Multilevel relations: Schema and multiple instances based on each access class. A multilevel relation consists of two parts:

Similar documents
#$% &'( ) *+)$,-./ $., (Logical DB Sec.) (2 )6 7 )8 #$% ) 9-: ;.*< 34$7 (2 6#$% -6#$;61 = '6, 9; > $A.

Discretionary Vs. Mandatory

Database Security Overview. Murat Kantarcioglu

Dion Model. Objects and their classification

Discretionary Vs. Mandatory

Mandatory Access Control

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Database Security. Authentification: verifying the id of a user. Authorization: checking the access privileges

Access Control. Discretionary Access Control

Trusted DBMS Architecture. Trusted DBMS Architecture featuring Trusted OS

Advanced Systems Security: Multics

Database Security. Professor Sushil Jajodia George Mason University

FOREWARD. Keith F. Brewster May 1996 Acting Chief, Partnerships and Processes

Access Control Models

Acten (Action Entity) Model

CSE 565 Computer Security Fall 2018

An Extended Authorization Model for Relational Databases

Access Control. Protects against accidental and malicious threats by

Towards Formal Evaluation of a High-Assurance Guard

Mobile and Heterogeneous databases Security. A.R. Hurson Computer Science Missouri Science & Technology

Access Control. Access control: ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions

MULTILEVEL POLICY BASED SECURITY IN DISTRIBUTED DATABASE

CHAPTER 5 SECURITY ADVANCED DATABASE SYSTEMS. Assist. Prof. Dr. Volkan TUNALI

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

DATABASE SECURITY AND PRIVACY. Some slides were taken from Database Access Control Tutorial, Lars Olson, UIUC CS463, Computer Security

Intrusion Detection Types

8.3 Mandatory Flow Control Models

Essay Question: Explain 4 different means by which constrains are represented in the Conceptual Data Model (CDM).

Security Models Trusted Zones SPRING 2018: GANG WANG

[19] P. P. Chen. The Entity-Relationship Model - Towards a unified view of data. ACM Trans. Database Systems (ToDS), Vol. 1, No.

Access control models and policies. Tuomas Aura T Information security technology

DAC vs. MAC. Most people familiar with discretionary access control (DAC)

Topics in Systems and Program Security

Distributed KIDS Labs 1

Verifiable Security Goals

Topics in Systems and Program Security

Issues of Operating Systems Security

Access control models and policies

Advanced Systems Security: Integrity

The Relational Data Model. Data Model

CISC 3140 (CIS 20.2) Design & Implementation of Software Application II

Chapter 14. Active Databases. Database Systems(Part 2) p. 200/286

The Relational Model. Chapter 3

The Relational Model. Chapter 3. Comp 521 Files and Databases Fall

CIS433/533 - Introduction to Computer and Network Security. Access Control

Real Application Security Administration

Labels and Information Flow

Data Dependence Analysis for an Untrusted Transaction Manager

Copyright 2004 Pearson Education, Inc.

Security Kernels C H A P T E R 6

The Relational Model. Chapter 3. Database Management Systems, R. Ramakrishnan and J. Gehrke 1

Advanced Systems Security: Security Goals

Drug-drug interactions database created by thousands of doctors in hundreds of hospitals.

Copyright 2016 Ramez Elmasri and Shamkant B. Navathe

Department of Computer Science Final Exam, CS 4411a Databases II

Asset Analysis -I. 1. Fundamental business processes 2.Critical ICT resources for these processes 3.The impact for the organization if

Systems:;-'./'--'.; r. Ramez Elmasri Department of Computer Science and Engineering The University of Texas at Arlington

Instructor: Jinze Liu. Fall 2008

Database Security Lecture 10

Lecture 21. Isolation: virtual machines, sandboxes Covert channels. The pump Why assurance? Trust and assurance Life cycle and assurance

Post-Class Quiz: Access Control Domain

Asbestos Operating System

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

Access control models and policies

Techno India Batanagar Computer Science and Engineering. Model Questions. Subject Name: Database Management System Subject Code: CS 601

Chapter 10 Advanced topics in relational databases

CS317 File and Database Systems

Complex Access Control. Steven M. Bellovin September 10,

Advanced Systems Security: Principles

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Design and implementation of a database inference controller

Oracle Database. Installation and Configuration of Real Application Security Administration (RASADM) Prerequisites

INSE 6160 Database Security and Privacy

A Practical Transaction Model and Untrusted Transaction Manager for a Multilevel-Secure Database System

Fundamentals of. Database Systems. Shamkant B. Navathe. College of Computing Georgia Institute of Technology PEARSON.

The Relational Model. Chapter 3. Comp 521 Files and Databases Fall

CS419 Spring Computer Security. Vinod Ganapathy Lecture 15. Chapter 5: Database security

1. Data Model, Categories, Schemas and Instances. Outline

Access Control Models Part II

The Relational Model. Outline. Why Study the Relational Model? Faloutsos SCS object-relational model

CONSTRAINTS AND UPDATES CHAPTER 3 (6/E) CHAPTER 5 (5/E)

Chapter 13: Design Principles

Database Management System (15ECSC208) UNIT I: Chapter 2: Relational Data Model and Relational Algebra

CDSE Workshop. CDS Concepts and Definitions. Elaine M. Caddick Principal Cybersecurity Engineer 19 July 2016

Rajiv GandhiCollegeof Engineering& Technology, Kirumampakkam.Page 1 of 10

Access Control in Federated Systems

Core Role Based Access Control (RBAC) mechanism for MySQL

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

Networks and security Data bases

Relational Database Systems Part 01. Karine Reis Ferreira

ITCS 3160 DATA BASE DESIGN AND IMPLEMENTATION

CSC 474/574 Information Systems Security

Introduction to Computer Security

Chapter 1 SQL and Data

Lecture 4: Bell LaPadula

AOG Systems Corporation

The DBMS accepts requests for data from the application program and instructs the operating system to transfer the appropriate data.

Computer Security: Principles and Practice

Access Control (slides based Ch. 4 Gollmann)

DESIGNING THE GEMSOS SECURITY KERNEL FOR SECURITY AND PERFORMANCE * Dr. Roger R. Schell Dr. Tien F. Tao Mark Heckman

Transcription:

The Jajodia & Sandhu model Jajodia & Sandhu (1991), a model for the application of mandatory policies in relational database systems. Based on the sec classifications introduced in BLP. It extends the standard relational model to consider the sec classification. Multilevel relations: Schema and multiple instances based on each access class. A multilevel relation consists of two parts: (1) A state-independent multilevel relation scheme R (A 1, C 1,, C n, TC), where each A i is a data attribute defined over domain D i, each C i is a classification attribute for A i, and TC is the tuple class attribute. The domain of C i is specified by a range [L i, H i ] which is specified as a sub-lattice of access classes. The domain of TC is [lub (L i ), lub (H i )]. (2) A collection of state-dependant relation instances R c (A 1, C 1,, A n, C n, TC), one for each access class c in the given lattice; each instance is a set of distinct tuples of the form (a 1, c 1,, a n, c n, tc) where each element a i is either a value of domain D i or null, each c i is a value of the specified range and smaller than tc, that is, c i Î[ L i, H i ] c i tc, and tc is the least upper bound of the classes of the attribute in the tuple: that is, tc = lub { c i : i=1,,n} Example of a multilevel relation Employee TS Instances at the S-level and TS-level of the Employee relation Properties of the model: Read and writes are controlled to the satisfaction of the No-Read-Up and No-Write-Down principles. Other restrictions are put to regulate polyinstantiation. (1) Entity integrity: Let AK be the apparent key of a relation R. A multilevel relation R satisfies entity integrity if, and only if, for all instances R c of R and t ÎR c (1) A i ÎAK Þt[A i ] #null (2) A i, A j Î AK Þt[C i ]=t[c j ], ie. AK is uniformly classified, and (3) A i ÏAK t[c i ]³ t[c AK ] (where C AK is defined as the classification of the apparent key) 1

Null values! Null values have two meanings: Corresponding to real null values or To attributes at a classification higher than the classification of the instance. Two similar value tuples with different attribute sec class (so hidden, turned to null)! Subsumtion relationship: t subsumes s, if for every attribute Ai: t [Ai, Ci] = s [Ai, Ci] or t[ai]!= Null and s [Ai] == Null. Properties of the model (cont.): (2) Null integrity: A mutilevel relation R satisfies null integrity if and only if for each instance R c of R both the following conditions are satisfied: (1) For all t ÎR c, t[a i ] = null Þ t[c i ] = t[c AK ]: that is, null values are classified at the level of the key. (2) R c is subsumption free in the sense that it does not contain two distinct tuples such that one subsumes the other A tuple t subsumes s if for every attribute Ai - t[ai, Ci] = s[ai, Ci] or - t[ai]!= null and s[ai] = null. 3) Inter-instance integrity Controlling the consistency among the different instances of a relation A multilevel relation R satisfies inter-instance integrity if and only if for all c c, Rc = s(r c, c ), where the filter function s produces the c - instance R c from R c as follows: (1) For every tuple t ÎR c such that t[c AK ] c, there is a tuple t ÎRc, with t [AK,C AK ]=t[ak,c AK ] and for Ai ÏAK t [ A i, C i ] = t [ A i, C i ] if t [Ci] c, && = <null, C AK > otherwise Inter-instance integrity (cont.): (2) There are no tuples in R c other than those derived by the above rule. (3) The end result is made subsumption free by exhaustive elimination of subsumed tuples. (4) Polyinstantiation integrity property: A multilevel relation R satisfies Polyinstantiation integrity iff, for every R c, for all A i : (AK, C AK, C i ) A i. That is, the apparent key, together with the classification of the key and the classification of the attribute functionally determines the value of this attribute. Access to Multilevel relations: Deal with the write operations (Insert, Update, Delete) Read is processed through the Read-Down principle. Informally: null integrity and interinstance integrity ensure that, if a tuple value at some security level can be filtered or derived from a higher-classified tuple, then it is sufficient to store the higher classified tuple in the multi-level relation. 2

Insert operation: The insert operation, from a c-user, has the following from: INSERT INTO R c [A i [, A j ] )] VALUES (a i [, a j ] ) The insert operation is granted, if and only if, the following conditions are satisfied: (1) t [AK] does not contain any nulls (2) For all u ÎR c : u [AK] ¹ t[ak] If the conditions are satisfied, the tuple is inserted into R c and all the instances R c >c Results of the operation INSERT VALUES John, Dept2,20K on S and TS instances of Employee from S subject S S TS Instance Update operation: An update operation from a c user has the following form: UPDATE R c SET Ai = S i [, A j = S j ] [WHERE P] Results of the operation UPDATE salary = 30K WHERE Name = Ann on S and TS instances of Employee from TS subject Where each s i is a scalar expression, and p is a predicate expression which identifies those tuples in R c that are to be modified If the conditions are satisfied, the update is propagated into R c >c according to the minimum propagation delay policy: only those tuples which are needed to preserve the inter-instance property are inserted in R c >c Result of the operation UPDATE Department= Dept1 WHERE Name = Ann and S and TS instances of Employee from TS subject Delete Propagation of Delete to Rc >c due to DELETE FROM RC [WHERE P] If t[cak] = c, delete any polyinstantiated tuple in Rc >c If If t[cak] < c, the tuple will continue to exist in all instances Rc >=t[ak]. Sam Rasool Jalili; 2 nd semester 1389-1390; Security, Sharif Uni. of Tech. 3

(تحدید) Confinement Is the problem of preventing a server from leaking info that the user of the service considers confidential. A process that does not store data, cannot leak it. Observing the flow of control can deduce info about the input. è A process than cannot be observed and communicate with the others, cannot leak info... Total isolation. Rasool Jalili; 2 nd semester 1389-1390; Security, Sharif Uni. of Tech. Covert channel The problem is that total isolation is impossible. Unconfined processes can transmit data over the shared resources. A covert channel is a path of communication that was not designed for communication. Transitive confinement. If p is confined to prevent leakage, the calling process q can also be confined to leak. Covert channel Two types of covert channels: 1-Use of storage to transmit info. èthe model should control all accesses to the storage. If it fails, covert channel arise. 2-All processes can obtain a rough idea of timeè time is a communication channel. All processes can read time and can write time. è a shared resource. Isolation Virtual Machine: simulating a computer system. JVM Analyzing all actions against leaking of info: SANDBOX A sandbox is an environment in which the actions of a process are restricted according to the security policy. E.g. JVM 4

Views Views on top of the base tables. A single and effective mechanism to support content-dependent authorization. e.g. User B creates table B and want to grant user A the authorization for just tuples with salary > 1000. What should be done?? Defining the view select * from T where a1>1000 and then grant B the read authorization on the view Views Privileges on views in comparison with privileges on the base tables?? Depends on the view semantics. Definitely, having a privilege on a view depends on having that on all tables directly referenced by the view. View on a single table or on multiple! Depending on the view semantics, the view owner may have more restricted than on the base tables. Privileges of the view owner determined at the time of view definition. Timestamp is the time of view definition. The grantor of the view, is whom has been assigned as the owner of the view at the definition time. Implementation of the model Two relations named: SYSAUTH and SYSCOLAUTH SYSAUTH has the following attributes: UserId: who has the authority Tname Type: R or V Grantor Read: The time at which the grantor granted the read privilege. Default is 0 Insert: The time Delete: The time Update: the columns on which the privilege is granted. It may have All or None or Some values Grantopt: the Grant operation. In the revised version, if two similar grants are happened, two records are inserted with different timestamps. SYSCOLAUTH: If there is specified some in the SYSAUTH update column, a tuple is needed for each column UserId Table Column Grantor Grantopt Fig 4.2 corresponding to Figure 4.1 (a) Extension of the model 1982 by Wilms and Linsday to consider group management. Set of users in a group. Groups may overlap. Applied in System R*, the distributed DBMS. Another extension: having cascadable revoke or non-cascadable revoke! Non-cascade revoke 70 B E G 10 30 40 A D 20 50 60 C F B has granted a privilege to D, who has passed it to E, who has passed it to G 40 70 10 B E G A 60 D 20 50 60 C F B revokes D s privilege 5

Main features of a Secure DB Arch. SDBMSs operate according to two possible modes: System-High or Multilevel In System-High DBMSs, all the users are cleared to the highest security. Before releasing data, a guard must review such data in order to properly release them. This model has the risk for security, as all users are cleared to the highest clearance level. It is simple!! Can use existing DBMSs. Multi-level mode Based on using trusted and untrusted DBMSs. Trusted Subject Archs Using a trusted DBMS and a trusted OS From scratch or extension of the security features. Woods Hole Archs, where an untrusted DBMS is used with an additional trusted filter Integrity Lock Kernelized Replicated Architecture Research prototype Commercial DBMS Integrity Lock Mitre TRUDATA Kernelized SeaView Oracle Replicated NRL Trusted Subject A1 Secure DBMS Sybase Informix Ingres Oracle DEC Trusted Subject Arch Figure in the next slide. A set of untrusted front ends is used to interface with different clearances (Low and High). TDBMS and TOS form a single TCB (Trusted Computing Base) DBMS is responsible for multi-level protection of DB objects. High level dominates the low-level. DBMS subjects and objects are assigned DBMS labels and so trusted and exempted from OS mandatory controls. Sybase adopts this solution by assigning tuplelevel labels. High user Trusted DBMS low user Woods Hole Archs General arch is fig 4.5 A set of untrusted front ends It then interface with a monitor (trusted front end) which cannot be bypassed. It interfaces an untrusted back end. Trusted OS (DBMS & NON-DBMS DATA) 6

High user Trusted front end (reference monitor) UnTrusted DBMS low user Integrity Lock Arch Figure 4.6 Connected via UFE performing pre and post processing of queries. An TFE (Trusted filter) is inserted between UFEs and the untrusted DBMS. TFE is responsible for enforcing sec functions and multilevel protection. Stamp contains sec label and other relevant control data. Stamps are generated and verified by the TFE. TFE responsible for generating audit records. The problem is leakage of unauthorized info and also inference. è selection, projection and must be handled in TFE or UFE!! Not in the DBMS Figure 4.7 High user Trusted Filter Cryptographic Unit UnTrusted DBMS low user Append Check Stamp Stamp Query Store Response Kernelized Arch. Figure 4.9 Trusted OS is used, responsible for the physical access in DB and enforcing mandatory access control. DB objects have similar sec labels stored in trusted OS. Converting multi-level relations into single level relations access. High user Trusted front end High DBMS low user Trusted front end Low DBMS Figure 4.10 Replicated Arch. Expensive. No implementation in real business. Trusted OS (High & Low) data 7

High user Trusted front end low user Trusted front end SeaView Research Prototypes High DBMS Low DBMS SeaView implements the Sea View security model using a kernelized arch. Designed to satisfy the A1 classification of DoD (verification design). Jointly by Oracle, SRI, and Gemini. (High & Low) data (Low data) Five layers: 1- GEMSOS TCB A Mandatory Security Kernel (GEMSOS security kernel) + the Non-Mandatory TCB. GEMSOS security kernel implements the requirement for mandatory policy. Enforces the mandatory sec policy through a labelbased mechanism. Has 8 protection rings: Ring attributes are assigned to each object. A ring number is assigned to each subject. A subject can access an object if its ring number is consistent with the object ring attribute. The Non-Mandatory TCB is responsible for audit and group management. 2- Resource Manager is responsible for providing the requirements of the Oracle DBMS and Sea View. It is a special-purpose OS outside the TCB, since the TCB should have the minimal design. Funcs: Creation of the file system, high-level device drivers, mapping of the high-level objects of DBMS to low-level objects of the OS. 3- Oracle Mandatory Prototype: Management of the single-level objects. Composed of the Oracle Run-Time environment + rewritten Oracle utilities Oracle pre-processor for supporting execution of embedded SQL. 4- MSQL processor: Dealing with multi-layer relations. Converting embedded SQL into normal SQL statements. It is an special SQL designed for SeaView, to deal with multilevel relations. 5- SeaView Users layer composed of the functions required to manage the DB that can be left untrusted. 8

A1 Secure DBMS ASD is a multilevel secure relational DBMS designed in 1992. A prototype is available. Objective: meeting the A1 criterion of DoD classification. Developed by the ADA language. On top of the A1secure OS. Permits interconnection of the trusted and un-trusted systems. It guarantees that data has been protected via both mandatory and discr. access control rules. Only one copy of data is stored in the system, accessed by different sec levels. ASD Can work in 3 different modes As a DBMS server on a LAN As a back-end DBMS for a host computer (single-level and multi-level) As a host-resident DBMS. Fig 4-12 (to be drawn on the board) Comm between untrusted processes is done through TCB. Enforces both BLP and Biba rules. Ingres Commercial Products Oracle Sybase (Sybase secure server) Informix SQLBase Table 4.2 page 266 Design of Secure DBs As the secondary requirement: most cases. è security is added as a library. As the primary requirement. Methodologies for secure software development is normally used in this case. Some cases OS security features are utilized. DoD guidelines Methodology for secure DB design: Preliminary analysis Security requirements and policies Conceptual design Logical design Physical design Figure 4.13 Separating security policies from security mechanisms. Preliminary analysis System risks Features of the database environment: single level or multi-level security support. Applicability of existing security products Integrity of the security products Performance of the resulting security system 9

Requirement analysis and sec policy selection Protection needs for different types of risk are different for different database systems. Sensitivity of information. High-risk and low-risk systems. Data accessibility of who has access to which data. Number and types of users. Reliance of security on the selected technologies. Degree of vulnerability to which the environment is exposed. Security policy selection Secrecy vs integrity vs reliability Maximum sharing vs minimum privilege Granularity of control Attributes used for access control: S/O, location, time, Integrity Priorities Privileges Authority Inheritance Conceptual design Designed through Identification of subjects and objects Identification of access rights granted to Ss over Os. Analysis of the propagation of authorizations in the system through grant/revoke privileges. Should be Complete, of all security requirements initially stated Consistent, if there should be no access, should not be directly or indirectly. Logical and physical design Logical design, mapping of the conceptual design into a logical model supported by the specific DBMS being used; e.g. considering views, queries, Physical design, how to implement access rules and their relationship with the physical structure of DB. Recommendation of implementing security mechanisms. Economy of mechanisms: simplicity as much as possible. Efficiency Linearity of costs, the operation cost should be proportional to the actual use of the mechanism Privilege separation (responsibilities) Minimum privilege. Complete meditation Known design. Sec techniques should be well known for the client. Security by default. Minimum common mechanisms: Mutual independence between mechanisms. Psychological acceptability: easy to use, avoiding heavy restrictions è users to encourage protection, not trying to disable it!! Flexibility: having different policies Isolation: isolation of security mechanisms from the other components, so more resistant. Verifiability Completeness and consistency Observability: the mechanism and the possible attacks against it should be controllable. Problem of residuals: residuals (from the terminated processes) must be erased. Invisibility of data: if a user is unauthorized to access data must be unauthorized about the structure of data. Work factor: too much effort to break a mechanism 10

Intentional traps: Monitor the behavior and the sources of attacks. Emergency measures Secure hardware Programming language, the language, its compiler, Correctness The person relation schema for illustrating statistical database security [ FROM ELMASRI/NAVATHE FIGURE 22.3] 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback