1. Trang chủ
  2. » Công Nghệ Thông Tin

Bài giảng Bảo mật cơ sở dữ liệu: Chương 3 - Trần Thị Kim Chi (tt)

59 152 1
Tài liệu được quét OCR, nội dung có thể không chính xác

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 59
Dung lượng 588,35 KB

Nội dung

Bài giảng Bảo mật cơ sở dữ liệu - Chương 3: Bảo mật theo cơ chế MAC cung cấp cho người học các kiến thức: Define Mandatory Access Control Models, secrecy-preserving models, integrity-preserving models, multi-Level security, multi-level databases access control models,... Mời các bạn cùng tham khảo.

Trang 1

Bảo mật theo cơ chề MAC

Trang 2

Agenda Define Mandatory Access Control Models Secrecy-preserving models Integrity-preserving models Multi-Level security

Multi-level databases access control models Multi-level secure DBMS architecture

Trang 3

DDØTTT7Z VIAnHAaAtorv 2 sô (_()Ÿ LQ

xx Mandatory Access Control : A system-wide policy

decrees who 1s allowed to have access; individual user cannot alter that access

** Relies on the system to control access xx Examples:

- The law allows a court to access driving records without the owners’ permission

x< Traditional MAC mechanisms have been tightly coupled to a few security models

Trang 4

Mandatory Access Control vs Discretionary Access Control

%x MAC is centrally controlled by a security policy

administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted

%x DAC, which also governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes

%x MAC-enabled systems allow policy administrators to implement organization-wide security policies

Trang 5

Degrees of MAC system strength

%x In some systems, users have the authority to decide whether to grant access to any other user To allow that, all users

have clearances for all data This 1s not necessarily true of a MAC system If individuals or processes exist that may be denied access to any of the data in the system environment, then the system must be trusted to enforce MAC Since

there can be various levels of data classification and user clearances, this implies a quantified scale for robustness For example, more robustness 1s indicated for system

environments containing classified Top Secret information and uncleared users than for one with Secret information and users cleared to at least Confidential To promote consistency and eliminate subjectivity in degrees of robustness, an extensive scientific analysis and risk

assessment of the topic produced a landmark benchmar

1 AL C Sia tr 1 ihe ties ee

Trang 6

Evaluation of MAC system strength

¥x The Common Criteria[7] is based on this science and it

intended to preserve the Assurance Level as EAL levels and the functionality specifications as Protection Profiles Of these two essential components of objective robustness

benchmarks, only EAL levels were faithfully preserved In one case, TCSEC level C2[8] (not a MAC capable category) was fairly faithfully preserved in the Common Criteria, as

the Controlled Access Protection Profile (CAPP).[9] Multilevel security (MLS) Protection Profiles (such as

MLSOSPP similar to B2)[10] 1s more general than B2 They

are pursuant to MLS, but lack the detailed implementation requirements of their Orange Book predecessors, focusing more on objectives This gives certifiers more subjective flexibility in deciding whether the evaluated product’s

technical features adequately achieve the objective,

Trang 8

Definition and need for MLS

%x Multilevel security involves a database in which

the data stored has an associated classification and consequently constraints for their access

*x MLS allows users with different classification

levels to get different views from the same data

*x MLS cannot allow downward leaking, meaning

Trang 9

Definition and need for MLS

%x Usually multilevel systems are with the federal

government

%x Some private systems also have multilevel security needs

3x MLS relation is split into several single-level relations, A recovery algorithm reconstructs the MLS relation from the decomposed single-level relations

Sx At times MLS updates cannot be completed because it would result in leakage or destruction of secret

Trang 10

Definition and need for MLS

*< In relational model, relations are tables

and relations consist of tuples (rows) and

attributes (columns)

* Example:

Consider the relation

SOD (Starship, Objective, Destination)

Starship Objective Destination

Enterprise Exploration Talos

Voyager Spying Mars

Trang 11

Definition and need for MLS

x The relation in the example has no

classification associated with it ina relational model

x The same example in MLS with

Trang 12

Definition and need for MLS

*< In MLS, access classes can be assigned to:

— Individual tuple in a relation — Individual attribute of a relation

— Individual data element of tuples in a relation x Bell — LaPadula Model

Trang 13

Bell — LaPadula Model

%x Proposed by David Bell and Len Lapadula in 1973, in response to U.S Air Force concerns over the security of time-sharing mainframe systems *x This model is the most widely recognized Access

Matrix model with classified data

The model deal with confidentiality only

X

x This model has two components:

- Classification - Set of categories

Trang 14

Bell — LaPadula Model

Two properties: No read up and No write down xx Simple security property: Subject A is allowed to

read object O only if class(O) class(A)

*_nroperty: Subject A is allowed to write object

O only if class(A) class(Q)

k

Xš The *-property was Bell and LaPadulaˆs critical innovation It was driven by the fear that a user with “Secret” clearance might be “tricked” by

attackers (e.g., through Trojan horse programs or software vulnerabilities) to copy down the

information to a Unclassified” area where the

Trang 15

Bell — LaPadula Model

= Classification has four values {U, C, S, TS} =U = unclassified

="C = confidential ="S = secret

=TS = top secret

=" Classifications are ordered: TS >S>C>U

= Set of categories consists of the data environment and the application area, I.e., Nuclear, Army,

Financial, Research

Example: In USA, a “SECRET” clearance involves

Trang 16

Bell — LaPadula Model

% An access class cl dominates > an access class

c2 iff

- Security level of cl is greater than or equal to that of c2 - The categories of cl include those of c2

TS, {Army,Nuclear }

TS,{Army } S,{Army,Nuclear} TS,{Nuclear}

Trang 17

Bell — LaPadula Model

** Bell-LaPadula model is based on a subject- object paradigm

* Subjects are active elements of the system that execute actions

x Objects are passive elements of the system that contain information

Trang 18

Bell — LaPadula Model

** Subjects execute access modes on objects x Access modes are:

- Read-only

- Append (writing without reading)

- Execute

- Read-write (writing known data)

Trang 19

Bell — LaPadula Model

¥x Control direct and indirect flows of information %x Prevent leakage to unauthorized subjects

%x User can connect to the system with any access class dominated by their clearance

TS, {Army,Nuclear }

TS,{Army } S,{Army,Nuclear} TS,{Nuclear}

Trang 20

Two Principles

* To protect information confidentiality

- No-read-up, a subject is allowed a read access to an object only if the access class of the subject dominate the access class of the object - No-write-down, a subject is allowed a write

Trang 21

No-read-up & No-write-down OBJECTS Information Flow

=" Can TS subject write to S object? =" Can S subject write to U object?

Trang 22

Solution to Trojan Horse

** Possible classification reflecting the access

restrictions:

- Secret for Vicky and “Market”

- Unclassified to John and “Stolen”

Trang 23

Applying BLP: An Example

xx Alice has (Secret, {NUC, EUR}) clearance xx David has (Secret, {EUR}) clearance

- David can talk to Alice (“write up” or “read down’’)

- Alice cannot talk to David (“read up” or “write down’’)

xx Alice is a user, and she can login with a different ID (as a different principle) with reduced

clearance

Trang 24

BLP: Problem

* If I can write up, then how about writing files with blanks?

- Blind writing up may cause integrity

Trang 25

Bell — LaPadula Model

xT wo main properties of this model for a

secure system are:

- Simple security property - Star property

* Simple security means: A subject may

have read or write access to an object only if the clearance of the subject dominates the

Trang 26

Bell — LaPadula Model

x Star property means: An untrusted subject may:

append if object security dominates subject security write if object security equals subject security

read if object security is less than subject security

* This model guarantees secrecy by preventing unauthorized release of information

* This model does not protect from

Trang 27

Key Points

*< Confidentiality models restrict flow of information

*< Bell-LaPadula (BLP) models multilevel security Cornerstone of much work in computer security

- Simple security property says no read up and - Star property says no write down

Trang 28

The Biba Model

XA model due to Ken Biba which is often referred to as

“Bell-LaPadula upside down.”

%x It deals with integrity alone and ignores confidentiality entirely

%x Biba model covers integrity levels, which are analogous to sensitivity levels in Bell-LaPadula

%x Integrity levels cover inappropriate modification of data

%x Prevents unauthorized users from making modifications

Trang 29

The Biba Model

Two properties:

%= Simple Integrity Property: A low integrity subject will not write or modify high integrity data

Xš *-Properíy: The high integrity subject will not read low integrity data

Trang 30

Integrity Level

x Integrity level of a user reflects user’s

trustworthiness for inserting, modifying, or deleting information

* Integrity level of an object reflects both the degree of trust that can be placed on the

Trang 31

Two principles

X No-read-down: A subject is allowed a read access to an object only if the access class of the object dominates the access class of the subject

* No-write-up: A subject is allowed a write

Trang 33

Applying Mandatory Policies to Databases

** Commercial DBMSs Oracle, Sybase, and TruData have MLS versions of their DBMS

¥m Because of Bell-LaPadula restrictions, subjects having different

clearances see different versions of a multilevel relation

[NamelAn| Dept |Àp|Salary|As[ {Name]\An|Dept]A\p|Salary},s| Bob | U |]Depti] U} 100K {U Bob | U J|Dept1[ U | 100k EU

Jim Ƒ U |Deptl{ U | 100K EU Jim Ƒ U |Deptl| U | 100k EU Ann | 5 |Dept2{| 5 | 200E {5 Sam | JDeptl[U| - U Sam U JDept1{ U | 150K {S (a) (b)

Trang 34

Polyinstantiation

** Request by low level subject

- An unclassified subject request insert of <Ann, Deptl, 1OOK>

%x If this update is rejected, then the user would be able to infer something about Ann

Trang 35

Polyinstantiation

X Request by high level subjects

- A secret subject request to insert <Bob, Dept2, 200K> - Inform the subject of the conflict and refuse the insertion (no) - Overwrite the existing tuple (no)

Name]An Dept Ap|Salary|As Name|Ayn Dept Ap|Salary Bob | U]Deptl] U |] 100K |U Bob | U []Depti] U | 100K

Trang 36

Challenges

* Cover Stories

- Non-true data to hide the existence of the actual value

- Not released is a cause of information leakage

x Fine-grained is not easy

Trang 37

Covert Channels

3x A covert channel is an information flow that is not controlled by a security mechanism

%= In BLP, you could use the access control mechanism itself

to construct a covert channel

-— A low level subject makes an object “dummy.obj” at its own level - Its high level accomplice either upgrades the security level of

dummy.obj to high or leaves it unchanged

- Later, the low level subject tries to read dummy.obj Success or failure of this request disclose the action of the high-level subject

One bit of information has flown from high to low

Trang 38

Covert Channels (conf ` d)

Xš Other Examples for Covert Channels:

- Timing Channels - Resource State

- Hidden Information in downgraded documents

%x Commonly used techniques for reducing covert channels:

Reduce abusable functionality

High level processes get lowest resource allocation priority and can be preempted by low level processes

Random delays, clock noise, randomized resource availability Auditing the use of known channels

Trang 39

Multilateral Security

%x Instead of the information flow-control boundaries being

horizontal, as in the MLS model, we instead need the

boundaries to be the mostly vertical Xš Examples:

- In aconsultant company, a person who consult for BankOne should not have access to the data of JPMC-Chase

- An intelligence organization wants to keep the names of agents working in one foreign country secret from the department

responsible for spying on another

Trang 40

Multilateral Security

%x Multilateral security models:

- The Chinese Wall Model

Trang 41

Chinese Wall Model Problem: -— Tony advises American Bank about investments - He is asked to advise Toyland Bank about investments

x Conflict of interest to accept, because his

Trang 42

Organization

x Organize entities into “conflict of interest” classes

x Control subject accesses to each class

x Control writing to all classes to ensure

information is not passed along in violation

of rules

Trang 43

The Chinese Wall Model

Xš Proposed by Brewer and Nash to model access rules in a consultancy business where analysts have to make sure that no conflicts of interest arise when they are dealing with different clients

%x Informally, conflicts arise because clients are direct competitors in the same market or because of the

ownership of companies Analysts have to adhere to the following security policy:

- Rule: There must be no information flow that causes a conflict of interest

¥x Conflict of Interest (Col) classes: indicate which

Ngày đăng: 30/01/2020, 11:10

TỪ KHÓA LIÊN QUAN