Mandatory access controls

MANDATORY ACCESS CONTROLS Faculty of Computer Science & Engineering HCMC University of Technology Information Systems of Technology 1
Introduction to Mandatory Access Control
MAC in Oracle: Oracle Label Security OUTLINE 2
Security Classes
MAC properties
Multilevel relation
Pros and cons of MAC INTRODUCTION TOMAC 3 INTRODUCTION TOMAC
Mandatory Access Control (MAC):
MAC applies to large amounts of information requiring strong protect in environments where both the system data and users can be classified clearly.
MAC is a mechanism for enforcing multiple level of security.
Propose Model: Bell-LaPadula 4 SECURITY CLASSES
Classifies subjects and objects based on security classes.
Security class:
Classification level
Category
A subject classification reflects the degree of trust and the application area.
A object classification reflects the sensitivity of the information. 5 CLASSIFICATION LEVEL
Typical classification level are:
Top secret (TS)
Secret (S)
Confidential (C)
Unclassified (U) Where TS is the highest level and U is the lowest: TS ≥ S ≥ C ≥ U 6 CATEGORY
Categories tend to reflect the system areas or departments of the organization.
Example: there are 3 departments of the organization: Sales, Production, Delivery 7 SECURITY CLASSES
A security class is defined as follow: SC = (A, C) A: classification level C: category
A relation of partial order on the security classes: SC ≤ SC’ is verified, only if: A ≤ A’ and C’ ⊇ C
Examples: (2, Sales) ≤ (3, (Sales, Production)) (2, (Sales, Production)) ≤ (3, Sales) 8
Security Classes
MAC properties
Multilevel relation
Pros and cons of MAC INTRODUCTION TOMAC 9 MAC PROPERTIES
Simple security property: A subject S is not allowed read access to an object O unless class(S) ≥ class(O).  No read-up
Star property (or * property): A subject S is not allowed to write an object O unless class(S) ≤ class(O)  No write-down These restrictions together ensure that there is no direct flow of information from high to low subjects!!! 10 WHY STAR PROPERTY? 11 WHY STAR PROPERTY? 12 WHY STAR PROPERTY? 13
Security Classes
MAC properties
Multilevel relation
Pros and cons of MAC INTRODUCTION TOMAC 14 MULTILEVEL RELATION
Multilevel relation: MAC + relational database model
Data objects: attributes and tuples
Each attribute A is associated with a classification attribute C A tuple classification attribute TC is to
provide a classification for each tuple as a whole, the highest of all attribute classification values. R(A1,C1,A2,C2, , An,Cn,TC)
The apparent key of a multilevel relation is the set of attributes that would have formed the primary key in a regular (single-level) relation. 15 Multilevel relation 16 A multilevel relation will appear to contain different data to subjects (users) with different security levels SELECT * FROM EMPLOYEE Multilevel relation A user with security level S 17 SELECT * FROM EMPLOYEE Multilevel relation A user with security level C 18 SELECT * FROM EMPLOYEE Multilevel relation A user with security level U 19 SELECT * FROM EMPLOYEE Multilevel relation A user with security level U 20 Read and write operations: satisfy the No Read-Up and No Write-Down principles. Properties of Multilevel relation 21 Entity integrity: all attributes that are members of the apparent key must not be null and must have the same security classification within each individual tuple.
In addition, all other attribute values in the tuple must have a security classification greater than or equal to that of the apparent key. Properties of Multilevel relation  This constraint ensures that a user can see the key if the user is permitted to see any part of the tuple at all. 22 PROPERTIES OFMULTILEVEL RELATION Polyinstantiation: where several tuples can have the same apparent key value but have different attribute values for users at different classification levels. 23 POLYINSTANTIATION EXAMPLE (security level C) A user with security level C tries to update the value of JobPerformance of Smith to ‘Excellent’: UPDATE EMPLOYEE SET JobPerformance = ‘Excellent’ WHERE Name = ‘Smith’; 24 POLYINSTANTIATION EXAMPLE 25
Security Classes
MAC properties
Multilevel relation
Pros and cons of MAC INTRODUCTION TOMAC 26 PROS AND CONS OFMAC
Pros:
Provide a high degree of protection – in a way of preventing any illegal flow of information.
Suitable for military types of applications.
Cons:
Not easy to apply: require a strict classification of subjects and objects into security levels.
Applicable for very few environments. 27
Introduction to Mandatory Access Control
MAC in Oracle: Oracle Label Security OUTLINE 28
Introduction to Mandatory Access Control
MAC in Oracle: Oracle Label Security (Lab) OUTLINE 29