Similar literature
1.
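The security policy of a secure database management system can give the database strong security functions, and the BLP model is currently one of the more widely used policy models. To accommodate the BLP model, a practical multilevel relational model, which is an extension of the original relational model, is adopted as the basis of the secure database. The paper describes the principles and content of the multilevel relational model, with a detailed account of the decomposition and merging of multilevel relations. It also shows that the model is suitable for implementing a multilevel database management system on a multilevel secure operating system.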

2.
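This paper proposes a multilevel relational-hierarchical data model in which every element (data item) is assigned a security level. The model handles multilevel spatial data. Under this model, integrity of the relationship between upper and lower layers is introduced. Drawing on the ideas of belief-based semantics and fact-based semantics, the format and semantics of the SELECT statement are modified and the data-based semantics of MLR are extended. To prevent covert channels introduced by the data model, we modify the semantics and processing of the other SQL statements in MLR. Finally, the multilevel relational-hierarchical data model is proved to be secure.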

3.
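With the wide use of online database management systems, the sensitive information stored in databases needs to be encrypted. A database encryption scheme based on homomorphic encryption can operate directly on ciphertext data without decrypting it, which reduces the impact of encryption on application performance. A multilevel security mechanism can provide a higher level of information security protection for a database management system. Addressing the characteristics of online database management systems, the article proposes a homomorphic encryption scheme with a multilevel security mechanism. In this scheme the database server is configured with the encryption and decryption keys of all security levels, while a client is configured only with the keys that match its own security level; the scheme comprises two layers of encryption, field and record, with a clear hierarchy and simple operations; it has a multilevel security mechanism, so that the client of a user with a high security level can decrypt low-security-level data on the database server; and it supports all relational database operations. Experimental results show that the key configuration scheme is reasonable and feasible, that the encryption and decryption principle of the scheme is correct, and that the multilevel security mechanism is supported.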

4.
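Multilevel security is a control policy that protects sensitive information resources from illegitimate use. It divides the subjects in a system (such as users, processes and transactions) and the objects (such as files, devices, tables and tuples) into different security levels as needed, and uses those levels to restrict subjects' access to objects. Multilevel security in a database management system means that each subject can (directly or indirectly) access only the objects for which it has clearance. The authors developed a multilevel secure database model that implements mandatory access control and discretionary access control; the model meets the TCSEC B1 security requirements.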

5.
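Preventing unauthorized users from inferring data of a higher security level from the lower-security-level data they are able to read is a necessary guarantee for a multilevel relational database to be secure. Because tuples, attributes and elements in a database are interrelated, inference channels exist in multilevel relational databases, and their existence poses a serious threat to information security. The paper discusses the sources of inference channels in multilevel secure database systems and analyzes current results on the inference problem in such systems. On this basis, it proposes a method for dynamically controlling inference channels and gives the corresponding algorithm.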

6.
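Research on the inference problem in multilevel secure database systems   Total citations: 7, self-citations: 0, citations by others: 7
In a multilevel secure database system, the inference problem is that a user with a low security level uses the data he can access, together with his own knowledge, to infer confidential information of a high security level, which constitutes an attack on the database. The paper surveys methods for controlling the database inference problem and compares their advantages and disadvantages.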

7.
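To improve the application performance of encrypted databases, homomorphic encryption can be used to operate directly on ciphertext data without decrypting it, while a multilevel security mechanism can provide a higher level of information security protection for the database management system. This paper proposes a new database encryption scheme based on number theory. The scheme has a reasonable and feasible key configuration and simple encryption and decryption operations, provides a multilevel security mechanism, and supports relational operations on ciphertext as well as dynamic extension.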

8.
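Data is the key object protected by most security systems, and many users (people, programs or systems) rely on a database management system (DBMS) to manage and protect data. However, a DBMS cannot provide complete protection. For this reason, this paper puts forward a proposal for the security of multilevel databases and lists several implementation methods.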

9.
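Design of the audit function of a multilevel secure relational database system   Total citations: 4, self-citations: 0, citations by others: 4
This paper briefly introduces multilevel secure relational database systems and the auditing of computer systems, emphasizes that the design of the audit function of a multilevel secure relational database system must follow the multilevel security policy, and discusses in detail the choice of audit granularity, the setting of audit switches and thresholds, and the maintenance and querying of audit logs.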

10.
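Active real-time database transactions and their processing   Total citations: 3, self-citations: 0, citations by others: 3
Active real-time database transactions are far more complex than traditional database transactions. The paper first makes a preliminary study of the semantic model and the reliance relationships of active real-time database transactions; it then briefly analyzes the structure and execution characteristics of active real-time transactions and proposes a deadline computation model; finally it introduces the management mechanism for active real-time transactions in ARTS-I, a prototype active real-time DBMS that we developed.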

11.
We address security in object-oriented database systems for multilevel secure environments. Such an environment consists of users cleared to various security levels, accessing information labeled with varying classifications. Our purpose is three-fold. First, we show how security can be naturally incorporated into the object model of computing so as to form a foundation for building multilevel secure object-oriented database management systems. Next, we show how such an abstract security model can be realized under a cost-effective, viable, and popular security architecture. Finally, we give security arguments based on trusted subjects and a formal proof to demonstrate the confidentiality of our architecture and approach. A notable feature of our solution is the support for secure synchronous write-up operations. This is useful when low level users want to send information to higher level users. In the object-oriented context, this is naturally modeled and efficiently accomplished through write-up messages sent by low level subjects. However, such write-up messages can pose confidentiality leaks (through timing and signaling channels) if the timing of the receipt and processing of the messages is observable to lower level senders. Such covert channels are a formidable obstacle in building high-assurance secure systems. Further, solutions to problems such as these have been known to involve various tradeoffs between confidentiality, integrity, and performance. We present a concurrent computation model that closes such channels while preserving the conflicting goals of confidentiality, integrity, and performance. Finally, we give a confidentiality proof for a trusted subject architecture and implementation and demonstrate that the trusted subject (process) cannot leak information in violation of multilevel security.

12.
Logical foundations of multilevel databases   Total citations: 2, self-citations: 0, citations by others: 2
In this paper, we propose a formal model for multilevel databases. This model aims at being a generic model, that is it can be interpreted for any kind of database (relational, object-oriented …). Our model has three layers. The first layer corresponds to a model for a non-protected database. The second layer corresponds to a model for a multilevel database. In this second layer, we propose a list of theorems that must be respected in order to build a secure multilevel database. We also propose a new solution to manage cover stories without using the ambiguous technique of polyinstantiation. The third layer corresponds to a model for a MultiView database, that is, a database that provides at each security level a consistent view of the multilevel database. Finally, as an illustration, we interpret our 3-layer model in the case of an object-oriented database.

13.
Security is an important issue that must be considered as a fundamental requirement in information systems development, and particularly in database design. Therefore security, as a further quality property of software, must be tackled at all stages of the development. The most extended secure database model is the multilevel model, which permits the classification of information according to its confidentiality, and considers mandatory access control. Nevertheless, the problem is that no database design methodologies that consider security (and therefore secure database models) across the entire life cycle, particularly at the earliest stages currently exist. Therefore it is not possible to design secure databases appropriately. Our aim is to solve this problem by proposing a methodology for the design of secure databases. In addition to this methodology, we have defined some models that allow us to include security information in the database model, and a constraint language to define security constraints. As a result, we can specify a fine-grained classification of the information, defining with a high degree of accuracy which properties each user has to own in order to be able to access each piece of information. The methodology consists of four stages: requirements gathering; database analysis; multilevel relational logical design; and specific logical design. The first three stages define activities to analyze and design a secure database, thus producing a general secure database model. The last stage is made up of activities that adapt the general secure data model to one of the most popular secure database management systems: Oracle9i Label Security. This methodology has been used in a genuine case by the Data Processing Center of Provincial Government. In order to support the methodology, we have implemented an extension of Rational Rose, including and managing security information and constraints in the first stages of the methodology.

14.
Investigates issues related to transaction concurrency control in multilevel secure databases. This paper demonstrates how the conflicts between the correctness requirements and the secrecy requirements can be reconciled by proposing two different solutions. It first explores the correctness criteria that are weaker than one-copy serializability. Each of these weaker criteria, though not as strict as one-copy serializability, is required to preserve database consistency in some meaningful way, and moreover, its implementation does not require the scheduler to be trusted. It proposes three different, increasingly stricter notions of serializability (level-wise serializability, one-item read serializability and pair-wise serializability) that can serve as substitutes for one-copy serializability. The paper then investigates secure concurrency control protocols that generate one-copy serializable histories and presents a multiversion timestamping protocol that has several very desirable properties: it is secure, produces multiversion histories that are equivalent to serial one-copy histories in which transactions are placed in a timestamp order, eliminates starvation and can be implemented using single-level untrusted schedulers.

15.
A semantic framework of the multilevel secure relational model   Total citations: 2, self-citations: 0, citations by others: 2
A multilevel relational database represents information in a multilevel state of the world, which is the knowledge of the truth value of a statement with respect to a level in a security lattice. The authors develop a semantic framework of the multilevel secure relational model with tuple-level labelling, which formalizes the notion of validity in multilevel relational databases. They also identify the multilevel security properties that precisely characterize the validity of multilevel relational databases, which can be maintained efficiently. Finally, they give an update semantics of the multilevel secure relational model that preserves both integrity and secrecy.

16.
The partitioned synchronization rule is a technique for proving the correctness of concurrency control algorithms. Prior work has shown the applicability of the partitioned synchronization rule to hierarchically decomposed databases whose structure is restricted to semitrees. The principal contribution of the paper is a demonstration that the partitioned synchronization rule also applies to more general structures than semitrees, specifically, to any planar extendible partial order, a partial order which when extended with a least and a greatest element still remains planar. To demonstrate utility, the paper presents two applications of the partitioned synchronization rule. The first application shows correctness of a component based timestamp generation algorithm suitable for implementing a timestamp ordering concurrency control algorithm. The second application shows correctness of a snapshot algorithm for concurrency control in a replicated multilevel secure database; we choose this application to highlight that hierarchically decomposed databases and multilevel secure databases are structurally similar. In both cases, the correctness proofs via the partitioned synchronization rule are substantially simpler than corresponding direct proofs.

17.
Modelling data secrecy and integrity   Total citations: 1, self-citations: 0, citations by others: 1
The paper describes a semantic data model used as a design environment for multilevel secure database applications. The proposed technique is built around the concept of security classification constraints (security semantics) and takes into account that security restrictions may either have effects on the static part of a system, on the behavior of the system (the system functions), or on both. As security constraints may influence each other appropriate integrity mechanisms are necessary and modelling of a multilevel application must be data as well as function driven. This functionality is included in the proposed semantic data model for multilevel security by developing secure data schemas, secure function schemas, a procedure for alternating iterative refinements on either schema, and a powerful integrity system to check the consistency of the classification constraints and of the multilevel secure database application.

18.
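卢小亮 (Lu Xiaoliang), 郁滨 (Yu Bin). 《计算机工程》 (Computer Engineering), 2010, 36(4): 134-137
To address the problems in the BLP model that the "write-up" rule undermines data integrity, that subjects are assigned excessive privileges, and that the security level of objects never changes, a multilevel security policy model incorporating user permission is proposed. The model uses a trust-degree label to protect the integrity of subjects' write operations, uses a user-permission label to solve the problem of excessive subject privileges that exists in the BLP model and with the trust-degree label, and combines a system-administrator arbitration mechanism to dynamically adjust the security level of modified objects. Theoretical analysis shows that the model can guarantee the security of the system.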

19.
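A secure database policy model based on an extended object hierarchy   Total citations: 1, self-citations: 1, citations by others: 0
程万军 (Cheng Wanjun), 张霞 (Zhang Xia), 刘积仁 (Liu Jiren). 《软件学报》 (Journal of Software), 2003, 14(5): 955-962
A security policy model is the foundation of a secure, trusted system. The Bell-LaPadula model is a security policy model widely used in multilevel secure systems, but it lacks integrity and consistency rules for the data model. Building on that model and targeting the data model of database systems, a security policy model based on an extended object hierarchy is proposed. By extending the object hierarchy, the model makes integrity an intrinsic property of the model, and it introduces or redefines object domains, extended security axioms and operation rules. The model is better suited to the requirements of multilevel secure database systems and strengthens the consistency of the policy model with system specifications and high-level models. Extending and enhancing general-purpose security models, and in particular introducing properties other than security, is a necessary step in turning a security policy model into a model of a practical system.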

20.
A security property for trusted multilevel systems, restrictiveness, is described. It restricts the inferences a user can make about sensitive information. This property is a hookup property, or composable, meaning that a collection of secure restrictive systems when hooked together form a secure restrictive composite system. It is argued that the inference control and composability of restrictiveness make it an attractive choice for a security policy on trusted systems and processes.
