Trusted DBMS Architecture. Trusted DBMS Architecture featuring Trusted OS

Transcription

1 Trusted DBMS Architecture featuring Trusted OS KIM, Hyung Chan Security Research Group, New Wave Computing Lab. Dept. of Information and Communications, Gwangju Institue of Science and Technology (GIST) Oct 10, 2005 for SSR Tokyo Dept. of Info. & Comm., GIST, 1 Oryong-dong Buk-gu Gwangju , Korea Contents Trusted DBMS Trusted DBMS Architecture Some Korean Products for DB Protection Security Research Group 2 1

2 Database Security Security in DB systems [Russell et al. 1991] Secrecy Disclosure to an unauthorized individual Integrity Improper modification System availability Avoiding denial of service Database Protection Requirements Protection from improper access Protection from inference Integrity of the database Operational integrity of data Semantic integrity of data Accountability and auditing User Authentication Management and protection of sensitive data Multilevel protection Confinement Security Research Group 3 Security Control in Database Flow Control [Denning 76,77,82] Regulation the information flow among accessible objects Ex. Forbidding low-to-high information flow. Inference Control [Denning & Schlorer 83] Protecting data from indirect detection Ex. statistical inference Access Control Responsible for mediating all accesses in the system according to rules Security Research Group 4 2

3 Trusted DBMS including Security Features DBMS End User On-line queries Login Authentication User Profiles Logs Auditor Security axioms Schemas: Views Logical scheme Internal scheme Authorization System Data Manager Authorization rules Transaction Manager OS control Application programs File system DBA SA Database H/W control Executable files Security Research Group 5 Trusted DBMS Design with TOS TOS is useful in realizing TDBMS. Managed(Security-relavant) I/O function. Encrypted Filesystem. Extended Access Control primitives. Multilevel protection Role-Based Access Control However, DBMS Security shouldn t be considered a simple extension to the underlying OS functions. Security Research Group 6 3

4 Trusted DBMS Design with TOS Differences btw OSs and DBMS. [Henning 88] Object granularity obj. in DBMS is more finer. Semantic data correlations Access control should be enforced considering semantic relations among data. Metadata Structure of the data. It also target of the protection. Logical and physical objects OS(Physical): file, memory, devices DBMS(Logical): view, relations Multiple data types Statistical mode, administrative mode (In OS, only physical access) Static and Dynamic objects In DBMS, objects can be created dynamically (ex. Result of query) Multilevel transactions In OS, only elementary operations involved. Data life cycle Data in the database has a long lifecycle. Security Research Group 7 Trusted DBMS Architectures Two General Types Woods Hole Architecture [US Air force Study 1982] MAC enforcement is delegated to Trusted OS. Development of multilevel secure DBMS using untrusted off-the-shelf RDBMS with minimal changes Kernelized and Distributed Architecture Trusted Subject Architecture MAC is enforced by itself Security Research Group 8 4

5 Trusted DBMS Architectures Kernelized Architecture Multiple off-the-shelf DBMS are associated with each TFEs. TFE enforce multilevel protection by attaching security labels. Trusted OS responsible for the physical accesses to data in the database with mandatory protection. SeeView(Reseach Prototype) and Oracle(Commercial) High user High Trusted front end (TFE) High DBMS Trusted OS Database (high & low data) Low user Low Trusted front end Low DBMS Security Research Group 9 Trusted DBMS Architectures Pros and Cons of Kernelized Architecture Pros Easy to implement High level assurance Separation of data by TOS Easy evaluation If TOS is well-evaluated. Cons Additional overhead As TOS involves to manage data by the security level. Need-to-combine data from multiple level of DB On higher trusted user s query. Distributed Architecture Against cons of Kernelzied arch. An RDBMS at security level i contains at level i can access For ex. (i. i-1,.. 1). Additional overhead in update operation. Security Research Group 10 5

6 Trusted DBMS Architectures Trusted Subject Architecture High user Untrusted front end Low user Untrusted front end TCB TDBMS + TOS Trusted DB acting as a trusted subject with respect to the OS. Subject having DBMS label are considered trusted subjects and are exempt from TOS mandatory controls. Sybase (with VAX(B2), Secure Unix(B1)) Trusted DBMS Trusted OS Database Security Research Group 11 Trusted DBMS Architectures Pros and Cons of Trusted Subject Architecture Pros Overhead minimization in retrieval and update. TOS may just maintain one database object. DBMS has access to all levels of data at the same time. Cons Large amount of trusted code required. Lacks the potential to be evaluated. Possible problem on separation of mandatory objects. Security Research Group 12 6

7 Threats to DB Introduced by Inadequate OS Security Attacks on Operating Systems OS Kernel exploitation Ptrace, Page Fault exploitation, LKM attack Program Attack Buffer overflow, TOCTTOU Attacks on Network Module Remote Attack Buffer overflow from remote site [ex. MS RPC] Inadequate Web script SQL Injection [Over 50% of CVE advisories] Many cases involve the possibility of database corruption. DB itself needs to equip self-defending or self-healing mechanisms. One case: Self-Healing DB, Transaction level intrusion tolerance [P.Liu 04] Data consistency check and recovery after facing the attack Security Research Group 13 Some Korean Products for DB Protection (3) Security Research Group 14 7

8 D amo Penta Security (In Korean) DB Extrusion Prevention System PKI based DB encryption/decryption solution Target Platform: Oracle Main Function Batch encryption of stored data. Column based runtime encryption/decryption. User access control for protected columns. Access Control Audit for unprotected columns. Encryption/Decryption Security Research Group 15 DB Safer & Charkra PNP Secure ( Main Function SQL Logging and Monitoring Access Control Attr.: User, IP, SQL, target schema etc. Network console logging (on DBMS connection) Policy driven control for settlement transaction (DB Safer- Decide) Inetworks ( Access Control SQL based on organizational transaction process SQL analysis (Server Time, Session Count, Transaction Usage, Return Row ) Log Audit Security Research Group 16 8

9 Characteristics Korea Commercial Products Ad-on type on Major vendor s DBMS Sybase, Oracle, DB2, MS-SQL, Informix Korean Commercial DBMS: UniSQL (DAC based Access Control) Ad-on type protection software exists. Security Research Group 17 Concluding Remark Trusted DBMS Architecture Coupled arch. with Trusted OS Korean Products Recent Research?! Some illuminated subjects: Security Administration of Distributed Database. Object-Oriented / Site(Domain) bounded Network Security perspective Access Control in SQL (MLS/RBAC) Cryptographic techniques in Database Inference Control Managed Transaction XML with DB Security Embedded or Real Time DB Secure DB management in wireless mobile environment Not much on Security Architecture with Trusted OS. (Mostly before the middle of 90??) Security Research Group 18 9

10 Bibliography S. Castano, M. Fugini, G. Martellam, P. Samarati, Database Security, ACM Press (Prentice-Hall ptr), M. S. Oliver, D. L. Spooner, Database and Application Security XV, Proc. of IFIP TC11/WG th Annual Working Conference on Database and Application Security, Kluwer Academic Publishers, Lunt, T.F. Report from the second RADC database security workshop Computer Security Applications Conference, 1989., Fifth Annual 4-8 Dec Page(s): N. Wu, Database Security Coursework, Walid Rjaibi, An introduction to multilevel secure relational database management systems, Proceedings of the 2004 conference of the Centre for Advanced Studies on Collaborative research, VORMETRIC Inc., Defending OS Vulnerabilities in an Oracle Environment, Vormetric Technical Brief, P. Liu, J. Jing, P. Luenam, Y. Wang, L. Li, S. Ingsriswang, The Design and Implementation of a Self-Healing Database System, Journal of Intelligent Information Systems, Vol. 23, No. 3, , 2004 Security Research Group 19 10