Databases Reference
In-Depth Information
administrator roles. The current release of the server supports a trusted-path
capability, but it is our understanding that Sybase is planning to do away
with this capability in future releases of the system to allow for compatibility
with the nonsecure versions of Sybase.
Secure Sybase supports polyinstantiation for insertion, updating, and
deletion. Polyinstantiation can be turned off for deletions and updates, but it
cannot be turned off for insertions. Secure Sybase allows for downgrading of
the entire content of a relation. Subjects create empty relations at the desired
lower level, and then the contents of the original relation are copied into the
new relation. Downgrading selected tuples is more difficult. The selected
tuples are copied into a new relation at the lower security level. The selected
tuples in the original relation are then deleted. The selected tuples in the new
relation are then copied into the old relation. Finally, the new relation (now
empty) is deleted. Sybase intends to provide a less awkward means of reclassi-
fying data in future releases. The new approach will entail copying tuples
from one level to another and then deleting the original tuple, but unlike
the current approach, only the tuples that are being reclassified need to be
copied.
11.4.4.3 Trusted Oracle
Oracles MLS/DBMS effort is unique in that Oracle had pursued both a
Hinke-Schaefer approach and a trusted-subject approach. The Hinke-
Schaefer approach draws heavily from the SeaView model. The early releases
of trusted Oracle were targeted to run on the SE/VMS and the HP/UX oper-
ating systems. Also, Oracle has tried to maintain its trusted product to keep
up with the nontrusted releases of Oracle.
The system enforces tuple-level MAC granularity. In the Hinke-
Schaefer version, that is done by storing the tuples in the underlying trusted
operating system storage object. Under both approaches, the number of
security levels is the same as that enforced by the underlying operating
system. Trusted Oracle provides polyinstantiation on insertions. The poly-
instantiation is on a relation basis and can be turned on and off as desired.
The system enforces a write-equal policy for updates and deletes. Subjects
who have the appropriate privilege may change the sensitivity labels associ-
ated with tuples (label changes occur in place, as opposed to inserting new
tuples at a different level and deleting the old tuple).
We discussed discretionary security for Oracle in Section 11.3.5.1.
Here, we briefly discuss how DAC was handled in the early release of the
trusted version. Trusted Oracle provides its own DAC mechanism (i.e., a
