Survey Presentation in Multilevel Secure Database 60-564: Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented By: Vic Ho & Kashif.


Survey Presentation in Multilevel Secure Database : Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented By: Vic Ho & Kashif Saeed Date: April 8, 2006

Table of Contents
- What is MLS RDBMS?
- Bell-LaPadula Security Model
- Evaluation and Certification
- MLS Architecture
- Multilevel Relations
- Polyinstantiation
- Integrity Properties
- Update Operation

MultiLevel Secure RDBMS
- A capability that allows information with different classifications to be available in one information system.
- Users have different security clearances and authorizations.
- Users are prevented from accessing information for which they are not cleared.

Emergence of MLS RDBMS
- U.S. military and intelligence communities segregated data based upon its security classification.
- An "air gap" with a "sneaker net" was used to make it secure.
- Drawbacks of that approach:
  - Redundant databases
  - Redundant workstations
  - High cost of IT infrastructure
  - Inefficiency

Solution
Using MLS, classified information can be stored, processed and distributed in a secure way without the drawbacks listed previously.

Features of MLS
- Users have different security clearances and authorizations.
- Users work with an MLS database the same way they use a classic RDBMS.
- Different levels of security can be enforced, e.g. "Top Secret", "Secret", etc.

Bell-LaPadula Security Model
- MLS uses the basic security model presented by Bell and LaPadula.
- The model consists of objects and subjects.
- An object is a passive entity, e.g. flat files, records, fields within a record, etc.

Bell-LaPadula Security Model
- A subject is an active process that can request access to an object.
- Objects are assigned a classification and subjects a clearance. Classifications and clearances are collectively called labels.
- A label has two components: a "hierarchical component" and a set of "unordered compartments".

Bell-LaPadula Security Model
MLS enforces two restrictions on all data accesses:
- "No Read Up": a subject can read an object if and only if the subject's label dominates the object's label.
- "No Write Down": a subject can write to an object if the object's label dominates the subject's label.

Evaluation and Certification
- These systems carry highly classified data and might be used by organizations such as the military, air force or government agencies.
- Every MLS system must obtain a security evaluation certificate.
- Common Criteria, adopted as an ISO standard.
- Trusted Computer System Evaluation Criteria (TCSEC).

MLS Architecture
Depending upon how access control is handled, there are two types of architectures:
- Woods Hole Architecture
- Trusted Subject Architecture

MLS Architecture > Woods Hole Architecture
- Access control is delegated to a trusted operating system.
- Uses an untrusted RDBMS wrapped in trusted code.
- Two categories of such a scheme:
  - Kernelized Architecture
  - Distributed Architectures

MLS Architecture > Woods Hole Architecture > Kernelized Architecture
- Each security level is implemented using a separate copy of an off-the-shelf untrusted RDBMS and a trusted front-end.
- A trusted operating system sits in the middle to enforce the access control policies.
- Using MAC, users can be restricted to accessing different fragments of the database.

MLS Architecture > Woods Hole Architecture > Kernelized Architecture
Advantages:
- The RDBMS associated with the High security level can access the Low trusted database as well.
- Data is associated with different security levels that enforce strict access controls.
- Minimizes the evaluation time of the RDBMS if it is used with a pre-evaluated operating system.

MLS Architecture > Woods Hole Architecture > Kernelized Architecture
[Diagram of the kernelized architecture: High User / Low User, High Trusted Front-End / Low Trusted Front-End, High RDBMS / Low RDBMS, Trusted Operating System, High Data / Low Data.]

MLS Architecture > Woods Hole Architecture > Distributed Architectures
- Multiple copies of the trusted front-end and RDBMS are used, each with its own storage database.
- The database at any particular security level, say k, contains a replica of all other data that a subject at level k can access.
- Drawback: the entire database must be synchronized whenever an update is made at one point.

MLS Architecture > Trusted Subject Architecture
- A trusted RDBMS and a trusted operating system are used along with an untrusted front-end.
- Mandatory access control is enforced by the RDBMS itself.
- Advantages: access to all data levels at the same time, with minimal retrieval time and update processing.
[Diagram of the trusted subject architecture: High User / Low User, Un-trusted Front-End, Trusted RDBMS, Trusted Operating System, Database.]

Multilevel Relation
A multilevel relation is described by two properties, similar to a single-level relation, with the addition of access classes.
- Relation Schema: a state-invariant multilevel relation scheme $R(A_1, C_1, A_2, C_2, \ldots, A_n, C_n, TC)$ such that each $A_i$ belongs to a domain $D_i$, each $C_i$ is the classification attribute for $A_i$, and $TC$ is the tuple class attribute.
- Relation Instance: a collection of state-dependent relation instances $R_c(A_1, C_1, A_2, C_2, \ldots, A_n, C_n, TC)$, one for each access class $c$.

Polyinstantiation
- Allows multiple tuples with the same primary key value to coexist in the same relation.
- Can be used against inference, against denial of service to legitimate users, and to protect against "covert channels", e.g. a storage covert channel.

Multilevel Integrity Properties
- A multilevel relation is composed of several sets of tuples (one instance per access class) rather than a single set of tuples.
- Instances may have different access classes, so the relation is more complex than a single-level one.
- Multilevel relations exhibit four additional properties in addition to the not-null property of the primary key in a single-level traditional RDBMS.

Multilevel Integrity Properties > Entity Integrity
A multilevel relation $R$ satisfies entity integrity if and only if for all instances $R_c$ of $R$ and all $t \in R_c$ (where $AK$ is the apparent key and $C_{AK}$ its classification):
1. $A_i \in AK \Rightarrow t[A_i] \neq \text{null}$
2. $A_i, A_j \in AK \Rightarrow t[C_i] = t[C_j]$
3. $A_i \notin AK \Rightarrow t[C_i] \geq t[C_{AK}]$

Multilevel Integrity Properties > Null Integrity
A multilevel relation $R$ satisfies null integrity if and only if for each instance $R_c$ of $R$ the following conditions hold:
1. For all $t \in R_c$: $t[A_i] = \text{null} \Rightarrow t[C_i] = t[C_{AK}]$.
2. $R_c$ is subsumption free, i.e. it contains no two distinct tuples such that one subsumes the other. Tuple $t$ subsumes tuple $s$ if for every attribute $A_i$ either (a) $t[A_i, C_i] = s[A_i, C_i]$ or (b) $t[A_i] \neq \text{null}$ and $s[A_i] = \text{null}$.

Multilevel Integrity Properties > Inter-Instance Integrity
$R$ satisfies inter-instance integrity if and only if for all $c' \leq c$ we have $R_{c'} = \sigma(R_c, c')$, where $\sigma$ is the filter function.

Multilevel Integrity Properties > Polyinstantiation Integrity
The relation $R$ satisfies polyinstantiation integrity if and only if for every $R_c$ and for all $A_i$ the functional dependency $AK, C_{AK}, C_i \rightarrow A_i$ holds. This property implicitly defines what is meant by the primary key in a multilevel relation.
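As an added example (not from the slides or from the Jajodia-Sandhu paper), the Python below models a multilevel relation instance, implements the filter function σ, and checks the four integrity properties defined above. The access classes U < C < S < TS, the Starship relation and all function names are constructed for illustration.

```python
# Added example: a multilevel relation instance as a list of tuples, the filter
# function sigma, and checks for the four integrity properties. The access classes,
# the Starship relation and all function names are constructed here.
from typing import Dict, List, Tuple

RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}          # constructed total order of classes
Tup = Dict[str, Tuple[object, str]]                 # attribute -> (value, class)


def leq(a: str, b: str) -> bool:
    return RANK[a] <= RANK[b]


def tuple_class(t: Tup) -> str:
    # TC: the highest classification among the tuple's attributes.
    return max((c for _, c in t.values()), key=RANK.__getitem__)


def subsumes(t: Tup, s: Tup) -> bool:
    # t subsumes s: each attribute equal as (value, class), or t non-null where s is null.
    return all(t[a] == s[a] or (t[a][0] is not None and s[a][0] is None) for a in t)


def drop_subsumed(rel: List[Tup]) -> List[Tup]:
    return [t for t in rel if not any(s != t and subsumes(s, t) for s in rel)]


def sigma(rel: List[Tup], key: str, c: str) -> List[Tup]:
    # Filter R_c down to class c: keep tuples whose key class is <= c, null out
    # attributes classified above c (at the key class), then remove subsumed tuples.
    out = []
    for t in rel:
        c_ak = t[key][1]
        if leq(c_ak, c):
            out.append({a: (v, k) if leq(k, c) else (None, c_ak) for a, (v, k) in t.items()})
    return drop_subsumed(out)


def entity_integrity(rel: List[Tup], key: str) -> bool:
    # Key value non-null and every attribute class dominates the key class.
    return all(t[key][0] is not None and all(leq(t[key][1], k) for _, k in t.values()) for t in rel)


def null_integrity(rel: List[Tup], key: str) -> bool:
    nulls_at_key_class = all(v is not None or k == t[key][1] for t in rel for v, k in t.values())
    return nulls_at_key_class and len(drop_subsumed(rel)) == len(rel)


def polyinstantiation_integrity(rel: List[Tup], key: str) -> bool:
    # Functional dependency AK, C_AK, C_i -> A_i for every attribute A_i.
    seen: Dict[tuple, object] = {}
    for t in rel:
        for a, (v, k) in t.items():
            if seen.setdefault((a, t[key][0], t[key][1], k), v) != v:
                return False
    return True


def inter_instance_integrity(instances: Dict[str, List[Tup]], key: str) -> bool:
    # R_c' must equal sigma(R_c, c') for every pair of instances with c' <= c.
    canon = lambda rel: sorted(repr(sorted(t.items())) for t in rel)
    return all(canon(rp) == canon(sigma(r, key, cp))
               for c, r in instances.items() for cp, rp in instances.items() if leq(cp, c))


# Constructed Starship relation: the TS instance holds a polyinstantiated Enterprise tuple.
R_TS: List[Tup] = [
    {"Starship": ("Enterprise", "U"), "Objective": ("Exploration", "U"), "Destination": ("Talos", "U")},
    {"Starship": ("Enterprise", "U"), "Objective": ("Spying", "TS"), "Destination": ("Rigel", "TS")},
]
R_U: List[Tup] = [R_TS[0]]   # what a U-cleared user sees: sigma(R_TS, "U")
```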

Update Operation
- Insert, update and delete are the SQL update operations.
- In a single-level relation, these operations overwrite the data.
- The same cannot be done in an MLS relation. Why?

Table of Contents
- Mandatory Access Control
- Basic Model of MLS
- MAC Implementation Methodology
- Inference Problem
- Single Key Schemes (Terminology & Phases)
- Single Key Scheme for Single Inference Channels
- Single Key Scheme for Multiple Inference Channels without "Repeated Object"
- Single Key Scheme for Multiple Inference Channels with "Repeated Object"
- Main Drawback of Single Key Schemes

MAC Implementation in RDBMS
- Mandatory Access Control (MAC): restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity [1].
- Multilevel Security (MLS): one of the well-known implementations of MAC.

MAC Implementation in RDBMS > Basic Model of MLS
- Object: a passive entity (i.e. information saved in the database). Each object is assigned a classification.
- Subject: an active process used to request access to objects. Each subject is assigned a clearance.
- Label: a piece of information with two types of component: a hierarchical component and a set of unordered compartments.
- Hierarchical Component: information about the sensitivity of the data.
- Compartments Component: information about the sensitivity or category of the labeled data. It is nonhierarchical.

MAC Implementation in RDBMS > MAC Implementation Methodology
Features:
- Define label types
- Define label access rules and exceptions
- Assign labels and exceptions to database users
- Attach a label type and a set of label access rules to a database table

MAC Implementation in RDBMS > Label Component
- A database entity that can be CREATED, ALTERED and DROPPED.
- Specifies the set of valid elements for that label component. The set of elements can be either ordered or unordered; in an ordered set, each element ranks higher than the elements that follow it.
Example: create a label component
- Label component: level
- Ordered set
- Set of valid values: TOP SECRET, SECRET and CLASSIFIED

    CREATE LABEL COMPONENT level OF TYPE varchar(15) USING ORDERED SET {"TOP SECRET", "SECRET", "CLASSIFIED"}

MAC Implementation in RDBMS > Label Type
- A database entity that can be CREATED, ALTERED and DROPPED.
- Defines the set of label components that make up a label.
Example: create a label type
- Label type: MLS
- Label components: level, compartments

    CREATE LABEL TYPE MLS COMPONENTS level, compartments MULTIVALUED

Note: the keyword MULTIVALUED indicates that the compartments component can hold more than one value at a time. MULTIVALUED can only be specified for label components that contain an unordered set.

MAC Implementation in RDBMS > Access Label
- A database entity that can be CREATED and DROPPED.
- It can be assigned to database users (GRANT and REVOKE).
- It works together with the label access rules to determine which labeled rows users can access.
Example: create an access label
- Access label: L1
- Label type: MLS

    CREATE ACCESS LABEL L1 OF LABEL TYPE MLS level "SECRET", compartments "NATO"

MAC Implementation in RDBMS > Row Label
- A database entity that can be INSERTED and UPDATED using the ROWLABEL function.
- Labels a data row in a database table.
Example: insert a row
- Database table: T1

    INSERT INTO T1 VALUES (ROWLABEL("SECRET", "NATO"), 1, 2)

MAC Implementation in RDBMS > Label Access Policy
- A database entity that can be CREATED, ALTERED and DROPPED.
- Defines the label access rules that determine which users have authority to access a labeled data row in a database table.
- Two categories of access rules: Read Access Rules and Write Access Rules.
Example: create a label access policy that implements the two restrictions of MLS ("No Read Up" and "No Write Down")

    CREATE LABEL POLICY mls-policy LABEL TYPE MLS
      READ ACCESS RULE rule1 ACCESS LABEL level >= ROW LABEL level
      READ ACCESS RULE rule2 ROW LABEL compartments IN ACCESS LABEL compartments
      WRITE ACCESS RULE rule1 ACCESS LABEL level <= ROW LABEL level
      WRITE ACCESS RULE rule2 ACCESS LABEL compartments IN ROW LABEL compartments

MAC Implementation in RDBMS > Exceptions
- A database entity that can be assigned to database users (GRANT and REVOKE).
- Provides the flexibility for some database users to bypass label access rules.
Example: grant an exception
- User: Joe
- Bypass the write access rules (rule1 and rule2) in label access policy mls-policy

    GRANT EXCEPTION ON WRITE ACCESS RULE rule1, rule2 FROM LABEL POLICY mls-policy TO USER Joe
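As an added example (not from the slides or from Rjaibi and Bird's implementation), the Python below encodes the "No Read Up" / "No Write Down" restrictions over labels made of an ordered level plus a set of compartments, mirrors the read and write rules of mls-policy, and models the write-rule exception granted to Joe. The Label and Policy classes, the user names and the demo scenario are assumptions made for illustration.

```python
# Added example: Bell-LaPadula read/write rules over (level, compartments) labels,
# mirroring the mls-policy rules and the exception grant on the slides.
# Label, Policy, the users and the scenario are constructed here.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

# Ordered set from the CREATE LABEL COMPONENT example: earlier elements rank higher.
LEVELS = ("TOP SECRET", "SECRET", "CLASSIFIED")
RANK: Dict[str, int] = {name: len(LEVELS) - i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominance: level at least as high AND every compartment of `other` present here.
        return RANK[self.level] >= RANK[other.level] and other.compartments <= self.compartments


def can_read(access: Label, row: Label) -> bool:
    # No Read Up (read rule1 + rule2): the access label must dominate the row label.
    return access.dominates(row)


def can_write(access: Label, row: Label) -> bool:
    # No Write Down (write rule1 + rule2): the row label must dominate the access label.
    return row.dominates(access)


@dataclass
class Policy:
    """Access labels granted to users plus per-user bypass of read or write rules."""
    access_labels: Dict[str, Label] = field(default_factory=dict)
    write_exceptions: Set[str] = field(default_factory=set)
    read_exceptions: Set[str] = field(default_factory=set)

    def grant(self, user: str, label: Label) -> None:
        self.access_labels[user] = label

    def check(self, user: str, op: str, row: Label) -> bool:
        access = self.access_labels.get(user)
        if access is None:
            return False              # no access label granted: nothing is accessible
        if op == "read":
            return user in self.read_exceptions or can_read(access, row)
        if op == "write":
            return user in self.write_exceptions or can_write(access, row)
        raise ValueError(f"unknown operation {op!r}")


def demo() -> Dict[str, bool]:
    # Constructed scenario: both users hold L1 = (SECRET, {NATO}); Joe has the write exception.
    policy = Policy()
    policy.grant("alice", Label("SECRET", frozenset({"NATO"})))
    policy.grant("joe", Label("SECRET", frozenset({"NATO"})))
    policy.write_exceptions.add("joe")
    row_secret_nato = Label("SECRET", frozenset({"NATO"}))
    row_ts_nato = Label("TOP SECRET", frozenset({"NATO"}))
    row_classified = Label("CLASSIFIED")
    return {
        "alice_read_secret_nato": policy.check("alice", "read", row_secret_nato),  # True
        "alice_read_ts": policy.check("alice", "read", row_ts_nato),               # False: read up
        "alice_write_classified": policy.check("alice", "write", row_classified),  # False: write down
        "alice_write_ts": policy.check("alice", "write", row_ts_nato),             # True: write up
        "joe_write_classified": policy.check("joe", "write", row_classified),      # True: exception
    }
```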

Inference Control Schemes in Multilevel Secure Database > Inference Problem
- Information classified at a higher security level can be discovered by users classified at a lower security level by means of inference [1].
- The most common way to carry out such an inference is from the responses to a series of queries.

Inference Control Schemes in Multilevel Secure Database > Single Key Schemes (Terminology) [1]
Three single key schemes are used to handle the inference control problem under three different conditions.
- Object (O): a unit of information saved in a database, or a relationship between objects. $O_i$ denotes the i-th object in the inference channel.
- Inference Channel: a minimal set of objects needed to perform an inference.
- Length of Inference Channel (m): the number of objects in the inference channel. An inference channel of length m is also called an m-channel.
- Key Set (K): each key carries information about its association with objects. The number of keys in a key set is m - 1, where m is the length of the inference channel.
- Reserved Object: an object in the inference channel that is not associated with any key at all.

Inference Control Schemes in Multilevel Secure Database > Single Key Schemes (Phases)
- Key Initialization: establishes the associations between keys and objects. The algorithm runs only once, unless the entire system is refreshed.
- Query Processing: the algorithm run for each query. It runs whenever a user wants to access an object.

Inference Control Schemes in Multilevel Secure Database > Basic Idea of Key Schemes
- To perform the inference, a user must have access to all the objects in the inference channel.
- A request to access an object in the inference channel requires a key.
- Major idea: the number of keys is one less than the number of objects in the inference channel.

Inference Control Schemes in Multilevel Secure Database > Single Key Scheme for Single Inference Channels
1) Key Initialization: associate every object in the inference channel with all the m - 1 keys, denoted by $K(O_i) = K$, $i = 1, 2, \ldots, m$.
2) Query Processing: select a key randomly. Delete the association between the requested object and the other keys. Delete the association between the selected key and the other objects.
Note: when all m - 1 keys have been used, m - 1 of the m objects in the channel are associated with keys, and the one object left is the reserved object.

Inference Control Schemes in Multilevel Secure Database > Single Key Scheme for Multiple Inference Channels without "Repeated Object"
Consideration: there are multiple inference channels in the database and all channels are pairwise disjoint.
Solution: allocate one set of keys to each inference channel.
1) Key Initialization:
- Inference channel: C
- Number of inference channels in the database: l
- Length of channel $C_j$: $m_j$, where $j = 1, 2, \ldots, l$
- Maximum length over all inference channels: $m_{max}$
- Therefore the key set K contains $m_{max} - 1$ keys.
2) Query Processing: similar to the algorithm of the first key scheme.

Inference Control Schemes in Multilevel Secure Database > Single Key Scheme for Multiple Inference Channels with "Repeated Object"
Consideration: there are multiple inference channels in the database, and some objects appear in more than one channel.
1) Key Initialization: similar to the algorithm of the second key scheme.
2) Query Processing:
- When the repeated object is NOT the reserved object, a user's request to access it is handled the same way as for any other object.
- When the repeated object is the reserved object, the user's request to access it is denied.

Inference Control Schemes in Multilevel Secure Database > Main Drawback of Single Key Schemes & Solution
- Main drawback: if the length of the channel is short, it causes a serious problem when the key set is refreshed.
- Solution: add a requirement of extra authorization when accessing the reserved object.
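As an added example (not from the slides or from Chen and Wei's paper [1]), the Python below simulates key initialization and query processing of the single key scheme for a single inference channel described above, and adds the extra-authorization check for the reserved object proposed as the solution. The class and method names, the key naming and the seeded random choice are assumptions made for illustration.

```python
# Added example: single key scheme for one inference channel with m objects and
# m - 1 keys, plus extra authorization for the reserved object. Names are constructed.
import random
from typing import Dict, List, Optional, Set


class SingleChannelKeyScheme:
    def __init__(self, objects: List[str], seed: int = 0) -> None:
        self.objects = list(objects)                        # O_1 .. O_m
        self.keys = [f"k{i}" for i in range(1, len(self.objects))]   # m - 1 keys
        self.rng = random.Random(seed)                      # seeded so runs are reproducible
        # Key initialization: K(O_i) = K, every object associated with every key.
        self.assoc: Dict[str, Set[str]] = {o: set(self.keys) for o in self.objects}
        self.bound: Dict[str, str] = {}                     # objects already tied to one key

    def reserved_object(self) -> Optional[str]:
        # The object left with no key once all m - 1 keys have been used.
        left = [o for o, ks in self.assoc.items() if not ks]
        return left[0] if left else None

    def request(self, obj: str, extra_authorization: bool = False) -> Optional[str]:
        """Query processing. Returns the key granting access, or None when denied."""
        if obj in self.bound:
            return self.bound[obj]                          # repeat access to a keyed object
        keys = self.assoc[obj]
        if not keys:
            # Reserved object: denied unless the caller holds the extra authorization.
            return "AUTHORIZED" if extra_authorization else None
        key = self.rng.choice(sorted(keys))                 # select a key randomly
        self.bound[obj] = key
        self.assoc[obj] = {key}                             # drop the other keys from this object
        for other in self.objects:                          # drop this key from the other objects
            if other != obj:
                self.assoc[other].discard(key)
        return key


def granted_count(objects: List[str], order: List[str], seed: int = 0) -> int:
    # How many distinct objects of one channel a single user can open in the given order.
    scheme = SingleChannelKeyScheme(objects, seed)
    return sum(scheme.request(o) is not None for o in order)
```

Whatever the request order, exactly m - 1 of the m objects are opened and the last one becomes the reserved object, so the full channel is never assembled without the extra authorization.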

Conclusion
Summarized four selected papers in the field of Multilevel Secure Databases:
- Architecture of MLS RDBMS
- Security Model for MLS
- MAC Implementation Methodology
- A Set of Key Schemes to Handle the Inference Problem

References
[1] Chen, X. and Wei, R. A Dynamic Method for Handling the Inference Problem in Multilevel Secure Databases. International Conference on Information Technology: Coding and Computing (ITCC 2005), April 4-6, 2005, Vol. 1, pp. 751-756.
[2] Rjaibi, W. An Introduction to Multilevel Secure Relational Database Management Systems. Proceedings of the 2004 Conference of the Centre for Advanced Studies on Collaborative Research (CASCON), Markham, Ontario, Canada, October 5-7.
[3] Rjaibi, W. and Bird, P. A Multi-Purpose Implementation of Mandatory Access Control in Relational Database Management Systems. Proceedings of the 30th VLDB Conference, Toronto, Canada.
[4] Sushil, J. and Ravi, S. Toward a Multilevel Secure Relational Data Model. ACM SIGMOD International Conference on Management of Data, Denver, Colorado, May 1991, pp. 50-59.