' >1 >6? )'G*7 &4 G?=d &Kd&, $ $,4 &, k# > )2K,.? &:v)?=d $6 &6, =6d )2K k#l )$, grant option $ &,' )?=d > )2K.'?, $ L$,

7 3-System R)?=d ' (s, p, t, ts, g, go) :$8 'W > DN &, '7 )?=d $? 2K =d > &, &4 4 -K:s.? 2K &4 )=d k# L:p? R LX &, )?=d &4 1':t. '? d 2K -K L= LX &4 = :ts. $4 2K =d &4 K:g '?, {yes,no}$( = E &4 grant option L:go <B, select, T, 10, A, yes> <C, select, T, 20, B, no> :U.'?, g[< ', 3 &%,$ L7 9'?, update)?=d -K $@ Jv P'8,) * d revoke-k *7,&4* &-1;&, L= (.* 13 4-System R)?=d ' :,'^ $= DN &, SQL grant7 &4' +7 PUBLIC= ' user-list) &,' '4 2K -K '6^ 2K &%,$ ' )$, k# ; L$,4 &, DN ;.'? 6G -6K $ 'W$. * )$@ y=, k# '?, &7? 2K k# &4 $,4 $.$, y=, 9' '? 2K O &4 )?=d k#, '^ $= DN &, SQL revoke

8 5-System R)?=d ' revoke-k 3E (Recursive) DN &, y=, -K System R.' d (Cascading))<,X 06$ ;6&6, x$,4 &, y$,4 = t)$, p)$@ y =, xo '? 2K t)$, p)g?=d &4? Z$8. '< 2K 3@$ y&,. ;, = ', 2K ; $z )'8, 'b U 15 6-System R)?=d ' A 10 B 30 D 40 E 70 G 20 C B has granted a privilege to D, who has passed it to E, who has passed it to G F 10 B A D B revokes D s privilege C F 16 8

9 7-System R)?=d ' & ')$, ' ]8, &4' L$,4 &, LE ;System R.' Z$8 ' $.'?.7&,&7,)?=d.7< )$, 4 o > ; :U )$, '6', G &, $7 =d G A$,4 &,'^ = B' B$,4 salary>1000&4 2K A&, )?=d' LX )$, =, LX )$,' > ' DN ; ' ' 17 8-System R)?=d ' ' & ' ) {(# L &( 6 ;6E '6 >61 96W (View Semantics)' )8 &4 ; &, &7,.'?, &7? & ' &,. )$' )=d 6 & ' )$, k# ; X &4 ; &, Pb4 ' > )$, k# > ;7?. 7, & =6d ;6 9'6?, &7? grant option, )=d& ' )$, $,4 $@.?'^grant option, * &%,$')$,. ' Z$8 L= w$8 (Time Stamp) = 0W$,.$@ Z$8 &%,$ = 0W$, L= ' >1 {(#

10 9-System R)?=d ' 1-' )= &6, &62, ' &, $7 )$, L$,4 &, j,$ )?=d DKb%.? $^ SYSCOLAUTH SYSAUTH) : $= D+N SYSAUTH '?, )?=d&4)$,4:userid.? d LX )$, )?=d &4 1':Tname ('=V& '=R).'4 g[< Tname ' R:Type. $4 2K k# userid&, &4)$,4:Grantor ( 0~$: Y '() '? $,4 &, read=d &4 = ''<:Read ( 0~$: Y '() '? $,4 &, insert=d &4 = ''<:Insert ( 0~$: Y '() '? $,4 &, delete=d &4 = ''<:Delete '? L7 LX $,4 &, update=d &4 G7 ''<:Update $^ grant option, '? =d X &4 LX ''<:Grantopt System R)?=d ' 2-' )= L76-6 > SYSAUTH' &4 = = SYSCOLAUTH '.< $_ G ' ; DN ;.'?, 'X some&4 Update : $= D+N SYSCOLAUTH '?, update)?=d &4)$,4:UserId. '? Z$8 LX )$,update k# &4 1' ''<:Table. '? Z$8 LX )$,update k# &4 7 :Column. $4 2K k# ;&4)$,4 :Grantor $^ '? grant option, =d ; X &E ''<:Grantopt

11 12-System R)?=d ' ' $, L$ $, O 1993 non-cascadable revoke cascadable revoke )'8,'b non-cascadable revoke = )& ;7? System R)?=d ' A 10 B 30 D 40 E 70 G 20 C F B has granted a privilege to D, who has passed it to E, who has passed it to G A 10 B C D E F G B revokes D s privilege 22 11

12 ; ) )8 N )G@ :'E 4 N 1#, ' SDBMS System-High.? ;E 7 J2 ;$Q, L$,4 &, o ; E6?X 7 &,&4 $ L.G > )= E?X.'? 1# ; Q, 7 > &3 4 ^$, &7.1, '^ $l LE )DBMS= +7 Multilevel -66,/ $66h 66 (Trusted) 667K 66 )66DBMS = $, (Untrusted)7K Trusted Subject Arch. 7K OS DBMS> = +7,» Woods Hole Arch. :v 7K )$7:, 7K -,/ $h DBMS> = +7 Replicated 9kernelized 9Integrity Lock: R & $,»» 23 ; ) )8 R Architecture Research prototype Commercial DBMS Integrity Lock Mitre TRUDATA Kernelized SeaView Oracle Replicated NRL Trusted Subject A1 Secure DBMS Sybase Informix Ingres Oracle DEC 24 12

13 Trusted Subject Arch )$6, L $/ O )$, 7K -,/ $h )front-end=) &Kd (high low) D+7 7 \2 -E6< (Trusted Computer Base) TCB> TOS TDBMS.' 2 'W)? = _+# DBMS {+ ; J2 $, Q, J2.' J2 )G.W$,)$@E,, -# ; = Sybase 25 High user 2-Trusted Subject Arch low user Untrusted Front end Untrusted Front end Trusted DBMS Trusted OS Database (DBMS & NON-DBMS DATA) 26 13

14 1-Woods Hole Archs 7K -,/ $h )front-end = )&Kd & K O > &Kd ; = y.= LX L d DA -K &62, 7K -,/ $h back-end >, y $_ ; Woods Hole Archs High user low user Untrusted Front end Untrusted Front end Trusted front end (reference monitor) UnTrusted DBMS Database 28 14

15 1- Integrity Lock Arch 6?=$ y Y K &4-7 (Untrusted Front-end) UFE> &,.'' d $ )$, 67K -,/ $h DBMS UFEL &4 3 (Trusted Front-end) TFE>.'4 -K (Trusted Filter)7K $7: > LK &,&Q;. $/ 67 06W$, &, j,$ DKb% &4? > )$, ƒ[ ': > stamp. & 9'?3 $: > 1$74 ) $.'E '1 TFE&, stamp.'?, i77 % ; =d $h DKb% < N -E< projection selection= +7 K &, DBMS & UFE TFE -H;-# 29 High user low user Untrusted Front end Untrusted Front end Trusted Filter Cryptographic Unit Append Check Stamp Stamp Query Store Response UnTrusted DBMS Database 30 15

16 Kernelized Arch. 6 $7 6 &64 $6@ 6 $6/ +7 7K OS> ). $7 $74 Ka DB E3: 67K 6 OS '? $^ &,< 7 )G.W$,) DB)?.'?, 6 -'6. 26 > ) $7 &, 2 'W $7 d.'4 31 High user Kernelized Arch. low user Trusted front end Trusted front end High DBMS Low DBMS Trusted OS Database (High & Low) data 32 16

17 Replicated Arch. )8 ; '< )= L4 8/ O )'8, 'b -E? 33 High user low user Trusted front end Trusted front end High DBMS Low DBMS Database (High & Low) data Database (Low data) 34 17

18 $E<,

Multilevel relations: Schema and multiple instances based on each access class. A multilevel relation consists of two parts:

Multilevel relations: Schema and multiple instances based on each access class. A multilevel relation consists of two parts: The Jajodia & Sandhu model Jajodia & Sandhu (1991), a model for the application of mandatory policies in relational database systems. Based on the sec classifications introduced in BLP. It extends the