Development and Implementation of Mandatory Access Control Policy for RDBMS MySQL
Denis Kolegov, Nikolay Tkachenko, Dmitry Chernov
National Research Tomsk State University, Department of Information Security and Cryptography
( ) 1 / 18
Problem
Development and implementation of mandatory access control for RDBMSs that were originally based on discretionary access control is one of the pressing problems of computer security
The MLS policy restricts access to entities based on the sensitivity of the information contained in those entities and the "clearance" of users to access such information
MLS controls the flow of information across the entire system, guaranteeing that users with lower clearance know nothing about the existence or contents of data with higher sensitivity
Disadvantages of existing approaches
Absence of formal (mathematical) models for access control security policies
Correctness of mandatory access control is not proved
Security requirements for information flows are not considered
Mandatory access control mechanisms are not implemented as a reference monitor in the database kernel
Purpose of the work
Enforcement of the MLS policy in DBMS MySQL based on formal models
The following problems were solved to reach this purpose:
Research and modelling of the discretionary access control mechanisms in MySQL
Development of a MySQL security policy including the initial DAC policy and the new MLS policy
Implementation of the MLS mechanism based on the created formal security model
Security testing of the access control mechanism
Research of access control in MySQL
Access control research was based on documentation analysis, source code analysis and tests
The main storage and timing covert channels were identified and assessed
Information flows that arise from SQL statement execution and violate the MLS policy were identified
Research of access control in MySQL
The following types of SQL statements can lead to unauthorized access and to information flows that violate the MLS policy:
«INSERT INTO ... VALUES((SELECT ...), ...)»;
«INSERT ... SELECT»;
«UPDATE ... SET ... = (SELECT ...)».
Example of an information flow violating the MLS policy
user> insert tab2 values((select col1 from tab1 limit 1));
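The check that a label-based reference monitor has to make on the statement above, as an added example (not the authors' MySQL implementation): every table the statement reads must be dominated by the session's clearance (the ss-property), and no table it reads may be classified higher than the table it writes to (the *-property). The statement forms, the "analyst"/"clerk" accounts, the tab1/tab2/tab3 labels and the three-level lattice are constructed for the example; the DAC check is assumed to have already passed, which is exactly the situation the slide describes. The keyword scan is deliberately minimal and covers the three statement forms listed on the previous slide plus a plain SELECT; it is not a SQL parser.

```python
"""Added example: MLS flow check for the MySQL statement forms listed on the slides."""
import re

# Constructed linear lattice L; labels compare by their numeric level.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}

# Constructed classification fe of tables and clearance fs of users.
TABLE_LABELS = {"tab1": "secret", "tab2": "unclassified", "tab3": "secret"}
CLEARANCE = {"analyst": "secret", "clerk": "unclassified"}

# Target table of an INSERT [INTO] or UPDATE; every table after FROM/JOIN is read.
TARGET_RE = re.compile(r"^\s*(insert\s+(?:into\s+)?|update\s+)(\w+)", re.I)
SOURCE_RE = re.compile(r"\b(?:from|join)\s+(\w+)", re.I)


def classify(stmt):
    """List of (table, access) the statement needs; access is read_a, write_a or append_a.
    INSERT is an append access, UPDATE a write access, any (sub)SELECT a read access."""
    accesses = [(t, "read_a") for t in SOURCE_RE.findall(stmt)]
    m = TARGET_RE.match(stmt)
    if m:
        kind = m.group(1).split()[0].lower()
        accesses.append((m.group(2), "append_a" if kind == "insert" else "write_a"))
    return accesses


def decide(user, stmt):
    """Return (allowed, reasons). Allowed only if every access satisfies the ss-property
    and every (read, write/append) pair satisfies the *-property."""
    fs = LEVELS[CLEARANCE[user]]
    accesses = classify(stmt)
    reasons = []
    # ss-property: read and write need fs >= fe; append is exempt (blind write-up).
    for table, access in accesses:
        fe = LEVELS[TABLE_LABELS[table]]
        if access != "append_a" and fs < fe:
            reasons.append(f"ss-property: {user} ({CLEARANCE[user]}) may not "
                           f"{access} {table} ({TABLE_LABELS[table]})")
    # *-property: no flow from a higher-classified source into a lower-classified target.
    reads = [t for t, a in accesses if a == "read_a"]
    writes = [t for t, a in accesses if a != "read_a"]
    for src in reads:
        for dst in writes:
            if LEVELS[TABLE_LABELS[src]] > LEVELS[TABLE_LABELS[dst]]:
                reasons.append(f"*-property: flow {src} ({TABLE_LABELS[src]}) -> "
                               f"{dst} ({TABLE_LABELS[dst]}) is a write-down")
    return (not reasons, reasons)


if __name__ == "__main__":
    for user, stmt in [
        ("analyst", "insert tab2 values((select col1 from tab1 limit 1))"),  # the slide's example
        ("analyst", "INSERT INTO tab3 SELECT * FROM tab1"),
        ("clerk", "UPDATE tab2 SET col1 = (SELECT col1 FROM tab1 LIMIT 1)"),
        ("clerk", "SELECT col1 FROM tab2"),
    ]:
        allowed, reasons = decide(user, stmt)
        print("ALLOW" if allowed else "DENY ", user, "|", stmt)
        for r in reasons:
            print("      ", r)
```

The slide's statement is refused for the "analyst" even though that user is cleared to read tab1: the read itself is fine, but the append into the unclassified tab2 carries secret data downward, which is the *-property violation that DAC alone never sees. The same statement with a secret target (tab3) passes.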
Policy restrictions
All information flows are considered within DBMS MySQL
Information flows generated by the SELECT, INSERT, UPDATE and DELETE statements are considered
Timing covert channels are out of scope
The DP-models theory
DP-models were developed by Peter Devyanin in the monograph «Access control and information flow security analysis of Computer Systems»
DP-models are based on elements of the Take-Grant model, the Bell-LaPadula model and the Military Security Policy model
DP-models are proposed for mathematical proof of access control security
Elements of developed MySQL DP-model
Object entities $O$: columns $COL$, procedures $O_p$, triggers $O_t$, views $O_v$ and variables $O_v$
Container entities $C$: tables $TAB$, databases $DB$ and the root container $C_0$
Session subjects $S$, users' accounts $U$
Function of entity hierarchy $H : C \cup O_p \cup O_t \cup S \to 2^{O \cup C}$
Function of security classification of object entities $f_e : (O \setminus O_v) \cup C \to L$
Function of security clearance of users' accounts $f_s : U \to L$
Function determining the user by a session subject $user : S \to U$
Elements of developed MySQL DP-model
Set of access rights $R_r = \{read_r, write_r, append_r, delete_r, alter_r, execute_r, create_r, drop_r, create\_routine_r, create\_user_r, trigger_r, create\_view_r\}$
Set of accesses $R_a = \{read_a, write_a, append_a\}$
Set of information flows $R_f = \{write_m\}$
Set of access rights that can be granted $Grant \subseteq U \times (C \cup O) \times R_r$
State of the model $G = (U, S, E, R, A, H, (f_s, f_e), user, Grant, execute\_as, triggers, owner, operations, var)$
$\Sigma(G^*, OP)$ is the computer system
Examples of transformation rules
Rule: $create\_session(u, s)$
Initial state: $u \in U$, $s \notin S$
Final state: $S' = S \cup \{s\}$, $f_s'(s) = f_s(u)$, $user'(s) = u$

Rule: $create\_user(s, u, l)$
Initial state: $s \in S$, $user(s) \in L_u$, $u \notin U$, $l \leq f_s(user(s))$, $(user(s), c_0, create\_user_r) \in R$
Final state: $U' = U \cup \{u\}$, $f_s'(u) = l$

Rule: $grant\_right(s, u, e, \alpha, grant\_option)$
Initial state: $s \in S$, $u \in U$, $e \in C \cup O$, $\alpha \in R_r$, $grant\_option \in \{true, false\}$, $\exists c' \geq e : (s, c', \alpha) \in R_r$, $\exists c \geq e : (user(s), c, \alpha) \in Grant$
Final state: $R' = R \cup \{(u, e, \alpha)\}$; if $grant\_option = true$ then $Grant' = Grant \cup \{(u, e, \alpha)\}$

Rule: $access\_read(s, e)$
Initial state: $s \in S$, $e \in DB \cup TAB \cup COL$, $\exists c \in C \cup O$ such that $e < c$ or $e = c$, $f_s(user(s)) \geq f_e(c)$ and $HLS(e, c) = true$, $\nexists e_1 \in O \cup C : f_e(e_1) < f_e(e)$ and $(s, e_1, \alpha) \in A$, where $\alpha \in \{write_a, append_a\}$
Final state: $A' = A \cup \{(s, e, read_a)\}$, $F' = F \cup \{(e, s, write_m)\}$
Theorem
Definition 1. In the state $G$ of the system $\Sigma(G^*, OP)$ an access $(s, e, \alpha) \in A$ satisfies the ss-property if $\alpha = append_a$ or $f_s(user(s)) \geq f_e(e)$.
Definition 2. In the state $G$ of the system $\Sigma(G^*, OP)$ accesses $(s, e_1, read_a), (s, e_2, \alpha) \in A$, where $\alpha \in \{write_a, append_a\}$, satisfy the *-property if $f_e(e_1) \leq f_e(e_2)$.
Theorem. Let $G_0$ be the initial state of the system $\Sigma(G^*, OP, G_0)$, secure in terms of Bell-LaPadula, with $A_0 = F_0 = \emptyset$. Then the system $\Sigma(G^*, OP, G_0)$ is secure in terms of Bell-LaPadula.
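The four transformation rules from the previous slide and the two definitions above, carried through as an executable model, added here as an example rather than taken from the authors' work. Each rule refuses to fire when its precondition fails and otherwise rewrites the state exactly as the rule's final-state column says; after every step the ss-property and *-property of Definitions 1 and 2 are re-checked over $A$, which is the shape of argument the theorem rests on. Assumptions: labels are integers in a constructed lattice $0 < 1 < 2$; the $access\_read$ precondition compares the clearance with $f_e(e)$ directly (the container lookup with $HLS$ and the $user(s) \in L_u$ condition are not modelled); and $access\_append$ is an assumed companion rule, not one shown on the slides, added only so that $A$ can contain a write-type access. The initial state (root, db1, tab1, tab2, alice) is constructed.

```python
"""Added example: executable rendering of the slides' DP-model transformation rules."""
from dataclasses import dataclass, field

READ_A, WRITE_A, APPEND_A, WRITE_M = "read_a", "write_a", "append_a", "write_m"
C0 = "c0"  # root container


@dataclass
class State:  # the components of G that the four rules touch
    U: set = field(default_factory=set)         # user accounts
    S: set = field(default_factory=set)         # session subjects
    fe: dict = field(default_factory=dict)      # entity -> classification (int, constructed lattice)
    parent: dict = field(default_factory=dict)  # hierarchy H as entity -> containing entity
    fs: dict = field(default_factory=dict)      # user or session -> clearance
    user: dict = field(default_factory=dict)    # session -> user account
    R: set = field(default_factory=set)         # rights (u, e, alpha)
    Grant: set = field(default_factory=set)     # rights that may be granted further
    A: set = field(default_factory=set)         # accesses (s, e, alpha)
    F: set = field(default_factory=set)         # information flows (x, y, write_m)

    def containers_of(self, e):
        """Entities c >= e: e itself and its containers up to c0."""
        chain = [e]
        while chain[-1] in self.parent:
            chain.append(self.parent[chain[-1]])
        return chain


def create_session(st, u, s):
    if u not in st.U or s in st.S:
        return False
    st.S.add(s)
    st.fs[s], st.user[s] = st.fs[u], u
    return True


def create_user(st, s, u, l):
    if s not in st.S or u in st.U or l > st.fs[st.user[s]]:
        return False
    if (st.user[s], C0, "create_user_r") not in st.R:
        return False
    st.U.add(u)
    st.fs[u] = l
    return True


def grant_right(st, s, u, e, alpha, grant_option):
    if s not in st.S or u not in st.U or e not in st.fe:
        return False
    holder = st.user[s]
    if not any((holder, c, alpha) in st.R for c in st.containers_of(e)):
        return False
    if not any((holder, c, alpha) in st.Grant for c in st.containers_of(e)):
        return False
    st.R.add((u, e, alpha))
    if grant_option:
        st.Grant.add((u, e, alpha))
    return True


def access_read(st, s, e):
    # Simplified precondition: clearance compared with fe(e) itself (no HLS container lookup).
    if s not in st.S or e not in st.fe or st.fs[st.user[s]] < st.fe[e]:
        return False
    # No open write/append by s to a lower-classified e1, or this read would complete a write-down.
    if any(s1 == s and a != READ_A and st.fe[e1] < st.fe[e] for s1, e1, a in st.A):
        return False
    st.A.add((s, e, READ_A))
    st.F.add((e, s, WRITE_M))
    return True


def access_append(st, s, e):
    """Assumed companion rule (not on the slides): mirror image of access_read's flow check."""
    if s not in st.S or e not in st.fe:
        return False
    if any(s1 == s and a == READ_A and st.fe[e1] > st.fe[e] for s1, e1, a in st.A):
        return False
    st.A.add((s, e, APPEND_A))
    st.F.add((s, e, WRITE_M))
    return True


def ss_property_holds(st):  # Definition 1, over every access in A
    return all(a == APPEND_A or st.fs[st.user[s]] >= st.fe[e] for s, e, a in st.A)


def star_property_holds(st):  # Definition 2, over every (read, write/append) pair of one session
    reads = [(s, e) for s, e, a in st.A if a == READ_A]
    writes = [(s, e) for s, e, a in st.A if a != READ_A]
    return all(st.fe[e1] <= st.fe[e2] for s1, e1 in reads for s2, e2 in writes if s1 == s2)


def run_scenario():
    """Constructed G0 with A0 = F0 = empty; returns the final state and a (step, applied) trace."""
    st = State()
    st.U.add("root"); st.fs["root"] = 2
    for e, parent, label in [(C0, None, 0), ("db1", C0, 0), ("tab1", "db1", 2), ("tab2", "db1", 0)]:
        st.fe[e] = label
        if parent:
            st.parent[e] = parent
    st.R |= {("root", C0, "create_user_r"), ("root", C0, "read_r")}
    st.Grant.add(("root", C0, "read_r"))
    steps = [
        ("create_session(root, s0)", lambda: create_session(st, "root", "s0")),
        ("create_user(s0, alice, 1)", lambda: create_user(st, "s0", "alice", 1)),
        ("create_user(s0, bob, 3)", lambda: create_user(st, "s0", "bob", 3)),        # 3 > fs(root)
        ("grant_right(s0, alice, tab1, read_r, false)",
         lambda: grant_right(st, "s0", "alice", "tab1", "read_r", False)),
        ("create_session(alice, s1)", lambda: create_session(st, "alice", "s1")),
        ("access_read(s1, tab1)", lambda: access_read(st, "s1", "tab1")),           # fs(alice) < fe(tab1)
        ("access_read(s0, tab1)", lambda: access_read(st, "s0", "tab1")),
        ("access_append(s0, tab2)", lambda: access_append(st, "s0", "tab2")),       # write-down of tab1
    ]
    trace = []
    for name, step in steps:
        trace.append((name, step()))
        assert ss_property_holds(st) and star_property_holds(st), name
    return st, trace


if __name__ == "__main__":
    for name, applied in run_scenario()[1]:
        print(f"{name:48s} {'applied' if applied else 'refused'}")
```

Two things are worth noticing in the trace. The DAC rule $grant\_right$ hands alice a read right on tab1 without looking at labels, and it is the mandatory precondition of $access\_read$ that later refuses her session; and root, who is cleared for tab1, is still refused the append into tab2 while that read is open, because granting it would put a pair into $A$ that fails Definition 2.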
Security labels storing
Security labels processing
Mandatory access control scheme
Results
1) The implementation methods of information flows violating the MLS policy in DBMS MySQL were identified
2) The mathematical DP-model of the mandatory access control policy of DBMS MySQL was developed
3) The adaptation of the developed model to the access control mechanisms of DBMS MySQL was performed
4) The mandatory access control mechanism of DBMS MySQL was implemented as a reference monitor at the database kernel level
Thank you for your attention!!!
Denis Kolegov, [email protected]
Nikolay Tkachenko, [email protected]
Dmitry Chernov, [email protected]