Survey Presentation in Multilevel Secure Database
60-564: Security and Privacy on the Internet
Instructor: Dr. A. K. Aggarwal
Presented By: Vic Ho & Kashif Saeed
Date: April 8, 2006
Table of Contents
What is MLS RDBMS?
Bell-LaPadula Security Model
Evaluation and Certification
MLS Architecture
Multilevel Relations
Polyinstantiation
Integrity Properties
Update Operation
MultiLevel Secure RDBMS
A capability that allows information with different classifications to be held in one information system.
Users have different security clearances and authorizations.
Users are prevented from accessing information for which they are not cleared.
Emergence of MLS RDBMS
The U.S. military and intelligence communities segregated data based upon its security classification.
An "air gap" with a "sneaker net" was used to make it secure.
Along came the drawbacks:
Redundant databases
Redundant workstations
High cost of IT infrastructure
Inefficiency
Solution
Using MLS, classified information can be stored, processed and distributed in a secure way without the drawbacks listed previously.
Features of MLS
Users have different security clearances and authorizations.
Users work with an MLS database the same way they use a classic RDBMS.
Different levels of security can be enforced, e.g. "Top Secret", "Secret" etc.
Bell-LaPadula Security Model
MLS uses the basic security model presented by Bell and LaPadula.
The model consists of:
Objects
Subjects
An object is a passive entity, e.g. flat files, records, fields within a record etc.
Bell-LaPadula Security Model
A subject is an active process that can request access to an object.
Objects are assigned a classification and subjects a clearance.
Classification and clearance are collectively called labels.
Labels have two components: a "hierarchical component" and a set of "unordered compartments".
Bell-LaPadula Security Model
MLS enforces two restrictions on all data accesses:
"No Read Up": A subject can read an object if and only if the subject's label dominates the object's label.
"No Write Down": A subject can write to an object if the object's label dominates the subject's label.
Evaluation and Certification
These systems carry highly classified data and may be used by organizations such as the military, the air force or government agencies.
Every MLS system must obtain a security evaluation certificate.
Common Criteria, adopted as an ISO standard
Trusted Computer System Evaluation Criteria (TCSEC)
MLS Architecture
Depending upon how the access control is handled, we have two types of architecture:
Woods Hole Architecture
Trusted Subject Architecture
MLS Architecture > Woods Hole Architecture
Access control is delegated to a trusted operating system.
Uses an untrusted RDBMS wrapped in trusted code.
Two categories of such a scheme:
Kernelized Architecture
Distributed architectures
MLS Architecture > Woods Hole Architecture > Kernelized Architecture
Each security level is implemented with a separate copy of an off-the-shelf untrusted RDBMS and a trusted front-end.
A trusted operating system sits in the middle to enforce the access control policies.
Using MAC, users can be restricted to different fragments of the database.
MLS Architecture > Woods Hole Architecture > Kernelized Architecture
Advantages
The RDBMS associated with the High security level can access the Low database as well.
Data is associated with different security levels, which enforces strict access controls.
Minimizes the time needed to evaluate the RDBMS if it is used with a pre-evaluated operating system.
MLS Architecture > Woods Hole Architecture > Kernelized Architecture
Figure: kernelized architecture. The High User and Low User go through a High Trusted Front-End and a Low Trusted Front-End to a High RDBMS and a LOW RDBMS; the Trusted Operating System beneath them holds the High Data and Low Data.
MLS Architecture > Woods Hole Architecture > Distributed architectures
Multiple copies of the trusted front-end and RDBMS are used, each with its own storage database.
The database at any particular security level k contains a replica of every other piece of data that a subject at level k can access.
Drawback: the entire database must be synchronized whenever an update happens at one point.
MLS Architecture > Trusted Subject Architecture
A trusted RDBMS and a trusted operating system are used along with an untrusted front-end.
Mandatory Access Control is enforced by the RDBMS itself.
Advantages:
Access to several data levels at the same time, with minimal retrieval time and update processing.
Figure: trusted subject architecture. The High User and Low User each go through an Un-trusted Front-End to the Trusted RDBMS, which runs on the Trusted Operating System over a single Database.
Multilevel Relation
Defined by two properties, as for a single-level relation, with the addition of an access class.
Relation Schema: a state-invariant multilevel relation scheme R(A1, C1, A2, C2, …, An, Cn, TC) such that each Ai belongs to a domain Di, each Ci is the classification attribute for Ai, and TC is the tuple-class attribute.
Relation Instance: a collection of state-dependent relation instances Rc(A1, C1, A2, C2, …, An, Cn, TC), one for each access class c.
Polyinstantiation
Allows multiple tuples with the same primary key to coexist in the same relation.
Can be used against inference, against denial of service to legitimate users, and to protect against "covert channels", e.g. a storage covert channel.
Example.
Multilevel Integrity Properties
A multilevel relation is composed of several sets of tuples (one instance per access class) rather than a single set of tuples.
The instances may have different access classes, so the relation is more complex.
Multilevel relations exhibit four properties in addition to the not-null primary key property of a traditional single-level RDBMS.
Multilevel Integrity Properties > Entity Integrity
A multilevel relation R satisfies entity integrity if and only if, for all instances Rc of R and all tuples t in Rc:
If Ai is in AK, then t[Ai] ≠ null (the apparent key has no nulls).
If Ai and Aj are in AK, then t[Ci] = t[Cj] (the key attributes are uniformly classified).
If Ai is not in AK, then t[Ci] dominates t[CAK] (a non-key attribute is classified at or above the key).
Multilevel Integrity Properties >Null Integrity
A multilevel relation R satisfies null integrity if and only if, for each instance Rc of R, the following conditions hold:
For all t in Rc, t[Ai] = null implies t[Ci] = t[CAK].
Rc contains no tuple that is subsumed by another tuple, where tuple t subsumes tuple s if for every attribute Ai either (a) t[Ai, Ci] = s[Ai, Ci] or (b) t[Ai] ≠ null and s[Ai] = null.
Multilevel Integrity Properties >Inter-Instance Integrity
R satisfies inter-instance integrity if and only if for all c' ≤ c we have Rc' = σ(Rc, c'), where σ is the filter function.
Multilevel Integrity Properties > Polyinstantiation Integrity
The relation R satisfies polyinstantiation integrity if and only if, for every Rc and every Ai, the attributes AK, CAK and Ci together functionally determine Ai. This property implicitly defines what is meant by the primary key in a multilevel relation.
Update Operation
The SQL update operations: insert, update and delete.
In a single-level relation, these operations overwrite the data.
The same cannot be done in an MLS relation. Why?
Example
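As an added illustration (not code from the presentation or from the cited papers), the multilevel relation model above in Python: inserts at a lower class never overwrite a higher-classified tuple but polyinstantiate beside it, the filter function builds the instance Rc a subject sees, and entity, null and polyinstantiation integrity are checked. It assumes a linear order of access classes U < C < S < TS and a single key attribute.

```python
LEVELS = ["U", "C", "S", "TS"]  # constructed linear order; the page's labels also carry compartments

def dominates(a, b):
    return LEVELS.index(a) >= LEVELS.index(b)

def subsumes(t, s, attrs):  # t subsumes s: equal, or t non-null where s is null
    return all(t[a] == s[a] or (t[a][0] is not None and s[a][0] is None) for a in attrs)

class MLSRelation:
    """R(A1,C1,...,An,Cn,TC) with apparent key AK = attrs[0]; a tuple is
    {attr: (value, class), 'TC': class}. Illustration only, not a DBMS."""

    def __init__(self, attrs):
        self.attrs, self.ak, self.tuples = attrs, attrs[0], []

    def insert(self, labelled):
        """labelled = [(value, class), ...] in schema order; True if added.
        A clash with an existing tuple is rejected, never overwritten."""
        t = {a: vc for a, vc in zip(self.attrs, labelled)}
        cak = t[self.ak][1]
        # entity integrity (key not null, each C_i dominates C_AK); null integrity (null attr at C_AK)
        if t[self.ak][0] is None or any(not dominates(t[a][1], cak) or
                                         (t[a][0] is None and t[a][1] != cak) for a in self.attrs):
            return False
        if self.pi_conflict(t):
            return False
        t["TC"] = max((t[a][1] for a in self.attrs), key=LEVELS.index)
        self.tuples.append(t)
        return True

    def pi_conflict(self, t):
        """Polyinstantiation integrity: AK, C_AK, C_i -> A_i. The same key at
        another C_AK, or an attribute at another C_i, may coexist with t."""
        for s in (s for s in self.tuples if s[self.ak] == t[self.ak]):
            if all(s[a] == t[a] for a in self.attrs):
                return True  # exact duplicate
            if any(s[a][1] == t[a][1] and s[a][0] != t[a][0] for a in self.attrs):
                return True  # same (AK, C_AK, C_i) but a different A_i
        return False

    def filter(self, c):
        """Filter function sigma(R, c): the instance R_c a subject cleared c sees."""
        out = []
        for t in (t for t in self.tuples if dominates(c, t[self.ak][1])):
            cak = t[self.ak][1]  # attributes classified above c show as null at C_AK
            m = {a: t[a] if dominates(c, t[a][1]) else (None, cak) for a in self.attrs}
            m["TC"] = max((m[a][1] for a in self.attrs), key=LEVELS.index)
            out.append(m)
        # null integrity: drop tuples subsumed by another tuple of the instance
        return [t for t in out if not any(s is not t and subsumes(s, t, self.attrs) for s in out)]
```

A Secret subject that inserts a second value for Bob's salary leaves the Unclassified tuple untouched, and the Unclassified instance still shows only its own tuple, so the lower user learns nothing about the higher one.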
Table of Contents
Mandatory Access Control
Basic Model of MLS
MAC Implementation Methodology
Inference Problem
Single Key Schemes (Terminology & Phases)
Single Key Scheme for Single Inference Channels
Single Key Scheme for Multiple Inference Channels without "Repeated Object"
Single Key Scheme for Multiple Inference Channels with "Repeated Object"
Main Drawback of Single Key Schemes
MAC Implementation in RDBMS
Mandatory Access Control (MAC): Restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity [1].
Multilevel Security (MLS): One of the well-known implementations of MAC.
MAC Implementation in RDBMS
Basic Model of MLS
Object: A passive entity (i.e. information saved in the database). Each object is assigned a classification.
Subject: An active process that requests access to objects. Each subject is assigned a clearance.
Label: A piece of information made of two kinds of component: a hierarchical component and a set of unordered compartments.
Hierarchical Component: Information about the sensitivity of the data.
Compartments Component: Information about the sensitivity or category of the labeled data. It is non-hierarchical.
MAC Implementation in RDBMS
MAC Implementation Methodology
Features
Define label types
Define label access rules and exceptions
Assign labels and exceptions to database users
Attach a label type and a set of label access rules to a database table
MAC Implementation in RDBMS
Label Component
A database entity that can be CREATED, ALTERED and DROPPED. It specifies the set of valid elements for that label component. The set of elements can be either ordered or unordered; in an ordered set, each element ranks higher than the elements that follow it.
Example: create a label component
Label component: level
Ordered set
Set of valid values: TOP SECRET, SECRET and CLASSIFIED
CREATE LABEL COMPONENT level
OF TYPE varchar(15)
USING ORDERED SET {"TOP SECRET", "SECRET", "CLASSIFIED"}
MAC Implementation in RDBMS
Label Type
A database entity that can be CREATED, ALTERED and DROPPED. It defines the set of label components that make up a label.
Example: create a label type
Label type: MLS
Label components: level, compartments
CREATE LABEL TYPE MLS
COMPONENTS level, compartments MULTIVALUED
Note: the keyword MULTIVALUED indicates that the compartments component can hold more than one value at a time. MULTIVALUED may only be specified for label components that contain an unordered set.
MAC Implementation in RDBMS
Access Label
A database entity that can be CREATED and DROPPED. It can be assigned (GRANT and REVOKE) to database users. Together with the label access rules it determines which labeled rows a user can access.
Example: create an access label
Access label: L1
Label type: MLS
CREATE ACCESS LABEL L1
OF LABEL TYPE MLS
level "SECRET", compartments "NATO"
MAC Implementation in RDBMS
Row Label
A database entity that can be INSERTED and UPDATED using the ROWLABEL function. It labels a data row in a database table.
Example: insert a row
Database table: T1
INSERT INTO T1 VALUES(ROWLABEL("SECRET", "NATO"), 1, 2)
MAC Implementation in RDBMS
Label Access Policy
A database entity that can be CREATED, ALTERED and DROPPED. It defines the label access rules that determine which users have authority to access a labeled data row in a database table.
Two categories of access rules: Read Access Rules and Write Access Rules
Example: create a label access policy that implements the two restrictions of MLS ("No Read Up" and "No Write Down")
CREATE LABEL POLICY mls-policy
LABEL TYPE MLS
READ ACCESS RULE rule1 ACCESS LABEL level >= ROW LABEL level
READ ACCESS RULE rule2 ROW LABEL compartments IN ACCESS LABEL compartments
WRITE ACCESS RULE rule1 ACCESS LABEL level <= ROW LABEL level
WRITE ACCESS RULE rule2 ACCESS LABEL compartments IN ROW LABEL compartments
MAC Implementation in RDBMS
Exceptions
A database entity that can be assigned (GRANT and REVOKE) to database users. It provides the flexibility for some database users to bypass label access rules.
Example: grant an exception
User: Joe
Bypass the write access rules (rule1 and rule2) in label access policy mls-policy
GRANT EXCEPTION
ON WRITE ACCESS RULE rule1, rule2
FROM LABEL POLICY mls-policy
TO USER Joe
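As an added example (not code from the presentation or from the DBMS it describes), the label model and the mls-policy above in Python: the ordered level component and the multivalued compartments component, the read rules that enforce "No Read Up" and the write rules that enforce "No Write Down" from the Bell-LaPadula section, and the exception granted to Joe. The ROWLABEL stand-in, the LabelPolicy class and the table layout are assumptions of this example.

```python
from dataclasses import dataclass

# Label component "level": the page's ORDERED SET, first element ranks highest
LEVELS = ["TOP SECRET", "SECRET", "CLASSIFIED"]

def rank(level):
    return len(LEVELS) - LEVELS.index(level)

@dataclass(frozen=True)
class Label:
    """Label type MLS: ordered 'level' plus MULTIVALUED 'compartments'."""
    level: str
    compartments: frozenset = frozenset()

def rowlabel(level, *compartments):  # stand-in for the page's ROWLABEL function
    return Label(level, frozenset(compartments))

class LabelPolicy:
    """Evaluates the page's mls-policy. The two read rules are Bell-LaPadula
    'no read up' (access label dominates row label); the two write rules are
    'no write down' (row label dominates access label). A granted exception
    lets the named user bypass the named rules of one kind."""

    def __init__(self):
        self.exceptions = {}  # (user, "READ" | "WRITE") -> set of rule names

    def grant_exception(self, user, kind, rules):
        self.exceptions.setdefault((user, kind), set()).update(rules)

    @staticmethod
    def rules(kind, access, row):
        if kind == "READ":
            return {"rule1": rank(access.level) >= rank(row.level),
                    "rule2": row.compartments <= access.compartments}
        return {"rule1": rank(access.level) <= rank(row.level),
                "rule2": access.compartments <= row.compartments}

    def allowed(self, user, kind, access, row):
        skipped = self.exceptions.get((user, kind), set())
        return all(ok or name in skipped
                   for name, ok in self.rules(kind, access, row).items())

def visible_rows(policy, user, access, table):
    """Rows (row label, *columns) of a labelled table the user may read."""
    return [row for row in table if policy.allowed(user, "READ", access, row[0])]
```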
Inference Control Schemes in Multilevel Secure Database
Inference Problem
Information classified at a higher security level can be discovered by users cleared at a lower security level by means of inference [1].
The most common way to perform such an inference is from the responses to a series of queries.
Inference Control Schemes in Multilevel Secure Database
Single Key Schemes (Terminology) [1]
Three single key schemes are used to handle the inference control problem under three different conditions.
Object (O): A unit of information saved in a database, or the relationship between objects. Oi simply means the ith object in the inference channel.
Inference Channel: A minimum set of objects needed for performing an inference.
Length of Inference Channel (m): The number of objects in the inference channel. An inference channel of length m is also called an m-channel.
Key Set (K): Each key carries information about its association with objects. The number of keys in a key set is m − 1, where m is the length of the inference channel.
Reserved Object: An object in the inference channel that is not associated with any key at all.
Inference Control Schemes in Multilevel Secure Database
Single Key Schemes (Phases)
Key Initialization: Establishes the associations between keys and objects. The algorithm runs one time only, unless the entire system is going to be refreshed.
Query Processing: Details the algorithm of a query. The algorithm runs whenever a user wants to access an object.
Inference Control Schemes in Multilevel Secure Database
Basic Idea of Key Schemes
To perform the inference, a user must have access to all the objects in the inference channel.
A request to access an object in the inference channel requires a key.
Major idea: the number of keys is one less than the number of objects in the inference channel.
Inference Control Schemes in Multilevel Secure Database
Single Key Scheme for Single Inference Channels
1) Key Initialization: Associate every object in the inference channel with all the m − 1 keys, denoted K(Oi) = K, i = 1, 2, …, m.
2) Query Processing: Select a key randomly. Delete the association between the requested object and the other keys. Delete the association between the selected key and the other objects.
Note: When all m − 1 keys have been used, m − 1 of the m objects in the channel are associated with keys, and the one object left is the reserved object.
Inference Control Schemes in Multilevel Secure Database
Single Key Scheme for Multiple Inference Channels without “Repeated Object”
Consideration: There are multiple inference channels in the database and all channels are disjoint from each other.
Solution: Allocate one set of keys to each inference channel.
1) Key Initialization:
Inference channel: C
Number of inference channels in the database: l
Length of the channel Cj: mj, where j = 1, 2, …, l
Maximum length of all inference channels: mmax
Therefore, the key set K contains mmax − 1 keys.
2) Query Processing: Similar to the algorithm of the first key scheme.
Inference Control Schemes in Multilevel Secure Database
Single Key Scheme for Multiple Inference Channels with “Repeated Object”
Consideration: There are multiple inference channels in the database and some objects appear in more than one channel.
1) Key Initialization: Similar to the algorithm of the second key scheme.
2) Query Processing: When the repeated object is NOT the reserved object, the user's request to access it is handled the same way as for other objects. When the repeated object is the reserved object, the user's request to access it should be denied.
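The three single key schemes above as one added example (this code is not from the presentation or from [1]): key initialization gives every object of a channel all of that channel's m − 1 keys, query processing binds a random key to the requested object and removes that key from the other objects, and a repeated object that has become the reserved object of any of its channels is denied. It assumes each channel has its own key set and that one instance tracks the key state for one user; both are assumptions of this example.

```python
import random

class SingleKeyScheme:
    """Single key scheme for inference control, following the description on
    this page. channels: lists of object names; channel C_j gets its own key
    set of m_j - 1 keys (a repeated object appears in several channels).
    Assumption: one instance tracks the key state for one user/clearance."""

    def __init__(self, channels, rng=None):
        self.rng = rng or random.Random(0)
        self.channels = [list(c) for c in channels]
        self.keys = {}  # (channel index, object) -> keys still associated
        # Key initialization: K(O_i) = K_j for every object O_i of channel C_j
        for j, chan in enumerate(self.channels):
            key_set = {f"k{j}_{n}" for n in range(len(chan) - 1)}
            for obj in chan:
                self.keys[(j, obj)] = set(key_set)

    def channels_of(self, obj):
        return [j for j, chan in enumerate(self.channels) if obj in chan]

    def request(self, obj):
        """Query processing: True if access is granted. An object with no key
        left in any channel it belongs to is that channel's reserved object
        and is denied, which keeps the user one object short of the channel."""
        member = self.channels_of(obj)
        if any(not self.keys[(j, obj)] for j in member):
            return False
        for j in member:
            # select a key at random among those still associated with obj
            k = self.rng.choice(sorted(self.keys[(j, obj)]))
            self.keys[(j, obj)] = {k}  # drop obj's association with other keys
            for other in self.channels[j]:  # drop k's association with other objects
                if other != obj:
                    self.keys[(j, other)].discard(k)
        return True  # objects outside every channel are always granted

    def reserved(self, j):
        """Objects of channel j that no key is associated with any more."""
        return [o for o in self.channels[j] if not self.keys[(j, o)]]
```

Whatever key the random choice picks, after m − 1 distinct objects of a channel have been accessed the remaining object has no key and every further request for it is refused.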
Inference Control Schemes in Multilevel Secure Database
Main Drawback of Single Key Schemes & Solution
Main Drawback: If the length of the channel is short, refreshing the key set causes a serious problem.
Solution: Require extra authorization when the reserved object is accessed.
Conclusion
Summarized four selected papers in the field of Multilevel Secure Databases:
Architecture of MLS RDBMS
Security Model for MLS
MAC Implementation Methodology
A Set of Key Schemes to Handle the Inference Problem
Reference
[1] Chen, X. and Wei, R. A Dynamic Method for Handling the Inference Problem in Multilevel Secure Databases. International Conference on Information Technology: Coding and Computing (ITCC 2005), Vol. 1, April 4-6, 2005, pp. 751-756.
[2] Rjaibi, W. An Introduction to Multilevel Secure Relational Database Management Systems. Proceedings of the 2004 Conference of the Centre for Advanced Studies on Collaborative Research (CASCON), Markham, Ontario, Canada, October 5-7, 2004, pp. 232-241.
[3] Rjaibi, W. and Bird, P. A Multi-Purpose Implementation of Mandatory Access Control in Relational Database Management Systems. Proceedings of the 30th VLDB Conference, Toronto, Canada, 2004, pp. 1010-1020.
[4] Jajodia, S. and Sandhu, R. Toward a Multilevel Secure Relational Data Model. ACM SIGMOD International Conference on Management of Data, Denver, Colorado, May 1991, pp. 50-59.