Similar literature (20 documents found)
1.
In a multilevel secure distributed database management system, users cleared at different security levels access and share a distributed database consisting of data at different sensitivity levels. One approach to assigning sensitivity levels (also called security levels) to data uses constraints, or classification rules. Security constraints provide an effective classification policy: they can be used to assign security levels to data based on content, context, and time. We extend our previous work on security constraint processing in a centralized multilevel secure database management system by describing techniques for processing security constraints in a distributed environment during query, update, and database design operations.

2.
陈越  王亚弟 《微机发展》1997,7(3):48-50
Security constraints provide an effective classification policy for multilevel secure database systems; they can be used to assign security levels to data based on time, context and content. This paper discusses techniques for processing security constraints during database design and proposes algorithms for handling association-based constraints, simple constraints and logical constraints.
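The two entries above describe content-, time- and association-based security constraints being evaluated while a query is processed. The following is an added example (written for this page, not code from either paper) of how such constraints classify the tuples of a response and how an association constraint is handled by rewriting the query's attribute list. The relation, the constraint set and the level names are constructed for illustration; the lattice is a simple total order, and a tuple whose level the subject's clearance does not dominate is dropped from the answer rather than returned with blanks.

```python
# Added example: constraint-based classification at query time.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "TopSecret": 3}


def dominates(clearance, level):
    """True when a subject cleared at `clearance` may see data labelled `level`."""
    return LEVELS[clearance] >= LEVELS[level]


def lub(levels):
    """Least upper bound of a list of levels in this (totally ordered) lattice."""
    return max(levels, key=LEVELS.__getitem__)


class Constraint:
    """A classification rule. kind is one of:
       'simple'      - content-based: attrs are at `level` when condition(row, today) holds
       'time'        - time-based: like simple, but the condition consults today's date
       'association' - attrs are at `level` only when released *together*"""
    def __init__(self, name, attrs, level, kind="simple", condition=lambda row, today: True):
        self.name, self.attrs, self.level = name, frozenset(attrs), level
        self.kind, self.condition = kind, condition


# Constructed sample relation and constraints (hypothetical, not taken from the papers).
EMPLOYEES = [
    {"name": "Alice", "dept": "R&D", "salary": 150000, "project": "Falcon"},
    {"name": "Bob",   "dept": "Ops", "salary": 60000,  "project": "Sparrow"},
]

CONSTRAINTS = [
    Constraint("high-salary", ["salary"], "Secret", "simple",
               lambda row, today: row["salary"] > 100000),
    Constraint("name-with-salary", ["name", "salary"], "Confidential", "association"),
    Constraint("falcon-until-2026", ["project"], "Secret", "time",
               lambda row, today: row["project"] == "Falcon" and today < "2026-01-01"),
]


def rewrite_projection(projection, clearance, constraints):
    """Association constraints are decided on the attribute list, before any data is read:
    while an association above the subject's clearance is fully projected, drop one of its attributes."""
    proj = list(projection)
    for c in constraints:
        if c.kind == "association" and c.attrs <= set(proj) and not dominates(clearance, c.level):
            proj.remove([a for a in proj if a in c.attrs][-1])
    return proj


def row_level(row, projection, constraints, today):
    """Level of one response tuple: the lub of every content/time constraint it triggers."""
    triggered = ["Unclassified"]
    for c in constraints:
        if c.kind != "association" and (c.attrs & set(projection)) and c.condition(row, today):
            triggered.append(c.level)
    return lub(triggered)


def answer_query(clearance, projection, rows, constraints, today):
    """Return (projection actually answered, tuples the subject may see).
    `today` is an ISO date string, so string comparison orders dates correctly."""
    proj = rewrite_projection(projection, clearance, constraints)
    visible = [{a: r[a] for a in proj} for r in rows
               if dominates(clearance, row_level(r, proj, constraints, today))]
    return proj, visible


if __name__ == "__main__":
    for clearance in ("Unclassified", "Confidential", "Secret"):
        print(clearance, answer_query(clearance, ["name", "salary"], EMPLOYEES, CONSTRAINTS, "2025-06-01"))
```

Note that the association rule changes what is asked, not which rows come back: an Unclassified subject asking for name and salary gets names only, whereas a Confidential subject gets both attributes but loses the tuple whose salary the content rule classifies Secret.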

3.
The problem of designing and managing a secure database system is considered in this paper. The proposed approach is primarily concerned with the definition and management of security information in a database environment. A multiphase design methodology is presented, reflecting current proposals for database design methodology. In particular, four design phases are proposed: requirements analysis of the security system, and conceptual, logical and physical design of security information. The content and the solution techniques of each phase are examined. A database management system architecture suitable for controlling access rights to the database is also presented.

4.
The Distributed Object Kernel (DOK) is a federated database system providing a set of services which allow cooperative processing across different databases. The focus of this paper is the design of a DOK security service that enforces both local security policies, related to the security of local autonomous databases, and federated security policies, governing access to data aggregates composed of data from multiple distributed databases. We propose Global Access Control, an extended access control mechanism enabling a uniform expression of heterogeneous security information. Mappings from existing Mandatory and Discretionary Access Controls are described. To permit control of data aggregation (the derivation of unauthorized information from authorized data), our security framework provides a logic-based language, the Federated Logic Language (FELL), which can describe constraints on both single and multiple states of the federation. To enforce constraints, FELL statements are mapped to state transition graphs which model the different subcomputations required to check the aggregation constraints. Graph aggregation operations are proposed for building compound state transition graphs for complex constraints. To monitor aggregation constraints, two marking techniques, called the Linear Marking Technique and the Zigzag Marking Technique, are proposed. Finally, we describe a three-layer DOK logical secure architecture enabling the implementation of the different security agents. This includes a Coordination layer, a Task layer, and a Database layer. Each contains specialized agents that enforce a different part of the federated security policy. Coordination is performed by the DOK Manager, security enforcement is performed by a specialized Constraint Manager agent, and the database functions are implemented by user and data agents.

5.
Modelling data secrecy and integrity
The paper describes a semantic data model used as a design environment for multilevel secure database applications. The proposed technique is built around the concept of security classification constraints (security semantics) and takes into account that security restrictions may have effects on the static part of a system, on the behavior of the system (the system functions), or on both. As security constraints may influence each other, appropriate integrity mechanisms are necessary, and modelling of a multilevel application must be data-driven as well as function-driven. This functionality is included in the proposed semantic data model for multilevel security by developing secure data schemas, secure function schemas, a procedure for alternating iterative refinements of either schema, and a powerful integrity system to check the consistency of the classification constraints and of the multilevel secure database application.

6.
A semantic framework of the multilevel secure relational model
A multilevel relational database represents information in a multilevel state of the world, which is the knowledge of the truth value of a statement with respect to a level in a security lattice. The authors develop a semantic framework of the multilevel secure relational model with tuple-level labelling, which formalizes the notion of validity in multilevel relational databases. They also identify the multilevel security properties that precisely characterize the validity of multilevel relational databases, and which can be maintained efficiently. Finally, they give an update semantics of the multilevel secure relational model that preserves both integrity and secrecy.

7.
The use of an extended data model which represents both integrity and secrecy aspects of data is demonstrated. This Semantic Data Model for Security (SDMS) provides a technique that assists domain experts, security officers, and database designers in first understanding their security requirements, and then translating them into a good database design. Identifying security requirements at this semantic level provides the basis for analyzing the security requirements and the database design for inference and signaling vulnerabilities. Another contribution is a comprehensive taxonomy of security-relevant data semantics that must be captured and understood to implement a multilevel secure automated information system.

8.
Context: Decision makers query enterprise information stored in Data Warehouses (DW) by using tools (such as On-Line Analytical Processing (OLAP) tools) which use specific views or cubes from the corporate DW or Data Marts, based on multidimensional modeling. Since the information managed is critical, security constraints have to be correctly established in order to avoid unauthorized access. Objective: In previous work we defined a Model-Driven approach for developing a secure DW repository by following a relational approach. Nevertheless, it is also important to define security constraints in the metadata layer that connects the DW repository with the OLAP tools, that is, over the same multidimensional structures that final users manage. This paper defines a proposal to develop secure OLAP applications and incorporates it into our previous approach. Method: Our proposal is composed of models and transformations. Our models have been defined using the extension capabilities of UML (conceptual model) and by extending the OLAP package of CWM with security (logical model). Transformations have been defined using a graphical notation and implemented in QVT and MOFScript. Finally, this proposal has been evaluated through case studies. Results: A complete MDA architecture for developing secure OLAP applications. The main contributions of this paper are: improvement of a UML profile for conceptual modeling; definition of a logical metamodel for OLAP applications; and definition and implementation of transformations from conceptual to logical models, and from logical models to the secure implementation in a specific OLAP tool (SSAS). Conclusion: Our proposal allows us to develop secure OLAP applications, providing a complete MDA architecture composed of several security models and automatic transformations towards the final secure implementation. Security aspects are identified early and fitted into a more robust solution that provides better information assurance and saves maintenance time.

9.
Context: Security in general, and database protection from unauthorized access in particular, are crucial for organizations. Although it has long been accepted that important system requirements should be considered from the early stages of the development process, non-functional requirements such as security tend to be neglected or dealt with only at later stages of the development process. Objective: We present an empirical study conducted to evaluate a Pattern-based method for Secure Development (PbSD) that aims to help developers, in particular database designers, design database schemata that comply with the organizational security policies regarding authorization, from the early stages of development. The method provides a complete framework to guide, enforce and verify the correct implementation of security policies within a system design, and eventually to generate a database schema from that design. Method: The PbSD method was evaluated in comparison with a popular existing method that directly specifies the security requirements in SQL and Oracle's VPD. The two methods were compared with respect to the quality of the created access control specifications, the time it takes to complete the specification, and the perceived quality of the methods. Results: We found that the quality of the access control specifications produced with the PbSD method was better with respect to privileges granted at the table, column and row granularity levels. Moreover, subjects who used the PbSD method completed the specification task in less time than subjects who used SQL. Finally, the subjects perceived the PbSD method as clearer and easier to use. Conclusion: The pattern-based method for secure development can enhance the quality of database security specifications and decrease software development time and cost. The results of the experiment may also indicate that the use of patterns in general has similar benefits; this, however, requires further examination.

10.
1 Introduction. Petri nets (PN) are an important method for modelling dynamic concurrent systems: they capture causal dependencies and support concurrency, asynchrony and conflict resolution, and they have been widely applied to the modelling, simulation and verification of complex dynamic systems, for example protocol analysis, workflow modelling and database design. As information security problems become more prominent, there is an urgent need for PNs to support the modelling of systems under multilevel security policies, so that models built with PNs carry a sound multilevel protection mechanism. Existing PNs, however, do not directly support the modelling of multilevel secure systems, and the literature on secure PNs is sparse. Although V. Atluri, W. K. Huang et al. proposed a secure PN for modelling multilevel secure workflow systems based on coloured timed Petri nets (CTPN), they considered only the control-security and time-security constraints between transitions,

11.
Security is critical for databases. From the standpoint of maintaining the security of the database system, this paper improves database access control based on the BLP model: it defines the rules of database access control and, by modifying DDL and DML and handling multilevel relations, proposes a security enhancement scheme that effectively strengthens database security.

12.
The Inference Problem compromises database systems which are usually considered to be secure. Here, users pose sets of queries and infer unauthorized information from the responses that they obtain. An Inference Controller is a device that prevents and/or detects security violations via inference. We are particularly interested in the inference problem which occurs in a multilevel operating environment. In such an environment, the users are cleared at different security levels and they access a multilevel database where the data is classified at different sensitivity levels. A multilevel secure database management system (MLS/DBMS) manages a multilevel database such that its users cannot access data to which they are not authorized. However, solving the inference problem, where users issue multiple requests and consequently infer unauthorized knowledge, is beyond the capability of currently available MLS/DBMSs. This paper describes the design and prototype development of an Inference Controller for an MLS/DBMS that functions during query processing. To our knowledge this is the first such inference controller prototype to be developed. We also describe some extensions to the inference controller so that an integrated solution can be provided to the problem.
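The entry above is about inference across *several* queries: each answer on its own is permitted, but a later answer can be joined with an earlier one to assemble an association the subject is not cleared for. The following added example (not the paper's prototype) shows the core of a query-time inference controller that remembers what it has already released to a subject and suppresses any tuple whose release, combined with the history, would complete an over-classified association. The relation, the association constraint and the uniqueness-based join rule are constructed for this illustration.

```python
# Added example: history-aware inference control during query processing.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2}


def dominates(clearance, level):
    return LEVELS[clearance] >= LEVELS[level]


# Constructed association constraint: name and salary are Secret only when seen together.
ASSOCIATIONS = [(frozenset({"name", "salary"}), "Secret")]

# Constructed sample relation; each attribute on its own is Unclassified.
TABLE = [
    {"name": "Alice", "dept": "R&D", "salary": 150000},
    {"name": "Bob",   "dept": "Ops", "salary": 60000},
    {"name": "Carol", "dept": "Ops", "salary": 65000},
]


class InferenceController:
    """Sits in front of query processing and remembers what one subject has already been told."""

    def __init__(self, clearance):
        self.clearance = clearance
        self.released = []          # tuples already returned to this subject

    def _over_classified(self, fact):
        return any(attrs <= set(fact) and not dominates(self.clearance, level)
                   for attrs, level in ASSOCIATIONS)

    def _inferable(self, new):
        """Facts the subject could assemble from `new`: the tuple itself, plus its join with an
        earlier answer whenever the shared attribute values pick out exactly one earlier tuple.
        A join on a non-unique value (two people in the same department) leaves the subject unable
        to tell which earlier tuple matches, so it is not counted.  The rule is conservative: it
        ignores that several *new* tuples might share the same join value."""
        yield new
        for old in self.released:
            shared = set(new) & set(old)
            if not shared or any(new[a] != old[a] for a in shared):
                continue
            matches = [o for o in self.released if all(o.get(a) == new[a] for a in shared)]
            if len(matches) == 1:
                yield {**old, **new}

    def query(self, projection):
        """Answer a projection query, suppressing tuples whose release would complete
        an association above the subject's clearance."""
        answer = []
        for row in TABLE:
            candidate = {a: row[a] for a in projection}
            if any(self._over_classified(f) for f in self._inferable(candidate)):
                continue
            answer.append(candidate)
        self.released.extend(answer)
        return answer


if __name__ == "__main__":
    ic = InferenceController("Confidential")
    print(ic.query(["name", "dept"]))       # all three tuples: nothing sensitive yet
    print(ic.query(["dept", "salary"]))     # the R&D tuple is withheld: dept links it to Alice
```

The second query is harmless in isolation; it is refused only for the tuple whose department value is unique in the first answer, which is exactly the path by which a subject would learn Alice's salary.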

13.
A methodology is provided here to assist in the design of secure interactive applications. In particular, this methodology helps design adequate security information feedback based on User Interface Patterns; the resulting feedback is then evaluated against a set of design/evaluation criteria called Human-Computer Interaction for Security (HCI-S). In case of a security issue, the security information feedback is generally presented using the visual and auditory channels required to achieve effective notification, and it is explicitly specified in the design of user interfaces for secure web systems.

14.
Correctness criteria for multilevel secure transactions
The benefits of distributed systems and shared database resources are widely recognized, but they often cannot be exploited by users who must protect their data by using label-based access controls. In particular, users of label-based data need to read and write data at different security levels within a single database transaction, which is not currently possible without violating multilevel security constraints. The paper presents a formal model of multilevel transactions which provide this capability. We define four ACIS (atomicity, consistency, isolation, and security) correctness properties of multilevel transactions. While atomicity, consistency and isolation are mutually achievable in standard single-site and distributed transactions, we show that the security requirements of multilevel transactions conflict with some of these goals. This forces trade-offs to be made among the ACIS correctness properties, and we define appropriate partial correctness properties. Because of such trade-offs, an important problem is to design multilevel transaction execution protocols which achieve the greatest possible degree of correctness. These protocols must provide a variety of approaches to making trade-offs according to the differing priorities of various users. We present three transaction execution protocols which achieve a high degree of correctness. These protocols exemplify the correctness trade-offs proven in the paper, and offer realistic implementation options.

15.
Logical foundations of multilevel databases
In this paper, we propose a formal model for multilevel databases. This model aims at being a generic model, that is, it can be interpreted for any kind of database (relational, object-oriented, ...). Our model has three layers. The first layer corresponds to a model for a non-protected database. The second layer corresponds to a model for a multilevel database. In this second layer, we propose a list of theorems that must be respected in order to build a secure multilevel database. We also propose a new solution to manage cover stories without using the ambiguous technique of polyinstantiation. The third layer corresponds to a model for a MultiView database, that is, a database that provides at each security level a consistent view of the multilevel database. Finally, as an illustration, we interpret our 3-layer model in the case of an object-oriented database.
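Entries 6, 11 and 15 above all turn on the same mechanics: tuple-level labels, the BLP read and write rules applied to a relation, and what happens when a write at one level collides with a tuple of the same key at another level. The following added example (written for this page; it is not the construction of any of the three papers) implements a small tuple-labelled relation with "no read up" on select and "no write down" on write, and shows the polyinstantiation that entry 15 calls ambiguous: a Secret reader ends up with two tuples for one apparent key. The `consistent_view` resolution (highest dominated instance wins) is an assumption of this example, not the MultiView construction of the paper.

```python
# Added example: tuple-level labelling, BLP rules and polyinstantiation.
LEVELS = {"U": 0, "C": 1, "S": 2}           # Unclassified < Confidential < Secret


def dominates(a, b):
    return LEVELS[a] >= LEVELS[b]


class MultilevelRelation:
    """Every tuple carries a classification `tc`; the real key of the relation is
    (apparent key, tc), so one apparent key may exist once per level."""

    def __init__(self):
        self.tuples = []

    def select(self, clearance):
        """Simple security property: read only tuples the clearance dominates (no read up)."""
        return [t for t in self.tuples if dominates(clearance, t["tc"])]

    def write(self, clearance, key, value):
        """*-property: a subject writes only at its own level (no write down).
        Same key at the subject's level  -> replaced.
        Same key at a higher level       -> invisible to the subject; refusing the write would
                                            signal its existence, so the write goes through
                                            and the key becomes polyinstantiated.
        Same key at a lower level        -> visible but not modifiable, so a new instance at
                                            the subject's level is created instead."""
        for t in self.tuples:
            if t["key"] == key and t["tc"] == clearance:
                t["value"] = value
                return "replaced"
        self.tuples.append({"key": key, "value": value, "tc": clearance})
        return "inserted"

    def consistent_view(self, clearance):
        """One way to give each level a single-instance view (an assumption of this example):
        per key, keep only the instance at the highest level the subject dominates."""
        view = {}
        for t in self.select(clearance):
            cur = view.get(t["key"])
            if cur is None or dominates(t["tc"], cur["tc"]):
                view[t["key"]] = t
        return {k: t["value"] for k, t in view.items()}


if __name__ == "__main__":
    r = MultilevelRelation()
    r.write("S", "flight-7", "Falcon")      # Secret subject records the real mission
    r.write("U", "flight-7", "training")    # Unclassified subject writes the same key: not refused
    print("U sees", r.select("U"))          # only the training tuple
    print("S sees", r.select("S"))          # both: this is the ambiguity entry 15 refers to
```

The point the write rule makes is that refusing the Unclassified write because a Secret tuple already holds the key would itself be a downward signal; polyinstantiation avoids the signal at the cost of the Secret reader having to interpret two instances.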

16.
A security policy model for secure databases based on an extended object hierarchy
程万军  张霞  刘积仁 《软件学报》2003,14(5):955-962
A security policy model is the foundation of a secure, trusted system. The Bell-LaPadula model is the security policy model most widely used in multilevel secure systems, but it lacks integrity and consistency rules for the data model. Taking that model as a basis and targeting the data model of database systems, this paper proposes a security policy model built on an extended object hierarchy. By extending the object hierarchy the model makes integrity an intrinsic property, and it introduces or redefines object domains, extended security axioms and operation rules. The model better fits the requirements of multilevel secure database systems and improves consistency between the policy model, the system specification and higher-level models. Extending and strengthening general-purpose security models, in particular by introducing properties other than security, is a necessary step in turning a security policy model into a model of a real system.

17.
An approach for modeling and analysis of security system architectures
Security system architecture governs the composition of components in security systems and the interactions between them. It plays a central role in the design of software security systems that ensure secure access to distributed resources in a networked environment. In particular, the composition of a system must consistently assure the security policies it is supposed to enforce. However, there is currently no rigorous and systematic way to predict and assure such critical properties in security system design. A systematic approach is introduced to address the problem. We present a methodology for modeling security system architecture and for verifying whether required security constraints are assured by the composition of the components. We introduce the concept of security constraint patterns, which formally specify the generic form of security policies that all implementations of the system architecture must enforce. The analysis of the architecture is driven by the propagation of the global security constraints onto the components in an incremental process. We show that our methodology is both flexible and scalable. It is argued that such a methodology not only ensures the integrity of critical early design decisions, but also provides a framework to guide correct implementations of the design. We demonstrate the methodology through a case study in which we model and analyze the architecture of the Resource Access Decision (RAD) Facility, an OMG standard for application-level authorization services.

18.
Data Warehouses (DW), Multidimensional (MD) databases, and On-Line Analytical Processing (OLAP) applications provide companies with many years of historical information for the decision-making process. Owing to the sensitive information managed by these systems, they should provide strong security and confidentiality measures from the early stages of a DW project, in the MD modeling, and enforce them. In recent years there have been some proposals for MD modeling at the conceptual level. Nevertheless, none of them considers security measures as an important element of their models, and therefore they do not allow us to specify confidentiality constraints to be enforced by the applications that will use these MD models. In this paper, we present an Access Control and Audit (ACA) model for conceptual MD modeling. Then, we extend the Unified Modeling Language (UML) with this ACA model, representing the security information (gathered in the ACA model) in the conceptual MD modeling, thereby allowing us to obtain secure MD models. Moreover, we use the OSCL (Object Security Constraint Language) to specify our ACA model constraints, avoiding in this way an arbitrary use of them. Furthermore, we align our approach with the Model-Driven Architecture, Model-Driven Security and the Model-Driven Data Warehouse, offering a proposal highly compatible with the more recent technologies.

19.
It is envisaged that the application of the multilevel security (MLS) scheme will enhance the flexibility and effectiveness of authorization policies in shared enterprise databases and will replace cumbersome authorization enforcement practices based on complicated view definitions on a per-user basis. However, the critical problem with the current model is that the belief at a higher security level is cluttered with irrelevant or inconsistent data, as no mechanism for attenuation is supported. Critics also argue that it is imperative for MLS database users to theorize about the beliefs of others, perhaps at different security levels, an apparatus that is currently missing and whose absence is seriously felt. The impetus for our current research is the need to provide an adequate framework for belief reasoning in MLS databases. In this paper, we show that these concepts can be captured in an F-logic style declarative query language, called MultiLog, for MLS deductive databases, for which proof-theoretic, model-theoretic and fixpoint semantics exist. This development is significant from a database perspective as it now enables us to compute the semantics of MultiLog databases in a bottom-up fashion. We also define a bottom-up procedure to compute unique models of stratified MultiLog databases. Finally, we establish the equivalence of MultiLog's three logical characterizations: model theory, fixpoint theory and proof theory.

20.
Concurrent execution of transactions in database management systems (DBMSs) may lead to contention for access to data, which in a multilevel secure DBMS (MLS/DBMS) may lead to insecurity. Security issues involved in database concurrency control for MLS/DBMSs are examined, and it is shown how a scheduler can affect security. Data conflict security (DC-security), a property that implies a system is free of covert channels due to contention for access to data, is introduced. A definition of DC-security based on noninterference is presented. Two properties that constitute a necessary condition for DC-security are introduced, along with two simpler necessary conditions. A class of schedulers called output-state-equivalent is identified for which another criterion implies DC-security. The criterion considers separately the behavior of the scheduler in response to those inputs that cause rollback and those that do not. The security properties of several existing scheduling protocols are characterized. Many are found to be insecure.
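The entry above, and entry 14 on the ACIS trade-offs, describe the covert channel that lock contention opens in an MLS/DBMS and the fact that closing it costs something in atomicity for the higher level. The following added example (written for this page, not taken from either paper) makes the channel concrete with a toy lock manager: a High transaction legitimately holds a read lock on Low data, and whether the Low writer has to wait is one bit per round. With strict two-phase locking the Low subject decodes every bit; with the scheduler told to roll back the High holder rather than make Low wait, the channel carries nothing, at the price that High transactions get aborted. The item names, level names and the two-level lattice are constructed for the illustration.

```python
# Added example: a timing covert channel through lock contention, and one way to close it.
LEVELS = {"Low": 0, "High": 1}


class Scheduler:
    """Toy lock manager.  secure=False is plain strict 2PL: a conflicting request waits.
    secure=True never lets a Low request wait on a High holder; it rolls the High
    transaction back instead (High availability traded for DC-security)."""

    def __init__(self, secure):
        self.secure = secure
        self.locks = {}          # item -> list of (transaction level, mode)
        self.rolled_back = []    # (level, item) of transactions this scheduler aborted

    def request(self, level, item, mode):
        holders = self.locks.setdefault(item, [])
        conflicting = [(l, m) for (l, m) in holders if mode == "write" or m == "write"]
        if not conflicting:
            holders.append((level, mode))
            return "granted"
        if self.secure and all(LEVELS[l] > LEVELS[level] for l, _ in conflicting):
            # Every blocker is strictly higher: making us wait would let them modulate our timing.
            for h in conflicting:
                holders.remove(h)
                self.rolled_back.append((h[0], item))
            holders.append((level, mode))
            return "granted"
        return "wait"      # waiting on an equal or lower holder is ordinary contention

    def release(self, level, item):
        """Commit or abort of every transaction at `level` that holds `item`."""
        self.locks[item] = [(l, m) for (l, m) in self.locks.get(item, []) if l != level]


def covert_channel(secure, bits):
    """High sends `bits`, one per round, by choosing whether to hold a read lock on item x
    (Low data, which High may legitimately read) while Low writes x.  Low decodes a 1
    whenever its write had to wait.  Returns the bits Low decodes."""
    sched = Scheduler(secure)
    decoded = []
    for bit in bits:
        if bit:
            sched.request("High", "x", "read")
        decoded.append(1 if sched.request("Low", "x", "write") == "wait" else 0)
        sched.release("High", "x")     # High commits (or has been rolled back)
        sched.release("Low", "x")      # Low commits
    return decoded


if __name__ == "__main__":
    message = [1, 0, 1, 1, 0]
    print("2PL   ->", covert_channel(False, message))
    print("secure->", covert_channel(True, message))
```

The secure variant is still a real scheduler: a Low reader asking for an item a Low writer holds waits as usual, and a High request blocked by a Low holder waits too, since that is information flowing upward, which the policy allows. Only the downward case is rewritten into a rollback, which is why the paper's criterion treats the scheduler's response to rollback-causing inputs separately.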


Copyright©北京勤云科技发展有限公司  京ICP备09084417号