Database Security. Professor Sushil Jajodia George Mason University

Transcription

1 Database Security Professor Sushil Jajodia Geore Mason University Discretionary Access Controls Users can protect what they own. The owner may rant access to others. The owner may define the type of access (read/write/execute) iven to others. Pae 1

2 Access Control Mechanisms Identification and Authentication (I&A) Security throuh Views Stored Procedures Grant and Revoke Query Modification Identification and Authentication I&A provided by DBMS can be distinct from I&A provided by the underlyin OS For example, in SQL/DS, CONNECT <user> IDENTIFIED BY <password> Pae 2

3 Security Throuh Views EMP NAME DEPT SALARY MANAGER Smith Toy 10,000 Jones Jones Toy 15,000 Baker Baker Admin 40,000 Hardin Adams Candy 20,000 Hardin Hardin Admin 50,000 None Example CREATE VIEW TOY_DEPT AS SELECT NAME, SALARY, MANAGER FROM EMP WHERE DEPT = 'Toy' TOY_DEPT NAME SALARY MANAGER Smith 10,000 Jones Jones 15,000 Baker Pae 3

4 Example CREATE VIEW TOY_EMP_MGR AS SELECT EMP, MANAGER FROM EMP WHERE DEPT = 'Toy' TOY_EMP_MGR NAME Smith Jones MANAGER Jones Baker Example CREATE VIEW AVSAL(DEPT, AVG) AS SELECT DEPT, AVG(SALARY) FROM EMP GROUP BY DEPT Pae 4

5 Stored Procedures Some systems allow for compilin a proram first and then executin it later. The user who compiles a proram becomes the owner of the proram, and ives others execute privilee usin the RUN command GRANT RUN ON proram_a TO JAJODIA Suppose proram_a needs to access the relation EMP. Jajodia can execute proram_a even thouh he does not have permission to access EMP The Grant Command GRANT <privilee> ON <relation> TO <users> [WITH GRANT OPTION] GRANT SELECT ON EMP TO JAJODIA GRANT SELECT ON EMP TO JAJODIA WITH GRANT OPTION GRANT SELECT, UPDATE(SALARY) ON EMP TO JIM, JILL GRANT ALL PRIVILEGES ON EMP TO SMITH GRANT SELECT(NAME,DEPT) ON EMP TO PUBLIC The GRANT command applies to base relations as well as views Pae 5

6 The Revoke Command REVOKE <privilees> [ON <relations>] FROM <users> REVOKE SELECT ON EMP FROM JAJODIA REVOKE UPDATE ON EMP FROM SMITH REVOKE RESOURCE FROM ABRAMS REVOKE DBA FROM SMITH CASCADE Timestamped Authorizations 10 B E A D 20 C F Pae 6

7 Cascadin Revocation Grant sequence: A B C D B revokes privilee from C : A 10 B Timestamps Make a Difference 10 B E A D 20 C F Pae 7

8 Timestamps Make a Difference 10 B E A D 20 C F Nontimestamped Authorizations B E A D C F Pae 8

9 Cascadin Revocation Grant sequence: A B C D B revokes privilee from C : A B Revoke Operation Under Nontimestamped Model B E A D C F Pae 9

10 Query Modification JAJODIA: GRANT SELECT ON EMP TO THOMAS WHERE SALARY < THOMAS: SELECT * FROM EMP DBMS: SELECT * FROM EMP WHERE SALARY < Note: Note: Althouh we we can can accomplish this this throuh views, there there are are sinificant differences Limitations Many views cannot be updated Neative authorization is not possible It is enerally difficult to determine who has access to what (THE SAFETY PROBLEM) Cannot withstand sophisticated attacks Pae 10

11 MODES OF OPERATION SYSTEM HIGH MULTILEVEL SYSTEM HIGH DBMS'S All users are cleared to the hihest level of data stored in the database All outoin data below system hih must be scrutinized manually by a qualified human uard prior to its release Pae 11

12 SYSTEM HIGH DBMS'S DATA PEOPLE HIGH LOW HIGH SECURITY PERIMETER SYSTEM HIGH DBMS'S DATA PEOPLE HIGH LOW LOW GUARD HIGH SECURITY PERIMETER Pae 12

13 SYSTEM HIGH DBMS'S ADVANTAGES Existin DBMS's can be used with no chane DISADVANTAGES Cost of clearance procedure investiation costs opportunity costs Increased security risk due to more people bein cleared at hiher levels Manual review of low data released from the system costly, slow does a "human in the loop" make it secure? Multilevel Secure Relational Model: Issues Granularity of Protection - In operatin systems, protected objects are files. - In databases, there are several possibilities: relations, attributes, tuples, data elements. Which of these should a DBMS implement? Relation level is easier to implement, but may be too inflexible. Data element level aravates many problems (such as polyinstantiation). Pae 13

14 Relation-Level Granularity A SECRET USER SEES: Starship Objective Destination Enterprise Exploration Talos Voyaer Spyin Mars AN UNCLASSIFIED USER SEES: Starship Objective Destination Enterprise Exploration Talos Voyaer Exploration Talos It It is is difficult to to relate the the two two instances. If If the the U-user chanes the the destination of of Enterprise to to Mars, should a chane be be made to to the the Secret instance as as well? Attribute-Level Granularity A SECRET USER SEES: Starship U Objective C Destination S Enterprise Exploration Talos Voyaer Spyin Mars Values for for each attribute are are all all visible at at some level (and above). We We cannot model an an application where some starships, but but not not all, all, are are unclassified. Pae 14

15 Tuple-Level Granularity A SECRET USER SEES: Starship Objective Destination TL Enterprise Exploration Talos U Voyaer Spyin Mars S AN UNCLASSIFIED USER SEES: Starship Objective Destination TL Enterprise Exploration Talos U We We cannot model an an application where the the destination of of Enterprise is is Secret and, therefore, invisible to to U- U- user Element-Level Granularity A SECRET USER SEES: Starship Objective Destination Enterprise U Exploration U Talos U Voyaer U Spyin S Mars S AN UNCLASSIFIED USER SEES: Starship Objective Destination Enterprise U Exploration U Talos U Voyaer U Null U Null U We We have maximum modelin flexibility, but but we we compound the the polyinstantiation problem. Pae 15

16 Write Ups Althouh BLP permits write ups, DBMSs ususally permit a subject to write at its level only Usually a subject requires special privilees to be able to write up Trusted Subjects Not all subjects abide by the two BLP restrictions. Some subjects (called trusted subject) have special privilees that permit them to bypass certain MAC controls For example,trusted Oracle permits these special privilees: READUP which allows subjects to read data at hiher access classes WRITEUP which allows subjects to write data at hiher access classes WRITEDOWN which allows subjects to write data at lower access classes Pae 16

17 Polyinstantiation What is polyinstantiation? How does polyinstantiation occur? Primary Key in Classical Relations X is a primary key of a relation scheme R if any relation r for R at all times satisfies: Uniqueness Property r does not contain two distinct tuples with the same values for X. Minimality Property No proper subset Y of X satisfies the uniqueness property. Pae 17

18 Example Allowed: Starship Objective Destination Enterprise Exploration Talos Voyaer Exploration Talos Not Allowed: Starship Objective Destination Enterprise Exploration Talos Enterprise Spyin Mars Polyinstantiation with Tuple Labelin S-instance: Starship Objective Destination TL Enterprise Exploration Talos U Enterprise Spyin Mars S Questions: How many starships are there? What are the real objective and destination of Enterprise? Pae 18

19 Polyinstantiation Due to Low Users S-instance: Starship Objective Destination Enterprise Exploration Talos U Voyaer Spyin Mars S U-instance: Starship Objective Destination Enterprise Exploration Talos U U-user: Insert (Voyaer, Exploration, Mars). Refuse Update Downward covert channel Accept Update: 1) Overwrite hih data May lead to serious interity problems 2) Do not overwrite hih data Show the hih user both tuples The 2nd option leads to entity polyinstantiation Polyinstantiation Due to Hih Users U-instance: Starship Objective Destination Enterprise Exploration Talos U S-user: Insert (Enterprise, Exploration, Mars). Refuse Update Denial of Service Accept Update Tuple Polyinstantiation Pae 19

20 References S. Jajodia, R. S. Sandhu, B. T. Blaustein, Solutions to the Polyinstantiation Problem, In Information Security: An Interated Collection of Essays, M. Abrams, S. Jajodia, H. Podell, eds., IEEE Computer Society, Evaluated DBMS Products Sybase SQL and SQL Secure Servers Evaluations in process (March 20, 1995) with two candidate classes SQL Server--C2; SQL Secure Server--B1 INFORMIX-OnLine/Secure TCSEC C2/B1 RAMP November 1994, ITSEC E3 April 1995 Oracle7/Trusted Oracle7 TCSEC C2/B1 April 1994, ITSEC E3 September 1994 Pae 20

21 Evaluated DBMS Products INGRES/Enhanced Security ITSEC E3 May 1993 Provides ANSI DAC & MAC Open INGRES/Intellient Database In ITSEC evaluation at E3 Provides ANSI DAC ADABASE ITSEC E1 May 1993 Only on VAX/VMS 5.4 and above [Trusted] Oracle7 EVALUATED PRODUCT: [Trusted] Oracle7 VENDOR: Oracle Corporation RELEASE: with the Procedural Option DATE: 5 April 1994 TCSEC EVALUATION CLASS: [B1]/C2 ITSEC EVALUATION: E3 OS PLATFORM: HP-UX BLS Anticipated that ports to additional platforms will be evaluated under RAMP Pae 21

22 Trusted Oracle Version 7.0 Trusted Oracle can be confiured in DBMS MAC mode OS MAC mode TCB in Trusted Oracle is layered into two TCBs: OS TCB DBMS TCB The way MAC is enforced depends on the mode In DBMS MAC mode, DBMS TCB is responsible for labelin DBMS objects and enforcin MAC on DBMS objects In OS MAC mode, OS TCB is responsible for labelin DBMS objects and enforcin MAC on DBMS objects DBMS MAC Mode Architecture MAC is enforced throuh a trusted subject architecture DBMS runs as a trusted subject with OS MAC privilees OS TCB enforces MAC only on OS storae objects and DAC on OS named objects DBMS TCB enforces MAC on database storae objects (tuples of a relation) and DAC on database named objects (tables and views) Pae 22

23 Polyinstantiation in DBMS MAC Mode Two types of interity constraints can be specified on tables UNIQUE key interity constraint ensures that each value in a column or a set of columns is unique PRIMARY key interity constraint ensures, in addition to uniqueness, ensures that the values are not null Different Options for Enforcin Uniqueness Enforce these constraints (hence no polyinstantiation) and audit the covert channel Audit all insertions (successful and unsuccessful) Audit all SQL statements that return an Oracle messae because the specified structure or object already exists Make the rowlabel column part of the unique key (hence no covert channel) Thus, the table will have polyinstantiation. If it is necessary to maintain uniqueness, you must periodically eliminate the duplicate values. Use a sinle, multilevel sequence as a default value for the unique or primary key column (note that this sequence may introduce a covert channel) Use a separate sequence at each security label as a default value for the unique or primary key column Pae 23

24 Advantaes of DBMS MAC Mode Ease of administration Simpler multilevel application development Ability to enforce data interity across multiple levels Superior performance when applications require data at several levels simultaneously OS MAC Mode Architecture There is a separate database for each security level There is communication between these databases so users at hiher levels can read data at lower levels In OS MAC mode, MAC is enforced throuh a kernelized (aka TCB subset) architecture A database named object is stored as one or more sinle-level OS files OS TCB is responsible for labelin these OS files and enforcin MAC and DAC on them DBMS subjects must comply with the OS security policy DBMS TCB is responsible for DAC on database named objects Pae 24

25 Polyinstantiation in OS MAC Mode It is not possible to define multilevel UNIQUE or PRIMARY key interity constraints (since OS MAC mode prohibits the ability to read rows at hiher security labels) Thus, the only option is to use sequences Advantaes of OS MAC Mode Can be as secure as the underlyin OS with respect to the MAC Sinle level applications do not suffer from any performance penalty Will also perform well if the number of data levels is small Archival and storae media are sinle-level Pae 25

26 [Trusted] Oracle7 Audit Employs OS I&A mechanism Provides a hihly confiurable set of auditin capabilities Ability to selectively audit very specific operations Application specific auditin implemented usin Oracle7 triers Oracle (Unevaluated) Security Features Secure Network Services Add-on packae to Oracle SQL Net connectivity software Provides comprehensive, reliable and transparent data security Based on technoloy licensed from RSA Data Security, Inc. Adds full datastream encryption and interity checkin Announced May 2, 1995: Areements with Banyan Systems Inc., Bull Worldwide Information Systems, CyberSAFE Corporation, ICL Enterprises, Identix and Security Dynamics Centralized authentication servers based on Kerberos and SESAME SecurID Card Sinle sin-on to heteroeneous environments Finerprint identity verification Pae 26