Mandatory Access Control Oracle Label Virtual Private Database Present Nguyen Thi Thuy loan 1

1

Mandatory Access ControlOracle Label

Virtual Private Database

PresentNguyen Thi Thuy loan

2

Mandatory Access Control• Limitation of DAC:

– Global policy: DAC let users to decide the access control policies on their data, regardless of whether those policies are consistent with the global policies. Therefore, if there is a global policy, DAC has trouble to ensure consistency.

– Information flow: information can be copied from one object to another, so access to a copy is possible even if the owner of the original does not provide access to the original copy. This has been a major concern for military.

– Malicious software: DAC policies can be easily changed by owner, so a malicious program (e.g., a downloaded untrustworthy program) running by the owner can change DAC policies on behalf of the owner.

• MAC mechanisms assign a security level to all information, assign a security clearance to each user, and ensure that all users only have access to that data for which they have a clearance.

3

Mandatory Access Control• Mandatory Access Control (MAC) is is a set of security policies

constrained according to system classification, configuration and authentication. MAC policy management and settings are established in one secure network and limited to system administrators.

• A system-wide policy decrees who is allowed to have access; individual user cannot alter that access.

• Relies on the system to control access.• Examples:

– The law allows a court to access driving records without the owners’ permission.

• Traditional MAC mechanisms have been tightly coupled to a few security models.

• Recently, systems supporting flexible security models start to appear (e.g., SELinux, Trusted Solaris, TrustedBSD, etc.)

4

Mandatory Access Control• Multilevel Security

– People and information are classified into different levels of trust and sensitivity. These levels represent the well-known security classifications:• Unclassified Confidential Secret Top Secret.⇒ ⇒ ⇒

– Clearance level indicates the level of trust given to a person with a security clearance, or a computer that processes classified information, or an area that has been physically secured for storing classified information. The level indicates the highest level of classified information to be stored or handled by the person, device, or location.

– Classification level indicates the level of sensitivity associated with some information, like that in a document or a computer file. The level is supposed to indicate the degree of damage the country could suffer if the information is disclosed to an enemy.

– Security level is a generic term for either a clearance level or a classification level.

5

Mandatory Access Control

• The Bell-LaPadula Security Policy Model– Proposed by David Bell and Len Lapadula in 1973, in response to U.S. Air Force concerns over the security of time-sharing mainframe systems.

– This model is the most widely recognized MLS model.– The model deal with confidentiality only.– Two properties: No read up and No write down.

• Simple security property: Subject A is allowed to read object O only if class(O) ≤ class(A).

• *property: Subject A is allowed to write object O only if class(A) ≤ class(O).

6


• The Bell-LaPadula Security Policy Model– Proposed by David Bell and Len Lapadula in 1973, in response to U.S. Air Force concerns over the security of time-sharing mainframe systems.

– This model is the most widely recognized MLS model.– The model deal with confidentiality only.– Two properties: No read up and No write down.

• Simple security property: Subject A is allowed to read object O only if class(O) ≤ class(A).

• *property: Subject A is allowed to write object O only if class(A) ≤ class(O).

7


• The Bell-LaPadula Security Policy Model– All current access operations: an access operation is described by a triple (s,o,a), s ϵ S, o ϵ O, a ϵ A• E.g.: (Alice, fun.com, read)

– The set of all current access operations is an element of P(SOA)• E.g.: {(Alice, fun.com, read), (Bob, fun.com, write), …}

8


• The Bell-LaPadula Security Policy Model– Current assignment of security levels:

• maximal security level: fS: S L (L … labels)

• current security level: fC: S L

• classification: fO: O L

– The security level of a user is the user’s clearance.– Current security level allows subjects to be down-graded temporarily (more later).

– F LS LSLO is the set of security level assignments; f = (fS, fC, fO)denotes an element of F.

9


• The Bell-LaPadula Security Policy Model– defined by the access control matrix M.–M is the set of access control matrices.– The state set of BLP: V = BM F• B is our shorthand for P(SOA)• b denotes a set of current access operations• a state is denoted by (b,M,f)

10


• The Bell-LaPadula Security Policy Model– Discretionary Security Property (ds-property): Access must be permitted by the access control matrix: (s,o,a)Mso

– Simple Security (ss)-Property (no read-up): if (s,o,a) b, then fS(s) fO(o) if access is in observe mode.

11


• The Bell-LaPadula Security Policy Model limitations– BLP intended for systems with static security levels.– BLP contains covert channels: a low subject can detect the existence of high objects when it is denied access.

– Sometimes, it is not sufficient to hide only the contents of objects. Also their existence may have to be hidden.

– Convert channels

12


• The Biba Model– Due to Ken Biba.– Deal with integrity alone and ignores confidentiality entirely.– Biba model covers integrity levels, which are analogous to sensitivity levels in Bell-LaPadula

– Integrity levels cover inappropriate modification of data– Prevents unauthorized users from making modifications (1st goal of integrity)

– Two properties:• Simple Integrity Property: A low integrity subject will not write or modify high integrity data.

• *-Property: The high integrity subject will not read low integrity data.• Read Up, Write Down - Subjects cannot read objects of lesser integrity, subjects cannot write to objects of higher integrity

13


• The Biba model is focused on the integrity of information

• The Bell-LaPadula model is focused on the confidentiality of information. – No read up, no write down.”

• Subjects are assigned clearance levels drawn from the lattice of security labels.– C(S) = "clearance of the subject S"

• A principal may read objects with lower (or equal) security label.– Read: C(O) ≤ C(S)

• A principal may write objects with higher (or equal) security label.– Write: C(S) ≤ C(O)

14


• Instead of the information flow-control boundaries being horizontal, as in the MLS model, we instead need the boundaries to be the mostly vertical.– Examples: In a consultant company, a person who consult for BankOne should not have access to the data of JPMC-Chase..

– An intelligence organization wants to keep the names of agents working in one foreign country secret from the department responsible for spying on another.

• Also known as compartmentation.• Multilateral security models:

– The Chinese Wall Model– The BMA Model (British Medical Association)

15

Mandatory Access Control• Only administrators, not data owners, make changes to a resource's security

label.• All data is assigned security level that reflects its relative sensitivity,

confidentiality, and protection value.• All users can read from a lower classification than the one they are granted (A

"secret" user can read an unclassified document).• All users can write to a higher classification (A "secret" user can post information

to a Top Secret resource).• All users are given read/write access to objects only of the same classification (a

"secret" user can only read/write to a secret document).• Access is authorized or restricted to objects based on the time of day depending

on the labeling on the resource and the user's credentials (driven by policy).• Access is authorized or restricted to objects based on the security characteristics

of the HTTP client (e.g. SSL bit length, version information, originating IP address or domain, etc.)

16

Oracle Label Security

• Oracle Label Security enables to control the display of individual table rows using labels that are assigned to individual table rows and application users.

• Based on multi-level security (MLS) requirements • Restrict sensitive information to only authorized users. • Oracle Label Security policies can be applied to one or more application tables.

• Oracle Label Security works by comparing the row label with a user's label authorizations.

17


• Benefits – It enables row level data classification and provides out of the box access mediation based on the data classification and the user label authorization or security clearance.

– It enables you to assign label authorizations or security clearances to both database users and application users.

– It provides both a graphical user interface and APIs for defining and storing data classification labels and user label authorizations.

– It integrates with Oracle Database Vault and Oracle Advanced Security Data Redaction, enabling security clearances to be use in both Database Vault command rules and Data Redaction policy definitions.

18


• Components – Labels: Labels for data and users, along with authorizations for users and program units, govern access to specified protected objects. • Levels• Compartments• Groups

– Policy. A policy is a name associated with these labels, rules, authorizations, and protected tables.

19


• Level Sensitivity Components– A level is a ranking that denotes the sensitivity of the information it labels.

– Every label must include one level. Oracle Label Security permits defining up to 10,000 levels in a policy.

20


• Compartment Components– Identify areas that describe the sensitivity of the labeled data, providing a finer level of granularity within a level.

– Associate the data with one or more security areas.

21


• Group Components– Identify organizations owning or accessing the data. All data pertaining to a certain department can have that department's group in the label.

– Groups are hierarchical. A group can thus be associated with a parent group.

22


23


• Oracle Label Security Architecture

24


• Access Controls and Privileges– Data labels specify the sensitivity of data rows.– User labels provide the appropriate authorizations to users.

– Access mediation between users and rows of data depends on users' labels.

25


• Access Controls and Privileges– The Session Label

• Each Oracle Label Security user has a set of authorizations that include:• A maximum and minimum level• A set of authorized compartments• A set of authorized groups• For each compartment and group, a specification of read-only access, or read/write access

– The Row Label• When a user writes data without specifying its label, a row label is assigned automatically, using the user's session label.

• However, the user can set the label for the written row, within certain restrictions on the components of the label he specifies

26


• User Authorizations– Authorizations Set by the Administrator• Authorized Levels• Authorized Compartments• Authorized Groups

– Computed Session Labels• Oracle Label Security automatically computes a number of labels based on the value of the session label.

27


• Read/Write Access– The user has a maximum authorization for the data he or she can read; the user's write authorization is a subset of that. The minimum write level controls the user's ability to disseminate data by lowering its sensitivity. The user cannot write data with a level lower than the minimum level the administrator assigned to this user.

– In addition, there are separate lists of compartments and groups for which the user is authorized; that is, for which the user has at least read access. An access flag indicates whether the user can also write to individual compartments or groups.

28


– Read Access• The user's level must be greater than or equal to the level of the data.• The user's label must include at least one of the

groups that belong to the data (or the parent group of one such subgroup).• The user's label must include all the compartments that belong to the data.

29


– Read Access

30


–Write Access• The level in the data label must be greater than or equal to the user's minimum level and less than or equal to the user's session level.

• When groups are present, the user's label must include at least one of the groups with write access that appear in the data label (or the parent of one such subgroup). In addition, the user's label must include all the compartments in the data label.

• When no groups are present, the user's label must have write access on all of the compartments in the data label.

31


–Write Access

32


• Enable

33


• Tập lệnh liên quan tới policy• CREATE/ALTER/DROP_LEVEL/COMPARTMENT/GROUP

• SET_LEVELS/COMPARTMENT/GROUP• CREATE/DISABLE/ALTER/DROP_POLICY• CREATE/ALTER/DROP_LABEL/POLICY• APPLY_TABLE/SCHEMA_POLICY

34


• Special Row Label Privileges– The WRITEUP privilege enables the user to raise the level of data within a row, without compromising the compartments or groups.

– The WRITEDOWN privilege enables the user to lower the level of data within a row, without compromising the compartments or groups. The user can lower the level to any level equal to or greater than his or her minimum authorized level.

– The WRITEACROSS privilege allows the user to change the compartments and groups of data, without altering its sensitivity level. This guarantees, for example, that SENSITIVE data remains at the SENSITIVE level, but at the same time enables the data's dissemination to be managed.

35


• VPD enables you to create security policies to control database access at the row and column level.

36


• VPD is a feature of Oracle Database Enterprise Edition, was introduced in Oracle8i and is one of the most popular security features in the database.

• VPD is used when the standard object privileges and associated database roles are insufficient to meet application security requirements.

• VPD policies can be simple or complex depending on your security requirements.

• VPD can be used in combination with the "application context" feature to enforce sophisticated row and/or column level security requirements for privacy and regulatory compliance.

37


• A customer can only see his orders in the 'orders' table (below), when he is listed in the 'customers' table (above).

38

Virtual Private Database• Column Relevance: The account manager with the account_mgr_id "149"

can see all rows from the customers table, but not the credit limits. As soon as she queries the 'credit_limit' column, she can only see her own customers.

39

Virtual Private Database• The most advanced configuration ("Column Hiding") of VPD allows for the

most effective combination of ease-of-use and security: She still has access to all public information in the 'customers' table, but confidential information remains hidden.

40


• Create a Policy Function

41

• Result

42


Create the Oracle Virtual Private Database Policy• DBMS_RLS.ADD_POLICY

43

Virtual Private Database• When a user directly or indirectly accesses a table, view, or synonym that is

protected with an Oracle Virtual Private Database policy, Oracle Database dynamically modifies the SQL statement of the user. This modification creates a WHERE condition (called a predicate) returned by a function implementing the security policy. Oracle Database modifies the statement dynamically, transparently to the user, using any condition that can be expressed in or returned by a function. You can apply Oracle Virtual Private Database policies to SELECT, INSERT, UPDATE, INDEX, and DELETE statements.

Suppose a user performs the following query:SELECT * FROM OE.ORDERS;

The Oracle Virtual Private Database policy dynamically appends the statement with a WHERE clause. For example:

SELECT * FROM OE.ORDERS WHERE SALES_REP_ID = 159; the user can only view orders by Sales Representative 159.

44

Benefits of Using Oracle Virtual Private Database Policies

• Basing Security Policies on Database Objects Rather Than Applications– Security. By attaching security policies directly to tables, views, or synonyms, fine-grained access control ensures that the same security is in force, no matter how a user accesses the data.

– Simplicity. You add the security policy to a table, view, or synonym only once, rather than repeatedly adding it to each of your table-based, view-based, or synonym-based applications.

– Flexibility. You can have one security policy for SELECT statements, another for INSERT statements, and still others for UPDATE and DELETE statements

45

Thank You .

46

Reference

• E. Bertino, G. Ghinita, A. Kamra: “Access Control for Databases: Concepts and Systems”

• Label Security Administrator's Guide _ Oracle White Paper

• Oracle Label Security with Oracle Database 12c _ Oracle White Paper

• Using Oracle Virtual Private Database to Control Data Access _ Oracle Database Online Documentation 12c Release 1

Documents

Mandatory Access Control Oracle Label Virtual Private Database Present Nguyen Thi Thuy loan 1