Database Security Part 7



Similar documents
Access Control Models Part I. Murat Kantarcioglu UT Dallas

Part III. Access Control Fundamentals

Access Control Intro, DAC and MAC. System Security

Chapter 23. Database Security. Security Issues. Database Security

Mandatory Access Control

Trusted RUBIX TM. Version 6. Multilevel Security in Trusted RUBIX White Paper. Revision 2 RELATIONAL DATABASE MANAGEMENT SYSTEM TEL

Chapter 23. Database Security. Security Issues. Database Security

Security Enhanced Linux and the Path Forward

Reference Guide for Security in Networks

Database Security and Authorization

Computer security Lecture 3. Access control

INFO/CS 330: Applied Database Systems

Database Security. Soon M. Chung Department of Computer Science and Engineering Wright State University

Role Based Access Control: Adoption and Implementation in the Developing World

Access Control: Policies, Models, and Mechanisms

CS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University

Access Control: Policies, Models, and Mechanisms

SECURITY MODELS FOR OBJECT-ORIENTED DATA BASES

CSE543 - Introduction to Computer and Network Security. Module: Access Control

Security Models: Past, Present and Future

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

University of Cambridge

Database Security. Chapter 21

... Lecture 3 Access Control. Information & Communication Security (WS 14/15) Prof. Dr. Kai Rannenberg

Security Goals Services

Mandatory Access Control in Linux

SELinux Policy Management Framework for HIS

Security and Authorization. Introduction to DB Security. Access Controls. Chapter 21

Access Control Basics. Murat Kantarcioglu

Bell & LaPadula Model Security Policy Bell & LaPadula Model Types of Access Permission Matrix

Polyinstantiation in Relational Databases with Multilevel Security

ITM661 Database Systems. Database Security and Administration

IY2760/CS3760: Part 6. IY2760: Part 6

Department of Computer & Information Sciences. INFO-450: Information Systems Security Syllabus

Constructing Trusted Code Base XIV

Chap. 1: Introduction

The Asbestos Operating System

What is a secret? Ruth Nelson

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

Access Control Fundamentals

Information Security Information & Network Security Lecture 2

Access Control Matrix

CS52600: Information Security

Introduction to Computer Security

Firewalls CSCI 454/554

DISCRETIONARY ACCESS CONTROL. Tran Thi Que Nguyet Faculty of Computer Science & Engineering HCMC University of Technology ttqnguyet@cse.hcmut.edu.

Firewalls. Mahalingam Ramkumar

Weighted Total Mark. Weighted Exam Mark

CIS 551 / TCOM 401 Computer and Network Security

Access Control. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Access Control.

Database security. André Zúquete Security 1. Advantages of using databases. Shared access Many users use one common, centralized data set

Content Teaching Academy at James Madison University

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

Security Model and Enforcement for Data-Centric Pub/Sub with High Information Assurance Requirements

Cybersecurity for the C-Level

Chapter 24. Database Security. Copyright 2011 Pearson Education, Inc. Publishing as Pearson Addison-Wesley

SECURITY CHAPTER 24 (6/E) CHAPTER 23 (5/E)

Computer Security DD2395

USER ACCESS CONTROL AND SECURITY MODEL

COSC 472 Network Security

Name: 1. CSE331: Introduction to Networks and Security Fall 2003 Dec. 12, /14 2 /16 3 /16 4 /10 5 /14 6 /5 7 /5 8 /20 9 /35.

CSE543 - Introduction to Computer and Network Security. Module: Reference Monitor

Data Management Policies. Sage ERP Online

Best Practices, Procedures and Methods for Access Control Management. Michael Haythorn

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Identity Management and Access Control

CS 665: Computer System Security. Designing Trusted Operating Systems. Trusted? What Makes System Trusted. Information Assurance Module

NSA Security-Enhanced Linux (SELinux)

CS 392/681 - Computer Security. Module 16 Vulnerability Analysis

Outline. INF3510 Information Security University of Oslo Spring Lecture 9 Identity Management and Access Control. The concept of identity

Secure Your Mobile Workplace

Data Management & Protection: Common Definitions

Homeland Security Red Teaming

Information Security Policy

Spyware. Michael Glenn Technology Management 2004 Qwest Communications International Inc.

Notes on Network Security - Introduction

Acceptable Use Policy

Intruders and viruses. 8: Network Security 8-1

Chapter 9 Key Management 9.1 Distribution of Public Keys Public Announcement of Public Keys Publicly Available Directory

Secure to the Core: The Next Generation Secure Operating System from CyberGuard

Patterns for Secure Boot and Secure Storage in Computer Systems

TRANSMAT Trusted Operations for Untrusted Database Applications

Session objectives. Access control. Subjects and objects. The request. Information Security

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Lectures 9 Advanced Operating Systems Fundamental Security. Computer Systems Administration TE2003

VALLIAMMAI ENGINEERING COLLEGE

Common Criteria Evaluation Challenges for SELinux. Doc Shankar IBM Linux Technology Center

Introduction to Computer Security

Acceptable Use Policy

DNS and Multilevel Secure Networks Architectures and Recommendations

Transcription:

Database Security Part 7 Discretionary Access Control vs Mandatory Access Control Elisa Bertino bertino@cs.purdue.edu Discretionary Access Control (DAC) No precise definition Widely used in modern operating systems In most implementations it has the notion of owner of an object The owner controls other users accesses to the object Allows access rights to be propagated to other subjects 2 1

Problems with DAC in OS DAC cannot protect against Trojan horse Malware Software bugs Malicious local users It cannot control information flow 3 The Trojan Horse Process P read O1 write O2 O1 (alice,r,o1) O2 (alice,r,o2), (alice,w,o2), (mallory,r,o2) 4 2

Mandatory Access Control Mandatory access control (MAC) restricts the access of subjects to objects based on a system-wide policy The system security policy (as set by the administrator) entirely determines the access rights granted denying users full control over the access to resources that they create. 5 The Need for MAC Host compromise by network-based attacks is the root cause of many serious security problems Worm, Botnet, DDoS, Phishing, Spamming Why hosts can be easily compromised Programs contain exploitable bugs The discretionary access control mechanism in the operating systems was not designed by taking into account buggy software 6 3

MAC MAC specifies the access that subjects have to objects based on subjects and objects classification This type of security has also been referred to as multilevel security Database systems that satisfy multilevel security properties are called multilevel secure database management systems (MLS/DBMSs) Many of the MLS/DBMSs have been designed based on the Bell and LaPadula (BLP) model 7 A Characterization of the Difference between DAC and MAC Discretionary Access Control Models (DAC) Definition [Bishop p.53] If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control (DAC), also called an identity-based access control (IBAC). Mandatory Access Control Models (MAC) Definition [Bishop p.53] When a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control (MAC) [, occasionally called a rulebased access control.] 8 4

Bell and LaPadula (BLP) Model Elements of the model: objects - passive entities containing information to be protected subjects: active entities requiring accesses to objects (users, processes) access modes: types of operations performed by subjects on objects read: reading operation append: modification operation write: both reading and modification 9 BLP Model Subjects are assigned clearance levels and they can operate at a level up to and including their clearance levels Objects are assigned sensitivity levels The clearance levels as well as the sensitivity levels are called access classes 10 5

BLP Model - access classes An access class consists of two components a security level a category set The security level is an element from a totally ordered set - example {Top Secret (TS), Secret (S), Confidential (C), Unclassified (U)} where TS > S > C >U The category set is a set of elements, dependent from the application area in which data are to be used - example {Army, Navy, Air Force, Nuclear} 11 BLP Model - access classes Access class c i = (L i, SC i ) dominates access class c k = (L k, SC k ), denoted as c i >c k, if both the following conditions hold: L i >L k The security level of c i is greater or equal to the security level of c k SC i SC k The category set of c i includes the category set of c k 12 6

BLP Model - access classes If L i > L k and SC i SC k, we say that c i strictly dominates c k c i and c k are said to be incomparable (denoted as c i < > c k ) if neither c i >c k nor c k >c i holds 13 BLP Model - Examples Access classes c 1 = (TS, {Nuclear, Army}) c 2 = (TS, {Nuclear}) c 3 = (C, {Army}) c 1 > c 2 c 1 > c 3 (TS > C and {Army} {Nuclear, Army}) c 2 < > c 3 14 7

BLP Model - Axioms The state of the system is described by the pair (A, L), where: Ais the set of current accesses: triples of the form (s,o,m) denoting that subject s is exercising access m on object o - example (Bob, o 1, read) Lis the level function: it associates with each element in the system its access class Let O be the set of objects, S the set of subjects, and C the set of access classes L : O S C 15 BLP Model - Axioms Simple security property (no-read-up) a given state (A, L) satisfies the simple security property if for each element a= (s,o,m) A one of the following condition holds 1. m = append 2. (m = read or m = write) and L(s) > L(o) Example: a subject with access class (C, {Army}) is not allowed to read objects with access classes (C, {Navy, Air Force}) or (U, {Air Force}) 16 8

BLP Model - Axioms The simple security property prevents subjects from reading data with access classes dominating or incomparable with respect with the subject access class It therefore ensures that subjects have access only to information for which they have the necessary access class 17 BLP Model - Axioms Star (*) property (no-write-down) a given state (A, L) satisfies the *-property if for each element a= (s,o,m) A one of the following condition holds 1. m = read 2. m = append and L(o) > L(s) 3. m = write and L(o) = L(s) Example: a subject with access class (C,{Army,Nuclear}) is not allowed to append data into objects with access class (U, {Army,Nuclear}) 18 9

BLP Model - Axioms The *-property has been defined to prevent information flow into objects with lower-level access classes or incomparable classes For a system to be secure both properties must be verified by any system state 19 BLP Model Summary of access rules: Simple security property: A subject has read access to an object if its access class dominates the access class of the object; *-Property: A subject has append access to an object if the subject's access class is dominated by that of the object 20 10

An Example of Application The DG/Unix B2 System B2 is an evaluation class for secure systems defined as part of the Trusted Computer System Evaluation Criteria (TCSEC), known also as the Orange Book DG/Unix provides mandatory access controls MAC label identifies security level Default labels, but can define others Initially Processes (users) assigned MAC label of parent Initial label assigned to user, kept in Authorization and Authentication database Objects assigned MAC labels at creation Explicit labels stored as part of attributes Implicit labels determined from parent directory 21 Directory Problem Process p at access class MAC_A tries to create file /tmp/x /tmp/x exists but has access class MAC_B Assume MAC_B > MAC_A (MAC_B dominates MAC_A) Create fails Now p knows a file named x with a higher label exists Fix: only programs with same MAC label as the directory can create files in the directory This solution is too restrictive 22 11

Multilevel Directory Directory with a set of subdirectories, one per label referred to as polyinstantiation of the directory Not normally visible to user p creating /tmp/x actually creates /tmp/d/x where d is the directory corresponding to MAC_A All p s references to /tmp go to /tmp/d The directory problem illustrates an important point: Sometimes it is not sufficient to hide the contents of objects. Also their existence must be hidden. 23 Covert Channels A covert channel allows a transfer of information that violates the MLS policy It is an information flow which is not controlled by a security mechanism Covert channels can be classified into two broad categories: timing and storage channels The difference between the two is that in timing channels the information in conveyed by the timing of events or processes, whereas storage channels do not require any temporal synchronization is that information is conveyed by accessing system information 24 12

Covert Channels - example A well-known covert channel is based on the exploitation of the concurreny control Consider two processes P l and P h of access class low and high respectively; consider a data item d 1 classified at class low; assume that those all the only processes running Suppose that P h requires a read lock on d l ; the lock is granted because no other process is running 25 Covert Channels - example Suppose now that process P l wishes to write the same data item; it thus requires a write lock on d 1 Since process P h holds a read lock on d 1, process P l is forced to wait until P h releases the lock on d 1 By selectively issuing requests to read low data, process P h can modulate the delay experienced by process P l 26 13

Covert Channels - example Since P h has full access to high data, this delay can be used by P h to transfer high information to process P l Thus a timing channel is established between the two processes 27 14

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information