Survey Presentation in Multilevel Secure Database 60-564: Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented By: Vic Ho & Kashif Saeed Date: April 8, 2006


Page 2

Table of Contents

What is MLS RDBMS?
Bell-LaPadula Security Model
Evaluation and Certification
MLS Architecture
Multilevel Relations
Polyinstantiation
Integrity Properties
Update Operation

Page 3

MultiLevel Secure RDBMS

Capability that allows information with different classifications to be available in an information system.

Users have different security clearances and authorizations.

Prevents users from accessing information for which they are not cleared.

Page 4

Emergence of MLS RDBMS

U.S. military and intelligence communities segregating data based upon its security classification.

“Air gap” with “sneaker net” used to make it secure.

Along came drawbacks:
Redundant databases
Redundant workstations
High cost of IT infrastructure
Inefficiency

Page 5

Solution

Using MLS allows classified information to be stored, processed and distributed in a secure way without the drawbacks listed previously.

Page 6

Features of MLS

Users have different security clearances and authorizations.

Users work with an MLS database the same way they work with a classic RDBMS.

Different levels of security can be enforced, e.g. “Top Secret”, “Secret” etc.

Page 7

Bell-LaPadula Security Model

MLS uses the basic security model presented by Bell and LaPadula.

The model consists of:
Objects
Subjects

An object is a passive entity, e.g. flat files, records, fields within a record, etc.

Page 8

Bell-LaPadula Security Model

A subject is an active process that can request access to an object.

Objects are assigned a classification and subjects a clearance.

Classification and clearance are collectively called labels.

Labels have two components: a “hierarchical component” and a set of “unordered compartments”.

Page 9

Bell-LaPadula Security Model

MLS enforces two restrictions on all data accesses:

“No Read UP”: A subject can read an object if and only if its label dominates the object’s label.

“No Write Down”: A subject can write on an object if the object’s label dominates the subject’s label.


Page 10

Evaluation and Certification

Such systems carry highly classified data and may be used by organizations like the military, the air force or government agencies.

Every MLS system must obtain a security evaluation certificate.

Common Criteria, adopted as an ISO standard.
Trusted Computer System Evaluation Criteria (TCSEC).

Page 11

MLS Architecture

Depending upon how the access control is handled, there are two types of architectures:

Woods Hole Architecture
Trusted Subject Architecture

Page 12

MLS Architecture > Woods Hole Architecture

Access control is delegated to a trusted operating system.

Uses an untrusted RDBMS wrapped in trusted code.

Two categories of such a scheme:
Kernelized Architecture
Distributed architectures

Page 13

MLS Architecture > Woods Hole Architecture > Kernelized Architecture

Each security level is implemented using a separate copy of an off-the-shelf untrusted RDBMS and a trusted front-end.

A trusted operating system sits in the middle to enforce the access control policies.

Using MAC, users can be restricted to accessing different fragments of the database.

Page 14

MLS Architecture > Woods Hole Architecture > Kernelized Architecture

Advantages:

The RDBMS associated with the High security level can access the Low database as well.

Data is associated with different security levels that enforce strict access controls.

Minimizes the evaluation time of the RDBMS if it is used with a pre-evaluated operating system.

Page 15

MLS Architecture > Woods Hole Architecture > Kernelized Architecture

[Diagram: kernelized architecture, showing a High User and a Low User, a High trusted front-end and a Low trusted front-end, a High RDBMS and a Low RDBMS, a trusted operating system, and High data and Low data.]

Page 16

MLS Architecture > Woods Hole Architecture > Distributed architectures

Multiple copies of the trusted front-end and the RDBMS are used with different storage databases.

At any particular security level, say k, the database contains a replica of all the data that a subject at level k can access.

Drawback: the entire database has to be synchronized whenever an update happens at one point.

Page 17

MLS Architecture > Trusted Subject Architecture

A trusted RDBMS and a trusted operating system are used along with an untrusted front-end.

Mandatory Access Control is enforced by the RDBMS itself.

Advantages:

Access to data at all levels at the same time, along with minimal retrieval time and update processing.

[Diagram: trusted subject architecture, showing a High User and a Low User, two untrusted front-ends, a single trusted RDBMS on a trusted operating system, and one database.]

Page 18

Multilevel Relation

Expresses two properties, similar to a single-level relation, with the addition of an access class.

Relation Schema: a state-invariant multilevel relation scheme R(A1, C1, A2, C2, …, An, Cn, TC) such that each Ai belongs to a domain Di, each Ci is the classification attribute for Ai, and TC is the tuple class attribute.

Relation Instance: a collection of state-dependent relation instances Rc(A1, C1, A2, C2, …, An, Cn, TC), one for each access class c.

Page 19

Polyinstantiation

Allowing multiple tuples with the same primary key to coexist in the same relation.

Can be used against inference and against denial of service to legitimate users, and also to protect against “covert channels”, e.g. a storage covert channel.

Example.

Page 20

Multilevel Integrity Properties

A multilevel relation is composed of several sets of tuples rather than a single set of tuples.

The instances may have different access classes, which makes the relation more complex.

Multilevel relations exhibit four additional properties on top of the not-null property of the primary key in a single-level traditional RDBMS.

Page 21

Multilevel Integrity Properties > Entity Integrity

Multilevel relation R satisfies entity integrity if and only if for all instances Rc of R and all t ∈ Rc:

Ai ∈ AK ⇒ t[Ai] ≠ null

Ai, Aj ∈ AK ⇒ t[Ci] = t[Cj]

Ai ∉ AK ⇒ t[Ci] ≥ t[CAK]

Page 22

Multilevel Integrity Properties > Null Integrity

Multilevel relation R satisfies null integrity if and only if for each instance Rc of R the following conditions are true.

For all t ∈ Rc: t[Ai] = null ⇒ t[Ci] = t[CAK], and Rc contains no tuple that is subsumed by another tuple of Rc. Tuple t subsumes tuple s if for every attribute Ai, either (a) t[Ai, Ci] = s[Ai, Ci] or (b) t[Ai] ≠ null and s[Ai] = null.

Page 23

Multilevel Integrity Properties > Inter-Instance Integrity

R satisfies inter-instance integrity if and only if for all c′ ≤ c we have Rc′ = σ(Rc, c′), where σ is the filter function: it keeps the tuples of Rc whose key class is dominated by c′, replaces every attribute value classified above c′ by null at the key's class, and removes the tuples that are then subsumed by others.

Page 24

Multilevel Integrity Properties > Polyinstantiation Integrity

The relation R satisfies polyinstantiation integrity if and only if for every Rc we have, for all Ai, the functional dependency AK, CAK, Ci → Ai. This property implicitly defines what is meant by the primary key in a multilevel relation.

Page 25

Update Operation

Insert, update and delete SQL update operations.

In a single-level relation, these operations overwrite the data.

The same cannot be done in an MLS relation. WHY?

Example
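Worked Python example, added here and not taken from the slides or the surveyed papers, of the multilevel relation of Pages 18 to 25: per-attribute classifications, the filter function σ behind inter-instance integrity, the entity and polyinstantiation integrity checks, and why an update cannot overwrite as in a single-level relation (a SECRET user's change to a CLASSIFIED value would alter what CLASSIFIED users see, so the update polyinstantiates instead). The three level names are the deck's; the starship relation, its attribute names and the single-attribute apparent key SID are constructed for the example.

```python
# Added example: a multilevel relation R(A1, C1, ..., An, Cn) where every attribute
# value carries its own access class; a tuple is a dict attr -> (value, class).
RANK = {"CLASSIFIED": 1, "SECRET": 2, "TOP SECRET": 3}   # the deck's ordered levels

def dominates(c1, c2):
    return RANK[c1] >= RANK[c2]

def tuple_class(t):
    """TC: the least upper bound of the attribute classes of a tuple."""
    return max((c for _, c in t.values()), key=RANK.__getitem__)

def subsumes(t, s):
    """t subsumes s: every attribute is equal, or t is non-null where s is null."""
    return all(t[a] == s[a] or (t[a][0] is not None and s[a][0] is None) for a in t)

def entity_integrity(rel, ak):
    """Key non-null and every non-key class dominates the key class (single-attribute AK)."""
    return all(t[ak][0] is not None and
               all(dominates(c, t[ak][1]) for a, (_, c) in t.items() if a != ak)
               for t in rel)

def polyinstantiation_integrity(rel, ak):
    """The functional dependency AK, CAK, Ci -> Ai must hold."""
    seen = {}
    for t in rel:
        for a, (v, c) in t.items():
            if seen.setdefault((t[ak], a, c), v) != v:
                return False
    return True

def filter_instance(rel, c, ak):
    """sigma(R, c): the instance a subject at class c sees.  Tuples whose key class
    is not dominated by c vanish; values classified above c become (null, CAK);
    tuples then subsumed by another tuple are dropped (null integrity)."""
    out = []
    for t in rel:
        kc = t[ak][1]
        if dominates(c, kc):
            out.append({a: ((v, k) if dominates(c, k) else (None, kc)) for a, (v, k) in t.items()})
    view = []
    for t in out:
        if t not in view and not any(s != t and subsumes(s, t) for s in out):
            view.append(t)
    return view

def update(rel, ak, key, attr, value, c):
    """UPDATE by a subject at class c.  A value already at class c is overwritten;
    a value at another class is left untouched (overwriting a lower one would change
    the lower view, a write down) and a polyinstantiated tuple at class c is inserted."""
    visible = [t for t in rel if t[ak][0] == key and dominates(c, t[ak][1])]
    for t in visible:
        if t[attr][1] == c:
            t[attr] = (value, c)
            return rel
    new = dict(visible[0])
    new[attr] = (value, c)
    rel.append(new)
    return rel

def sample_relation():
    """Constructed sample: one CLASSIFIED starship tuple, apparent key SID."""
    return [{"SID": ("Enterprise", "CLASSIFIED"),
             "Objective": ("Exploration", "CLASSIFIED"),
             "Destination": ("Talos", "CLASSIFIED")}]

if __name__ == "__main__":
    r = sample_relation()
    update(r, "SID", "Enterprise", "Objective", "Spying", "SECRET")   # a SECRET user's update
    print(filter_instance(r, "CLASSIFIED", "SID"))   # the CLASSIFIED view still shows Exploration
    print(filter_instance(r, "SECRET", "SID"))       # the SECRET view shows both tuples
```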

Page 26

Table of Contents

Mandatory Access Control
Basic Model of MLS
MAC Implementation Methodology
Inference Problem
Single Key Schemes (Terminology & Phases)
Single Key Scheme for Single Inference Channels
Single Key Scheme for Multiple Inference Channels without “Repeated Object”
Single Key Scheme for Multiple Inference Channels with “Repeated Object”
Main Drawback of Single Key Schemes

Page 27

MAC Implementation in RDBMS

Mandatory Access Control (MAC): Restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity [1].

Multilevel Security (MLS): One of the well-known implementations of MAC.

Page 28

MAC Implementation in RDBMS

Basic Model of MLS

Object: A passive entity (i.e. information saved in the database). Each object is assigned a classification.

Subject: An active process used to request access to objects. Each subject is assigned a clearance.

Label: A piece of information made up of two kinds of component: a hierarchical component and a set of unordered compartments.

Hierarchical Component: Information about the sensitivity of the data.

Compartments Component: Information about the sensitivity or category of the labeled data. It is non-hierarchical.

Page 29

MAC Implementation in RDBMS

MAC Implementation Methodology

Features:
Define label types
Define label access rules and exceptions
Assign labels and exceptions to database users
Attach a label type and a set of label access rules to a database table

Page 30

MAC Implementation in RDBMS

Label Component

A database entity that can be CREATED, ALTERED and DROPPED. It specifies a set of valid elements for that label component. The set of elements can be either ordered or unordered; in an ordered set, the rank of an element is higher than the rank of the elements that follow it.

Example: create a label component
Label component: level
Ordered set
A set of valid values: TOP SECRET, SECRET and CLASSIFIED

CREATE LABEL COMPONENT level
OF TYPE varchar(15)
USING ORDERED SET {"TOP SECRET", "SECRET", "CLASSIFIED"}

Page 31

MAC Implementation in RDBMS

Label Type

A database entity that can be CREATED, ALTERED and DROPPED. It defines the set of label components that make up a label.

Example: create a label type
Label type: MLS
Label component: level

CREATE LABEL TYPE MLS
COMPONENTS level, compartments MULTIVALUED

Note: the keyword MULTIVALUED indicates that the compartments component can hold more than one value at a time. MULTIVALUED is only used for label components that contain an unordered set.

Page 32

MAC Implementation in RDBMS

Access Label

A database entity that can be CREATED and DROPPED. It can be assigned to database users (GRANT and REVOKE). Together with the label access rules it determines which labeled rows can be accessed by users.

Example: create an access label
Access label: L1
Label type: MLS

CREATE ACCESS LABEL L1
OF LABEL TYPE MLS
level "SECRET", compartments "NATO"

Page 33

MAC Implementation in RDBMS

Row Label

A database entity that can be INSERTED and UPDATED using the ROWLABEL function.

It labels a data row in a database table.

Example: insert a row
Database table: T1

INSERT INTO T1 VALUES (ROWLABEL("SECRET", "NATO"), 1, 2)

Page 34

MAC Implementation in RDBMS

Label Access Policy

A database entity that can be CREATED, ALTERED and DROPPED. It defines the label access rules that determine which users have authority to access a labeled data row in a database table.

Two categories of access rules: read access rules and write access rules.

Example: create a label access policy that implements the two restrictions of MLS (“No Read Up” and “No Write Down”)

CREATE LABEL POLICY mls-policy
LABEL TYPE MLS
READ ACCESS RULE rule1 ACCESS LABEL level >= ROW LABEL level
READ ACCESS RULE rule2 ROW LABEL compartments IN ACCESS LABEL compartments
WRITE ACCESS RULE rule1 ACCESS LABEL level <= ROW LABEL level
WRITE ACCESS RULE rule2 ACCESS LABEL compartments IN ROW LABEL compartments

Page 35

MAC Implementation in RDBMS

Exceptions

A database entity that can be assigned to database users (GRANT and REVOKE). Exceptions give some database users the flexibility to bypass label access rules.

Example: grant an exception
User: Joe
Bypass the write access rules (rule1 and rule2) in label access policy mls-policy

GRANT EXCEPTION ON WRITE ACCESS RULE rule1, rule2
FROM LABEL POLICY mls-policy
TO USER Joe
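Worked Python example, added here and not taken from the slides or the papers they survey, that evaluates the “No Read Up” / “No Write Down” restrictions of Page 9 as the mls-policy rules of Page 34 and applies the exception granted to Joe on Page 35. The access label L1 and the first row of T1 are the slide's; the other rows of T1, the user name alice and the NUCLEAR compartment are constructed, and the policy is evaluated in Python rather than by a database engine.

```python
# Added example: label dominance and the mls-policy read/write rules from the slides.
LEVELS = ["CLASSIFIED", "SECRET", "TOP SECRET"]   # the ordered set of the 'level' component
RANK = {name: i for i, name in enumerate(LEVELS)}  # higher rank = more sensitive

class Label:
    """An MLS label: a hierarchical level plus an unordered (multivalued) compartment set."""
    def __init__(self, level, compartments=()):
        self.level = level
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        """Bell-LaPadula dominance: level at least as high and a superset of the compartments."""
        return RANK[self.level] >= RANK[other.level] and other.compartments <= self.compartments

# mls-policy, rule by rule; each predicate takes (access_label, row_label).
READ_RULES = {
    "rule1": lambda acc, row: RANK[acc.level] >= RANK[row.level],    # ACCESS LABEL level >= ROW LABEL level
    "rule2": lambda acc, row: row.compartments <= acc.compartments,  # ROW LABEL compartments IN ACCESS LABEL compartments
}
WRITE_RULES = {
    "rule1": lambda acc, row: RANK[acc.level] <= RANK[row.level],    # ACCESS LABEL level <= ROW LABEL level
    "rule2": lambda acc, row: acc.compartments <= row.compartments,  # ACCESS LABEL compartments IN ROW LABEL compartments
}

class LabelPolicy:
    """Evaluates the read/write rules together with the exceptions granted to users."""
    def __init__(self):
        self.exceptions = {}   # user -> {"read": {rule names}, "write": {rule names}}

    def grant_exception(self, user, access, rules):
        """GRANT EXCEPTION ON <access> ACCESS RULE ... TO USER <user>."""
        self.exceptions.setdefault(user, {}).setdefault(access, set()).update(rules)

    def allowed(self, user, access, acc_label, row_label):
        """True if every rule of the access kind that the user has no exception on holds."""
        rules = READ_RULES if access == "read" else WRITE_RULES
        bypassed = self.exceptions.get(user, {}).get(access, set())
        return all(check(acc_label, row_label)
                   for name, check in rules.items() if name not in bypassed)

def visible_rows(policy, user, acc_label, rows):
    """Rows of a table that a user holding acc_label may read; rows are (row_label, data)."""
    return [data for row_label, data in rows if policy.allowed(user, "read", acc_label, row_label)]

# Constructed sample data: T1 holds the slide's row plus three more rows.
L1 = Label("SECRET", {"NATO"})                       # CREATE ACCESS LABEL L1 ... level "SECRET", compartments "NATO"
T1 = [
    (Label("SECRET", {"NATO"}), (1, 2)),             # INSERT INTO T1 VALUES (ROWLABEL("SECRET", "NATO"), 1, 2)
    (Label("CLASSIFIED"), (3, 4)),
    (Label("TOP SECRET", {"NATO"}), (5, 6)),
    (Label("SECRET", {"NATO", "NUCLEAR"}), (7, 8)),  # NUCLEAR is a constructed compartment
]

def demo():
    policy = LabelPolicy()
    policy.grant_exception("Joe", "write", {"rule1", "rule2"})   # the slide's GRANT EXCEPTION
    classified_row = T1[1][0]
    return {
        "readable": visible_rows(policy, "alice", L1, T1),
        # Writing a SECRET user's data into a CLASSIFIED row is a write down: denied without an exception.
        "alice_writes_classified": policy.allowed("alice", "write", L1, classified_row),
        "joe_writes_classified": policy.allowed("Joe", "write", L1, classified_row),
        # The two read rules together are exactly label dominance (no read up).
        "read_matches_dominance": all(
            policy.allowed("alice", "read", L1, lbl) == L1.dominates(lbl) for lbl, _ in T1),
    }

if __name__ == "__main__":
    print(demo())
```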

Page 36

Inference Control Schemes in Multilevel Secure Database

Inference Problem

Information classified at a higher security level can be discovered by users classified at a lower security level by means of inference [1].

The most common way to perform such an inference is from the responses to a series of queries.

Page 37

Inference Control Schemes in Multilevel Secure Database

Single Key Schemes (Terminology) [1]

Three single key schemes are used to handle the inference control problem under three different conditions.

Object (O): A unit of information saved in a database, or the relationship between objects. Oi simply denotes the ith object in the inference channel.

Inference Channel: A minimum set of objects needed for performing an inference.

Length of Inference Channel (m): The number of objects in the inference channel. An inference channel of length m is also called an m-channel.

Key Set (K): Each key contains information about its association to objects. The number of keys in a key set is m - 1, where m is the length of the inference channel.

Reserved Object: An object in the inference channel which is not associated with any key at all.

Page 38

Inference Control Schemes in Multilevel Secure Database

Single Key Schemes (Phases)

Key Initialization: Establishes the associations between keys and objects. The algorithm runs only once, unless the entire system is going to be refreshed.

Query Processing: Details the algorithm of a query. The algorithm runs whenever a user wants to access an object.

Page 39

Inference Control Schemes in Multilevel Secure Database

Basic Idea of Key Schemes

To perform the inference, a user must have access to all the objects in the inference channel.

A request to access an object in the inference channel requires a key.

Major idea: the number of keys is one less than the number of objects in the inference channel.

Page 40

Inference Control Schemes in Multilevel Secure Database

Single Key Scheme for Single Inference Channels

1) Key Initialization: Associate every object in the inference channel with all the m - 1 keys, denoted by K(Oi) = K, i = 1, 2, …, m.

2) Query Processing: Select a key randomly. Delete the association between the requested object and the other keys. Delete the association between the selected key and the other objects.

Note: When all m - 1 keys have been used, m - 1 of the m objects in the channel are associated with keys, and the one object left over is the reserved object.

Page 41

Inference Control Schemes in Multilevel Secure Database

Single Key Scheme for Multiple Inference Channels without “Repeated Object”

Consideration: There are multiple inference channels in the database and all channels are disjoint from each other.

Solution: Allocate one set of keys to each inference channel.

1) Key Initialization:
Inference channel: C
Number of inference channels in the database: l
Length of channel Cj: mj, where j = 1, 2, …, l
Maximum length of all inference channels: mmax
Therefore, the key set K contains mmax - 1 keys.

2) Query Processing: Similar to the algorithm of the first key scheme.

Page 42

Inference Control Schemes in Multilevel Secure Database

Single Key Scheme for Multiple Inference Channels with “Repeated Object”

Consideration: There are multiple inference channels in the database and some objects appear in more than one channel.

1) Key Initialization: Similar to the algorithm of the second key scheme.

2) Query Processing: When the repeated object is NOT the reserved object, the user's request to access it is handled the same way as for other objects. When the repeated object is the reserved object, the user's request to access it is denied.
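Worked Python simulation, added here and not code from the slides or from reference [1], of the single key scheme of Page 40 and its multi-channel variant with a repeated object from Pages 41 and 42. The channels and object names are constructed; as a simplification, each channel holds its own key set of mj - 1 keys rather than a shared set of mmax - 1 keys, and objects outside every channel are assumed to need no key.

```python
import random

class SingleKeyScheme:
    """Single key scheme for one inference channel: m objects, m - 1 keys.  Once
    m - 1 distinct objects have been bound to keys, the object left over is the
    reserved object and can no longer be reached, so the channel stays incomplete."""

    def __init__(self, objects, rng):
        self.objects = list(objects)
        self.rng = rng
        # Key initialization: every object is associated with all m - 1 keys, K(Oi) = K.
        self.keys = [f"key{i}" for i in range(1, len(self.objects))]
        self.assoc = {o: set(self.keys) for o in self.objects}

    def reserved(self, obj):
        """True once obj has no key associated with it."""
        return not self.assoc[obj]

    def grant(self, obj):
        """Query processing: pick a key at random from K(obj), drop obj's association
        with the other keys and the key's association with the other objects."""
        if self.reserved(obj):
            return None
        key = self.rng.choice(sorted(self.assoc[obj]))
        self.assoc[obj] = {key}
        for other in self.objects:
            if other != obj:
                self.assoc[other].discard(key)
        return key

class MultiChannelScheme:
    """Several inference channels, possibly sharing repeated objects.  Assumption:
    each channel Cj gets its own key set of mj - 1 keys (the slide uses a shared
    key set of mmax - 1 keys)."""

    def __init__(self, channels, seed=0):
        rng = random.Random(seed)   # seeded so that runs are repeatable
        self.schemes = [SingleKeyScheme(channel, rng) for channel in channels]

    def request(self, obj):
        """True if access to obj is granted, False if it is denied."""
        owners = [s for s in self.schemes if obj in s.objects]
        if not owners:
            return True   # not part of any inference channel: no key needed (assumption)
        # A (repeated) object that is the reserved object of any channel is denied.
        if any(s.reserved(obj) for s in owners):
            return False
        for s in owners:
            s.grant(obj)
        return True

def run_requests(channels, requests, seed=0):
    """Replay a sequence of object requests and return the granted/denied decisions."""
    scheme = MultiChannelScheme(channels, seed)
    return [scheme.request(obj) for obj in requests]

if __name__ == "__main__":
    # Constructed channels: C1 = {O1, O2, O3}, C2 = {O3, O4}; O3 is the repeated object.
    channels = [["O1", "O2", "O3"], ["O3", "O4"]]
    print(run_requests(channels, ["O1", "O2", "O3", "O4"]))   # O3 becomes C1's reserved object
    print(run_requests(channels, ["O3", "O4", "O1", "O2"]))   # O4 and O2 are the reserved objects
```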

Page 43

Inference Control Schemes in Multilevel Secure Database

Main Drawback of Single Key Schemes & Solution

Main Drawback: If the length of the channel is short, it causes a serious problem when the key set is refreshed.

Solution: Add a requirement of extra authorization when accessing the reserved object.

Page 44

Conclusion

Summarized four selected papers in the field of Multilevel Secure Databases:

Architecture of MLS RDBMS
Security Model for MLS
MAC Implementation Methodology
A Set of Key Schemes to Handle the Inference Problem

Page 45

References

[1] Chen, X. and Wei, R. A Dynamic Method for Handling the Inference Problem in Multilevel Secure Databases. International Conference on Information Technology: Coding and Computing (ITCC 2005), Vol. 1, April 4-6, 2005, pp. 751-756.

[2] Rjaibi, W. An Introduction to Multilevel Secure Relational Database Management Systems. Proceedings of the 2004 Conference of the Centre for Advanced Studies on Collaborative Research (CASCON), Markham, Ontario, Canada, October 5-7, 2004, pp. 232-241.

[3] Rjaibi, W. and Bird, P. A Multi-Purpose Implementation of Mandatory Access Control in Relational Database Management Systems. Proceedings of the 30th VLDB Conference, Toronto, Canada, 2004, pp. 1010-1020.

[4] Sushil, J. and Ravi, S. Toward a Multilevel Secure Relational Data Model. ACM SIGMOD International Conference on Management of Data, Denver, Colorado, May 1991, pp. 50-59.