1、公司分部開關(guān)電源使用的OutlineWhat is an MLS/DBMS?Summary of DevelopmentsChallengesMLS/DBMS Designs and PrototypesData Models and FunctionsDirections公司分部開關(guān)電源使用的What is an MLS/DBMS?Users are cleared at different security levelsData in the database is assigned different sensitivity levels-multilevel databaseUsers

2、 share the multilevel databaseMLS/DBMS is the software that ensures that users only obtain information at or below their levelIn general, a user reads at or below his level and writes at his level公司分部開關(guān)電源使用的Why MLS/DBMS?Operating systems control access to files; coarser grain of granularityDatabase

3、stores relationships between dataContent, Context, and Dynamic access controlTraditional operating systems access control to files is not sufficientNeed multilevel access control for DBMSs公司分部開關(guān)電源使用的Summary of DevelopmentsEarly Efforts 1975 1982; example: Hinke-Shafer approach Air Force Summer Study

4、, 1982Research Prototypes (Integrity Lock, SeaView, LDV, etc.); 1984 - PresentTrusted Database Interpretation; published 1991Commercial Products; 1988 - Present公司分部開關(guān)電源使用的Air Force Summer StudyAir Force convened a summer study to investigate MLS/DBMS designsThen study was divided into three groups f

5、ocusing on different aspectsGroup 1 investigated the Integrity Lock approach; Trusted subject approach and Distributed approachGroup 2 investigated security for military messaging systemsGroup 3 focused on longer-term issues such as inference and aggregation公司分部開關(guān)電源使用的Outcome of the Air Force Summer

6、 StudyReport published in 1983MITRE designed and developed systems based on Integrity Lock and Trust subject architectures 1984 - 1986Rome Air Development Center (RADC, now Air Force Research Lab) funded efforts to examine long-term approaches; example: SeaView and LDV both intended to be A1 systems

7、RADC also funded efforts to examine the distributed approachSeveral prototypes and products followed公司分部開關(guān)電源使用的TDITrusted Database Interpretation is the Interpretation of the Trusted Computer Systems Evaluation criteria to evaluate commercial productsClasses C1, C2, B1, B2, B3, A1 and BeyondTCB (Tru

8、sted Computing Base Subsetting) for MAC, DAC, etc. (mandatory access control, discretionary access control)Companion documents for Inference and Aggregation, Auditing, etc. 公司分部開關(guān)電源使用的Taxonomy for MLS/DBMSsIntegrity Lock Architecture: Trusted Filter; Untrusted Back-end, Untrusted Front-end. Checksum

9、 is computed by the filter based on data content and security level. Checksum recomputed when data is retrieved. Operating Systems Providing Access Control/ Single Kernel: Multilevel data is partitioned into single level files. Operating system controls access to the filedExtended Kernel: Kernel ext

10、ensions for functions such as inference and aggregation and constraint processingTrusted Subject: DBMS provides access control to its own data such as relations, tuples and attributesDistributed: Data is partitioned according to security levels; In the partitioned approach, data is not replicated an

11、d there is one DBMS per level. In the replicated approach lower level data is replicated at the higher level databases公司分部開關(guān)電源使用的Integrity Lock公司分部開關(guān)電源使用的Operating System Providing Mandatory Access Control公司分部開關(guān)電源使用的Extended Kernel公司分部開關(guān)電源使用的Trusted Subject公司分部開關(guān)電源使用的Distributed Approach - I公司分部開關(guān)電源

12、使用的Distributed Approach II公司分部開關(guān)電源使用的Overview of MLS/DBMS DesignsHinke-Schaefer (SDC Corporation) Introduced operating system providing mandatory access controlIntegrity Lock Prototypes: Two Prototypes developed at MITRE using Ingres and Mistress relational database systemsSeaView: Funded by Rome Ai

13、r Development Center (RADC) (now Air Force Rome Laboratory) and used operating system providing mandatory access control and introduced polyinstationLock Data Views (LDV) : Extended kernel approach developed by Honeywell and funded by RADC and investigated inference and aggregation公司分部開關(guān)電源使用的Overvie

14、w of MLS/DBMS Designs (Concluded)ASD, ASD-Views: Developed by TRW based on the Trusted subject approach. ASD Views provided access control on viewsSDDBMS: Effort by Unisys funded by RADC and investigated the distributed approachSINTRA: Developed by Naval Research Laboratory based on the replicated d

15、istributed approachSWORD: Designed at the Defense Research Agency in the UK and there goal was not to have polyinstantiation公司分部開關(guān)電源使用的Some MLS/DBMS Commercial Products Developed (late 1980s, early 1990s)Oracle (Trusted ORACLE7 and beyond): Hinke-Schafer and Trusted Subject based architecturesSybase

16、 (Secure SQL Server): Trusted subjectARC Professional Services Group (TRUDATA/SQLSentry): Integrity LockInformix (Informix-On-LineSecure): Trusted SubjectDigital Equipment Corporation (SERdb) (this group is now part of Oracle Corp): Trusted SubjectInfoSystems Technology Inc. (Trusted RUBIX): Trusted

17、 SubjectTeradata (DBC/1012): Secure Database MachineIngres (Ingres Intelligent Database): Trusted Subject公司分部開關(guān)電源使用的Some Challenges: Inference ProblemInference is the process of forming conclusions from premisesIf the conclusions are unauthorized, it becomes a problemInference problem in a multileve

18、l environmentAggregation problem is a special case of the inference problem - collections of data elements is Secret but the individual elements are UnclassifiedAssociation problem: attributes A and B taken together is Secret - individually they are Unclassified公司分部開關(guān)電源使用的Some Challenges: Polyinstan

19、tiationMechanism to avoid certain signaling channelsAlso supports cover storiesExample: John and James have different salaries at different levels公司分部開關(guān)電源使用的Some Challenges: Covert ChannelDatabase transactions manipulate data locks and covertly pass informationTwo transactions T1 and T2; T1 operates at Secret level and T2 operates at Unclassified levelRelation R is classified at Unclassified levelT1 obtains read lock on R and T2 obtains write lock on R T1 and T2 can manipulate when they request locks and signal one bit information for e