Survey Presentation in
Multilevel Secure Database
60-564: Security and Privacy on the Internet
Instructor: Dr. A. K. Aggarwal
Presented By: Vic Ho & Kashif Saeed
Date: April 8, 2006
Table of Contents
- What is MLS RDBMS?
- Bell-LaPadula Security Model
- Evaluation and Certification
- MLS Architecture
- Multilevel Relations
- Polyinstantiation
- Integrity Properties
- Update Operation

MultiLevel Secure RDBMS
- Capability that allows information with different classifications to be available in one information system.
- Users have different security clearances and authorizations.
- Prevents users from accessing information for which they are not cleared.

Emergence of MLS RDBMS
- The U.S. military and intelligence communities segregated data based upon its security classification.
- An "air gap" with a "sneaker net" was used to keep it secure.
- Along came drawbacks:
  - Redundant databases
  - Redundant workstations
  - High cost of IT infrastructure
  - Inefficiency

Solution
- Using MLS, classified information can be stored, processed and distributed in a secure way without incurring the drawbacks listed previously.
Features of MLS
- Users have different security clearances and authorizations.
- Users work with an MLS database the same way they use a classic RDBMS.
- Different levels of security can be enforced, e.g. "Top Secret", "Secret" etc.

Bell-LaPadula Security Model
- MLS uses the basic security model presented by Bell and LaPadula.
- The model consists of:
  - Objects
  - Subjects
- An object is considered a passive entity, e.g. flat files, records, fields within a record etc.
Bell-LaPadula Security Model
- A subject is an active process that can request access to an object.
- Objects are assigned a classification and subjects a clearance.
- Classification and clearance are collectively called labels.
- Labels have two components, a "hierarchical component" and a set of "unordered compartments".

Bell-LaPadula Security Model
- MLS enforces two restrictions on all data accesses:
  - "No Read Up": A subject can read an object if and only if the subject's label dominates the object's label.
  - "No Write Down": A subject can write to an object if the object's label dominates the subject's label.

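The two restrictions above are a comparison in the label lattice: a label dominates another when its hierarchical level is at least as high and its compartment set is a superset. The following is an added example (not code from the presentation or the papers it summarizes); the level names are the ones the slides use, the numeric ranks and the compartment names are constructed.

```python
"""Bell-LaPadula label dominance and the two MLS access restrictions (added example)."""
from dataclasses import dataclass, field

# Hierarchical component: rank per level name, higher rank = more sensitive.
# Level names follow the slides; the ranks are constructed for this example.
LEVEL_RANK = {"UNCLASSIFIED": 0, "CLASSIFIED": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)  # unordered compartments

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high AND a superset of compartments."""
        return (LEVEL_RANK[self.level] >= LEVEL_RANK[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """No Read Up: read allowed iff the subject's clearance dominates the object's classification."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """No Write Down: write allowed only if the object's classification dominates the subject's clearance."""
    return obj.dominates(subject)


def incomparable(a: Label, b: Label) -> bool:
    """Labels form a partial order, not a total one: with different compartment sets neither
    label dominates the other, so such a subject can neither read nor write such an object."""
    return not a.dominates(b) and not b.dominates(a)
```

Note that `can_write` permits writing *up*: a SECRET subject may write into a TOP SECRET object it cannot read back, which is exactly the property that stops information from leaking downward.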
Evaluation and Certification
- Systems will carry highly classified data and might be used by organizations like the military, air force or government agencies.
- Every MLS system must obtain a security evaluation certificate.
- Common Criteria, adopted as an ISO standard.
- Trusted Computer System Evaluation Criteria (TCSEC).


MLS Architecture
- Depending upon how access control is handled, we have two types of architectures:
  - Woods Hole Architecture
  - Trusted Subject Architecture


MLS Architecture > Woods Hole Architecture
- Access control is delegated to a trusted operating system.
- Uses an un-trusted RDBMS with a wrap-around of trusted code.
- Two categories of such a scheme:
  - Kernelized Architecture
  - Distributed architectures


MLS Architecture > Woods Hole Architecture > Kernelized Architecture
- Each security level is implemented using a separate copy of an off-the-shelf un-trusted RDBMS and a trusted front-end.
- A trusted operating system is used in the middle to enforce the access control policies.
- Using MAC, users can be restricted to accessing different fragments of the database.


MLS Architecture > Woods Hole Architecture > Kernelized Architecture

Advantages
- The RDBMS associated with the High security level can access the Low database as well.
- Data is associated with different security levels that enforce strict access controls.
- Minimizes the time needed to evaluate the RDBMS if it is used with a pre-evaluated operating system.


MLS Architecture > Woods Hole Architecture > Kernelized Architecture
[Diagram: High User -> High Trusted Front-End -> High RDBMS -> High Data; Low User -> Low Trusted Front-End -> Low RDBMS -> Low Data; both stacks run on the Trusted Operating System]
MLS Architecture > Woods Hole Architecture > Distributed architectures
- Multiple copies of the trusted front-end and RDBMS are used with different storage databases.
- At any particular security level, say k, the database contains a replica of every other piece of data that a subject at level k can access.
- Drawback: the entire database has to be synchronized whenever an update happens at one point.
MLS Architecture > Trusted Subject Architecture
- A trusted RDBMS and a trusted operating system are used along with an un-trusted front-end.
- Mandatory Access Control is enforced by the RDBMS itself.
- Advantages: access to several data levels at the same time, along with minimal retrieval time and update processing.
[Diagram: High User -> Un-trusted Front-End and Low User -> Un-trusted Front-End, both connected to the Trusted RDBMS running on the Trusted Operating System over a single Database]
Multilevel Relation
- Expresses two properties, similar to a single-level relation, with the addition of access class.
- Relation Schema: a state-invariant multilevel relation scheme R(A1, C1, A2, C2, ..., An, Cn, TC) such that each Ai belongs to a domain Di, each Ci is the classification attribute for Ai, and TC is the tuple-class attribute.
- Relation Instance: a collection of state-dependent relation instances Rc(A1, C1, A2, C2, ..., An, Cn, TC), one for each access class c.
Polyinstantiation
- Allows multiple copies of the same primary key to coexist in the same relation.
- Can be used against inference and denial of service to legitimate users, and also to protect against "covert channels", e.g. a storage covert channel.
- Example.


Multilevel Integrity Properties
- A multilevel relation is composed of sets of tuples rather than a single set of tuples.
- Instances might have different access classes and hence the relation is more complex.
- Multilevel relations exhibit four additional properties in addition to the not-null property of the primary key in a single-level traditional RDBMS.


Multilevel Integrity Properties > Entity Integrity
Multilevel relation R satisfies entity integrity if and only if for all instances Rc of R and t ∈ Rc:
- Ai ∈ AK ⇒ t[Ai] ≠ null
- Ai, Aj ∈ AK ⇒ t[Ci] = t[Cj]
- Ai ∉ AK ⇒ t[Ci] ≥ t[CAK]
Multilevel Integrity Properties > Null Integrity
Multilevel relation R satisfies null integrity if and only if for each instance Rc of R the following conditions are true:
- For all t ∈ Rc: t[Ai] = null ⇒ t[Ci] = t[CAK].
- Tuple t subsumes tuple s if for every attribute Ai, either (a) t[Ai, Ci] = s[Ai, Ci] or (b) t[Ai] ≠ null and s[Ai] = null.
Multilevel Integrity Properties > Inter-Instance Integrity
- R satisfies inter-instance integrity if and only if for all c' ≤ c we have Rc' = σ(Rc, c'), where σ is the filter function.


Multilevel Integrity Properties > Polyinstantiation Integrity
- The relation R satisfies polyinstantiation integrity if and only if for every Rc we have, for all Ai, the functional dependency AK, CAK, Ci → Ai. This property implicitly defines what is meant by the primary key in a multilevel relation.
Update Operation
- Insert, update and delete are the SQL update operations.
- In a single-level relation, these operations overwrite the data.
- The same cannot be done in an MLS relation. WHY?

Example
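The following added example (not code from the presentation or from the Jajodia-Sandhu paper it summarizes) ties the integrity properties above to the update question: it implements the filter function σ, the entity, null and polyinstantiation integrity checks, and an UPDATE that overwrites an element only when it is classified at the issuing user's own class and otherwise adds a polyinstantiated tuple. The STARSHIP relation and its rows are constructed sample data with a single-attribute key, labels are hierarchical levels only (U < C < S < TS), and the update semantics are this example's simplification of the model.

```python
"""Multilevel relation: filter function, integrity checks and a polyinstantiating
update. Added example with constructed data; hierarchical access classes only."""

RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}        # access classes, low to high (constructed)
ATTRS = ["STARSHIP", "OBJECTIVE", "DESTINATION"]  # constructed sample schema
KEY = "STARSHIP"                                 # apparent primary key AK (single attribute)


# A tuple maps each attribute Ai to (value, Ci); the "TC" entry holds the tuple class.
def tuple_class(t):
    return max((t[a][1] for a in ATTRS), key=RANK.get)


def make_tuple(**elements):
    t = {a: elements[a] for a in ATTRS}
    t["TC"] = tuple_class(t)
    return t


def subsumes(t, s):
    """t subsumes s: for every Ai either t[Ai,Ci] = s[Ai,Ci] or t is non-null where s is null."""
    return all(t[a] == s[a] or (t[a][0] is not None and s[a][0] is None) for a in ATTRS)


def filter_instance(instance, c):
    """sigma(Rc, c): what a subject at access class c sees. Tuples whose key is classified
    above c vanish, elements above c become (null, C_AK), subsumed tuples are dropped."""
    views = []
    for t in instance:
        if RANK[t[KEY][1]] > RANK[c]:
            continue
        view = {}
        for a in ATTRS:
            value, cls = t[a]
            view[a] = (value, cls) if RANK[cls] <= RANK[c] else (None, t[KEY][1])
        view["TC"] = tuple_class(view)
        views.append(view)
    return [v for v in views if not any(w != v and subsumes(w, v) for w in views)]


def entity_integrity(instance):
    """Key element non-null and every Ci dominates C_AK (key has one attribute, so
    the 'all key attributes share a class' condition holds trivially)."""
    return all(t[KEY][0] is not None
               and all(RANK[t[a][1]] >= RANK[t[KEY][1]] for a in ATTRS) for t in instance)


def null_integrity(instance):
    """A null element carries the key's class: t[Ai] = null => t[Ci] = t[C_AK]."""
    return all(t[a][1] == t[KEY][1] for t in instance for a in ATTRS if t[a][0] is None)


def polyinstantiation_integrity(instance):
    """Functional dependency AK, C_AK, Ci -> Ai for every attribute Ai."""
    for a in ATTRS:
        seen = {}
        for t in instance:
            if seen.setdefault((t[KEY], t[a][1]), t[a][0]) != t[a][0]:
                return False
    return True


def update(instance, user_class, key_value, attr, new_value):
    """UPDATE R SET attr = new_value WHERE STARSHIP = key_value, issued at user_class.
    An element already classified at user_class is overwritten in place; otherwise a
    tuple classified at user_class is added (polyinstantiation), so an element the
    user cannot see is never overwritten and nothing is written below the user."""
    additions = []
    for t in instance:
        if t[KEY][0] != key_value or RANK[t[KEY][1]] > RANK[user_class]:
            continue                                    # key not visible to this user
        if t[attr][1] == user_class:
            t[attr] = (new_value, user_class)
        else:
            new = filter_instance([t], user_class)[0]   # start from what the user sees
            new[attr] = (new_value, user_class)
            new["TC"] = tuple_class(new)
            additions.append(new)
    for new in additions:
        if new not in instance:
            instance.append(new)
    return instance
```

Running a Secret update against a tuple whose DESTINATION is Unclassified leaves the Unclassified tuple untouched (an Unclassified reader still sees the old value, so the update is not observable below Secret) and adds a second tuple with the same key, which is exactly the polyinstantiation the slide asks about.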
Table of Contents
- Mandatory Access Control
- Basic Model of MLS
- MAC Implementation Methodology
- Inference Problem
- Single Key Schemes (Terminology & Phases)
- Single Key Scheme for Single Inference Channels
- Single Key Scheme for Multiple Inference Channels without "Repeated Object"
- Single Key Scheme for Multiple Inference Channels with "Repeated Object"
- Main Drawback of Single Key Schemes
MAC Implementation in RDBMS

Mandatory Access Control (MAC): restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity [1].

Multilevel Security (MLS): one of the well-known implementations of MAC.
MAC Implementation in RDBMS
Basic Model of MLS
- Object: a passive entity (i.e. information saved in the database). Each object is assigned a classification.
- Subject: an active process which is used to request access to objects. Each subject is assigned a clearance.
- Label: a piece of information which includes two types of components: a hierarchical component and a set of unordered compartments.
- Hierarchical Component: information about the sensitivity of the data.
- Compartments Component: information about the sensitivity or category of the labeled data. It is nonhierarchical.
MAC Implementation in RDBMS
MAC Implementation Methodology
Features
- Define label types
- Define label access rules and exceptions
- Assign labels and exceptions to database users
- Attach a label type and a set of label access rules to a database table
MAC Implementation in RDBMS
Label Component
- A database entity that can be CREATED, ALTERED and DROPPED.
- Specifies a set of valid elements for that label component.
- The set of elements can be either ordered or unordered.
- In an ordered set, the rank of an element is higher than the rank of the elements that follow it.
Example
- Create a label component
- Label component: level
- Ordered set
- A set of valid values: TOP SECRET, SECRET and CLASSIFIED
CREATE LABEL COMPONENT level
OF TYPE varchar(15)
USING ORDERED SET
{"TOP SECRET", "SECRET", "CLASSIFIED"}
MAC Implementation in RDBMS
Label Type
- A database entity that can be CREATED, ALTERED and DROPPED.
- Defines the set of label components that make up a label.
Example
- Create a label type
- Label type: MLS
- Label component: level
CREATE LABEL TYPE MLS
COMPONENTS level,
compartments MULTIVALUED
Note
- The keyword MULTIVALUED indicates that the compartments component can hold more than one value at a time.
- The keyword MULTIVALUED is only used for label components which contain an unordered set.
MAC Implementation in RDBMS
Access Label
- A database entity that can be CREATED and DROPPED.
- It can be assigned (GRANT and REVOKE) to database users.
- It cooperates with the label access rules to determine which labeled rows can be accessed by users.
Example
- Create an access label
- Access label: L1
- Label type: MLS
CREATE ACCESS LABEL L1
OF LABEL TYPE MLS
level "SECRET", compartments "NATO"
MAC Implementation in RDBMS
Row Label
- A database entity that can be INSERTED and UPDATED using the ROWLABEL function.
- Labels a data row in a database table.
Example
- Insert a row
- Database table: T1
INSERT INTO T1 VALUES
(ROWLABEL("SECRET", "NATO"), 1, 2)
MAC Implementation in RDBMS
Label Access Policy
- A database entity that can be CREATED, ALTERED and DROPPED.
- Defines the label access rules that determine which users have authority to access a labeled data row in a database table.
- Two categories of access rules: Read Access Rules and Write Access Rules.
Example
- Create a label access rule
- Implement the two restrictions of MLS ("No Read Up" and "No Write Down")
CREATE LABEL POLICY mls-policy
LABEL TYPE MLS
READ ACCESS RULE rule1
ACCESS LABEL level >= ROW LABEL level
READ ACCESS RULE rule2
ROW LABEL compartments IN
ACCESS LABEL compartments
WRITE ACCESS RULE rule1
ACCESS LABEL level <= ROW LABEL level
WRITE ACCESS RULE rule2
ACCESS LABEL compartments IN
ROW LABEL compartments
MAC Implementation in RDBMS
Exceptions
- A database entity that can be assigned (GRANT and REVOKE) to database users.
- Provides the flexibility for some database users to bypass label access rules.
Example
- Grant an exception
- User: Joe
- Bypass the write access rules (rule1 and rule2) in label access policy mls-policy
GRANT EXCEPTION
ON WRITE ACCESS RULE rule1, rule2
FROM LABEL POLICY mls-policy
TO USER Joe
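To see how the label component, access label, row labels, the four rules of mls-policy and a granted exception fit together at query time, here is an added example (not the DBMS's code and not from the presentation or the Rjaibi-Bird paper) that evaluates the policy over a small labeled table. The ordered `level` component, the access label L1 (SECRET, NATO), the row (ROWLABEL("SECRET","NATO"), 1, 2) and user Joe's write exception are taken from the slides; the remaining rows of T1 and the user alice are constructed.

```python
"""Row-level evaluation of the slides' mls-policy with per-user exceptions (added example)."""
from dataclasses import dataclass

# CREATE LABEL COMPONENT level ... USING ORDERED SET: the first element ranks highest.
LEVEL_ORDER = ["TOP SECRET", "SECRET", "CLASSIFIED"]
LEVEL_RANK = {name: len(LEVEL_ORDER) - i for i, name in enumerate(LEVEL_ORDER)}


@dataclass(frozen=True)
class Label:
    """A label of type MLS: ordered 'level' plus the MULTIVALUED 'compartments'."""
    level: str
    compartments: frozenset = frozenset()


# The four rules of mls-policy, transcribed from the slides, keyed by rule name.
READ_RULES = {
    "rule1": lambda acc, row: LEVEL_RANK[acc.level] >= LEVEL_RANK[row.level],  # no read up
    "rule2": lambda acc, row: row.compartments <= acc.compartments,            # row comps IN access comps
}
WRITE_RULES = {
    "rule1": lambda acc, row: LEVEL_RANK[acc.level] <= LEVEL_RANK[row.level],  # no write down
    "rule2": lambda acc, row: acc.compartments <= row.compartments,            # access comps IN row comps
}


@dataclass
class User:
    name: str
    access_label: Label                          # GRANT of an access label such as L1
    write_exceptions: frozenset = frozenset()    # rule names bypassed via GRANT EXCEPTION
    read_exceptions: frozenset = frozenset()


def rules_pass(rules, exceptions, access_label, row_label):
    """Every rule not covered by an exception must hold."""
    return all(pred(access_label, row_label)
               for name, pred in rules.items() if name not in exceptions)


def readable_rows(user, table):
    """SELECT * FROM table as user sees it: rows are filtered, not rejected, by the read rules."""
    return [cols for row_label, *cols in table
            if rules_pass(READ_RULES, user.read_exceptions, user.access_label, row_label)]


def can_write_row(user, row_label):
    """Whether an UPDATE/INSERT touching a row with row_label passes the write rules."""
    return rules_pass(WRITE_RULES, user.write_exceptions, user.access_label, row_label)


# Table T1 as (ROWLABEL, c1, c2). First row is the slides' INSERT; the rest are constructed.
T1 = [
    (Label("SECRET", frozenset({"NATO"})), 1, 2),
    (Label("TOP SECRET", frozenset({"NATO"})), 3, 4),
    (Label("CLASSIFIED"), 5, 6),
    (Label("SECRET", frozenset({"NATO", "CRYPTO"})), 7, 8),
]
L1 = Label("SECRET", frozenset({"NATO"}))                     # CREATE ACCESS LABEL L1
ALICE = User("alice", L1)                                     # constructed user holding L1
JOE = User("Joe", L1, write_exceptions=frozenset({"rule1", "rule2"}))  # GRANT EXCEPTION ... TO USER Joe
```

The exception is the part worth auditing in a real deployment: Joe's read view is identical to alice's, but `can_write_row` lets him write into a CLASSIFIED row that the policy's "No Write Down" rule would otherwise block, which is precisely the flow the Bell-LaPadula model exists to prevent and therefore something to log and review.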
Inference Control Schemes in Multilevel Secure Database
Inference Problem
- Information classified at a higher security level can be discovered by users classified at a lower security level by means of inference [1].
- The most common way to perform inference in this problem is from the responses to a series of queries.
Inference Control Schemes in Multilevel Secure Database
Single Key Schemes (Terminology) [1]
Three single key schemes are used to handle the inference control problem under three different conditions.
- Object (O): a unit of information saved in a database, or the relationship between objects. Oi simply means the ith object in the inference channel.
- Inference Channel: a minimum set of objects needed for performing an inference.
- Length of Inference Channel (m): the number of objects in the inference channel. An inference channel of length m is also called an m-channel.
- Key Set (K): each key contains information about its association to objects. The number of keys in a key set is m - 1, where m is the length of the inference channel.
- Reserved Object: an object in the inference channel which is not associated with any key at all.
Inference Control Schemes in Multilevel Secure Database
Single Key Schemes (Phases)
Key Initialization:
- Establishes the associations between keys and objects.
- The algorithm runs one time only, unless the entire system is going to be refreshed.
Query Processing:
- Details the algorithm of a query.
- The algorithm runs whenever a user wants to access an object.
Inference Control Schemes in Multilevel Secure Database
Basic Idea of Key Schemes
- Performing the inference requires access to all the objects in the inference channel.
- A request to access an object in the inference channel requires a key.
- Major Idea: the number of keys is one less than the number of objects in the inference channel.
Inference Control Schemes in Multilevel Secure Database
Single Key Scheme for Single Inference Channels
1) Key Initialization: Associate every object in the inference channel with all the m - 1 keys, denoted by K(Oi) = K, i = 1, 2, ..., m.
2) Query Processing:
- Select a key randomly.
- Delete the association between the requested object and the other keys.
- Delete the association between the selected key and the other objects.
Note: When all m - 1 keys have been used, m - 1 of the m objects in the channel are associated with keys, and there is one object left which is the reserved object.
Inference Control Schemes in Multilevel Secure Database
Single Key Scheme for Multiple Inference Channels without "Repeated Object"
- Consideration: there are multiple inference channels in the database and all channels are disjoint from each other.
- Solution: allocate one set of keys to each inference channel.
1) Key Initialization:
- Inference channel: C
- The number of inference channels in the database: l
- The length of channel Cj: mj, where j = 1, 2, ..., l
- Maximum length of all inference channels: mmax
- Therefore, the key set K contains mmax - 1 keys.
2) Query Processing:
- Similar to the algorithm of the first key scheme.
Inference Control Schemes in Multilevel Secure Database
Single Key Scheme for Multiple Inference Channels with "Repeated Object"
- Consideration: multiple inference channels in the database, and some object appears in more than one channel.
1) Key Initialization: similar to the algorithm of the second key scheme.
2) Query Processing:
- When the repeated object is NOT the reserved object, the user's request to access the object is handled the same as for other objects.
- When the repeated object is the reserved object, the user's request to access the object is denied.
Inference Control Schemes in Multilevel Secure Database
Main Drawback of Single Key Schemes & Solution
- Main Drawback: if the length of the channel is short, it causes a serious problem when the key set is refreshed.
- Solution: add a requirement of extra authorization when accessing the reserved object.
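The three key schemes and the extra-authorization rule are one procedure with three inputs, so here they are carried through as one added example (not the authors' code and not from Chen and Wei's paper): key initialization associates every object of a channel with the channel's keys, query processing binds a requested object to a randomly selected key and strips that key from the channel's other objects, and whichever object is left without a key becomes the reserved object and is refused unless the caller presents extra authorization. The channel contents are constructed, and the choice to give a channel of length mj the first mj - 1 keys of the mmax - 1 key set is this example's reading of "allocate one set of keys to each inference channel".

```python
"""Single key schemes for inference control as described on the slides (added example)."""
import random


class SingleKeyScheme:
    def __init__(self, channels, seed=0):
        """channels: one list of object names per inference channel C_j (constructed input)."""
        self.rng = random.Random(seed)          # seeded only so the walk-through is repeatable
        m_max = max(len(c) for c in channels)
        self.keys = [f"k{i}" for i in range(1, m_max)]        # key set K with m_max - 1 keys
        # Key Initialization: K(O_i) = K inside every channel. A channel of length m_j is
        # allocated m_j - 1 keys (assumption) so that exactly one object ends up reserved.
        self.assoc = [{obj: set(self.keys[:len(c) - 1]) for obj in c} for c in channels]

    def is_reserved(self, j, obj):
        """The reserved object of channel j is the one with no key associated any more."""
        return not self.assoc[j][obj]

    def _bound(self, j, obj):
        """obj already holds exactly one key that no other object of channel j shares."""
        keys = self.assoc[j][obj]
        return len(keys) == 1 and all(keys.isdisjoint(self.assoc[j][o])
                                      for o in self.assoc[j] if o != obj)

    def request(self, obj, extra_authorization=False):
        """Query Processing for one access request; True means access is granted."""
        members = [j for j, a in enumerate(self.assoc) if obj in a]
        if not members:
            return True                          # object lies in no inference channel
        if any(self.is_reserved(j, obj) for j in members):
            # A reserved object, including a repeated object that is reserved in any
            # one of its channels, is denied unless extra authorization is presented.
            return extra_authorization
        for j in members:                        # a repeated object is processed per channel
            if self._bound(j, obj):
                continue                         # an earlier request already keyed it
            key = self.rng.choice(sorted(self.assoc[j][obj]))   # select a key randomly
            self.assoc[j][obj] = {key}           # drop obj's association to the other keys
            for other in self.assoc[j]:
                if other != obj:
                    self.assoc[j][other].discard(key)           # drop key's other objects
        return True

    def reserved_objects(self):
        """Per channel, the objects left without a key once the channel's keys are used up."""
        return [[o for o in a if not a[o]] for a in self.assoc]
```

With a 3-channel [A, B, C] and two keys, the first two distinct requests succeed and the third object becomes reserved; with channels [A, B, C] and [C, D] sharing C, a single request for D exhausts the shorter channel's one key and makes C reserved there, so C is refused even though channel [A, B, C] could still key it. That is the "short channel" drawback the slide names, and the `extra_authorization` flag is the slide's proposed mitigation.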
Conclusion
Summarized four selected papers in the field of Multilevel Secure Databases:
- Architecture of MLS RDBMS
- Security Model for MLS
- MAC Implementation Methodology
- A Set of Key Schemes to Handle the Inference Problem

Reference
[1] Chen, X. and Wei, R. A Dynamic Method for Handling the Inference Problem in Multilevel Secure Databases. Information Technology: Coding and Computing, 2005 (ITCC 2005). International Conference on Volume 1, April 4-6, 2005. Page(s): 751-756 Vol. 1
[2] Rjaibi, W. An Introduction to Multilevel Secure Relational Database Management Systems. Proceedings of the 2004 conference of the Centre for Advanced Studies on Collaborative research (CASCON), Markham, Ontario, Canada. October 5-7, 2004. Page(s): 232-241
[3] Rjaibi, W. and Bird, P. A Multi-Purpose Implementation of Mandatory Access Control in Relational Database Management Systems. Proceedings of the 30th VLDB Conference, Toronto, Canada, 2004. Page(s): 1010-1020
[4] Sushil, J. and Ravi, S. Toward a Multilevel Secure Relational Data Model. ACM Sigmod International Conference on Management Data, Denver, Colorado. May 1991, Page(s): 50-59