Đang tải... (xem toàn văn)
Mandatory access controls Introduction to Mandatory Access Control (Security Classes, MAC properties, Multilevel relation, Pros and cons of MAC); MAC in Oracle - Oracle Label Security, security classes, classification level.
MANDATORY ACCESS CONTROLS Faculty of Computer Science & Engineering HCMC University of Technology Information Systems of Technology OUTLINE Introduction to Mandatory Access Control MAC in Oracle: Oracle Label Security INTRODUCTION TO MAC Security Classes MAC properties Multilevel relation Pros and cons of MAC INTRODUCTION TO MAC Mandatory Access Control (MAC): MAC applies to large amounts of information requiring strong protect in environments where both the system data and users can be classified clearly MAC is a mechanism for enforcing multiple level of security Propose Model: Bell-LaPadula SECURITY CLASSES Classifies subjects and objects based on security classes Security class: Classification level Category A subject classification reflects the degree of trust and the application area A object classification reflects the sensitivity of the information CLASSIFICATION LEVEL Typical classification level are: Top secret (TS) Secret (S) Confidential (C) Unclassified (U) Where TS is the highest level and U is the lowest: TS ≥ S ≥ C ≥ U CATEGORY Categories tend to reflect the system areas or departments of the organization Example: there are departments of the organization: Sales, Production, Delivery SECURITY CLASSES A security class is defined as follow: SC = (A, C) A: classification level C: category A relation of partial order on the security classes: SC ≤ SC’ is verified, only if: A ≤ A’ and C’ ⊇ C Examples: (2, Sales) ≤ (3, (Sales, Production)) (2, (Sales, Production)) ≤ (3, Sales) INTRODUCTION TO MAC Security Classes MAC properties Multilevel relation Pros and cons of MAC MAC PROPERTIES Simple security property: A subject S is not allowed read access to an object O unless class(S) ≥ class(O) No read-up Star property (or * property): A subject S is not allowed to write an object O unless class(S) ≤ class(O) No write-down These restrictions together ensure that there is no direct flow of information from high to low subjects!!! 10 MULTILEVEL RELATION Multilevel relation: MAC + relational database model Data objects: attributes and tuples Each attribute A is associated with a classification attribute C A tuple classification attribute TC is to provide a classification for each tuple as a whole, the highest of all attribute classification values R(A1,C1,A2,C2, …, An,Cn,TC) The apparent key of a multilevel relation is the set of attributes that would have formed the primary key in a regular (single-level) relation 15 Multilevel relation A multilevel relation will appear to contain different data to subjects (users) with different security levels 16 Multilevel relation SELECT * FROM EMPLOYEE A user with security level S 17 Multilevel relation SELECT * FROM EMPLOYEE A user with security level C 18 Multilevel relation SELECT * FROM EMPLOYEE A user with security level U 19 Multilevel relation SELECT * FROM EMPLOYEE A user with security level U 20 Properties of Multilevel relation Read and write operations: satisfy the No Read-Up and No Write-Down principles 21 Properties of Multilevel relation Entity integrity: all attributes that are members of the apparent key must not be null and must have the same security classification within each individual tuple In addition, all other attribute values in the tuple must have a security classification greater than or equal to that of the apparent key This constraint ensures that a user can see the key if the user is permitted to see any part of the tuple at all 22 PROPERTIES OF MULTILEVEL RELATION Polyinstantiation: where several tuples can have the same apparent key value but have different attribute values for users at different classification levels 23 POLYINSTANTIATION EXAMPLE (security level C) A user with security level C tries to update the value of JobPerformance of Smith to ‘Excellent’: UPDATE EMPLOYEE SET JobPerformance = ‘Excellent’ WHERE Name = ‘Smith’; 24 POLYINSTANTIATION EXAMPLE 25 INTRODUCTION TO MAC Security Classes MAC properties Multilevel relation Pros and cons of MAC 26 PROS AND CONS OF MAC Pros: Provide a high degree of protection – in a way of preventing any illegal flow of information Suitable for military types of applications Cons: Not easy to apply: require a strict classification of subjects and objects into security levels Applicable for very few environments 27 OUTLINE Introduction to Mandatory Access Control MAC in Oracle: Oracle Label Security 28 OUTLINE Introduction to Mandatory Access Control MAC in Oracle: Oracle Label Security (Lab) 29 ... to Mandatory Access Control MAC in Oracle: Oracle Label Security INTRODUCTION TO MAC Security Classes MAC properties Multilevel relation Pros and cons of MAC INTRODUCTION TO MAC Mandatory Access. .. very few environments 27 OUTLINE Introduction to Mandatory Access Control MAC in Oracle: Oracle Label Security 28 OUTLINE Introduction to Mandatory Access Control MAC in Oracle: Oracle Label Security... relation Pros and cons of MAC MAC PROPERTIES Simple security property: A subject S is not allowed read access to an object O unless class(S) ≥ class(O) No read-up Star property (or * property): A subject