Polyinstantiation in Relational Databases with Multilevel Security



Similar documents
TRANSMAT Trusted Operations for Untrusted Database Applications

Implementation of Mandatory Access Control in Role-based Security System with Oracle Snapshot Skill

Database Security. Soon M. Chung Department of Computer Science and Engineering Wright State University

INFO/CS 330: Applied Database Systems

SECURITY MODELS FOR OBJECT-ORIENTED DATA BASES

Proc. ACM SIGMOD International Conference on Management Data, Denver, Colarado, May 1991, pages TOWARD A MULTILEVEL SECURE RELATIONAL DATA

Chapter 23. Database Security. Security Issues. Database Security

Security Implications of Distributed Database Management System Models

Architectures for MLS Database Management Systems

Database Security and Authorization

Access Control Models Part I. Murat Kantarcioglu UT Dallas

THE IMPACT OF INHERITANCE ON SECURITY IN OBJECT-ORIENTED DATABASE SYSTEMS

CS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University

Security and Authorization. Introduction to DB Security. Access Controls. Chapter 21

Access Control Matrix

Part III. Access Control Fundamentals

ITM661 Database Systems. Database Security and Administration

Chapter 23. Database Security. Security Issues. Database Security

Trusted RUBIX TM. Version 6. Multilevel Security in Trusted RUBIX White Paper. Revision 2 RELATIONAL DATABASE MANAGEMENT SYSTEM TEL

Database Security Part 7

Security Issues in the Database Language SQL W. Timothy Polk and Lawrence E. Bassham

Database Security. 1 Introduction. 2 Discretionary Security

COSC344 Database Theory and Applications. Lecture 23 Security and Auditing. COSC344 Lecture 23 1

CSE543 - Introduction to Computer and Network Security. Module: Access Control

Welcome to Information Systems Security (503009)

Keywords: Security; data warehouse; data mining; statistical database security; privacy

Database Security. Chapter 21

A Security Domain Model for Implementing Trusted Subject Behaviors

Security Implications of the Choice of Distributed Database Management System Model: Relational vs. Object-Oriented

Database security. André Zúquete Security 1. Advantages of using databases. Shared access Many users use one common, centralized data set

An Empirical View of Database Security Measurements

Database Security. The Need for Database Security

Chapter 24. Database Security. Copyright 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley

Security Issues in Relational Databases Management System

Database and Data Mining Security

FOREWORD. May Keith F. Brewster Acting Chief, Partnerships and Processes

How To Control An Inference In A Database System

SECURITY CHAPTER 24 (6/E) CHAPTER 23 (5/E)


Role-Based Access Controls

DESIGN AND IMPLEMENTATION OF MULTILEVEL DATABASES. Ravi Sandhu. George Mason University. Fairfax, VA

International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May ISSN

DNS and Multilevel Secure Networks Architectures and Recommendations

JOURNAL OF OBJECT TECHNOLOGY

Database Security & Cryptography

Role Based Access Control (RBAC) Nicola Zannone

International Journal on Recent and Innovation Trends in Computing and Communication ISSN Volume: 1 Issue: DATABASE SECURITY

Completeness, Versatility, and Practicality in Role Based Administration

Chapter 5 More SQL: Complex Queries, Triggers, Views, and Schema Modification

Post-Class Quiz: Software Development Security Domain

What is a secret? Ruth Nelson

Application Based Access Control on Cloud Networks for Data Security

Security and Cryptography 1. Stefan Köpsell, Thorsten Strufe. Module 8:Access Control and Authentication

BM482E Introduction to Computer Security

Mandatory Access Control

Database Security Curriculum in InfoSec Program

Access Control of Cloud Service Based on UCON

Horizontal Aggregations In SQL To Generate Data Sets For Data Mining Analysis In An Optimized Manner

Security Model and Enforcement for Data-Centric Pub/Sub with High Information Assurance Requirements

Role-Based Access Control Approaches In Mangodb 2.4 and Informix Online Dynamic Server Version 7.2


Chapter 2 Taxonomy and Classification of Access Control Models for Cloud Environments

International Journal of Advanced Research in Computer Science and Software Engineering

DATABASE SECURITY MECHANISM

Views for Multilevel Database Security

How Can Data Sources Specify Their Security Needs to a Data Warehouse?

INDEXING BIOMEDICAL STREAMS IN DATA MANAGEMENT SYSTEM 1. INTRODUCTION

CHAPTER 22 Database Security Integration Using Role-Based Access Control

Database security issues PETRA BILIĆ ALEXANDER SPARBER

IT2304: Database Systems 1 (DBS 1)

CLOUD-HOSTED PROXY BASED COLLABORATION IN MULTI- CLOUD COMPUTING ENVIRONMENTS WITH ABAC METHODS

DATA MINING - 1DL360

IT2305 Database Systems I (Compulsory)

The Specification and Modeling of Computer Security

An Oracle White Paper March Oracle Label Security in Government and Defense Environments

How To Model Access Control Models In Cse543

Best Practices, Procedures and Methods for Access Control Management. Michael Haythorn

Implementation of Mandatory Access Control in Role-based Security System. CSE367 Final Project Report. Professor Steve Demurjian. Fall 2001.

Access Control Basics. Murat Kantarcioglu

The Relational Model. Why Study the Relational Model?

Access Control. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Access Control.

Database Security. Database Security Requirements

Access Control. Dr George Danezis

Role-based access control. RBAC: Motivations

Role Based Access Control: Adoption and Implementation in the Developing World

Security and privacy for multimedia database management systems

The Relational Model. Ramakrishnan&Gehrke, Chapter 3 CS4320 1

Marianne Winslett, (fax)

Enhanced Model of SQL Injection Detecting and Prevention

Natural Language Updates to Databases through Dialogue

Access Control Fundamentals

Role Based Access Control Framework for Network Enterprises

Chapter 6: Physical Database Design and Performance. Database Development Process. Physical Design Process. Physical Database Design

OLAP Online Privacy Control

1. INTRODUCTION TO RDBMS


DATABASE SECURITY MECHANISMS AND IMPLEMENTATIONS

Information Security Policy

Unit A. Target + Unit B Unit C

Transcription:

Polyinstantiation in Relational Databases with Multilevel Security Andro Galinovi King ICT d.o.o., Buzinski prilaz 10, 10010 Zagreb, Croatia E-mail: andro.galinovic@king-ict.hr Vlatka Anton i University of Zagreb, Faculty of Electrical Engineering and Computing Unska 3, 10000 Zagreb, Croatia E-mail: vlatka.antoncic@vip.hr Abstract. Polyinstantiation provides the ability to create more versions of single information. It is used to prevent inference attacks. This paper explains the use of polyinstantiation in relational databases with multilevel security for implementing e.g. cover stories. It describes common methods of access controls in relational databases and describes multilevel relational databases. This paper also shows how polyinstantiation can be implemented and what types of architecture support it. Keywords. Database, security, relational, multilevel, polyinstantiation, discretionary access control, mandatory access control 1. Introduction Database security and protection is often more complex problem then security and protection of other information systems. This is why security mechanisms that are embedded in most data base management systems (DBMS) are quite complex. Because of the fact that databases contain structured and normalized data, information can be revealed indirectly or can be guessed, based upon some known information. There are two basic methods for revealing information, aggregation and inference. Aggregation is a method used to collect less sensitive information or parts of them, from different sources which we have access to, in order to obtain aggregate information which is more sensitive. Inference is a method with which we can deduce or infer the whole information, which we do not have access to, by observing available, less sensitive information. Basic protection mechanisms are contentdependent access control, cell suppression, partitioning, noise and perturbation [10]. Most of these, and other methods, are based on denying information access to an individual. On one hand that is very efficient and ensures secrecy, but on the other hand it raises suspicions and confirms sensitivity of data. This presents a convert channel. The best way to convince that the information is not sensitive and that nothing is hidden is fake honesty. So, instead of denying access, cover stories are used. Ability to create more versions of single information, depending on security level, is called polyinstantiation and is one of basic mechanisms in databases with multilevel security (MLS). The need for polyinstantiation was first noticed by T.H. Hinke and M. Schaefer in year 1975 [1]. The term polyinstantiation originated from SeaView project [3]. Most conflicts between security and integrity in multilevel secure DBMS come from incompatibility of basic principles of database security with integrity issues that have to be met [4]. Basic security principle is: security class of information should determine security class of all information it depends on. 2. Access control in relational databases In DBMS discretionary access control (DAC) is usually implemented. In this kind of access control the owner of an object has discretionary right to grant access for an object to any subject. Two most common implementations of DAC are access control lists and access control matrix. SQL 89 standard uses DAC and defines five types of privileges which establish the granularity of user access to the database: insert, delete, select, update and references. Privileges can be granted to one user or to all users (public). There is also a capability to grant access for 127 Proceedings of the ITI 2007 29 th Int. Conf. on Information Technology Interfaces, June 25-28, 2007, Cavtat, Croatia

further access granting (with grant option). Standard does not define and does not demand possibility of revoking privileges. It is left up to the DBMS manufacturers. SQL 92 standard added a possibility for more precise determination of privileges, possibility for determining activities in case of losing referential integrity and it added a command for revoking privileges (revoke). The SQL:1999 standard contains support for non-discretionally access control model - role based access control (RBAC). Many manufacturers of DBMS have implemented some form of RBAC, e.g. IBM (Informix DMBS), Sybase and Oracle (9i - Oracle Label Security). Mandatory access control (MAC) is more complex and secure model, which is based on the classification of information sensitivity and authorization level of subjects (users, programs ) [11]. MAC is not directly supported in SQL or in relational databases. Polyinstantiation is often used in databases with MAC support to avoid inference [12]. 3. Multilevel relational databases According to [3], multilevel relation has polyinstantiation when it holds two or more tuples with the same primary key. In this context the primary key is the key that the database user defines as the primary. The true primary key that the user doesn t see, and which is used by the DBMS while accessing tuples, is more complex and composite. This will be discussed in detail while explaining polyinstantiation integrity. The model that we will present in this section was developed by S. Jajodia and R Sandhu in 1991 [7]. Multilevel relation scheme R is defined as R(A 1, C 1, A 2, C 2,..., A n, C n, C R ), where A i D i (that is, each attribute A i is an element of its domain D i ), each C i is classification of A i, and C R is classification of the whole tuple. The domain of C i is specified with a set {L i,..., H i } which represents allowed values for access classes, ranging from L i to H i. The domain of C R is defined like a union of domains of each C i. An example of a classification can be: unclassified (U), classified (C), secret (S) and top secret (TS) [12]. There is one tuple t c {a 1, c 1, a 2, c 2,..., a n, c n, c r } for each class with sensitivity c, where a i D i or a i = null, c c i, c i null, and c r is maximum value of c i. There are four basic integrity properties in multilevel databases that have to be fulfilled: entity integrity, null integrity, interinstance integrity and polyinstantiation integrity. Entity integrity is defined as following. Let K be the apparent primary key (user defined) of a relation, and C K classification of the key. If an attribute A i is an element of the key (A i K) it can not be null. This is an inherited property from the standard relational model. Secondly, for each two elements of the key (A i, A j K), classifications of that attributes have to be the same, that is t[c i ] = t[c j ]. In other words the key is uniformly classified. This property insures that the entire key K is either visible or entirely null for the specific access class c (as we will see in interinstance integrity). Thirdly, for each element A i that is not a part of the key (A i K), classification of that element must be the same or higher then the classification of the key (t[c i ] t[c K ]). This property rules out the possibility of associating non-null attributes with a null primary key. A multilevel relation R satisfies null integrity if and only if for each instance R c of R both of the following conditions are true: null elements are classified with the same level as the key and relation t C can not include two different tuples such that one subsumes the other. Tuple t subsumes tuple s if for each attribute A i either t[a i, C i ] = s[a i, C i ] or t[a i ] null and s[a i ]=null. Which means the tuple t is either identical to tuple s or that they differ only in those attributes in which one value is null. Relation R satisfies interinstance integrity if and only if for all c < c and R c =σ c' (R c ) following statement is true: for each tuple t R c such that t[c K ] c', exists a tuple t' R c' with t'[k, C K ] = t[k, C K ] and for A i K t'[a i, C i ] = t[a i, C i ], {null, t[c K ]}, if t[c i ] c' otherwise Selection function (σ F (R)) returns one tuple for each access class. Function restricts each subject on reviewing only the part of multilevel relation for which it is authorized. This property 128

means that subject can only review information whose key has lower or equal level of classification then the subject itself. For all tuples that satisfy this condition, the subject can see the key and those values that have lower or equal level of classification than the subject. If the subject can t access a certain value within the tuple he reads a null value. In this case null value can infer hidden data. This model also raises another question. When a query is executed with the classification c, and there are two tuples with classification c and c respectably, where c>c >c, does the c classified subject reads the c or c classified tuple? This is called query ambiguity. Relation R satisfies polyinstantiation integrity if and only if for each tuple t A i : K, C K, C i A i applies. That is, for each tuple t apparent key K, classification of the key C K, and classification of an attribute A i (C i ) functionally determines the value of an attribute A i. Polyinstantiation integrity defines the primary key in a multilevel relation. The primary key of a multilevel relation is K C K C O, where K is a set of data attributes consisting the user specified primary key, C K is a classification of that key, and C O is a set of classification attributes for data attributes that are not part of the key (K) C O = C j, A j K This property defines following function dependency K C K C O A O, where A O is a set of all attributes that are not part of the key. This property enables the creation of cover stories i.e. tuples with the same user defined primary key but different data. This is used to protect against inference attacks. The normal, one level relation, is a special case in which C K = C O for each tuple [7]. 3.1. Types of multilevel relational databases In multilevel relational databases access privileges can be defined on a relation level, tuple level, attribute level or data elements level. Polyinstantiation does not arise explicitly when access privileges are determined on relation level or attribute level. In this chapter we will discuss cases of access privileges that are defined on tuple level and on data element level. When access privileges based on data element level are used, two types of polyinstantiation are possible: entity polyinstantiation and attribute polyinstantiation [6]. Entity (tuple) polyinstantiation appears when two or more tuples in one relation have the same apparent primary key but different key classifications. Attribute (element) polyinstantiation appears when two or more tuples have the same apparent key and the same classifications of the key, but different values of one or more other attributes (that are not part of the key). When access classification determined on tuple level is used, polyinstantiation means that more tuples, with the same apparent primary key and different data, based on classification of the tuple exist. It is important to notice that if access classification is determined on tuple level, it is no longer possible to defer entity polyinstantiation and attribute polyinstantiation. 3.2. How the polyinstantiation occurs? Polyinstantiation can occur in two possible ways. They are called visible and invisible polyinstantiation. Visible polyinstantiation occurs when subject with higher level of clearance tries to insert information in a filed that already has that information, but with lower level of sensitivity. By changing that value, one of basic principles of mandatory model of access control would be violated. The *-property that says don t write down [5]. That change would cause disclosure of information with higher classification to a subject with lower classification. In order to avoid this convert channel it s necessary to create a new tuple for data with higher classification. This gives rise to polyinstantiation. Invisible polyinstantiation occurs in reversed situation, when subject with lower level of classification tries to insert information in a filed that already has that information, but with higher classification. If that change was to be declined, system would confirm existence of information with higher level of classification. In order to avoid this convert channel a new tuple is added for data with lower classification. This also gives rise to polyinstantiation. 129

4. Polyinstantiation example Let us have three levels of classification, low (L), medium (M) and high (H). Let us take a look on multilevel relation scheme missions, with classification on attribute level, shown in Table 1. The apparent key of this relation are attributes Starship and Mission. Table 1. Starship Mission Destination C Voyager L Explore L Nebula L L Voyager M Lost M Delta q. M M Enterprise L On leave L Risa L L Defiant L Explore L Wormhole M M Defiant H Defense H Dominion H H The subject with low (L) clearance can see data presented in Table 2. Table 2. Starship Mission Destination C Voyager L Explore L Nebula L L Enterprise L On leave L Risa L L Defiant L Explore L Null L L The subject with medium (M) clearance can see data presented in Table 3. Table 3. Starship Mission Destination C Voyager L Explore L Nebula L L Voyager M Lost M Delta q. M M Enterprise L On leave L Risa L L Defiant L Explore L Wormhole M M control. The most common are Trusted Computing Base (TCB) Subset Architecture, Trusted Subject Architecture and Integrity Lock Architecture [2]. All architectures depend on operating system so its confidentiality and reliability should not be questionable. 5.1. Trusted Computer Based Subset Architecture Trusted Computer Based Subset Architecture implements MAC model by maintaining the database in multiple single-level files that are accessed through a trusted operating system that controls and determines access rights. Architecture is suitable and with its design it implicates polyinstantiation. It enables data separation, based on classification, in different files, and access control is controlled by operating system based on DBMS instructions. This architecture does not exclude the possibility of using a DAC model that is directly implemented in the DBMS. The main advantage of this architecture is, that, it does not demand trust in DBMS, and the main flaw is that the number of files grows rapidly if we really want to support polyinstantiation. Fig. 1 shows the scheme of this architecture. Only subject with high (H) clearance can see all data, as presented in Table 1. 5. Implementation of polyinstantiation It is worth mentioning that MAC based DBMS can be designed without need of changing the SQL syntax. But, if true support for polyinstantiation is to be used, changes are needed. In most SQL based DBMS polyinstantiation can be implemented with builtin functionality and a few tricks [2]. A typical example of this is adding a view that would perform the selection function (σ F (R)), mentioned earlier, and thus hide the complexity of a MLS relation. There are several architectures used for implementing DBMS with mandatory access Figure 1. Trusted Computer Based Subset Architecture 5.2. Trusted Subject Architecture Trusted Subject Architecture allows discretionary and mandatory access control. Data is stored in files of high classification of an operating system. In these files DBMS objects are labeled with their classifications. Those labels are basic for MAC model implementation. 130

This architecture does not implicate polyinstantiation, like TCB Subset Architecture, but it supports it. Support for polyinstantiation must be explicitly implemented if required. DAC model, just like in the case of the TCB Subset Architecture, is supported and based on the DBMS mechanisms. Fig. 2 represents scheme of this model. Figure 2. Trusted Subject Architecture 5.3. Integrity Lock Architecture Integrity lock architecture uses untrusted DBMS in combination with trusted operating system and trusted filter. DAC model, just like with previous models, is supported and based on DBMS mechanisms. Trusted filter enables and implements MAC model and classification labeling. Cryptography and cryptography hash functions are used for securing classified data. This architecture allows the usage of commercially available DBMS with additional security filters. The main disadvantage of this architecture is added overhead. Fig. 3 represents scheme of this architecture. 6. Analysis To implement polyinstantiation, a record in the table has to be entered more than once. Each record will contain the same information, except for the classification level for which it is assigned. Polyinstantiation contradicts basic database principals, like normalization and integrity. There is a tradeoff between security and integrity. Polyinstantiation will also slow down the query response time, because of the extra processing required. The database has to search through multiple instances of the same record. Some of integrity constraints have to be sacrificed in order to increase security in database. As stated earlier in section 3 this model has several drawbacks. First, it can infer hidden data through NULL values. Secondly, there is semantic ambiguity because tuples with the same apparent primary key but different key classification, can refer to different or the same information. Semantic ambiguity is addressed in the Smith-Winslett Belief model [9]. Thirdly, as already mentioned, ambiguity occurs during queries. One additional problem occurs, an update can result in an exponential increase in the number of tuples. This is called proliferation of tuples due to updates. A semantic solution to proliferation is addressed in Smith-Winslett Belief model [9]. In order to avoid wasting space it is possible to expand classification in a way that security label contains a list of classifications, and thus reduces the number of semantically identical tuples [13]. This principle is used in the Belief-Consistent Model [16][17]. Researchers continue to look for ways to resolve problems of inference. This problem is especially difficult in statistical databases [8][14][15]. 7. Conclusion Figure 3. Integrity Lock Architecture Multilevel relational databases allow very complex security implementations and very precise access control. Polyinstantiation like a product of realization of multilevel security causes many dilemmas, over implementations themselves and over its need. Possibility for supporting polyinstantiation complicates systems and brings entropy, but if there is a need for that kind of precision in access control, multilevel databases polyinstantiation should be considered. 131

So far, the best way to defend from inference is the use of polyinstantiation. Until new methods are discovered it will be the best weapon against it. Curiosity is in human nature, and the best way to satisfy it, is through cover stories. It is our opinion that polyinstantiation is not well suited for commercial use of databases, because commercial sector does not have so rigid security classifications defined. This type of database security is more suited for military or government databases, where such structure already exists and where classified data needs to be protected. 8. References [1] Hinke TH, Schaefer M. Secure Data Management System, Tech. Report RADC- TR-75-266, System Development Corp., Nov. 1975. [2] Polk WT, Bassham LE. Security Issues in the Database Language SQL, 1993 [3] Denning DE, Lunt TF, Schell RR, Heckman M, Shockley WR. A Multilevel Relational Data Model, Proc. IEEE Symp. Security and Privacy, Apr. 1987, pp. 220-234. [4] Meadows C, Jajodia S. Integrity versus Security in Multi-Level Secure Databases, in Database Security: Status and Prospects, C. Landwehr, ed., North-Holland, Amsterdam, 1988, pp. 89-101. [5] Bell DE, La Padula LJ. Secure Computer Systems: Unified Exposition and Multics Interpretation, MTR 2997, The MITRE Corporation, Bedford, MA, July 1975. [6] Jajodia S, Sandhu R, Blaustein BT. Solutions to the Polyinstantiation Problem, in Information Security: An Integrated Collection of Essays, M. Abrams et al., eds., IEEE Computer Society Press (1995), pp. 493-529. [7] Jajodia S, Sandhu R. Toward a Multilevel Secure Relational Data Model, Proceedings of the ACM Int'l. Conf. on Management of Data (SIGMOD), pp, 50-59, May 1991. [8] Jajodia S, Meadows C. Inference Problems in Multilevel Secure Database Management Systems, in Information Security: An Integrated Collection of Essays, M. Abrams et al., eds., IEEE Computer Society Press (1995), pp. 570-585 [9] Smith K, Winslett M. Entity Modeling in the MLS Relational Model, Proceedings of the 18 th VLDB Conference, Vancouver, B.C, pp.199-210, 1992 [10] Harris S. CISSP Certification All-in-One Exam Guide, 2nd edition, pp. 675-678, McGraw-Hill/Osborne, 2003 [11] Lindqvist H. Mandatory Access Control, Masters thesis in computer science, Umea University, May 18, 22006 [12] Sandhu RS, Jajodia S. Data and database security and controls, Handbook of Information Security Management, Auerbach, 1993 [13] Sandhu R, Chen F, The multilevel relational (MLR) data model, ACM Transactions on Information and System Security (TISSEC), v.1 n.1, p.93-132, Nov. 1998 [14] Adam NR., Wortmann JC. Security-Control Methods for Statistical Databases: A Comparative Study, ACM Computing Surveys, Vol. 21, No. 4, Dec. 1989, pp. 515-556. [15] Denning DE., Schlorer J. Inference Controls for Statistical Databases, Computer, Vol. 16, No. 7, July 1983, pp. 69-82. [16] Jukic N, Vrbsky SV. Asserting Beliefs in MLS Relational Models. SIGMOD Record, Vol. 26, No. 3, pp. 30-35, 1997. [17] Jukic N, Vrbsky S., Parrish A., Dixon B, Jukic B. A Belief-Consistent Multilevel Secure Relational Data Model. Information Systems, Vol. 24, No. 5, pp. 377-402, 1999. 132

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information