Bài giảng Bảo mật cơ sở dữ liệu: Chương 3 - Trần Thị Kim Chi (tt)

Chia sẻ: Hấp Hấp | Ngày: | Loại File: PPTX | Số trang:59

Thêm vào BST

Báo xấu

91
lượt xem 8
download

Download Vui lòng tải xuống để xem tài liệu đầy đủ

Bài giảng "Bảo mật cơ sở dữ liệu - Chương 3: Bảo mật theo cơ chế MAC" cung cấp cho người học các kiến thức: Define Mandatory Access Control Models, secrecy-preserving models, integrity-preserving models, multi-Level security, multi-level databases access control models,... Mời các bạn cùng tham khảo.

Chủ đề:

Bình luận(0) Đăng nhập để gửi bình luận!

Lưu

Nội dung Text: Bài giảng Bảo mật cơ sở dữ liệu: Chương 3 - Trần Thị Kim Chi (tt)

Bảo mật theo cơ chế MAC Mandatory Access Control Models
Agenda 1. Define Mandatory Access Control Models 2. Secrecypreserving models 3. Integritypreserving models 4. MultiLevel security 5. Multilevel databases access control models 6. Multilevel secure DBMS architecture 7. MAC trong các hệ QTCSDL thông dụng
Define Mandatory Access Control Mandatory Access Control : A systemwide policy decrees who is allowed to have access; individual user cannot alter that access. Relies on the system to control access. Examples: – The law allows a court to access driving records without the owners’ permission. Traditional MAC mechanisms have been tightly coupled to a few security models. Recently, systems supporting flexible security models start to appear (e.g., SELinux, Trusted Solaris, TrustedBSD, etc.)
Mandatory Access Control vs Discretionary Access Control MAC is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted. DAC, which also governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes. MACenabled systems allow policy administrators to implement organizationwide security policies. With DAC, users cannot override or modify this policy, either accidentally or intentionally. This allows security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users.
Degrees of MAC system strength In some systems, users have the authority to decide whether to grant access to any other user. To allow that, all users have clearances for all data. This is not necessarily true of a MAC system. If individuals or processes exist that may be denied access to any of the data in the system environment, then the system must be trusted to enforce MAC. Since there can be various levels of data classification and user clearances, this implies a quantified scale for robustness. For example, more robustness is indicated for system environments containing classified Top Secret information and uncleared users than for one with Secret information and users cleared to at least Confidential. To promote consistency and eliminate subjectivity in degrees of robustness, an extensive scientific analysis and risk assessment of the topic produced a landmark benchmark
Evaluation of MAC system strength The Common Criteria[7] is based on this science and it intended to preserve the Assurance Level as EAL levels and the functionality specifications as Protection Profiles. Of these two essential components of objective robustness benchmarks, only EAL levels were faithfully preserved. In one case, TCSEC level C2[8] (not a MAC capable category) was fairly faithfully preserved in the Common Criteria, as the Controlled Access Protection Profile (CAPP).[9] Multilevel security (MLS) Protection Profiles (such as MLSOSPP similar to B2)[10] is more general than B2. They are pursuant to MLS, but lack the detailed implementation requirements of their Orange Book predecessors, focusing more on objectives. This gives certifiers more subjective flexibility in deciding whether the evaluated product’s technical features adequately achieve the objective,
Multilevel Security (MLS) Definition and need for MLS – Security Classification – SecrecyBased Mandatory Policies: Bell LaPadula Model – Integritybased Mandatory Policies: The Biba Model – Limitation of Mandatory Policies Hybrid Policies – The Chinese Wall Policy
Definition and need for MLS Multilevel security involves a database in which the data stored has an associated classification and consequently constraints for their access MLS allows users with different classification levels to get different views from the same data MLS cannot allow downward leaking, meaning that a user with a lower classification views data stored with a higher classification
Definition and need for MLS Usually multilevel systems are with the federal government Some private systems also have multilevel security needs MLS relation is split into several singlelevel relations, A recovery algorithm reconstructs the MLS relation from the decomposed singlelevel relations At times MLS updates cannot be completed because it would result in leakage or destruction of secret information
Definition and need for MLS In relational model, relations are tables and relations consist of tuples (rows) and attributes (columns) Example: Consider the relation SOD(Starship, Objective, Destination) Starship Objective Destination Enterprise Exploration Talos Voyager Spying Mars
Definition and need for MLS The relation in the example has no classification associated with it in a relational model The same example in MLS with classification will be as follows: Starship Objective Destination Enterprise U Exploration U Talos U Voyager U Spying S Mars S
Definition and need for MLS In MLS, access classes can be assigned to: – Individual tuple in a relation – Individual attribute of a relation – Individual data element of tuples in a relation Bell – LaPadula Model Biba Model
Bell – LaPadula Model Proposed by David Bell and Len Lapadula in 1973, in response to U.S. Air Force concerns over the security of timesharing mainframe systems. This model is the most widely recognized Access Matrix model with classified data The model deal with confidentiality only. This model has two components: – Classification – Set of categories BellLaPadula model shows how to use Mandatory Access Control to prevent the Trojan Horse
Bell – LaPadula Model Two properties: No read up and No write down. Simple security property: Subject A is allowed to read object O only if class(O) class(A). *property: Subject A is allowed to write object O only if class(A) class(O). The *property was Bell and LaPadula’s critical innovation. It was driven by the fear that a user with “Secret” clearance might be “tricked” by attackers (e.g., through Trojan horse programs or software vulnerabilities) to copy down the information to a ”Unclassified” area where the attackers can read.
Bell – LaPadula Model n Classification has four values {U, C, S, TS} n U = unclassified n C = confidential n S = secret n TS = top secret n Classifications are ordered: TS > S > C > U n Set of categories consists of the data environment and the application area, i.e., Nuclear, Army, Financial, Research Example: In USA, a “SECRET” clearance involves checking FBI fingerprint files.
Bell – LaPadula Model An access class c1 dominates ≥ an access class c2 iff – Security level of c1 is greater than or equal to that of c2 – The categories of c1 include those of c2
Bell – LaPadula Model BellLaPadula model is based on a subject object paradigm Subjects are active elements of the system that execute actions Objects are passive elements of the system that contain information Subjects act on behalf of users who have a security level associated with them (indicating the level of system trust)
Bell – LaPadula Model Subjects execute access modes on objects Access modes are: – Readonly – Append (writing without reading) – Execute – Readwrite (writing known data) Decentralized administration of privileges on objects
Bell – LaPadula Model Control direct and indirect flows of information Prevent leakage to unauthorized subjects User can connect to the system with any access class dominated by their clearance
Two Principles To protect information confidentiality – Noreadup, a subject is allowed a read access to an object only if the access class of the subject dominate the access class of the object – Nowritedown, a subject is allowed a write access to an object only if the access class of the subject is dominated by the access class of the object