Bài giảng Bảo mật CSDL - Chap 4: Mandatory Access Control Models - Part 2

Bảo mật theo cơ chế MACMandatory Access Control Models AgendaDefine Mandatory Access Control ModelsSecrecy-preserving modelsIntegrity-preserving modelsMulti-Level securityMulti-level databases access control modelsMulti-level secure DBMS architectureMAC trong các hệ QTCSDL thông dụng Define Mandatory Access ControlMandatory Access Control : A system-wide policy decrees who is allowed to have access; individual user cannot alter that access.Relies on the system to control access.Examples:The law allows a court to access driving records without the owners’ permission.Traditional MAC mechanisms have been tightly coupled to a few security models.Recently, systems supporting flexible security models start to appear (e.g., SELinux, Trusted Solaris, TrustedBSD, etc.)Mandatory Access Control vs Discretionary Access ControlMAC is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted. DAC, which also governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes. MAC-enabled systems allow policy administrators to implement organization-wide security policies. With DAC, users cannot override or modify this policy, either accidentally or intentionally. This allows security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users.Degrees of MAC system strengthIn some systems, users have the authority to decide whether to grant access to any other user. To allow that, all users have clearances for all data. This is not necessarily true of a MAC system. If individuals or processes exist that may be denied access to any of the data in the system environment, then the system must be trusted to enforce MAC. Since there can be various levels of data classification and user clearances, this implies a quantified scale for robustness. For example, more robustness is indicated for system environments containing classified Top Secret information and uncleared users than for one with Secret information and users cleared to at least Confidential. To promote consistency and eliminate subjectivity in degrees of robustness, an extensive scientific analysis and risk assessment of the topic produced a landmark benchmark standardization quantifying security robustness capabilities of systems and mapping them to the degrees of trust warranted for various security environments. The result was documented in CSC-STD-004-85.[6] Two relatively independent components of robustness were defined: Assurance Level and Functionality. Both were specified with a degree of precision that warranted significant confidence in certifications based on these criteria.Evaluation of MAC system strengthThe Common Criteria[7] is based on this science and it intended to preserve the Assurance Level as EAL levels and the functionality specifications as Protection Profiles. Of these two essential components of objective robustness benchmarks, only EAL levels were faithfully preserved. In one case, TCSEC level C2[8] (not a MAC capable category) was fairly faithfully preserved in the Common Criteria, as the Controlled Access Protection Profile (CAPP).[9] Multilevel security (MLS) Protection Profiles (such as MLSOSPP similar to B2)[10] is more general than B2. They are pursuant to MLS, but lack the detailed implementation requirements of their Orange Book predecessors, focusing more on objectives. This gives certifiers more subjective flexibility in deciding whether the evaluated product’s technical features adequately achieve the objective, potentially eroding consistency of evaluated products and making it easier to attain certification for less trustworthy products. For these reasons, the importance of the technical details of the Protection Profile is critical to determining the suitability of a product.Such an architecture prevents an authenticated user or process at a specific classification or trust-level from accessing information, processes, or devices in a different level. This provides a containment mechanism of users and processes, both known and unknown (an unknown program (for example) might comprise an untrusted application where the system should monitor and/or control accesses to devices and files).Multilevel Security (MLS)Definition and need for MLSSecurity ClassificationSecrecy-Based Mandatory Policies: Bell-LaPadula ModelIntegrity-based Mandatory Policies: The Biba ModelLimitation of Mandatory PoliciesHybrid PoliciesThe Chinese Wall PolicyDefinition and need for MLSMultilevel security involves a database in which the data stored has an associated classification and consequently constraints for their accessMLS allows users with different classification levels to get different views from the same dataMLS cannot allow downward leaking, meaning that a user with a lower classification views data stored with a higher classificationDefinition and need for MLSUsually multilevel systems are with the federal governmentSome private systems also have multilevel security needsMLS relation is split into several single-level relations, A recovery algorithm reconstructs the MLS relation from the decomposed single-level relationsAt times MLS updates cannot be completed because it would result in leakage or destruction of secret informationDefinition and need for MLSIn relational model, relations are tables and relations consist of tuples (rows) and attributes (columns)Example: Consider the relation SOD(Starship, Objective, Destination)StarshipObjectiveDestinationEnterpriseVoyagerExplorationSpyingTalosMarsDefinition and need for MLSThe relation in the example has no classification associated with it in a relational modelThe same example in MLS with classification will be as follows:StarshipObjectiveDestinationEnterprise UVoyager UExploration USpying STalos UMars SDefinition and need for MLSIn MLS, access classes can be assigned to:Individual tuple in a relationIndividual attribute of a relationIndividual data element of tuples in a relationBell – LaPadula ModelBiba ModelBell – LaPadula ModelProposed by David Bell and Len Lapadula in 1973, in response to U.S. Air Force concerns over the security of time-sharing mainframe systems.This model is the most widely recognized Access Matrix model with classified dataThe model deal with confidentiality only.This model has two components:ClassificationSet of categories Bell-LaPadula model shows how to use Mandatory Access Control to prevent the Trojan HorseBell – LaPadula ModelTwo properties: No read up and No write down.Simple security property: Subject A is allowed to read object O only if class(O) class(A).*-property: Subject A is allowed to write object O only if class(A) class(O).The *-property was Bell and LaPadula’s critical innovation. It was driven by the fear that a user with “Secret” clearance might be “tricked” by attackers (e.g., through Trojan horse programs or software vulnerabilities) to copy down the information to a ”Unclassified” area where the attackers can read.Bell – LaPadula ModelExample: In USA, a “SECRET” clearance involves checking FBI fingerprint files. Classification has four values {U, C, S, TS}U = unclassifiedC = confidentialS = secretTS = top secret Classifications are ordered: TS > S > C > U Set of categories consists of the data environment and the application area, i.e., Nuclear, Army, Financial, ResearchBell – LaPadula ModelAn access class c1 dominates ≥ an access class c2 iffSecurity level of c1 is greater than or equal to that of c2The categories of c1 include those of c2Bell – LaPadula ModelBell-LaPadula model is based on a subject-object paradigmSubjects are active elements of the system that execute actionsObjects are passive elements of the system that contain informationSubjects act on behalf of users who have a security level associated with them (indicating the level of system trust)Bell – LaPadula ModelSubjects execute access modes on objectsAccess modes are:Read-onlyAppend (writing without reading)ExecuteRead-write (writing known data)Decentralized administration of privileges on objectsBell – LaPadula ModelControl direct and indirect flows of informationPrevent leakage to unauthorized subjectsUser can connect to the system with any access class dominated by their clearanceTwo PrinciplesTo protect information confidentialityNo-read-up, a subject is allowed a read access to an object only if the access class of the subject dominate the access class of the objectNo-write-down, a subject is allowed a write access to an object only if the access class of the subject is dominated by the access class of the objectNo-read-up & No-write-downCan TS subject write to S object?Can S subject write to U object? How to apply to the Trojan Horse case?Solution to Trojan HorsePossible classification reflecting the access restrictions:Secret for Vicky and “Market”Unclassified to John and “Stolen”If Vicky connect to system as secret, write is blockedIf Vicky connects to system as unclassified, read is blockedIs Vicky allowed to write to the unclassified object? How?Applying BLP: An Example Alice has (Secret, {NUC, EUR}) clearanceDavid has (Secret, {EUR}) clearanceDavid can talk to Alice (“write up” or “read down”)Alice cannot talk to David (“read up” or “write down”)Alice is a user, and she can login with a different ID (as a different principle) with reduced clearanceAlias1 (Secret, {NUC, EUR}) Alias2 (Secret, {EUR}) BLP: ProblemIf I can write up, then how about writing files with blanks?Blind writing up may cause integrity problems, but not a confidentiality breachBell – LaPadula ModelTwo main properties of this model for a secure system are:Simple security propertyStar propertySimple security means: A subject may have read or write access to an object only if the clearance of the subject dominates the security level of the objectBell – LaPadula ModelStar property means: An untrusted subject may: append if object security dominates subject security write if object security equals subject security read if object security is less than subject securityThis model guarantees secrecy by preventing unauthorized release of informationThis model does not protect from unauthorized modification of informationKey PointsConfidentiality models restrict flow of informationBell-LaPadula (BLP) models multilevel securityCornerstone of much work in computer securitySimple security property says no read up and Star property says no write downBoth ensure information can only flow upThe Biba ModelA model due to Ken Biba which is often referred to as “Bell-LaPadula upside down.”It deals with integrity alone and ignores confidentiality entirely.Biba model covers integrity levels, which are analogous to sensitivity levels in Bell-LaPadulaIntegrity levels cover inappropriate modification of dataPrevents unauthorized users from making modifications (1st goal of integrity)The Biba ModelTwo properties:Simple Integrity Property: A low integrity subject will not write or modify high integrity data.*-Property: The high integrity subject will not read low integrity data.Read Up, Write Down - Subjects cannot read objects of lesser integrity, subjects cannot write to objects of higher integrityEach subject and object in the system is assigned an integrity classificationCrucialImportantUnknown Integrity LevelIntegrity level of a user reflects user’s trustworthiness for inserting, modifying, or deleting informationIntegrity level of an object reflects both the degree of trust that can be placed on the info stored in the object, and the potential damage could result from unauthorized modification of infoTwo principlesNo-read-down: A subject is allowed a read access to an object only if the access class of the object dominates the access class of the subjectNo-write-up: A subject is allowed a write access to an object only if the access class of the subject is dominated by the access class of the objectQ: How to control both the secrecy and integrity?Applying Mandatory Policies to DatabasesCommercial DBMSs Oracle, Sybase, and TruData have MLS versions of their DBMSBecause of Bell-LaPadula restrictions, subjects having different clearances see different versions of a multilevel relationVisible to a user with unclassified level. Visible to a user with secret level. PolyinstantiationRequest by low level subjectAn unclassified subject request insert of If this update is rejected, then the user would be able to infer something about AnnMLS would allow the secret channel to permit data update and protect data integrityVisible to a user with secret level. Visible to a user with unclassified level. PolyinstantiationRequest by high level subjectsA secret subject request to insert Inform the subject of the conflict and refuse the insertion (no)Overwrite the existing tuple (no)ChallengesCover Stories Non-true data to hide the existence of the actual valueNot released is a cause of information leakageFine-grained is not easyAggregation, associationBlock inference channelsCovert ChannelsA covert channel is an information flow that is not controlled by a security mechanism.In BLP, you could use the access control mechanism itself to construct a covert channel.A low level subject makes an object “dummy.obj” at its own level.Its high level accomplice either upgrades the security level of dummy.obj to high or leaves it unchanged.Later, the low level subject tries to read dummy.obj. Success or failure of this request disclose the action of the high-level subject. One bit of information has flown from high to low. Failure means dummy.obj has be upgraded; success means dummy.obj has not been changedCovert Channels (cont’d)Other Examples for Covert Channels:Timing ChannelsResource StateHidden Information in downgraded documentsCommonly used techniques for reducing covert channels:Reduce abusable functionalityHigh level processes get lowest resource allocation priority and can be preempted by low level processes.Random delays, clock noise, randomized resource availability.Auditing the use of known channelsPolyinstantiation Multilateral SecurityInstead of the information flow-control boundaries being horizontal, as in the MLS model, we instead need the boundaries to be the mostly vertical.Examples:In a consultant company, a person who consult for BankOne should not have access to the data of JPMC-Chase.An intelligence organization wants to keep the names of agents working in one foreign country secret from the department responsible for spying on another.Also known as compartmentation.Multilateral SecurityMultilateral security models:The Chinese Wall ModelThe BMA Model (British Medical Association)Chinese Wall ModelProblem:Tony advises American Bank about investmentsHe is asked to advise Toyland Bank about investmentsConflict of interest to accept, because his advice for either bank would affect his advice to the other bankOrganizationOrganize entities into “conflict of interest” classesControl subject accesses to each classControl writing to all classes to ensure information is not passed along in violation of rulesAllow sanitized data to be viewed by everyoneThe Chinese Wall ModelProposed by Brewer and Nash to model access rules in a consultancy business where analysts have to make sure that no conflicts of interest arise when they are dealing with different clients.Informally, conflicts arise because clients are direct competitors in the same market or because of the ownership of companies. Analysts have to adhere to the following security policy:Rule: There must be no information flow that causes a conflict of interest.Conflict of Interest (CoI) classes: indicate which companies are in competition.The Chinese Wall ModelConsider a consulting businessA consultant is authorized to work for any client, but some clients have secrecy and integrity requirements relative to other clientsCoca-Cola and PespiThe Chinese Wall model enables definition of such scenariosOnly allow subjects to read data from one of the conflicted partiesMust control writing tooDefinitionsObjects: items of information related to a companyCompany dataset (CD): contains objects related to a single companyWritten CD(O)Conflict of interest class (COI): contains datasets of companies in competitionWritten COI(O)Assume: each object belongs to exactly one COI classExampleBank of AmericaCitibankBank of the WestBank COI ClassShell OilUnion ’76Standard OilARCOGasoline Company COI ClassThe Chinese Wall ModelRead Rule: A subject S can read an object O if: O is in the same Dataset as an object already accessed by S, or O belongs to a CoI class from which S has not yet accessed any information.Write Rule: A subject S can write an object O if: S can read O according to the Read Rule, and No object in a different company dataset (i.e., not O’s company dataset) can be read.The Chinese Wall ModelIn the write rule, the flow of information is comfined to its own company dataset. Without this rule, a person who can access both A and B can read the information from A and write to B; this way, another person who can access B can also access the information in A indirectly. If this person can also access C, which is in the same CoI class as A, we have a violation.The access restriction for both read and write can be lifted for sanitized information.The Chinese Wall ModelCompany Dataset: The set of objects that may belong to a company – CD(O)Conflict of Interest Class: Datasets of companies in conflict – COI(O)Each object has only oneRead iff (CW-Simple Security Property) Let PR(S) be the set of objects that a subject S has already readIf a subject S reads an O belonging to dataset CD, she can never read another O’ where CD(O’) is a member of COI(O) and CD(O’) is not equal CD(O)Objects can be sanitizedThe Chinese Wall ModelWhat about control of writing? Suppose CD1 and CD2 are have a conflict of interestWhat if one user can read from CD3 and CD1And another can read from CD3 and CD2?Now suppose either user can write to CD3What happens?Thus, a writer can only access objects in one datasetTemporal ElementIf Anthony reads any CD in a COI, he can never read another CD in that COIPossible that information learned earlier may allow him to make decisions laterLet PR(S) be set of objects that S has already readBank of AmericaCitibankBank of the WestBank COI ClassCW-Simple Security Conditions can read o iff :s has read something in o’s dataset, and object o is in the same company datasets as the objects already access by s, that is “within the Wall”, ors has not read any objects in o’s conflict of interest class, what s has read belongs to an entirely different conflict of interest classIgnores sanitized data (see below)SanitizationPublic information may belong to a CDAs is publicly available, no conflicts of interest ariseSo, should not affect ability of analysts to readTypically, all sensitive data removed from such information before it is released publicly (called sanitization)Add third condition to CW-Simple Security Condition:3. o is a sanitized objectWritingAnthony, Susan work in same trading houseAnthony can read Bank 1’s CD, Gas’ CDSusan can read Bank 2’s CD, Gas’ CDIf Anthony could write to Gas’ CD, Susan can read itHence, indirectly, she can read information from Bank 1’s CD, a clear conflict of interestCW-*-PropertyWrite access is only permitted ifAccess is permitted by the CW-simple security rule, andFor all unsanitized objects o’, if s can read o’, then CD(o’) = CD(o)Says that s can write to an object if all the (unsanitized) objects he/she can read are in the same datasetMultilevel DBMSs Architecture Trusted subject. The DBMS itself must be trusted to ensure mandatory policy Trusted Computing Base: Data are partitioned in different databases, one for each levelReferenceSushil Jajodia and Ravi S. Sandhu, Toward a Multilevel Secure Relational Model, essay