Đang tải... (xem toàn văn)
Bài giảng Bảo mật cơ sở dữ liệu - Chương 3: Bảo mật theo cơ chế MAC cung cấp cho người học các kiến thức: Define Mandatory Access Control Models, secrecy-preserving models, integrity-preserving models, multi-Level security, multi-level databases access control models,... Mời các bạn cùng tham khảo.
Bảo mật theo chế MAC Mandatory Access Control Models Agenda Define Mandatory Access Control Models Secrecy-preserving models Integrity-preserving models Multi-Level security Multi-level databases access control models Multi-level secure DBMS architecture MAC hệ QTCSDL thông dụng Define Mandatory Access Control Mandatory Access Control : A system-wide policy decrees who is allowed to have access; individual user cannot alter that access Relies on the system to control access Examples: – The law allows a court to access driving records without the owners’ permission Traditional MAC mechanisms have been tightly coupled to a few security models Recently, systems supporting flexible security models start to appear (e.g., SELinux, Trusted Solaris, TrustedBSD, etc.) Mandatory Access Control vs Discretionary Access Control MAC is centrally controlled by a security policy administrator; users not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted DAC, which also governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes MAC-enabled systems allow policy administrators to implement organization-wide security policies With DAC, users cannot override or modify this policy, either accidentally or intentionally This allows security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users Degrees of MAC system strength In some systems, users have the authority to decide whether to grant access to any other user To allow that, all users have clearances for all data This is not necessarily true of a MAC system If individuals or processes exist that may be denied access to any of the data in the system environment, then the system must be trusted to enforce MAC Since there can be various levels of data classification and user clearances, this implies a quantified scale for robustness For example, more robustness is indicated for system environments containing classified Top Secret information and uncleared users than for one with Secret information and users cleared to at least Confidential To promote consistency and eliminate subjectivity in degrees of robustness, an extensive scientific analysis and risk assessment of the topic produced a landmark benchmark Evaluation of MAC system strength The Common Criteria[7] is based on this science and it intended to preserve the Assurance Level as EAL levels and the functionality specifications as Protection Profiles Of these two essential components of objective robustness benchmarks, only EAL levels were faithfully preserved In one case, TCSEC level C2[8] (not a MAC capable category) was fairly faithfully preserved in the Common Criteria, as the Controlled Access Protection Profile (CAPP).[9] Multilevel security (MLS) Protection Profiles (such as MLSOSPP similar to B2)[10] is more general than B2 They are pursuant to MLS, but lack the detailed implementation requirements of their Orange Book predecessors, focusing more on objectives This gives certifiers more subjective flexibility in deciding whether the evaluated product’s technical features adequately achieve the objective, Multilevel Security (MLS) Definition and need for MLS – Security Classification – Secrecy-Based Mandatory Policies: BellLaPadula Model – Integrity-based Mandatory Policies: The Biba Model – Limitation of Mandatory Policies Hybrid Policies – The Chinese Wall Policy Definition and need for MLS Multilevel security involves a database in which the data stored has an associated classification and consequently constraints for their access MLS allows users with different classification levels to get different views from the same data MLS cannot allow downward leaking, meaning that a user with a lower classification views data stored with a higher classification Definition and need for MLS Usually multilevel systems are with the federal government Some private systems also have multilevel security needs MLS relation is split into several single-level relations, A recovery algorithm reconstructs the MLS relation from the decomposed single-level relations At times MLS updates cannot be completed because it would result in leakage or destruction of secret information Definition and need for MLS In relational model, relations are tables and relations consist of tuples (rows) and attributes (columns) Example: Consider the relation SOD(Starship, Objective, Destination) Starship Enterprise Voyager Objective Exploration Spying Destination Talos Mars Definitions Objects: items of information related to a company Company dataset (CD): contains objects related to a single company – Written CD(O) Conflict of interest class (COI): contains datasets of companies in competition – Written COI(O) – Assume: each object belongs to exactly one COI class Example Bank COI Class Bank of America Citibank Bank of the West Gasoline Company COI Class Shell Oil Union ’76 Standard Oil ARCO The Chinese Wall Model Read Rule: A subject S can read an object O if: O is in the same Dataset as an object already accessed by S, or O belongs to a CoI class from which S has not yet accessed any information Write Rule: A subject S can write an object O if: S can read O according to the Read Rule, and No object in a different company dataset (i.e., not O’s company dataset) can be read The Chinese Wall Model In the write rule, the flow of information is comfined to its own company dataset Without this rule, a person who can access both A and B can read the information from A and write to B; this way, another person who can access B can also access the information in A indirectly If this person can also access C, which is in the same CoI class as A, we have a violation The access restriction for both read and write can be lifted for sanitized information The Chinese Wall Model Company Dataset: The set of objects that may belong to a company – CD(O) Conflict of Interest Class: Datasets of companies in conflict – COI(O) – Each object has only one Read iff (CW-Simple Security Property) Let PR(S) be the set of objects that a subject S has already read – If a subject S reads an O belonging to dataset CD, she can never read another O’ where CD(O’) is a member of COI(O) and CD(O’) is not equal CD(O) – Objects can be sanitized The Chinese Wall Model What about control of writing? Suppose CD1 and CD2 are have a conflict of interest – What if one user can read from CD3 and CD1… – And another can read from CD3 and CD2? Now suppose either user can write to CD3 – What happens? Thus, a writer can only access objects in one dataset Temporal Element If Anthony reads any CD in a COI, he can never read another CD in that COI – Possible that information learned earlier may allow him to make decisions later – Let PR(S) be set of objects that S has already read Bank COI Class Bank of America Citibank Bank of the West CW-Simple Security Condition s can read o iff : s has read something in o’s dataset, and object o is in the same company datasets as the objects already access by s, that is “within the Wall”, or s has not read any objects in o’s conflict of interest class, what s has read belongs to an entirely different conflict of interest class Ignores sanitized data (see below) Sanitization Public information may belong to a CD – As is publicly available, no conflicts of interest arise – So, should not affect ability of analysts to read – Typically, all sensitive data removed from such information before it is released publicly (called sanitization) Add third condition to CW-Simple Security Condition: – o is a sanitized object Writing Anthony, Susan work in same trading house Anthony can read Bank 1’s CD, Gas’ CD Susan can read Bank 2’s CD, Gas’ CD If Anthony could write to Gas’ CD, Susan can read it – Hence, indirectly, she can read information from Bank 1’s CD, a clear conflict of interest CW-*-Property Write access is only permitted if – Access is permitted by the CW-simple security rule, and – For all unsanitized objects o’, if s can read o’, then CD(o’) = CD(o) Says that s can write to an object if all the (unsanitized) objects he/she can read are in the same dataset Multilevel DBMSs Architecture • Trusted subject The DBMS itself must be trusted to ensure mandatory policy • Trusted Computing Base: Data are partitioned in different databases, one for each level Reference Sushil Jajodia and Ravi S Sandhu, Toward a Multilevel Secure Relational Model, essay 20 Discussion (15 min) Customer order scenario from page 161 in the textbook Identify the subject, actions, objects Design the MAC Lab (Feb 21) Install Oracle Label Security & Using Oracle Label Security – http://apex.oracle.com/pls/apex/f?p=4478 5:24:3634991866798098::NO:24:P24_CONTENT _ID,P24_PREV_PAGE:4509,2 – http://apex.oracle.com/pls/apex/f?p=4478 5:24:3634991866798098::NO:24:P24_CONTENT _ID,P24_PREV_PAGE:4548,2 ... Access Control Models Secrecy-preserving models Integrity-preserving models Multi-Level security Multi-level databases access control models Multi-level secure DBMS architecture MAC hệ QTCSDL thông... information confidentiality – No-read-up, a subject is allowed a read access to an object only if the access class of the subject dominate the access class of the object – No-write-down, a subject is allowed... only if the access class of the subject is dominated by the access class of the object No-read-up & No-write-down Can TS subject write to S object? Can S subject write to U object? How to