Title: Main Types of security:
Database Security and Authorization
By Yazmin Escoto Rodriguez and Christine Tannuwidjaja
Main Types of Security
- Enforce security of portions of a database against unauthorized access
  - Database Security and Authorization Subsystem
- Prevent unauthorized persons from accessing the system itself
  - Access Control
- Control the access to statistical databases
  - Statistical Database Security
- Protect sensitive data that is being transmitted via some type of communications
  - Data Encryption
Database Security and Authorization Subsystem
- Discretionary Security Mechanisms
  - concerned with defining, modeling, and enforcing access to information
- Mandatory Security Mechanisms for Multilevel Security
  - require that data items and users are assigned to certain security labels
Mandatory Access Control
- Elements
  - Objects: classifications, written class(o)
  - Subjects: clearances, written clear(s)
  - Levels: Top Secret (TS), Secret (S), Confidential (Co), Unclassified (U)
Mandatory Access Control
- Rules (levels ordered U < Co < S < TS)
  - Simple security property: subject s is allowed to read data item d if clear(s) ≥ class(d)
  - *-property: subject s is allowed to write data item d if clear(s) ≤ class(d)
- The simple security property protects information from unauthorized access (no read up)
- The *-property protects data from contamination or unauthorized modification (no write down)
Multilevel Security Databases: example
- Set up: we have
  - subject x with clear(x) = TS
  - subject y with clear(y) = S
  - subject z with clear(z) = U
- Relation Project; every attribute value carries its own classification, and TC is the tuple classification (the highest classification among the tuple's attributes):

  Name          Topic                     Location           TC
  Black, TS     Databases, TS             Los Angeles, TS    TS
  Silver, S     Supply Chain, S           New York, S        S
  Gold, U       Inventories, S            Atlanta, S         S
  Indigo, U     Telecommunication, U      Austin, U          U
Multilevel Security Databases: example (view of subject y)
- What subject x (clear(x) = TS) sees: the full relation Project

  Name          Topic                     Location           TC
  Black, TS     Databases, TS             Los Angeles, TS    TS
  Silver, S     Supply Chain, S           New York, S        S
  Gold, U       Inventories, S            Atlanta, S         S
  Indigo, U     Telecommunication, U      Austin, U          U

- What subject y (clear(y) = S) sees: the Black tuple is filtered out because its key is classified TS

  Name          Topic                     Location           TC
  Silver, S     Supply Chain, S           New York, S        S
  Gold, U       Inventories, S            Atlanta, S         S
  Indigo, U     Telecommunication, U      Austin, U          U
Multilevel Security Databases: example (view of subject z)
- The full relation Project

  Name          Topic                     Location           TC
  Black, TS     Databases, TS             Los Angeles, TS    TS
  Silver, S     Supply Chain, S           New York, S        S
  Gold, U       Inventories, S            Atlanta, S         S
  Indigo, U     Telecommunication, U      Austin, U          U

- What subject z (clear(z) = U) sees: the Black and Silver tuples are filtered out, and in the Gold tuple the Topic and Location values (classified S) appear as nulls

  Name          Topic                     Location           TC
  Gold, U       -, U                      -, U               U
  Indigo, U     Telecommunication, U      Austin, U          U
Multilevel Security Databases: example (insert)
- Subject z wants to insert the tuple <Silver, LP, Omaha>
- Subject z cannot see the existing Silver tuple (classified S), and rejecting the insert would reveal that it exists, so the insert is accepted at level U:

  Name          Topic                     Location           TC
  Black, TS     Databases, TS             Los Angeles, TS    TS
  Silver, S     Supply Chain, S           New York, S        S
  Gold, U       Inventories, S            Atlanta, S         S
  Indigo, U     Telecommunication, U      Austin, U          U
  Silver, U     Linear Programming, U     Omaha, U           U

- Polyinstantiation: the existence of multiple data objects with the same key (here two Silver tuples, distinguished by their classification)
Multilevel Security Databases: example (update)
- Subject z's view of the relation

  Name          Topic                     Location           TC
  Gold, U       -, U                      -, U               U
  Indigo, U     Telecommunication, U      Austin, U          U

- Subject z wants to replace the null values of the Gold tuple with certain data items: <Markov Chain, New Jersey>
- The S-classified values of the Gold tuple can neither be seen nor overwritten by a U subject, so the update produces a second Gold tuple at level U (polyinstantiation again):

  Name          Topic                     Location           TC
  Black, TS     Databases, TS             Los Angeles, TS    TS
  Silver, S     Supply Chain, S           New York, S        S
  Gold, U       Inventories, S            Atlanta, S         S
  Indigo, U     Telecommunication, U      Austin, U          U
  Gold, U       Markov Chain, U           New Jersey, U      U
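The rules and the worked example above carried through in code, as an added example that is not part of the original slides: the level lattice with the simple security property and the *-property, the relation Project with one classification per attribute value, the views of subjects x, y and z, and the insert and the update by z that polyinstantiate the keys Silver and Gold. The names (MLTuple, view, insert, update_nulls, polyinstantiated) are mine; classifying a masked null at the level of the key follows the U shown in z's view above.

```python
"""Bell-LaPadula checks and a multilevel relation with polyinstantiation.

Added example; not code from the slides. The lattice U < Co < S < TS (Co
abbreviates Confidential), the relation PROJECT and the subjects x, y, z
follow the slides' worked example; function names and the dataclass are mine.
"""
from dataclasses import dataclass

LEVELS = ["U", "Co", "S", "TS"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
ATTRS = ["Name", "Topic", "Location"]   # Name is the (apparent) key


def can_read(clear_s, class_d):
    """Simple security property: read only if clear(s) >= class(d)."""
    return RANK[clear_s] >= RANK[class_d]


def can_write(clear_s, class_d):
    """*-property: write only if clear(s) <= class(d), i.e. no write down."""
    return RANK[clear_s] <= RANK[class_d]


@dataclass
class MLTuple:
    values: dict   # attribute -> value, None for a null
    classes: dict  # attribute -> classification of that value

    @property
    def tc(self):
        """Tuple classification: the highest attribute classification."""
        return max(self.classes.values(), key=RANK.__getitem__)


def mk(name, cn, topic, ct, loc, cl):
    return MLTuple({"Name": name, "Topic": topic, "Location": loc},
                   {"Name": cn, "Topic": ct, "Location": cl})


PROJECT = [  # the relation from the slides
    mk("Black", "TS", "Databases", "TS", "Los Angeles", "TS"),
    mk("Silver", "S", "Supply Chain", "S", "New York", "S"),
    mk("Gold", "U", "Inventories", "S", "Atlanta", "S"),
    mk("Indigo", "U", "Telecommunication", "U", "Austin", "U"),
]


def view(relation, clearance):
    """What a subject with `clearance` sees: tuples whose key it may read,
    with every attribute it may not read replaced by a null. The slides show
    such nulls classified at the level of the key, which is done here too."""
    out = []
    for t in relation:
        key_class = t.classes["Name"]
        if not can_read(clearance, key_class):
            continue
        vals, cls = {}, {}
        for a in ATTRS:
            if can_read(clearance, t.classes[a]):
                vals[a], cls[a] = t.values[a], t.classes[a]
            else:
                vals[a], cls[a] = None, key_class
        out.append(MLTuple(vals, cls))
    return out


def insert(relation, clearance, name, topic, location, level=None):
    """INSERT by a subject at `clearance`, classifying the new tuple at `level`
    (default: the subject's own level); the *-property forbids writing below
    the clearance. If a tuple with the same key exists only at a level the
    subject cannot read, refusing the insert would leak its existence, so the
    new tuple is stored alongside it: polyinstantiation."""
    level = level or clearance
    if not can_write(clearance, level):
        raise PermissionError("*-property: no write down")
    for t in relation:
        if t.values["Name"] == name and t.classes["Name"] == level:
            raise ValueError(f"{name} already exists at level {level}")
    new = MLTuple({"Name": name, "Topic": topic, "Location": location},
                  {a: level for a in ATTRS})
    return relation + [new]


def update_nulls(relation, clearance, name, **new_values):
    """UPDATE of null attributes by a low subject. The nulls hide higher
    classified values the subject may neither see nor overwrite, so the update
    yields a second tuple with the same key at the subject's level."""
    visible = [t for t in view(relation, clearance) if t.values["Name"] == name]
    if not visible:
        raise KeyError(name)
    low = visible[0]
    vals, cls = dict(low.values), dict(low.classes)
    for a, v in new_values.items():
        if low.values[a] is not None:
            raise ValueError(f"{a} is not null in the subject's view")
        vals[a], cls[a] = v, clearance
    return relation + [MLTuple(vals, cls)]


def polyinstantiated(relation, name):
    """All stored tuples sharing key `name`; more than one means polyinstantiation."""
    return [t for t in relation if t.values["Name"] == name]
```

Note that `view` also shows a high subject both polyinstantiated tuples: after z's insert, y (clearance S) sees Silver at S and Silver at U, which is how a high user notices that a low cover story exists.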
Security Relevant Knowledge
- Data Flow Diagram: represents the functions the system should perform
- Entity Relationship (ER) diagram: describes the structural part of the database
- Classification Constraints
  - assign security classifications to the concepts of the schemas
  - two kinds: ones that classify items (object classification constraints) and ones that classify query results (query result classification constraints)
System Object
- In security it is the target of protection
- What is it? An entity type, a specialization type, or a relationship type
- Notation: O(A1, ..., An), where each Ai (i = 1..n) is an attribute defined over domain Di
- Has an identity property (key attributes) K ⊆ {A1, ..., An}
Multilevel Secure Application
- MAJOR QUESTION: Which way should the attributes and occurrences of O be assigned to proper security classifications?
- Classification: security object O → multilevel security object Om (the result)
- Performed by means of security constraints
Graphical Extensions to the ER
[Legend for the annotated ER diagrams that follow; the graphical symbols themselves are not reproduced]
- Secrecy levels: (U), (Co), (S), (TS)
- Ranges of secrecy levels: U..S, Co..TS
- Aggregation leading to TS: marker N (a constant)
- Inference leading to Co: marker X
- Evaluation of predicate P: marker P
- Security dependency
ER Diagram
[Figure not reproduced. Labels: entity Employee (SSN, Name, Dep, Salary); relationship Is Assigned to (SSN, Title, Function, Date) with cardinalities (0,N) and (0,M); entity Project (Title, Subject, Client).]
Object Classification Constraints: Simple Constraints
- Let X be a set of attributes of security object O (X ⊆ {A1, ..., An})
- SiC(O(X)) = C, (C ∈ SL)
- Results in a multilevel object Om(A1, C1, ..., An, Cn, TC) where Ci = C ∀ Ai ∈ X, Ci left unchanged for Ai ∉ X
- Application to ER
  - SiC(Is Assigned to, {Function}) = S
  - assigns property Function of relationship Is Assigned to a classification of secret
ER Diagram classifying properties of security objects
[Figure not reproduced: the ER diagram above (same entities, relationship and attributes), annotated with the secrecy level assigned to Function by the simple constraint.]
Object Classification Constraints: Content-based Constraints
- Let Ai be an attribute of security object O with domain Di, let P be a predicate defined on Ai and let X ⊆ {A1, ..., An}
- CbC(O(X), P: Ai θ a) = C or CbC(O(X), P: Ai θ Aj) = C (θ ∈ {=, ≠, <, >, ≤, ≥}, a ∈ Di, i ≠ j, C ∈ SL)
- For any instance o of security object O(A1, ..., An) for which the predicate evaluates to true, the transformation into o(a1, c1, ..., an, cn, tc) is performed
- Classifications are assigned in a way that ci = C in the case Ai ∈ X, ci left unchanged otherwise
- Application to ER
  - CbC(Employee, {SSN, Name}, Salary θ 100) = Co
  - represents the semantic that properties SSN and Name of employees whose Salary satisfies the predicate against the threshold 100 are treated as confidential information
ER Diagram classifying properties of security objects
[Figure not reproduced: the ER diagram above annotated with a predicate marker P for the content-based constraint.]
Object Classification Constraints: Complex Constraints
- Let O, O' be two security objects such that the existence of an instance o of O depends on the existence of a corresponding occurrence o' of O', where the k values of the identifying property K' of o' are identical to k values of attributes of o (foreign key)
- Let P(O') be a valid predicate defined on o' and let X ⊆ {A1, ..., An} be an attribute set of O
- CoC(O(X), P(O')) = C (C ∈ SL)
- For every instance o of security object O(A1, ..., An) for which the predicate evaluates to true in the related object o' of O', the transformation into o(a1, c1, ..., an, cn, tc) is performed
- Classifications are assigned in a way that ci = C in the case Ai ∈ X, ci left unchanged otherwise
Object Classification Constraints: Complex Constraints (cont.)
- Application to ER
  - CoC(Is Assigned to, {SSN}, Project.Subject = 'Research') = S
  - individual assignment data (SSN) is regarded as secret information in the case the assignment refers to a project with Subject = Research
ER Diagram classifying properties of security objects
[Figure not reproduced: the ER diagram above annotated with predicate markers P for the content-based and the complex constraint.]
Object Classification Constraints: Level-based Constraints
- Let level(Ai) be a function that returns the classification ci of the value of attribute Ai in object o(a1, c1, ..., an, cn, tc) of a multilevel security object Om
- Let X be a set of attributes of Om such that X ⊆ {A1, ..., An}
- LbC(O(X)) = level(Ai)
- Results, for every object o(a1, c1, ..., an, cn, tc), in the assignment cj = ci in the case Aj ∈ X
- Application to ER
  - LbC(Project, {Client}) = level(Subject)
  - states that property Client of security object Project must always have the same classification as the property Subject of the Project
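The four object classification constraint types above (simple, content-based, complex, level-based) implemented as functions that turn instances of Employee, Project and Is Assigned to into multilevel instances o(a1, c1, ..., an, cn, tc). This is an added example, not code from the slides. The sample instances are constructed; the constraint instances are the slides' own, with two assumptions: the comparison operator of the content-based example did not survive extraction, so ≥ is used, and one extra content-based constraint on Project.Subject (my own) is applied first so that the level-based example has a classification to propagate.

```python
"""Object classification constraints applied to the ER example.

Added example, not code from the slides. Sample instances are constructed.
Assumptions: ">=" for the lost operator of the CbC example on Employee, and
an additional CbC on Project.Subject (not on the slides) so that LbC has a
non-U level to copy. Every attribute starts at U before constraints apply.
"""
from operator import eq, ne, lt, gt, le, ge

LEVELS = ["U", "Co", "S", "TS"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
THETA = {"=": eq, "!=": ne, "<": lt, ">": gt, "<=": le, ">=": ge}

# constructed sample instances of the three security objects
EMPLOYEE = [{"SSN": "111", "Name": "Ann", "Dep": "R&D", "Salary": 120},
            {"SSN": "222", "Name": "Bob", "Dep": "Sales", "Salary": 80}]
PROJECT = [{"Title": "Black", "Subject": "Research", "Client": "Acme"},
           {"Title": "Indigo", "Subject": "Telecommunication", "Client": "TelCo"}]
IS_ASSIGNED_TO = [{"SSN": "111", "Title": "Black", "Function": "lead", "Date": "2024-01-01"},
                  {"SSN": "222", "Title": "Indigo", "Function": "member", "Date": "2024-02-01"}]


def to_multilevel(instances):
    """o(a1, ..., an) -> o(a1, c1, ..., an, cn) with every ci = U initially."""
    return [{"a": dict(o), "c": {k: "U" for k in o}} for o in instances]


def tc(m):
    """Tuple classification: least upper bound of the attribute classifications."""
    return max(m["c"].values(), key=RANK.__getitem__)


def sic(ml, X, C):
    """SiC(O(X)) = C: ci = C for every Ai in X, unchanged otherwise."""
    for m in ml:
        for a in X:
            m["c"][a] = C


def cbc(ml, X, Ai, theta, C, const=None, Aj=None):
    """CbC(O(X), P: Ai θ a) = C, or CbC(O(X), P: Ai θ Aj) = C when Aj is given."""
    for m in ml:
        rhs = m["a"][Aj] if Aj is not None else const
        if THETA[theta](m["a"][Ai], rhs):
            for a in X:
                m["c"][a] = C


def coc(ml, X, related, fk, pred, C):
    """CoC(O(X), P(O')) = C. `fk` maps attributes of O to the identifying
    attributes of O' (the foreign key); `pred` is evaluated on the related o'."""
    for m in ml:
        for r in related:
            if all(r["a"][k2] == m["a"][k1] for k1, k2 in fk.items()) and pred(r["a"]):
                for a in X:
                    m["c"][a] = C
                break


def lbc(ml, X, Ai):
    """LbC(O(X)) = level(Ai): every Aj in X takes the classification of Ai."""
    for m in ml:
        for a in X:
            m["c"][a] = m["c"][Ai]


def classify():
    """Apply the slides' constraints and return the multilevel instances."""
    emp, proj, asg = map(to_multilevel, (EMPLOYEE, PROJECT, IS_ASSIGNED_TO))
    sic(asg, ["Function"], "S")                                    # simple constraint example
    cbc(emp, ["SSN", "Name"], "Salary", ">=", "Co", const=100)      # content-based example, operator assumed
    coc(asg, ["SSN"], proj, {"Title": "Title"},
        lambda p: p["Subject"] == "Research", "S")                  # complex constraint example
    cbc(proj, ["Subject"], "Subject", "=", "S", const="Research")   # assumed, see lead-in
    lbc(proj, ["Client"], "Subject")                                # level-based example
    return emp, proj, asg
```

Order matters: LbC copies whatever level Subject has at the moment it runs, so it must be applied after every constraint that classifies Subject; a real constraint compiler would have to order the constraints by such dependencies.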
ER Diagram classifying properties of security objects
[Figure not reproduced: the ER diagram above annotated with the predicate markers P and the security dependency of Client on Subject from the level-based constraint.]
Query Result Classification Constraints: Association-based Constraints
- Let O(A1, ..., An) be a security object with identifying property K
- Let X (X ⊆ {A1, ..., An}, K ⊄ X) be a set of attributes of O
- AbC(O(K, X)) = C (C ∈ SL)
- Results in the assignment of security level C to the retrieval result of each query that takes X together with identifying property K
- Application to ER
  - AbC(Employee, {Salary}) = Co
  - the salary of an individual person is confidential
  - the values of salaries without the information which employee gets what salary are unclassified
ER Diagram classifying query results
[Figure not reproduced: the ER diagram above annotated with the marker Co on Salary for the association-based constraint.]
Query Result Classification Constraints: Aggregation Constraints
- Let count(O) be a function that returns the number of instances referenced by a particular query and belonging to security object O(A1, ..., An)
- Let X (X ⊆ {A1, ..., An}) be sensitive attributes of O
- AgC(O(X), count(O) > n) = C (C ∈ SL, n ∈ ℕ)
- Results in the classification C for the retrieval result of a query in the case count(O) > n, i.e. the number of instances of O referenced by a query accessing properties X exceeds the value n
Query Result Classification Constraints: Aggregation Constraints (cont.)
- Application to ER
  - AgC(Is Assigned to, {Title}, count(Is Assigned to) > 3) = S
  - the information which employee is assigned to what project is regarded as unclassified
  - aggregating all assignments for a certain project (more than three of them) and thereby inferring which team is responsible for what project is considered secret
ER Diagram classifying query results
[Figure not reproduced: the ER diagram above annotated with the marker Co on Salary and the aggregation marker 3 on Is Assigned to.]
Query Result Classification Constraints: Inference Constraints
- Let PO be the set of multilevel objects involved in a potential logical inference
- Let O, O' be two particular objects from PO with corresponding multilevel representations Om(A1, C1, ..., An, Cn, TC) and O'm(A'1, C'1, ..., A'n, C'n, TC')
- Let X ⊆ {A1, ..., An} and Y ⊆ {A'1, ..., A'n}
- IfC(O(X), O'(Y)) = C
- Results in the assignment of security level C to the retrieval result of each query that takes Y together with the properties in X
Query Result Classification Constraints: Inference Constraints (cont.)
- Application to ER
  - IfC(Employee, {Dep}, Project, {Subject}) = Co
  - consider the situation where the information which employee is assigned to what projects is considered confidential
  - from having access to the department an employee works for and to the subject of a project, users may infer which department may be responsible for the project and thus may conclude which employees are involved
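The three query result classification constraint types (association-based, aggregation, inference) as a small query classifier, added here as an example and not code from the slides. A query is described by the attributes it retrieves from each security object and by how many instances of each object it references (count(O)). The constraint instances are the slides' own; the identifying properties of the objects (taken from the ER diagram labels), the constructed sample queries, and the rule that a result takes the least upper bound of all constraints that fire are my assumptions.

```python
"""Query result classification: AbC, AgC and IfC checked against a query.

Added example, not code from the slides. Assumed: the identifying properties
in KEY, the sample queries, and lub over all constraints that fire.
"""
from dataclasses import dataclass, field

LEVELS = ["U", "Co", "S", "TS"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}
# identifying property K of each security object (assumed from the ER diagram)
KEY = {"Employee": {"SSN"}, "Project": {"Title"}, "Is Assigned to": {"SSN", "Title"}}


@dataclass
class Query:
    attrs: dict                                  # object -> set of attributes retrieved
    counts: dict = field(default_factory=dict)   # object -> instances referenced, count(O)


def abc(O, X, C):
    """AbC(O(K, X)) = C: fires when the query takes K of O together with some attribute of X."""
    def check(q):
        got = q.attrs.get(O, set())
        return C if KEY[O] <= got and got & set(X) else None
    return check


def agc(O, X, n, C):
    """AgC(O(X), count(O) > n) = C: fires when X of O is read from more than n instances."""
    def check(q):
        got = q.attrs.get(O, set())
        return C if got & set(X) and q.counts.get(O, 0) > n else None
    return check


def ifc(O, X, O2, Y, C):
    """IfC(O(X), O'(Y)) = C: fires when the query takes Y of O' together with X of O."""
    def check(q):
        if q.attrs.get(O, set()) & set(X) and q.attrs.get(O2, set()) & set(Y):
            return C
        return None
    return check


CONSTRAINTS = [
    abc("Employee", {"Salary"}, "Co"),                        # association-based example
    agc("Is Assigned to", {"Title"}, 3, "S"),                  # aggregation example
    ifc("Employee", {"Dep"}, "Project", {"Subject"}, "Co"),    # inference example
]


def classify(q, constraints=CONSTRAINTS):
    """Classification of the retrieval result: U unless a constraint fires;
    with several firing, the least upper bound of their levels (assumption)."""
    levels = [lvl for lvl in (c(q) for c in constraints) if lvl is not None]
    return max(levels + ["U"], key=RANK.__getitem__)


def may_receive(q, clearance, constraints=CONSTRAINTS):
    """Simple security property applied to the result: clear(s) >= class(result)."""
    return RANK[clearance] >= RANK[classify(q, constraints)]


# constructed sample queries
SALARIES_ONLY = Query({"Employee": {"Salary"}}, {"Employee": 50})
SALARY_BY_SSN = Query({"Employee": {"SSN", "Salary"}}, {"Employee": 50})
TWO_ASSIGNMENTS = Query({"Is Assigned to": {"SSN", "Title"}}, {"Is Assigned to": 2})
WHOLE_TEAM = Query({"Is Assigned to": {"SSN", "Title"}}, {"Is Assigned to": 4})
DEP_AND_SUBJECT = Query({"Employee": {"Dep"}, "Project": {"Subject"}},
                        {"Employee": 10, "Project": 3})
```

The aggregation check depends on count(O) being the number of instances the query actually references, which is only known after the query has been evaluated; an enforcement point therefore has to classify the result set, not just the query text, and must also account for a user assembling the same aggregate out of several small queries.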
ER Diagram classifying query results
[Figure not reproduced: the ER diagram above annotated with the markers Co, 3 and X for the association-based, aggregation and inference constraints.]
Questions?