Classes and Clearances
The mandatory access control model is based on the following components:
Objects: Database objects such as tables, views, rows, and columns
Subjects: Users, programs, and modules that need access privileges
Classes: Security classes for objects
Clearances: Security clearances for subjects
Each database object is assigned a security class. Typical classes are (TS) top secret, (S) secret, (C) confidential, and (U) unclassified. The data sensitivity sequence is as follows: TS > S > C > U. Each subject is assigned clearance for a specific security class. We may represent these by the following notation:
Class (O): Security class for an object O
Class (S): Security clearance for a subject S
How Mandatory Control Works
The model enforces two basic restrictions on all reads and writes:
1. Simple Security Property
Subject S is not permitted to have read access to an object O unless Class (S) ≥ Class (O).
2. *-Property (Star Property)
Subject S is not permitted to have write access to an object O unless Class (S) ≤ Class (O).
Look at the first property, which is fairly intuitive. This property allows a
subject to read an object only if the subject's clearance level is higher than or equal
to that of the object. Try to understand what the second property is meant to
prevent. The second property prohibits a subject from writing to an object in a security class lower than the clearance level of the subject. Otherwise, information may
flow from a higher class to a lower class. Consider a user with S clearance. Without
the enforcement of the star property, this user can copy an object in S class and
rewrite it as a new object with U classification so that everyone will be able to see
the object.
Get back to the case of Shady trying to access data from the EMPLOYEE table
by tricking Miller. The mandatory access control method would spoil Shady's plan
as follows:
1. Classify the EMPLOYEE table as S.
2. Give Miller clearance for S.
3. Give Shady the lower clearance C.
Shady can therefore create objects of C or lower classification, so MYTABLE will be in class C or lower. Miller's program will not be allowed to copy into MYTABLE because Class (MYTABLE) < Class (Miller), a violation of the star property.
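The two properties and the Shady/Miller case above, as an added example (not code from the original text): a hypothetical reference monitor that checks the Simple Security Property on reads and the *-Property on writes, using the labels the text assigns (EMPLOYEE is S, Miller has S, Shady has C, MYTABLE is C). The names ReferenceMonitor and shady_scenario are assumptions for illustration.

```python
from enum import IntEnum


class Level(IntEnum):
    """Security classes in sensitivity order: TS > S > C > U."""
    U = 0   # unclassified
    C = 1   # confidential
    S = 2   # secret
    TS = 3  # top secret


def simple_security_ok(subject_clearance: Level, object_class: Level) -> bool:
    """Simple Security Property: read allowed only if Class(S) >= Class(O)."""
    return subject_clearance >= object_class


def star_property_ok(subject_clearance: Level, object_class: Level) -> bool:
    """*-Property: write allowed only if Class(S) <= Class(O) (no write down)."""
    return subject_clearance <= object_class


class ReferenceMonitor:
    """Hypothetical mediator holding clearances and classifications."""

    def __init__(self):
        self.clearance = {}       # subject -> Level
        self.classification = {}  # object  -> Level

    def read(self, subject, obj) -> bool:
        return simple_security_ok(self.clearance[subject], self.classification[obj])

    def write(self, subject, obj) -> bool:
        return star_property_ok(self.clearance[subject], self.classification[obj])

    def copy(self, subject, src, dst) -> bool:
        """A copy is a read of src followed by a write to dst; both must pass."""
        return self.read(subject, src) and self.write(subject, dst)


def shady_scenario() -> dict:
    """Labels from the text (constructed sample): EMPLOYEE=S, Miller=S, Shady=C, MYTABLE=C."""
    rm = ReferenceMonitor()
    rm.classification.update({"EMPLOYEE": Level.S, "MYTABLE": Level.C})
    rm.clearance.update({"Miller": Level.S, "Shady": Level.C})
    return {
        "shady_reads_employee": rm.read("Shady", "EMPLOYEE"),       # False: C < S
        "miller_reads_employee": rm.read("Miller", "EMPLOYEE"),     # True: S >= S
        "miller_writes_mytable": rm.write("Miller", "MYTABLE"),     # False: star property
        "miller_copies": rm.copy("Miller", "EMPLOYEE", "MYTABLE"),  # False: write blocked
        "shady_reads_mytable": rm.read("Shady", "MYTABLE"),         # True, but nothing was copied
    }
```

Miller's read of EMPLOYEE is allowed, so the trick is stopped only by the write check; dropping the star property would let the copy into MYTABLE succeed and make the S data readable at C.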