Mandatory access controls

Mandatory access controls Introduction to Mandatory Access Control (Security Classes, MAC properties, Multilevel relation, Pros and cons of MAC); MAC in Oracle - Oracle Label Security, security classes, classification level.

M ANDATORY A CCESS C ONTROLS

Faculty of Computer Science &

Engineering HCMC University of Technology Information Systems of Technology

1

Introduction to Mandatory Access Control

MAC in Oracle: Oracle Label Security

OUTLINE

2

INTRODUCTION TO MAC

Mandatory Access Control (MAC):

MAC applies to large amounts of information requiring strong protect in environments where both the system

data and users can be classified clearly.

MAC is a mechanism for enforcing multiple level of

security.

Propose Model: Bell-LaPadula

4

A subject classification reflects the degree of trust

and the application area

A object classification reflects the sensitivity of

the information

5

Categories tend to reflect the system areas or

departments of the organization

Example: there are 3 departments of the

organization: Sales, Production, Delivery

7

SECURITY CLASSES

A security class is defined as follow:

SC = (A, C)

A: classification levelC: category

A relation of partial order on the security classes:

A relation of partial order on the security classes:

SC ≤ SC’ is verified, only if:

A ≤ A’ and C’ ⊇ C

Examples:

(2, Sales) ≤ (3, (Sales, Production))

(2, (Sales, Production)) ≤ (3, Sales)

8

MAC PROPERTIES

Simple security property: A subject S is not

allowed read access to an object O unless

class(S) ≥ class(O).



 No read-up

Star property (or * property): A subject S is

Star property (or * property): A subject S is

not allowed to write an object O unless

class(S) ≤ class(O)



 No write-down

These restrictions together ensure that there is

no direct flow of information from high to low

WHY STAR PROPERTY?

11

WHY STAR PROPERTY?

12

WHY STAR PROPERTY?

13

MULTILEVEL RELATION

Multilevel relation: MAC + relational

database model

Data objects: attributes and tuples

Each attribute A is associated with a

classification attribute C

A tuple classification attribute TC is to

A tuple classification attribute TC is to

provide a classification for each tuple as a

whole, the highest of all attribute

classification values.

R(A 1 ,C 1 ,A 2 ,C 2 , …, A n ,C n ,TC)

The apparent key of a multilevel relation is

the set of attributes that would have formed

the primary key in a regular (single-level)

relation.

15

SELECT * FROM EMPLOYEE

Multilevel relation

 A user with security level S

17

SELECT * FROM EMPLOYEE

Multilevel relation

 A user with security level C

18

SELECT * FROM EMPLOYEE

Multilevel relation

 A user with security level U

19

SELECT * FROM EMPLOYEE

Multilevel relation

 A user with security level U

20

Read and write operations: satisfy the No

Read-Up and No Write-Down principles.

Properties of Multilevel relation

21

Entity integrity: all attributes that are members

of the apparent key must not be null and must have the same security classification within

each individual tuple.

In addition, all other attribute values in the

tuple must have a security classification greater than or equal to that of the apparent key.

Properties of Multilevel relation

than or equal to that of the apparent key.

 This constraint ensures that a user can see the

key if the user is permitted to see any part of

the tuple at all.

22

PROPERTIES OF MULTILEVEL RELATION

Polyinstantiation: where several tuples

can have the same apparent key value but

have different attribute values for users at

different classification levels.

23

POLYINSTANTIATION EXAMPLE

(security level C)

 A user with security level C tries to update

the value of JobPerformance of Smith to

‘Excellent’:

UPDATE EMPLOYEE

SET JobPerformance = ‘Excellent’

WHERE Name = ‘Smith’;

24

POLYINSTANTIATION EXAMPLE

25

PROS AND CONS OF MAC

Pros:

Provide a high degree of protection – in a way of

preventing any illegal flow of information.

Suitable for military types of applications.

Cons:

Cons:

Not easy to apply: require a strict classification of

subjects and objects into security levels.

Applicable for very few environments.

27

Introduction to Mandatory Access Control

MAC in Oracle: Oracle Label Security

OUTLINE

28

Introduction to Mandatory Access Control

MAC in Oracle: Oracle Label Security (Lab)

OUTLINE

29