Specification of Content-Dependent Security Policies

Similar documents
CSE 565 Computer Security Fall 2018

Instances and Classes. SOFTWARE ENGINEERING Christopher A. Welty David A. Ferrucci. 24 Summer 1999 intelligence

E-R Model. Hi! Here in this lecture we are going to discuss about the E-R Model.

Static type safety guarantees for the operators of a relational database querying system. Cédric Lavanchy

Statistical Databases: Query Restriction

Database Security Overview. Murat Kantarcioglu

THE EFFECT OF JOIN SELECTIVITIES ON OPTIMAL NESTING ORDER

Understanding Recursion

Chapter 2. DB2 concepts

CS2 Current Technologies Note 1 CS2Bh

CA IDMS. Logical Record Facility Guide. Release

SQL: Data Definition Language. csc343, Introduction to Databases Diane Horton Fall 2017

Database Security Lecture 10

Access Control Models

Relational Model: History

Access Control. Access control: ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions

Aaron Lovato. April 26, 2010

Integration of Product Ontologies for B2B Marketplaces: A Preview

Garbage Collection (2) Advanced Operating Systems Lecture 9

ASSIGNMENT NO Computer System with Open Source Operating System. 2. Mysql

Verification of Multiple Agent Knowledge-based Systems

Access Control. Protects against accidental and malicious threats by

Chapter 6 5/2/2008. Chapter Outline. Database State for COMPANY. The Relational Algebra and Calculus

Chapter 1. Types of Databases and Database Applications. Basic Definitions. Introduction to Databases

Slicing and Dicing Data in CF and SQL: Part 1

MEMORANDUM AND ORDER ON PLAINTIFFS' MOTION TO COMPEL

Why the end-to-end principle matters for privacy

Data about data is database Select correct option: True False Partially True None of the Above

COSC 304 Introduction to Database Systems. Views and Security. Dr. Ramon Lawrence University of British Columbia Okanagan

More SQL: Complex Queries, Triggers, Views, and Schema Modification

Enhancing Internet Search Engines to Achieve Concept-based Retrieval

Locking SAS Data Objects

DATABASE MANAGEMENT SYSTEM SHORT QUESTIONS. QUESTION 1: What is database?

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Illustrative Example of Logical Database Creation

maxecurity Product Suite

A Framework for Securing Databases from Intrusion Threats

CS121 MIDTERM REVIEW. CS121: Relational Databases Fall 2017 Lecture 13

Database Management System Dr. S. Srinath Department of Computer Science & Engineering Indian Institute of Technology, Madras Lecture No.

Choosing a sophisticated locking system: Where security is an issue, compromise is simply not an option

6. Relational Algebra (Part II)

Horizontal Aggregations in SQL to Prepare Data Sets Using PIVOT Operator

Database Optimization

Database Management System Dr. S. Srinath Department of Computer Science & Engineering Indian Institute of Technology, Madras Lecture No.

CIS Reading Packet: "Views, and Simple Reports - Part 1"

6.001 Notes: Section 6.1

FusionDB: Conflict Management System for Small-Science Databases

Supplementary Notes on Abstract Syntax

SAS Data Libraries. Definition CHAPTER 26

Slicing and Dicing Data in CF and SQL: Part 2

Relational Model Concepts

6.001 Notes: Section 4.1

Using Data Transfer Services

PROCEDURE POLICY DEFINITIONS AD DATA GOVERNANCE PROCEDURE. Administration (AD) APPROVED: President and CEO

Metaheuristic Optimization with Evolver, Genocop and OptQuest

UML data models from an ORM perspective: Part 4

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

COUNT Function. The COUNT function returns the number of rows in a query.

Objectives. After completing this lesson, you should be able to do the following:

CREATING CUSTOMIZED DATABASE VIEWS WITH USER-DEFINED NON- CONSISTENCY REQUIREMENTS

COMPUTER SIMULATION OF COMPLEX SYSTEMS USING AUTOMATA NETWORKS K. Ming Leung

Detecting Logical Errors in SQL Queries

Database 2: Slicing and Dicing Data in CF and SQL

Shaw Privacy Policy. 1- Our commitment to you

Earthquake data in geonet.org.nz

! Use of formal notations. ! in software system descriptions. ! for a broad range of effects. ! and varying levels of use. !

CS 377 Database Systems

Handling Missing Values via Decomposition of the Conditioned Set

Chapter 16: Advanced MySQL- Grouping Records and Joining Tables. Informatics Practices Class XII. By- Rajesh Kumar Mishra

SQL. Dean Williamson, Ph.D. Assistant Vice President Institutional Research, Effectiveness, Analysis & Accreditation Prairie View A&M University

Variables and Typing

Row and Column Access Control in Db2 11. (Db2 on Linux, UNIX and Windows) Philip K. Gunning, CISSP

BHG (Singapore) Pte. Ltd. [2017] SGPDPC 16. Mr. Yeong Zee Kin, Deputy Commissioner Case No DP B0440

Harvest in a Citrix Environment

Database Fundamentals Chapter 1

Create and Manage Partner Portals

download instant at The Relational Data Model

Customer Proprietary Network Information

Users Guide. Kerio Technologies

Lecturer 4: File Handling

Presto 2.0. Using Presto Rules

SYSTEM 2000 Essentials

Where did you hear that? Information and the Sources They Come From

OASIS PKI Action Plan Overcoming Obstacles to PKI Deployment and Usage

Copyright 1982, by the author(s). All rights reserved.

Database Management Systems,

Web Services for Relational Data Access

Modeling Dependencies for Cascading Selective Undo

Global Namin-g in Distributed systems

Relational Database Management Systems Mar/Apr I. Section-A: 5 X 4 =20 Marks

1 Introduction CHAPTER ONE: SETS

6. Hoare Logic and Weakest Preconditions

Lecture 01. Fall 2018 Borough of Manhattan Community College

Type Inference: Constraint Generation

Provable data privacy

Database Management Systems MIT Introduction By S. Sabraz Nawaz

JOURNAL OF OBJECT TECHNOLOGY

III. Chapter 11, Creating a New Post Office, on page 155 Chapter 12, Managing Post Offices, on page 175. novdocx (en) 11 December 2007.

Information Systems (Informationssysteme)

University Privacy Campaign. Introduction to the Personal Data (Privacy) Ordinance

Transcription:

Specification of Content-Dependent Security Policies David L. Spooner Mathematical Sciences Department Rensselaer Polytechnic Institute Troy, NY 12181 Abstract: The protection of information from unauthorized disclosure is an important consideration for the designers of any large multiuser computer system. A general purpose database management system often requires the enforcement of contentdependent security policies in which a decision to allow access must be based on the value of the data itself. Several authors ([Har76], [Sto76], [Gri76], [Sum77], [Min78], [Spo83], and others) have proposed mechanisms for implementinq content-dependent security policies. Few authors, however, have investigated the properties of models for the specification of such policies. This paper identifies several problems created by inadequate models for the specification of content-dependent security ~olicies. If a specification model is too liberal in the types of policies it can express, it may provide an increased opportunity for compromise of data. If the specification model is too conservative, it cannot express many desirable policies. Thus a flexible model which will allow a compromise between these two extremes is needed for specifying content-dependent policies. Such a model is proposed here. I. Introduction The protection of information from unauthorized disclosure is an important consideration for the designers of any large multiuser computer system. The rapid increase in the numbers of new computer users and the increasing use of computer networks make the protection of information an even more critical issue. The problem is further complicated by the increasing complexity of computer systems. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for atrect commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. 1983 ACM0-89791-120-2/83/010/0141 $00.75 The tried and true methods of ~rotectinq information using traditional operating system primitives (i.e. capabilities and access lists) are not adequate for enforcing data security in a general purpose database management system (DBMS). Such systems demand more sophisticated and flexible protection mechanisms. One of the most important differences is that a DBMS often requires the enforcement of content-dependent security ~olicies in which a decision to allow access to data must be based on the value of the data itself. The need for content-dependent security policies occurs frequently in DBMS applications. For example, consider a file of employee records for a large corporation. Each record contains the fields: NAME, JOB, SALARY, and MANAGER. A reasonable security requirement for this file is that a manager may only access records of employees he manages. Thus a particular manager may access a record only if he is listed in the MANAGER field of the record. Content-dependent security policies are usually expressed using access rules with Boolean predicates describing subsets of the data which a user is authorized to access. Unlike other types of security policies, content-dependent policies must be enforced at run-time when the data is actually retrieved and can be used to make an access decision. Several authors ([HarT6], [Sto76], [GriT6], [Sum77], [Min78], [Spo83], and others) have suggested mechanisms for implementing content-dependent security policies. Section 2 defines the concept of contentdependent security in more detail. Little work has been focussed on the properties of models for the specification of content-dependent policies. In section 3, several problems created by inadequate models for the specification of such policies are discussed. If a specification model is too liberal in the types of policies it can express, it may provide an increased opportunity for compromise of data. If the specification model is too conservative, it cannot express many desirable policies. Thus a flexible model which will allow a 141

compromise between these two extremes is needed for specifying content-dependent security Policies. Such a model is discussed in section 4. 2_~_ Content-De_pendent Security To facilitate further discussion, a notation is needed for expressinq access rules for users. The followinq notation will be used in this paper. It is assumed that all data is stored in the form of relations or tables. Suitable modifications can be made for handling other data structures. The basic access rights which a user may have to the columns of a relation include such things as read, and write access. The complete set of basic access rights is unimportant for this discussion. An access rule for user u has the following form: u:relation name[column list] (rights list) where predicate This rule states that user u has the basic rights listed in the rights list to the columns of the named relation ]isted in the column list whenever the specified predicate is true. If the access rule is to apply to all columns of a relation, the column list can be replaced by the word "all." No restrictions are placed on the set of data items which may be used in a Dredicate. Range variables for each relation are used in the column list and predicate to avoid ambiguity. A range variable for a relation is a variable whose value can be any row of the relation. Thus individual data items in a relation are named as: relation range variable. column name The access rules have a syntax very similar to the syntax for queries in QUEL, the query language for the INGRES database system [Sto76]. As an example, consider the following relational database of employee information for a large corporation. EMPLOYEE...................................... NAME JOBTITLE JOBRANKISALARY I I... MANAGER I............. DIRECTORY I NAMEI LL BU L I G ROOM... i... i I Suppose that a clerk in the payroll department is to be allowed access to the name, salary, and department of all programmers in departments 5 and 6. This content-dependent policy can be expressed as follows: Examole I. Range of d is DIRECTORY clerk: EMPLOYEE[e. NAME, e. SALARY] (read) where e. JOBTITLE="PROGRAMMER" & e. NAME=d. NAME& (d. DEPT=5 1 d. DEPT=6) clerk: DIRECTORY[d. DEPT] (read) where e. JOBTITLE="PROGRAMMER" & e. NAME=d. NAME& (d. DEPT=5 1 d. DEPT=6) The first access rule says that the clerk has read access to the NAME and SALARY fields of any row in relation EMPLOYEE for which the JOBTITLE of that row has the value "PROGRAMMER" and for which there is a row in the DIRECTORY relation with the same value for the NAME field and the DEPT field equal to 5 or 6. The second access rule is similar. Note the use of the range variable e to specify that the values for fields NAME, SALARY, and JOBTITLE in the column list and the predicate must all come from the same row of relation EMPLOYEE. Range variable d serves a similar purpose for relation DIRECTORY. 3. Problems in the Specification of Content-Dependent Policies Suppose that user u has an access rule for data item A and in the predicate of the rule is a reference to data item B. If user u has no access rules for data item B, or has only rules specifying content-dependent read access to data item B, user u may not be authorized to access data item B to evaluate the predicate for A. Evaluation of the predicate for A may therefore compromise the value of data item B. The remainder of this section discusses Dotential solutions to this problem and the consequences each solution has on models for the specification of content-dependent security policies. There are two cases to consider: I) user u has unconditional read access to data item B, and 2) user u has content-dependent read access or no read access to data item B. 3.1 Unconditional Read Access If user u has an access rule giving 142

him unconditional read access to data item B, then the predicate for data item A can be evaluated without compromising the value of data item B. Suppose that a policy specification model requires that a user have unconditional access to all data items referenced in predicates of access rules. As is seen in the next examole, this can limit the policies which can be expressed in the model. Consider the EMPLOYEE relation defined in section 2, and suppose that salary is directly related to job rank. A security policy that one might wish to enforce is that a clerk in the personnel department may look at employee names and job titles for all employees of rank no greater than i0, say. The clerk should not be able to determine any individual salary. He is therefore not authorized to access the JOBRANK or SALARY columns of the relation. Such a policy can be expressed as follows: Example 2. Summers and Fernandez [Sum77] chose the opoosite solution. In their model the predicate in the access rule for B is "anded" to the predicate in the access rule for A. Access to A is allowed only if this new predicate evaluates to true. This approach seems inherently more secure, but can lead to several problems. If access to A de!)ends on the content of B, access to B deoends on the content of C, and so on, it may be necessary to evaluate a oredicate of nearly unbounded length to authorize access to A. In addition, this approach reduces the ranqe of policies which can be expressed in a specification model. Returning to Example 2, suppose that the access rules for the clerk are extended to allow him to read the JOBRANK column for employees with a job rank less than 5. This can be expressed with the following access rules. Example 3. write) where e. JOBRANK<=I0 write) where e. JOBRANK<=i0 clerk: EMPLOYEE[e. JOBRANK] (read) where e. JOBRANK<5 If the requirement is made that a user must have unconditional read access to data items referenced in a predicate, then this policy specification is illegal since the clerk has no access to the JOBRANK column. This policy, and others like it, cannot be expressed in a policy specification model with such a restriction. It may be argued that since the clerk has no access rules allowing him to manipulate the JOBRANK column, it doesn't matter if the security system consults the job rank of an employee in making an access decision for the clerk. This is a policy decision for the security officer of the system. 3.2 Content-Dependent Read Access or No Read Access Consider now the situation where user u has an access rule for data item A with a content-dependent predicate referencing data item B. He also has an access rule giving him content-dependent read access to B. User u may or may not be authorized to read the value of data item B to evaluate the predicate of A. Spooner, Gudes, and Fischer [Spo80] in their model recognized this problem and chose as a temporary solution to ignor the access rules for B when B is referenced in a predicate. A similar approach has been taken by others ([Sto76], [Gri76], [Har76], and others). Using the enforcement scheme of Summers and Fernandez, the clerk is able to access the name and job title only for employees with job rank less than 5. This is clearly not what was intended. Using this enforcement scheme, there is no way to express the desired policy. Regardless of the method used for enforcement of such policies, there is a more serious problem. SuDoose that a user has knowledge of the predicates defined in his access rules (a resonable assumotion in many if not most situations). He may be able to infer information about the value of a data item referenced in the predicate of an access rule by attempting to use the rule and noticing whether or not he is denied access. In essense, the predicates in the access rules create many of the same problems encountered in protecting statistical databases [Den78]. The problem is made even more difficult by noticing that a user may receive access rules from several different People for different applications. These many different authorizers may be unaware of the potential compromise of data made possible by using the access rules together. Consider now the final situation in which user u has an access rule ~or data item A with a predicate referencing data item B, and has no access rules for data item B. This case is similar to the situation where user u has contentdependent access to B, and all the 143

comments above apply. Only with the enforcement approach which ignors the access rules for B, will access to A be permitted. 42 - Content-Dependent S~ecification Model From the discussion above, it is clear that the choice of anv model for the specification and enforcement of contentdependent security policies has the potential for introducing unwanted sideeffects. These side-effects range from limiting expressibility of policies, to introducing the potential for compromise of data items. The side-effects exist in varying degrees in all models. As a result, the security officer for a system must be given the ability to choose between several models so that he may select the model which most closely satisfies his needs. Suppose that a new basic access right for data items, say "pred," is introduced into a specification model. This new access right, when given to a user for a data item, allows the security system to access the data item on his behalf when evaluating a predicate in an access rule. It allows no other type of access. This new access right can be added to the model of Summers and Fernandez [Sum77]. The model is modified so that if user u has an access rule for data item A with a predicate referencing data item B, and user u also has the pred right to B, then the evaluation of the predicate for A takes place unchanged. If the user does not have the pred right for B but has another access rule giving him contentdependent access to B, then the predicate from the access rule for B is anded to the precicate in the access rule for A before it is evaluated as before. If the user has no access rule for B, access to A is denied. This model provides the security officer with the flexibility needed to selectively decide which users may access which data items for the purposes of predicate evaluation. It also increases the range of potential content-dependent security polcies which can be expressed using the model of Summers and Fernandez. Consider again Example 2. An access rule can be defined for the clerk giving him the pred right for the JOBRANK column. Example 4. write) where e. JOBRANK<=I0 clerk: EMPLOYEE[e. JOBRANK] where true (pred) This allows the security system to access the JOBRANK column on behalf of the clerk when evaluating the predicate in the access rule for the NAME and JOBTITLE columns. As a second example, reconsider Example 3. The security officer, at his own discretion, can define an access rule giving the clerk the pred right to the JOBRANK column. If this is done, the policy is enforced as intended. Two problems must be addressed when the pred right is introduced into a specification model. The first problem concerns what to do when a user has an access rule giving him the pred right for a column, but with a content-dependent predicate. This can be handled like all other access rules by "anding" the predicate from the access rule for the pred right to any predicate referencing the column. The second problem concerns who may grant the pred right to a user. Suppose in Example 4 that one person (X) is responsible for defining access rules for the NAME and JOBTITLE columns and that another person (Y) is responsible for defining access rules for the JOBRANK column. Should person X be able to grant the pred right for the JOBRANK column to the clerk? It may be desirable to allow this since the access rule for JOBRANK is defined only to ensure that the access rule for NAME and JOBTITLE is enforced correctly. One solution is to allow Y to grant to X the ability to define access rules containing the pred right for the JOBRANK column. Introduction of the pred right solves several problems in the specification of content-dependent security policies, but it does nothing to eliminate the potential compromise of data items referenced in predicates of access rules. No simple solution to this problem is evident. In fact, a complete solution is impossible in the case where users know the predicates in their access rules or can discover them. A content-dependent access rule partitions the occurrences of a column into two sets, those which can be accessed and those which cannot. The user can always infer some information from noting which occurrences can and cannot be accessed. More work is required to find ways to minimize the problem. Clearly the work in protecting statistical databases is relevant [Den78]. Under general operating conditions, a user may receive access rules from several sources for different applications. These rules can be used together in unpredictable ways to compromise data in the system. Others ([Hat76]) have identified this problem and noted that the predicates from the access rules can be "anded" or "ored" together. Either solution can lead to access policies being enforced differently from what is 144

intended. Restrictions can be placed on the ways access rules for data items can be used together, perhaps by identifying those access rules belonging to a particular application. This idea has been investigated by Summers and Fernandez [Sum77]. More research is needed to achieve a general yet effective implementation of this idea. References [Den78] Denning, D. E. "A Review of Research on Statistical Database Security." Foundations of Secure Computation, R.A. DeMillo, et. al. Eds, Academic Press, New York, 1978. [Gri76] Griffiths, P. and B. Wade. "An Authorization Mechanism for a Relational Database System." ACM Transactions on Data Base Systems, 1 (1976), 3 (Sept), pp 242-255. [Har76] Hartson, H. R. and D. K. Hsiao. "A Semantic Model for Date Base Protection Languages." Systems for Large Data Bases, North-Holland Publishing Company, pp. 27-42, 1976. [MinT8] Minski, N. "An Operation-Control Scheme for Authorization in Computer Systems." International Journal of Computer and Information Sciences, 7 (1978), 2 (June), pp. 157-191. [Spo80] Spooner, D. L., E. Gudes, and P. C. Fischer. "The Logical Object Model for Data Base Operating Systems." Proc. Computer Software and Applications Conference, IEEE, pp.769-775, 1980. [SDo83] Spooner, D. "The Design of a Unified Security Model for a Database Operating System," Proc. Sixteenth Hawaii International Conference on Systems Sciences, pp. 75-82, 1983. [Sto76] Stonebraker, M., and P. Rubinstein. "The INGRES Protection System." Proc. ACM Conference, Houston, pp. 80-84, 1976. [Sum77] Summers, R. C. and E. B. Fernandez. "A System Structure for Data Security." IBM Los Angeles Scientific Center Report, G320-2689, April, 1977. 145

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback