Security checking in relational database management systems augmented with inference engines

In this paper we will discuss the notion of multilevel security and the difficulties encountered in designing an implementation scheme for a security policy for a multilevel secure database management system (MLS/DBMS). We will then describe how these difficulties may be overcome in augmenting a database with an inference engine so that it functions like a knowledge based system.     

动态推理控制

防止未授权的用户从可读取的安全等级较低的数据中推理出安全等级较高的数据是多级关系数据库达到安全的必要保证。由于数据库中元组、属性、元素之间的相互关联性,多级关系数据库存在着推理通道。它的存在对信息的安全造成很大威胁。主要论述了多级安全数据库系统的推理通道的来源,分析了目前在多级安全数据库系统中推理问题的成果。在此基础上,提出了一种动态控制推理通道的方法并给出了相应算法。     

动态推理控制

防止未授权的用户从可读取的安全等级较低的数据中推理出安全等级较高的数据是多级关系数据库达到安全的必要保证.由于数据库中元组、属性、元素之间的相互关联性,多级关系数据库存在着推理通道.它的存在对信息的安全造成很大威胁.主要论述了多级安全数据库系统的推理通道的来源,分析了目前在多级安全数据库系统中推理问题的成果.在此基础上,提出了一种动态控制推理通道的方法并给出了相应算法.     

Database concurrency control in multilevel secure databasemanagement systems

Concurrent execution of transactions in database management systems (DBMSs) may lead to contention for access to data, which in a multilevel secure DBMS (MLS/DBMS) may lead to insecurity. Security issues involved in database concurrency control for MLS/DBMSs are examined, and it is shown how a scheduler can affect security. Data conflict security, (DC-security), a property that implies a system is free of covert channels due to contention for access to data, is introduced. A definition of DC-security based on noninterference is presented. Two properties that constitute a necessary condition for DC-security are introduced along with two simpler necessary conditions. A class of schedulers called output-state-equivalent is identified for which another criterion implies DC-security. The criterion considers separately the behavior of the scheduler in response to those inputs that cause rollback and those that do not. The security properties of several existing scheduling protocols are characterized. Many are found to be insecure     

基于PostgreSQL的强制访问控制的实现

讨论一个基于公开源码数据库PostgreSQL的安全数据库原型系统中强制访问控制机制的现,详细阐述了原型系统对PostgreSQL系统原有数据字典的更改及时DDL、DMI。语言的改造,并介绍了多缀关系的分解与恢复算法。     

多层关系数据库的函数依赖推理控制

多层关系数据库是解决安全数据库中多实例问题的良好方法。防止未授权的用户从可读取的安全等级较低的数据中推理出安全等级较高的数据是多层关系数据库达到安全的必要保证。由于数据库中元组、属性、元素之间的相互关联性,推理问题成为安全数据库的重要内容。文章以数据库中的函数依赖来检查多层关系数据库的各个属性的安全等级,并在此基础上调整各个属性的安全等级,以保证数据的安全性。     

基于可信级别的多级安全策略及其状态机模型

虽然MLS(multilevel security)被广泛应用于各种安全系统,但是它不能实现信道控制等重要的安全策略.将可信级别的概念引入到MLS中,使其可以方便地实现各种信道控制策略.建立了一个实现这种基于可信级别的多级安全策略的访问控制状态机模型,并证明其对定义的策略是安全的,而且可以实现所有静态信息流策略.另外,还扩展了该模型,使其可以支持存储对象安全属性的动态改变.该模型克服了MLS不能解决安全降级问题以及不考虑完整性的缺点,同时又保留了传统分级策略模型易理解、易使用的优点.     

具备多级安全机制的在线数据库同态加密方案

随着在线数据库管理系统的广泛应用,需要对数据库中存储的敏感信息进行加密。运用同态加密技术的数据库加密方案可以实现不用解密而直接操作密文数据,从而降低了加密对应用性能的影响。多级安全机制能够为数据库管理系统提供更高层级的信息安全保护。文章针对在线数据库管理系统的特点,提出了一种具备多级安全机制的同态加密方案。该方案数据库服务器端配置了所有安全等级的加解密密钥,客户端仅配置与自身安全等级相适应的加解密密钥;包含字段和记录两层加密机制,层次清晰,运算简单;具备多级安全机制,高安全等级用户所在的客户端能够解密数据库服务器中的低安全等级数据;支持所有数据库关系操作。实验结果表明,文章密钥配置方案合理可行,加密方案加解密原理正确,支持多级安全等级机制。     

A belief-consistent multilevel secure relational data model

Multilevel relations, based on the current multilevel secure (MLS) relational data models, can present a user with information that is difficult to interpret and may display an inconsistent outlook about the views of other users. Such ambiguity is due to the lack of a comprehensive method for asserting and interpreting beliefs about information at lower security levels. In this paper we present a belief-consistent MLS relational database model which provides an unambiguous interpretation of all visible information and gives the user access to the beliefs of users at lower security levels, neither of which was possible in any of the existing models. We identify different beliefs that can be held by users at higher security levels about information at lower security levels, and introduce a mechanism for asserting beliefs about all accessible tuples. This mechanism provides every user with an unambiguous interpretation of all viewable information and presents a consistent account of the views at all levels visible to the user. In order to implement this assertion mechanism, new database operations, such as verify true and verify false, are presented. We specify the constraints for the write operations, such as update and delete, that maintain belief consistency and redefine the relational algebra operations, such as select, project, union, difference and join.     

基于MySQL的可定制强制访问控制的研究与实现

结合MySQL数据库系统,通过在其源代码中增加安全策略函数、修改原有数据字典、扩展SQL 语句以及建立安全策略统一管理平台的方法,实现了可定制强制访问控制机制.所实现的安全数据库原型系统使数据库安全管理员可以根据应用领域不同的安全需求灵活定义标签结构和访问规则,为增强安全数据库产品可用性、灵活性提供了一种新思路.     

An extended access control mechanism exploiting data dependencies

In general, access control mechanisms in DBMSs ensure that users access only those portions of data for which they have authorizations, according to a predefined set of access control policies. However, it has been shown that access control mechanisms might be not enough. A clear example is the inference problem due to functional dependencies, which might allow a user to discover unauthorized data by exploiting authorized data. In this paper, we wish to investigate data dependencies (e.g., functional dependencies, foreign key constraints, and knowledge-based implications) from a different perspective. In particular, the aim was to investigate data dependencies as a mean for increasing the DBMS utility, that is, the number of queries that can be safely answered, rather than as channels for releasing sensitive data. We believe that, under given circumstances, this unauthorized release may give more benefits than issues. As such, we present a query rewriting technique capable of extending defined access control policies by exploiting data dependencies, in order to authorize unauthorized but inferable data.     

基于信息客体统一化描述的安全标记绑定研究

安全标记与信息客体绑定,一直是制约多级安全走向网络实用化的关键问题。针对这一问题,提出了一种基于信息客体统一化描述的安全标记绑定方法。通过分析客体类型,给出了基于数据树的多类型客体的统一表示模型,据此基于数据树遍历给出了客体与安全标记绑定算法,并讨论了客体的相关操作及其访问控制机制的实施。该方法不仅可提高安全标记绑定的灵活性,实现多类型信息客体与安全标记绑定的统一,而且可实施更为细粒度的访问控制,解决系统间异构数据交换控制难的问题。     

Security constraint processing in a multilevel secure distributeddatabase management system

In a multilevel secure distributed database management system, users cleared at different security levels access and share a distributed database consisting of data at different sensitivity levels. An approach to assigning sensitivity levels, also called security levels, to data is one which utilizes constraints or classification rules. Security constraints provide an effective classification policy. They can be used to assign security levels to the data based on content, context, and time. We extend our previous work on security constraint processing in a centralized multilevel secure database management system by describing techniques for processing security constraints in a distributed environment during query, update, and database design operations     

应用BLP模型对PostgreSQL进行安全增强

文章讨论了应用BLP模型公开源码数据库PostgreSQL进行安全增强、实现安全数据库原型系统的原理与技术细节。文中概括介绍了BLP模型原理及PostgreSQL软件结构,详细阐述了原型系统安全标识实现、PostgreSQL系统原有数据字典的改造、DDL和DML语言的改造,并介绍了多级关系的分解与恢复算法。     

移动环境中多级网络安全切换策略设计

将异构移动网络抽象成多级网络模型,将多级安全引入切换过程,设计了基于MLS（Multilevel Security）的安全切换策略。该策略针对用户连续切换产生的信息泄露问题,规定保证安全等级不降低的约束条件,保证切换过程中用户与网络的安全,并且与其他方案相比,能够提供更全面的安全保护。经形式化证明,该策略是安全的。     

Implementing multilevel security by violation privilege

A multilevel secure information system should be able to support a security structure consisting of a hierarchically defined sensitivity structure containing n levels and a category structure containing m compartments. It should simultaneously protect its contents from unauthorized disclosure arising from either access control violation or leakage, and from improper modification. The protection should not interfere with the efficient processing of information. The system should be able to provide for its own security using trusted hardware or software.The system of controls described in this report will accomplish all these objectives. Furthermore, it will incorporate defenses against the following threats: unplanned delay, unauthorized erasure or destruction, aggregation, inference, spoofing, infiltration, residual images, computer viruses, and post-engagement disclosure.     

安全数据库的推理控制

首先对按元素划分安全级的多级数据库上由函数依赖(FD)和多值函数依赖(MVD)引起的推理问题进行了研究,所提出的推理控制算法在很大程度上提高了数据的可用性.为进一步有效防范推理所导致的敏感信息泄露,给出了基于视图的推理控制方法.该方法能够处理多视图合谋带来的安全问题.最后给出了视图依赖基划分原理,它是以后有关视图推理控制的基础.     

基于数据立方体的数据仓库安全控制

针对数据仓库与在线分析处理(OLAP)系统存在的数据仓库非法访问和敏感信息间接推理问题,在原有统计数据库安全体系架构的基础上,构建OLAP的3层安全控制体系架构,并结合该架构提出一种新的基于数据立方体的推理控制方法。该方法先预防m维推理,然后清除一维推理,简化了m维推理的检测过程。     

An equational logic based approach to the security problem against inference attacks on object-oriented databases

A query is said to be secure against inference attacks by a user if there exists no database instance for which the user can infer the result of the query, using only authorized queries to the user. In this paper, first, the security problem against inference attacks on object-oriented databases is formalized. The definition of inference attacks is based on equational logic. Secondly, the security problem is shown to be undecidable, and a decidable sufficient condition for a given query to be secure under a given schema is proposed. The idea of the sufficient condition is to over-estimate inference attacks using over-estimated results of static type inference. The third contribution is to propose subclasses of schemas and queries for which the security problem becomes decidable. Lastly, the decidability of the security problem is shown to be incomparable with the static type inferability, although the tightness of the over-estimation of the inference attacks is affected in a large degree by that of the static type inference.     

Designing secure databases

Security is an important issue that must be considered as a fundamental requirement in information systems development, and particularly in database design. Therefore security, as a further quality property of software, must be tackled at all stages of the development. The most extended secure database model is the multilevel model, which permits the classification of information according to its confidentiality, and considers mandatory access control. Nevertheless, the problem is that no database design methodologies that consider security (and therefore secure database models) across the entire life cycle, particularly at the earliest stages currently exist. Therefore it is not possible to design secure databases appropriately. Our aim is to solve this problem by proposing a methodology for the design of secure databases. In addition to this methodology, we have defined some models that allow us to include security information in the database model, and a constraint language to define security constraints. As a result, we can specify a fine-grained classification of the information, defining with a high degree of accuracy which properties each user has to own in order to be able to access each piece of information. The methodology consists of four stages: requirements gathering; database analysis; multilevel relational logical design; and specific logical design. The first three stages define activities to analyze and design a secure database, thus producing a general secure database model. The last stage is made up of activities that adapt the general secure data model to one of the most popular secure database management systems: Oracle9i Label Security. This methodology has been used in a genuine case by the Data Processing Center of Provincial Government. In order to support the methodology, we have implemented an extension of Rational Rose, including and managing security information and constraints in the first stages of the methodology.