Security via MAC (Mandatory Access Control): Mandatory Access Control Models
Agenda
1. Define Mandatory Access Control Models
2. Secrecy-preserving models
3. Integrity-preserving models
4. Multi-Level security
5. Multilevel databases access control models
6. Multilevel secure DBMS architecture
7. MAC in common database management systems
Define Mandatory Access Control
Mandatory Access Control: a system-wide policy decrees who is allowed to have access; an individual user cannot alter that access. It relies on the system, not the object owner, to control access.
Examples:
– The law allows a court to access driving records without the owners' permission.
Traditional MAC mechanisms have been tightly coupled to a few security models. Recently, systems supporting flexible security models have started to appear (e.g., SELinux, Trusted Solaris, TrustedBSD).
Mandatory Access Control vs Discretionary Access Control
MAC is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted. DAC, which also governs the ability of subjects to access objects, allows users to make policy decisions and/or assign security attributes. MAC-enabled systems allow policy administrators to implement organization-wide security policies. Under MAC, users cannot override or modify this policy, either accidentally or intentionally. This allows security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users.
Degrees of MAC system strength
In some systems, users have the authority to decide whether to grant access to any other user. To allow that, all users have clearances for all data. This is not necessarily true of a MAC system. If individuals or processes exist that may be denied access to any of the data in the system environment, then the system must be trusted to enforce MAC. Since there can be various levels of data classification and user clearances, this implies a quantified scale for robustness. For example, more robustness is indicated for system environments containing classified Top Secret information and uncleared users than for one with Secret information and users cleared to at least Confidential. To promote consistency and eliminate subjectivity in degrees of robustness, an extensive scientific analysis and risk assessment of the topic produced a landmark benchmark standardization quantifying security robustness capabilities of systems and mapping them to the degrees of trust warranted for various security environments. The result was documented in CSC-STD-004-85.[6] Two relatively independent components of robustness were defined: Assurance Level and Functionality. Both were specified with a degree of precision that warranted significant confidence in certifications based on these criteria.
Evaluation of MAC system strength
The Common Criteria[7] is based on this science and is intended to preserve the Assurance Level as EAL levels and the functionality specifications as Protection Profiles. Of these two essential components of objective robustness benchmarks, only the EAL levels were faithfully preserved. In one case, TCSEC level C2[8] (not a MAC-capable category) was fairly faithfully preserved in the Common Criteria as the Controlled Access Protection Profile (CAPP).[9] Multilevel security (MLS) Protection Profiles (such as MLSOSPP, similar to B2)[10] are more general than B2. They pursue MLS, but lack the detailed implementation requirements of their Orange Book predecessors, focusing more on objectives. This gives certifiers more subjective flexibility in deciding whether the evaluated product's technical features adequately achieve the objective, potentially eroding consistency of evaluated products and making it easier to attain certification for less trustworthy products. For these reasons, the technical details of the Protection Profile are critical to determining the suitability of a product.
An MLS architecture prevents an authenticated user or process at a specific classification or trust level from accessing information, processes, or devices at a different level. This provides a containment mechanism for users and processes, both known and unknown (an unknown program, for example, might be an untrusted application whose accesses to devices and files the system should monitor and/or control).
Multilevel Security (MLS)
– Definition and need for MLS
– Security Classification
– Secrecy-Based Mandatory Policies: the Bell–LaPadula Model
– Integrity-Based Mandatory Policies: the Biba Model
– Limitations of Mandatory Policies
– Hybrid Policies: the Chinese Wall Policy
Definition and need for MLS
Multilevel security involves a database in which the stored data has an associated classification and, consequently, constraints on its access.
MLS allows users with different classification levels to get different views of the same data.
MLS cannot allow downward leaking, i.e., a user with a lower classification must not be able to view data stored with a higher classification.

Definition and need for MLS
Usually multilevel systems are found in the federal government; some private systems also have multilevel security needs.
An MLS relation is split into several single-level relations; a recovery algorithm reconstructs the MLS relation from the decomposed single-level relations.
At times MLS updates cannot be completed because they would result in leakage or destruction of secret information.

Definition and need for MLS
In the relational model, relations are tables; a relation consists of tuples (rows) and attributes (columns).
Example: Consider the relation SOD(Starship, Objective, Destination)

Starship     Objective     Destination
Enterprise   Exploration   Talos
Voyager      Spying        Mars

Definition and need for MLS
The relation in the example has no classification associated with it in the relational model. The same example in MLS, with a classification on each data element, is as follows:

Starship       Objective        Destination
Enterprise U   Exploration U    Talos U
Voyager U      Spying S         Mars S

Definition and need for MLS
In MLS, access classes can be assigned to:
– an individual tuple in a relation
– an individual attribute of a relation
– an individual data element of a tuple in a relation
The Bell–LaPadula model (secrecy) and the Biba model (integrity) show how such access classes are used.
Bell – LaPadula Model
Proposed by David Bell and Len LaPadula in 1973, in response to U.S. Air Force concerns over the security of time-sharing mainframe systems. It is the most widely recognized access-matrix model for classified data. The model deals with confidentiality only. An access class in this model has two components:
– a classification (security level)
– a set of categories
The Bell–LaPadula model uses Mandatory Access Control to prevent the Trojan Horse problem.
Bell – LaPadula Model
Two properties: no read up and no write down.
Simple security property: subject A is allowed to read object O only if class(O) ≤ class(A).
*-property: subject A is allowed to write object O only if class(A) ≤ class(O).
The *-property was Bell and LaPadula's critical innovation. It was driven by the fear that a user with "Secret" clearance might be "tricked" by attackers (e.g., through Trojan horse programs or software vulnerabilities) into copying information down to an "Unclassified" area where the attackers can read it.
Bell – LaPadula Model
– Classification has four values {U, C, S, TS}
  – U = unclassified
  – C = confidential
  – S = secret
  – TS = top secret
– Classifications are ordered: TS > S > C > U
– The set of categories consists of the data environment and the application area, e.g., Nuclear, Army, Financial, Research
Example: In the USA, a "SECRET" clearance involves checking FBI fingerprint files.
Bell – LaPadula Model
An access class c1 dominates (≥) an access class c2 iff:
– the security level of c1 is greater than or equal to that of c2, and
– the categories of c1 include those of c2.
Bell – LaPadula Model
The Bell–LaPadula model is based on a subject/object paradigm. Subjects are active elements of the system that execute actions. Objects are passive elements of the system that contain information. Subjects act on behalf of users, each of whom has an associated security level (clearance) indicating the degree of trust the system places in them.
Bell – LaPadula Model
Subjects execute access modes on objects. The access modes are:
– Read-only
– Append (writing without reading)
– Execute
– Read-write (writing known data)
Administration of privileges on objects is decentralized (the discretionary part of the model).
Bell – LaPadula Model
The model controls direct and indirect flows of information and prevents leakage to unauthorized subjects. A user can connect to the system with any access class dominated by their clearance.
Two Principles
To protect information confidentiality:
– No read up: a subject is allowed read access to an object only if the access class of the subject dominates the access class of the object.
– No write down: a subject is allowed write access to an object only if the access class of the subject is dominated by the access class of the object.
Noreadup & Nowritedown
– Can a TS subject write to an S object?
– Can an S subject write to a U object?
– How do the rules apply to the Trojan Horse case?
Solution to Trojan Horse
A possible classification reflecting the access restrictions:
– Secret for Vicky and "Market"
– Unclassified for John and "Stolen"
If Vicky connects to the system as secret, the write (to "Stolen") is blocked. If Vicky connects as unclassified, the read (of "Market") is blocked. Is Vicky allowed to write to the unclassified object at all? How?
Applying BLP: An Example
Alice has (Secret, {NUC, EUR}) clearance; David has (Secret, {EUR}) clearance.
– David can talk to Alice ("write up" for David, "read down" for Alice)
– Alice cannot talk to David (that would be "read up" for David or "write down" for Alice)
Alice is a user, and she can log in with a different ID (as a different principal) with reduced clearance:
– Alias1 (Secret, {NUC, EUR})
– Alias2 (Secret, {EUR})
BLP: Problem
If I can write up, what about writing files full of blanks?
– Blind writing up may cause integrity problems, but not a confidentiality breach.
Bell – LaPadula Model
The two main properties of this model for a secure system are:
– the simple security property
– the star (*) property
Simple security means: a subject may have read or write access to an object only if the clearance of the subject dominates the security level of the object.
Bell – LaPadula Model
The star property means: an untrusted subject may
– append if the object's security class dominates the subject's
– write (read-write) if the object's security class equals the subject's
– read if the object's security class is dominated by the subject's
This model guarantees secrecy by preventing unauthorized release of information. It does not protect against unauthorized modification of information.
Key Points
Confidentiality models restrict the flow of information. Bell–LaPadula (BLP) models multilevel security:
– the simple security property says no read up, and
– the star property says no write down
– together they ensure information can only flow up
Cornerstone of much work in computer security
The Biba Model
A model due to Ken Biba, often referred to as "Bell–LaPadula upside down." It deals with integrity alone and ignores confidentiality entirely. The Biba model covers integrity levels, which are analogous to sensitivity levels in Bell–LaPadula. Integrity levels address inappropriate modification of data: the model prevents unauthorized users from making modifications (the first goal of integrity).
The Biba Model
Two properties:
Simple Integrity Property (no read down): a subject may read an object only if the object's integrity level dominates the subject's; a high-integrity subject will not read low-integrity data.
Integrity *-Property (no write up): a subject may write an object only if the subject's integrity level dominates the object's; a low-integrity subject will not write or modify high-integrity data.
"Read up, write down": subjects cannot read objects of lesser integrity, and cannot write to objects of higher integrity.
Each subject and object in the system is assigned an integrity classification, e.g., Crucial > Important > Unknown.
Integrity Level
The integrity level of a user reflects the user's trustworthiness for inserting, modifying, or deleting information. The integrity level of an object reflects both the degree of trust that can be placed in the information stored in the object and the potential damage that could result from unauthorized modification of that information.
Two principles
– No read down: a subject is allowed read access to an object only if the access class of the object dominates the access class of the subject.
– No write up: a subject is allowed write access to an object only if the access class of the object is dominated by the access class of the subject.
Q: How to control both the secrecy and integrity?
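As an added example (not part of the original slides), the following Python implements the access-class lattice defined above (a level plus a set of categories) together with the Bell–LaPadula and Biba rules, and answers the question by requiring both policies to agree. The secrecy levels and the Alice/David clearances are the slides' own; the integrity level names (Crucial, Important, Unknown), the Label type and the analyst/web_input demo labels are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Added example, not from the slides: the access-class lattice (level + categories),
# the Bell-LaPadula secrecy rules, the Biba integrity rules, and their combination.
# Secrecy level names and the Alice/David clearances come from the slides; the
# integrity level names and the demo labels are constructed for illustration.

SECRECY = {"U": 0, "C": 1, "S": 2, "TS": 3}               # TS > S > C > U
INTEGRITY = {"Unknown": 0, "Important": 1, "Crucial": 2}   # Crucial > Important > Unknown


@dataclass(frozen=True)
class AccessClass:
    rank: int                                  # position in the total order of levels
    categories: FrozenSet[str] = frozenset()   # e.g. {"NUC", "EUR"}

    def dominates(self, other: "AccessClass") -> bool:
        """c1 >= c2 iff level(c1) >= level(c2) and categories(c1) include categories(c2)."""
        return self.rank >= other.rank and self.categories >= other.categories


def secrecy(level: str, *categories: str) -> AccessClass:
    return AccessClass(SECRECY[level], frozenset(categories))


def integrity(level: str, *categories: str) -> AccessClass:
    return AccessClass(INTEGRITY[level], frozenset(categories))


# Bell-LaPadula: confidentiality. Information may only flow upward.
def blp_can_read(subject: AccessClass, obj: AccessClass) -> bool:
    """Simple security property, no read up: the subject must dominate the object."""
    return subject.dominates(obj)


def blp_can_write(subject: AccessClass, obj: AccessClass) -> bool:
    """*-property, no write down: the object must dominate the subject."""
    return obj.dominates(subject)


# Biba: integrity. The same rules "upside down", over integrity levels.
def biba_can_read(subject: AccessClass, obj: AccessClass) -> bool:
    """Simple integrity property, no read down: the object's integrity must dominate the subject's."""
    return obj.dominates(subject)


def biba_can_write(subject: AccessClass, obj: AccessClass) -> bool:
    """Integrity *-property, no write up: the subject's integrity must dominate the object's."""
    return subject.dominates(obj)


@dataclass(frozen=True)
class Label:
    """Each subject and object carries both a secrecy class and an integrity class."""
    secrecy: AccessClass
    integrity: AccessClass


def can_read(s: Label, o: Label) -> bool:
    """Controlling both: an access is allowed only if BLP and Biba both allow it."""
    return blp_can_read(s.secrecy, o.secrecy) and biba_can_read(s.integrity, o.integrity)


def can_write(s: Label, o: Label) -> bool:
    return blp_can_write(s.secrecy, o.secrecy) and biba_can_write(s.integrity, o.integrity)


def demo() -> dict:
    """The slides' Alice/David example plus one combined-policy case."""
    alice = secrecy("S", "NUC", "EUR")
    david = secrecy("S", "EUR")
    # A secret, crucial-integrity subject and an unclassified object of unknown integrity:
    # secrecy alone would allow the read, but integrity forbids consuming untrusted data.
    analyst = Label(secrecy("S"), integrity("Crucial"))
    web_input = Label(secrecy("U"), integrity("Unknown"))
    return {
        "alice_reads_david_object": blp_can_read(alice, david),    # read down: allowed
        "david_reads_alice_object": blp_can_read(david, alice),    # read up: denied
        "david_writes_alice_object": blp_can_write(david, alice),  # write up: allowed
        "alice_writes_david_object": blp_can_write(alice, david),  # write down: denied
        "analyst_reads_web_input": can_read(analyst, web_input),   # BLP yes, Biba no: denied
        "analyst_writes_web_input": can_write(analyst, web_input), # BLP write down: denied
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Note that two classes with incomparable category sets (e.g. (S, {NUC}) and (S, {EUR})) dominate each other in neither direction, so under these rules no read or write is possible between them in either direction; that is the lattice doing its job, not a bug.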
Applying Mandatory Policies to Databases
Commercial DBMSs: Oracle, Sybase, and TruData have MLS versions of their DBMS.
Because of Bell–LaPadula restrictions, subjects having different clearances see different versions of a multilevel relation:
– (table) visible to a user at the unclassified level
– (table) visible to a user at the secret level
Polyinstantiation
Request by a low-level subject
– An unclassified subject requests the insertion of a tuple whose apparent key is already used by a tuple classified secret, which the subject cannot see. Refusing the insertion would reveal that the secret tuple exists, so the new tuple is inserted as a second, polyinstantiated tuple at the unclassified level.
– (table) visible to a user at the secret level
– (table) visible to a user at the unclassified level

Polyinstantiation
Request by a high-level subject
– A secret subject requests the insertion of a tuple (…, 200K) whose apparent key is already used by an unclassified tuple. Two options, both rejected:
  – inform the subject of the conflict and refuse the insertion (no)
  – overwrite the existing tuple (no)
Cover Stories
– Non-true data used to hide the existence of the actual value
– Refusing to release a cover story (rejecting or overwriting the low tuple) is itself a cause of information leakage
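The two polyinstantiation cases above, as an added example that is not part of the original slides: a toy multilevel relation SOD(Starship, Objective, Destination) with tuple-level labels, a clearance-filtered view, and an insert that polyinstantiates instead of refusing or overwriting. The level names and the two rows are taken from the slides' table, simplified here (as an assumption) to one label per tuple; the inserted tuples, the outcome strings and the `refusing_insert_would_leak` check are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added example, not from the slides: a toy MLS relation with tuple-level labels.
# The real primary key is (starship, label), which is what makes two tuples with
# the same apparent key (polyinstantiation) possible.

LEVEL = {"U": 0, "C": 1, "S": 2, "TS": 3}   # TS > S > C > U


def dominates(a: str, b: str) -> bool:
    return LEVEL[a] >= LEVEL[b]


@dataclass(frozen=True)
class Row:
    starship: str      # apparent primary key
    objective: str
    destination: str
    label: str         # tuple classification (constructed simplification of the slides' table)


class MLSRelation:
    def __init__(self) -> None:
        self.rows: List[Row] = []

    def view(self, clearance: str) -> List[Tuple[str, str, str, str]]:
        """No read up: a subject sees only the tuples whose label it dominates."""
        return [(r.starship, r.objective, r.destination, r.label)
                for r in self.rows if dominates(clearance, r.label)]

    def insert(self, subject: str, starship: str, objective: str, destination: str) -> str:
        """Insert at the subject's own level; returns what the DBMS decided and why."""
        existing = [r for r in self.rows if r.starship == starship]
        if any(r.label == subject for r in existing):
            return "rejected (duplicate key at the subject's own level)"
        self.rows.append(Row(starship, objective, destination, subject))
        if any(not dominates(subject, r.label) for r in existing):
            # A higher tuple with this key exists, but the subject cannot see it.
            # Refusing would reveal that it exists: one bit leaked downward.
            return "polyinstantiated (low insert beside an invisible higher tuple)"
        if existing:
            # A lower tuple is visible to the subject. Refusing blocks legitimate work;
            # overwriting is a write down that low users would notice. Keep both:
            # the low tuple becomes the cover story for the high one.
            return "polyinstantiated (high insert; low tuple kept as cover story)"
        return "inserted"


def make_slides_relation() -> MLSRelation:
    """The slides' two SOD rows, each given a single tuple-level label (constructed)."""
    rel = MLSRelation()
    rel.rows.append(Row("Enterprise", "Exploration", "Talos", "U"))
    rel.rows.append(Row("Voyager", "Spying", "Mars", "S"))
    return rel


def refusing_insert_would_leak(rel: MLSRelation, subject: str, starship: str) -> bool:
    """The defect polyinstantiation avoids: a DBMS that refuses on *any* key clash
    tells a low subject that a tuple it is not allowed to read exists."""
    return any(r.starship == starship and not dominates(subject, r.label) for r in rel.rows)


if __name__ == "__main__":
    rel = make_slides_relation()
    print("U sees:", rel.view("U"))
    print(rel.insert("U", "Voyager", "Exploration", "Talos"))
    print(rel.insert("S", "Enterprise", "Spying", "Mars"))
    print("U sees:", rel.view("U"))
    print("S sees:", rel.view("S"))
```

After both inserts the unclassified view still shows exactly one Enterprise and one Voyager row, while the secret view shows two of each; the two rows that share an apparent key are distinguished only by their label.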
Challenges
Fine-grained control is not easy
– Aggregation, association
– Blocking inference channels

Covert Channels
A covert channel is an information flow that is not controlled by a security mechanism.
In BLP, you could use the access control mechanism itself to construct a covert channel:
– A low-level subject makes an object "dummy.obj" at its own level.
– Its high-level accomplice either upgrades the security level of dummy.obj to high or leaves it unchanged.
– Later, the low-level subject tries to read dummy.obj. Success or failure of this request discloses the action of the high-level subject.
  • Failure means dummy.obj has been upgraded; success means dummy.obj has not been changed.
  • One bit of information has flowed from high to low.

Covert Channels (cont'd)
Other examples of covert channels:
– Timing channels
– Resource state
– Hidden information in downgraded documents
Commonly used techniques for reducing covert channels:
– Reduce abusable functionality
– High-level processes get the lowest resource allocation priority and can be preempted by low-level processes
– Random delays, clock noise, randomized resource availability
– Auditing the use of known channels
– Polyinstantiation

Multilateral Security
Examples:
– In a consulting company, a person who consults for BankOne should not have access to the data of JPMC Chase.
– An intelligence organization wants to keep the names of agents working in one foreign country secret from the department responsible for spying on another.
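The dummy.obj channel described above, as an added example that is not part of the original slides: a simulation in which a high subject leaks an 8-bit message to a low subject using nothing but operations a BLP reference monitor permits, followed by a monitor whose high-level actions never change what low can observe (the property that polyinstantiation gives an MLS DBMS), which closes the channel. The monitor API, the subject names "low"/"high" and the message bits are assumptions constructed for this example; the object name dummy.obj follows the slides.

```python
from typing import Callable, Dict, List

# Added example, not from the slides: the one-bit covert channel through the access
# control mechanism itself, and a non-interfering variant that closes it.
# Monitor API, subject names and the message are constructed for illustration.

LEVEL = {"low": 0, "high": 1}


class ReferenceMonitor:
    """Objects carry a label; a read is allowed only if the reader dominates the label."""

    def __init__(self) -> None:
        self.labels: Dict[str, str] = {}

    def create(self, subject: str, name: str) -> None:
        self.labels[name] = subject                     # objects are created at the creator's level

    def upgrade(self, subject: str, name: str) -> None:
        """Reclassify an object up to the caller's level; a high subject may do this."""
        if LEVEL[subject] >= LEVEL[self.labels[name]]:
            self.labels[name] = subject

    def can_read(self, subject: str, name: str) -> bool:
        return LEVEL[subject] >= LEVEL[self.labels[name]]   # no read up


class NonInterferingMonitor(ReferenceMonitor):
    """An upgrade by high produces a high-labelled instance and leaves the low object
    untouched (polyinstantiation), so nothing low can observe depends on what high did."""

    def upgrade(self, subject: str, name: str) -> None:
        self.labels[f"{name}@{subject}"] = subject


def covert_transmit(monitor: ReferenceMonitor, bits: List[int]) -> List[int]:
    """High sends `bits` to low, one dummy object per bit, using only permitted operations."""
    received = []
    for i, bit in enumerate(bits):
        name = f"dummy{i}.obj"
        monitor.create("low", name)           # low: make an object at its own level
        if bit:
            monitor.upgrade("high", name)     # high: upgrade it for a 1, leave it for a 0
        # low: try to read it back. Failure => upgraded => 1; success => unchanged => 0.
        received.append(0 if monitor.can_read("low", name) else 1)
    return received


MESSAGE = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed 8-bit message high wants to leak


def channel_is_open(make_monitor: Callable[[], ReferenceMonitor]) -> bool:
    """A channel exists iff low recovers whatever high sends. Testing both a message and
    its complement rules out a monitor that merely yields the same reading every time."""
    inverse = [1 - b for b in MESSAGE]
    return (covert_transmit(make_monitor(), MESSAGE) == MESSAGE
            and covert_transmit(make_monitor(), inverse) == inverse)


if __name__ == "__main__":
    print("BLP monitor, low receives:", covert_transmit(ReferenceMonitor(), MESSAGE))
    print("non-interfering monitor:  ", covert_transmit(NonInterferingMonitor(), MESSAGE))
```

Every individual operation in `covert_transmit` is legal under no-read-up/no-write-down; the leak lives in the success/failure of the read, which is why the slides list auditing known channels and polyinstantiation among the mitigations rather than tightening the read/write rules.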
Multilateral Security
Also known as compartmentation. Instead of the information flow-control boundaries being horizontal, as in the MLS model, we need the boundaries to be mostly vertical.
Examples of multilateral security models:
– The Chinese Wall Model
– The BMA Model (British Medical Association)

Chinese Wall Model
Problem:
– Tony advises American Bank about investments
– He is asked to advise Toyland Bank about investments
– It is a conflict of interest to accept, because his advice for either bank would affect his advice to the other bank

Organization
– Organize entities into "conflict of interest" classes
– Control subject accesses to each class
– Control writing to all classes to ensure information is not passed along in violation of the rules
– Allow sanitized data to be viewed by everyone

The Chinese Wall Model
Proposed by Brewer and Nash to model access rules in a consultancy business where analysts have to make sure that no conflicts of interest arise when they are dealing with different clients.
Informally, conflicts arise because clients are direct competitors in the same market or because of the ownership of companies. Analysts have to adhere to the following security policy:
– Rule: there must be no information flow that causes a conflict of interest.

The Chinese Wall Model
Conflict of Interest (CoI) classes indicate which companies are in competition.
Consider a consulting business: a consultant is authorized to work for any client, but some clients have secrecy and integrity requirements relative to other clients
– e.g., Coca-Cola and Pepsi
The Chinese Wall model enables definition of such scenarios:
– Only allow subjects to read data from one of the conflicting parties
– Writing must be controlled too

Definitions
Objects: items of information related to a company
Company dataset (CD): contains objects related to a single company
– Written CD(O)
Conflict of interest class (COI): contains the datasets of companies in competition
– Written COI(O)
– Assume: each object belongs to exactly one COI class

Example
Bank COI Class: Bank of America, Citibank, Bank of the West
Gasoline Company COI Class: Shell Oil, Standard Oil, ARCO, Union '76

The Chinese Wall Model
Read Rule: a subject S can read an object O if:
– O is in the same dataset as an object already accessed by S, or
– O belongs to a CoI class from which S has not yet accessed any information.
Write Rule: a subject S can write an object O if:
– S can read O according to the Read Rule, and
– no object in a different company dataset (i.e., not O's company dataset) can be read by S.

The Chinese Wall Model
In the write rule, the flow of information is confined to its own company dataset. Without this rule, a person who can access both A and B could read the information from A and write it to B; this way, another person who can access B could also access the information in A indirectly. If this second person can also access C, which is in the same CoI class as A, we have a violation.
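The read and write rules above, as an added example that is not part of the original slides: a Python implementation of the Brewer–Nash Chinese Wall over the two conflict-of-interest classes from the Example slide, with a per-subject read history PR(S). It also treats sanitized objects as exempt from both rules, as the Chinese Wall model does. The object names, the "Anthony"/"Susan" scenario steps and the `obj` helper are assumptions constructed for this example; for the write rule, "can read" outside O's dataset is evaluated against the objects the subject has actually read, the usual practical reading of the rule.

```python
from dataclasses import dataclass
from typing import Dict, Set

# Added example, not from the slides: Brewer-Nash read/write rules with a read
# history PR(S) per subject. Company names and COI classes are the slides' example;
# object names and the scenario are constructed.


@dataclass(frozen=True)
class Obj:
    name: str
    cd: str                  # company dataset CD(O)
    coi: str                 # conflict-of-interest class COI(O); exactly one per object
    sanitized: bool = False  # public information, no conflict can arise from it


BANK, GAS = "Bank", "Gasoline Company"
COMPANIES = {
    "Bank of America": BANK, "Citibank": BANK, "Bank of the West": BANK,
    "Shell Oil": GAS, "Standard Oil": GAS, "ARCO": GAS, "Union '76": GAS,
}


def obj(name: str, company: str, sanitized: bool = False) -> Obj:
    """Build an object in a company's dataset; its COI class follows from the company."""
    return Obj(name, company, COMPANIES[company], sanitized)


class ChineseWall:
    def __init__(self) -> None:
        self.pr: Dict[str, Set[Obj]] = {}      # PR(S): unsanitized objects S has read

    def can_read(self, s: str, o: Obj) -> bool:
        """CW-simple security: within the wall, or an untouched COI class, or sanitized."""
        if o.sanitized:
            return True
        history = self.pr.get(s, set())
        if any(p.cd == o.cd for p in history):            # same company dataset
            return True
        return not any(p.coi == o.coi for p in history)   # no earlier access in this COI class

    def read(self, s: str, o: Obj) -> bool:
        """Perform the read; a successful unsanitized read raises the wall around CD(O)."""
        if not self.can_read(s, o):
            return False
        if not o.sanitized:
            self.pr.setdefault(s, set()).add(o)
        return True

    def can_write(self, s: str, o: Obj) -> bool:
        """CW-*-property: S can read O, and every unsanitized object S has read lies in CD(O);
        otherwise S could carry information from another dataset into CD(O)."""
        return self.can_read(s, o) and all(p.cd == o.cd for p in self.pr.get(s, set()))


def writing_scenario() -> Dict[str, bool]:
    """The slides' Anthony/Susan case: both consult for a gas company, Anthony also for a bank."""
    cw = ChineseWall()
    bank1 = obj("boa_portfolio", "Bank of America")
    bank2 = obj("citi_portfolio", "Citibank")
    gas = obj("shell_forecast", "Shell Oil")
    cw.read("Anthony", bank1)
    cw.read("Anthony", gas)
    cw.read("Susan", bank2)
    cw.read("Susan", gas)
    return {
        "anthony_writes_gas": cw.can_write("Anthony", gas),   # denied: he has read Bank of America
        "susan_reads_gas": cw.can_read("Susan", gas),         # allowed: a write by Anthony would reach her
        "susan_reads_bank1": cw.can_read("Susan", bank1),     # denied: she already holds Citibank
    }


if __name__ == "__main__":
    for k, v in writing_scenario().items():
        print(f"{k}: {'allowed' if v else 'denied'}")
```

Once Anthony has read from two different datasets he can write nowhere, which is the slides' conclusion that a writer can only access objects in one dataset; sanitized reads never enter PR(S), so they neither raise a wall nor block later writes.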
The Chinese Wall Model
The access restriction for both read and write can be lifted for sanitized information.

Temporal Element
If a subject S reads an object O belonging to dataset CD(O), she can never read another object O' where CD(O') is a member of COI(O) and CD(O') is not equal to CD(O).
– Objects can be sanitized

CW-Simple Security Condition
Let PR(S) be the set of objects that a subject S has already read. S can read O iff:
1. S has read something in O's dataset, i.e., O is in the same company dataset as the objects already accessed by S ("within the Wall"), or
2. S has not read any object in O's conflict of interest class, i.e., what S has read belongs to an entirely different conflict of interest class.
This ignores sanitized data (see below).
Example: if Anthony reads any CD in the Bank COI class (Bank of America, Citibank, Bank of the West), he can never read another CD in that COI.
– It is possible that information learned earlier may allow him to make decisions later.

What about control of writing? Suppose CD1 and CD2 have a conflict of interest.
– What if one user can read from CD3 and CD1 …
– and another can read from CD3 and CD2?
Now suppose either user can write to CD3.
– What happens?
Thus, a writer can only access objects in one dataset.

Sanitization
Public information may belong to a CD
– As it is publicly available, no conflicts of interest arise
– So it should not affect the ability of analysts to read
– Typically, all sensitive data is removed from such information before it is released publicly (called sanitization)
Add a third condition to the CW-Simple Security Condition:
3. O is a sanitized object

Writing
Anthony and Susan work in the same trading house
– Anthony can read Bank 1's CD and Gas' CD
– Susan can read Bank 2's CD and Gas' CD
If Anthony could write to Gas' CD, Susan could read it
– Hence, indirectly, she could read information from Bank 1's CD, a clear conflict of interest

CW-*-Property
Write access is only permitted if
– access is permitted by the CW-simple security rule, and
– for all unsanitized objects O', if S can read O', then CD(O') = CD(O)
That is, S can write to an object only if all the (unsanitized) objects he/she can read are in the same dataset.

Multilevel DBMSs Architecture
• Trusted subject: the DBMS itself must be trusted to enforce the mandatory policy.
• Trusted Computing Base: data are partitioned into different databases, one for each level.

Reference
Sushil Jajodia and Ravi S. Sandhu, "Toward a Multilevel Secure Relational Model", essay 20.

Discussion (15 min)
Customer order scenario from page 161 in the textbook
– Identify the subjects, actions, objects
– Design the MAC

Lab 3 (Feb. 21)
Install Oracle Label Security & Using Oracle Label Security
– http://apex.oracle.com/pls/apex/f?p=44785:24:3634991866798098::NO:24:P24_CONTENT_ID,P24_PREV_PAGE:4509,2
– http://apex.oracle.com/pls/apex/f?p=44785:24:3634991866798098::NO:24:P24_CONTENT_ID,P24_PREV_PAGE:4548,2