Data and Applications Security Developments and Directions

Outline (slide titles)
- What is an MLS/DBMS?
- Why MLS/DBMS?
- Summary of Developments
- Air Force Summer Study
- Outcome of the Air Force Summer Study
- TDI
- Taxonomy for MLS/DBMSs
- Integrity Lock
- Operating System Providing Mandatory Access Control
- Extended Kernel
- Trusted Subject
- Distributed Approach - I
- Distributed Approach - II
- Overview of MLS/DBMS Designs
- Overview of MLS/DBMS Designs (Concluded)
- Some MLS/DBMS Commercial Products Developed (late 1980s, early 1990s)
- Some Challenges: Inference Problem
- Some Challenges: Polyinstantiation
- Some Challenges: Covert Channel
- Multilevel Secure Data Model: Classifying Databases
- Multilevel Secure Data Model: Classifying Relations
- Multilevel Secure Data Model: Classifying Attributes/Columns
- Multilevel Secure Data Model: Classifying Tuples/Rows
- Multilevel Secure Data Model: Classifying Elements
- Multilevel Secure Data Model: Classifying Views
- Multilevel Secure Data Model: Classifying Metadata
- MLS/DBMS Functions: Overview
- MLS/DBMS Functions: Secure Query Processing
- MLS/DBMS Functions: Secure Transaction Management
- MLS/DBMS Functions: Secure Integrity Management
- Status and Directions

Data and Applications Security Developments and Directions
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
Multilevel Secure Data Management
September 10, 2010

Outline
- What is an MLS/DBMS?
- Summary of Developments
- Challenges
- MLS/DBMS Designs and Prototypes
- Data Models and Functions
- Directions

What is an MLS/DBMS?
- Users are cleared at different security levels
- Data in the database is assigned different sensitivity levels: a multilevel database
- Users share the multilevel database
- The MLS/DBMS is the software that ensures that users obtain only information at or below their level
- In general, a user reads at or below his level and writes at his level

Why MLS/DBMS?
- Operating systems control access to files, a coarser grain of granularity
- A database stores relationships between data
- Content-based, context-based, and dynamic access control
- Traditional operating system access control to files is not sufficient
- Need multilevel access control for DBMSs

Summary of Developments
- Early efforts 1975 - 1982; example: the Hinke-Schaefer approach
- Air Force Summer Study, 1982
- Research prototypes (Integrity Lock, SeaView, LDV, etc.); 1984 - present
- Trusted Database Interpretation; published 1991
- Commercial products; 1988 - present

Air Force Summer Study
- The Air Force convened a summer study to investigate MLS/DBMS designs
- The study was divided into three groups focusing on different aspects
- Group 1 investigated the Integrity Lock approach, the Trusted Subject approach and the Distributed approach
- Group 2 investigated security for military messaging systems
- Group 3 focused on longer-term issues such as inference and aggregation

Outcome of the Air Force Summer Study
- Report published in 1983
- MITRE designed and developed systems based on the Integrity Lock and Trusted Subject architectures, 1984 - 1986
- Rome Air Development Center (RADC, now Air Force Research Lab) funded efforts to examine long-term approaches; example: SeaView and LDV, both intended to be A1 systems
- RADC also funded efforts to examine the distributed approach
- Several prototypes and products followed

TDI
- The Trusted Database Interpretation is the interpretation of the Trusted Computer System Evaluation Criteria used to evaluate commercial products
- Classes C1, C2, B1, B2, B3, A1 and beyond
- TCB (Trusted Computing Base) subsetting for MAC, DAC, etc. (mandatory access control, discretionary access control)
- Companion documents for inference and aggregation, auditing, etc.

Taxonomy for MLS/DBMSs
- Integrity Lock architecture: trusted filter, untrusted back-end, untrusted front-end. A checksum is computed by the filter from the data content and its security level, and is recomputed when the data is retrieved.
- Operating system providing access control / single kernel: multilevel data is partitioned into single-level files, and the operating system controls access to the files
- Extended kernel: kernel extensions for functions such as inference and aggregation and constraint processing
- Trusted subject: the DBMS provides access control to its own data, such as relations, tuples and attributes
- Distributed: data is partitioned according to security levels. In the partitioned approach, data is not replicated and there is one DBMS per level.
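A worked illustration of the "reads at or below his level, writes at his level" rule from the "What is an MLS/DBMS?" slide on a relation classified at the tuple level. This is an added example, not code from the slides or from any of the prototypes named; the sqlite3 in-memory table, the level names and the sample rows are constructed. It goes beyond the slides in one respect: an insert by a lower-cleared user of a key that already exists at a higher level is accepted as a second, polyinstantiated tuple (the SeaView approach) rather than rejected, so that the rejection itself cannot reveal that the higher tuple exists.

```python
import sqlite3

# Linear ordering of sensitivity levels used by this example (constructed).
LEVELS = {"Unclassified": 0, "Secret": 1, "TopSecret": 2}


def open_multilevel_db():
    """Create an in-memory relation EMP classified at the tuple level.

    The key (name, level) permits one tuple per entity per level, which is
    what polyinstantiation needs. The three sample rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE emp (name TEXT, salary INTEGER, level TEXT,"
               " PRIMARY KEY (name, level))")
    db.executemany("INSERT INTO emp VALUES (?, ?, ?)", [
        ("alice", 50000, "Unclassified"),
        ("bob", 70000, "Secret"),
        ("carol", 90000, "TopSecret"),
    ])
    return db


def read_down(db, clearance):
    """Read rule: a subject sees only tuples labelled at or below its clearance."""
    visible = [lv for lv, rank in LEVELS.items() if rank <= LEVELS[clearance]]
    marks = ", ".join("?" for _ in visible)
    cur = db.execute("SELECT name, salary, level FROM emp WHERE level IN"
                     f" ({marks}) ORDER BY name, level", visible)
    return cur.fetchall()


def write_at_level(db, clearance, name, salary):
    """Write rule: the tuple is labelled with the writer's own level.

    If `name` already exists at a higher level the insert must still
    succeed: rejecting it would tell the lower-cleared writer that a
    higher tuple exists (a signalling channel). The result is two tuples
    with the same name at different levels, i.e. polyinstantiation.
    A tuple that already exists at the writer's own level is replaced."""
    if clearance not in LEVELS:
        raise ValueError(f"unknown level {clearance!r}")
    db.execute("INSERT OR REPLACE INTO emp VALUES (?, ?, ?)",
               (name, salary, clearance))
    db.commit()
    return read_down(db, clearance)  # what the writer itself can now see
```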
  In the replicated approach, lower-level data is replicated at the higher-level databases.

Integrity Lock
[Figure: Integrity Lock architecture. Components: Database; Trusted Agent to compute checksums; Sensor; Untrusted Data Manager. Store path: compute a checksum from the stream data value and its security level; store the data value, security level and checksum. Retrieve path: compute a checksum from the data value and security level retrieved from the stored database.]

Operating System Providing Mandatory Access Control
[Figure: Unclassified device, Secret device, Top Secret device; Multilevel Data Manager; Unclassified Data, Secret Data, Top Secret Data.]

Extended Kernel
[Figure: Multilevel Data; Kernel Extensions to enforce additional security policies on data, e.g., security constraints, privacy constraints, etc.; Multilevel Data Manager.]

Trusted Subject
[Figure: Unclassified device, Secret device, Top Secret device; Multilevel Data Manager with a Trusted Component; Multilevel Data.]

Distributed Approach - I
[Figure: Unclassified Data Manager, Secret Data Manager and Top Secret Data Manager, each over its own Unclassified Data, Secret Data or Top Secret Data; Trusted Agent to manage aggregated data.]

Distributed Approach - II
[Figure: Unclassified Data Manager over Unclassified Data; Secret Data Manager over Secret + Unclassified Data; Top Secret Data Manager over Top Secret + Secret + Unclassified Data; Trusted Agent to manage aggregated data.]

Overview of MLS/DBMS Designs
- Hinke-Schaefer (SDC Corporation): introduced the operating-system-provided mandatory access control approach
- Integrity Lock prototypes: two prototypes developed at MITRE using the Ingres and Mistress relational database systems
- SeaView: funded by Rome Air Development Center (RADC, now Air Force Rome Laboratory); used the operating-system-provided mandatory access control approach and introduced polyinstantiation
- Lock Data Views (LDV): extended kernel approach developed by Honeywell and funded by RADC; investigated inference and aggregation

Overview of MLS/DBMS Designs (Concluded)
- ASD, ASD-Views: developed by TRW based on the Trusted Subject approach.
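The Integrity Lock store and retrieve paths from the figure above, as an added example that is not the MITRE prototypes' code: the trusted filter's checksum is modelled as an HMAC under a key that only the filter holds, so the untrusted back-end cannot alter a stored value or relabel it to a lower level without the recomputed checksum failing. `FILTER_KEY`, `LEVELS` and the sample record are constructed.

```python
import hmac
import hashlib

# Key held only by the trusted filter; the untrusted back-end never sees it.
# Constructed for this example; a real filter would keep it inside the TCB.
FILTER_KEY = b"trusted-filter-key-example"

# Linear ordering of sensitivity levels (constructed).
LEVELS = {"Unclassified": 0, "Secret": 1, "TopSecret": 2}


def _checksum(value: bytes, level: str) -> bytes:
    # Length-prefix the value so a (value, level) pair cannot be re-split
    # into a different pair that yields the same checksum input.
    msg = len(value).to_bytes(4, "big") + value + level.encode()
    return hmac.new(FILTER_KEY, msg, hashlib.sha256).digest()


def filter_store(value: bytes, level: str) -> dict:
    """Trusted filter, store path: bind value and label with a checksum and
    hand the triple to the untrusted back-end for storage."""
    return {"value": value, "level": level, "checksum": _checksum(value, level)}


def filter_retrieve(record: dict, clearance: str):
    """Trusted filter, retrieve path: recompute the checksum over what the
    back-end returned; release the value only if the binding is intact and
    the stored level is at or below the requester's clearance."""
    expected = _checksum(record["value"], record["level"])
    if not hmac.compare_digest(expected, record["checksum"]):
        return None  # back-end altered the value or the label
    if LEVELS[record["level"]] > LEVELS[clearance]:
        return None  # read-down rule: label dominates the clearance
    return record["value"]


def demo():
    # The back-end is modelled as a plain dict; it sees the cleartext value,
    # which is why the lock protects the label binding, not confidentiality.
    backend = {"r1": filter_store(b"salary=70000", "Secret")}
    ok = filter_retrieve(backend["r1"], "Secret")
    denied = filter_retrieve(backend["r1"], "Unclassified")
    # Untrusted back-end relabels the record downward before returning it.
    relabelled = dict(backend["r1"], level="Unclassified")
    caught = filter_retrieve(relabelled, "Unclassified")
    return ok, denied, caught
```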
  ASD-Views provided access control on views
- SDDBMS: effort by Unisys funded by RADC; investigated the distributed approach
- SINTRA: