1 Polyinstantiation. 2 Definition and need for polyinstantiation Sea View model Jajodia – Sandhu model.

Slides:



Advertisements
Similar presentations
Rasool Jalili; 2 nd semester ; Database Security, Sharif Uni. of Tech. The Jajodia & Sandhu model Jajodia & Sandhu (1991), a model for the application.
Advertisements

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
1 Constraints, Triggers and Active Databases Chapter 9.
Relational Database Design UNIT II 1. 2 Advantages of Using Database Systems Centralized control of a firm’s data Redundancy can be reduced (avoid keeping.
Multilevel Security (MLS) Database Security and Auditing.
Jan. 2014Dr. Yangjun Chen ACS Database security and authorization (Ch. 22, 3 rd ed. – Ch. 23, 4 th ed. – Ch. 24, 6 th )
Security models The objective is to obtain a conceptual model of the desired security system. There are many security models, covering one or more of the.
Normalisation The theory of Relational Database Design.
Computer Science CSC 405 Introduction to Computer Security Topic 6.2 Multi-Level Databases.
Relational Databases Chapter 4.
Database Management System
Database Security - Farkas 1 Database Security and Privacy.
Access Control Intro, DAC and MAC System Security.
Monash University Week 7 Data Modelling Relational Database Theory IMS1907 Database Systems.
Security Fall 2009McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
Security Fall 2006McFadyen ACS How do we protect the database from unauthorized access? Who can see employee salaries, student grades, … ? Who can.
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
Sicurezza Informatica Prof. Stefano Bistarelli
User Domain Policies.
View n A single table derived from other tables which can be a base table or previously defined views n Virtual table: doesn’t exist physically n Limitation.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.
Chapter 4 Relational Databases Copyright © 2012 Pearson Education 4-1.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.
N. J. Taylor Database Management Systems (DBMS) 1.
Survey Presentation in Multilevel Secure Database : Security and Privacy on the Internet Instructor: Dr. A. K. Aggarwal Presented By: Vic Ho & Kashif.
Secure Data Architectures
Chapter 5 Normalization of Database Tables
CSC271 Database Systems Lecture # 6. Summary: Previous Lecture  Relational model terminology  Mathematical relations  Database relations  Properties.
Database Management System Lecture 6 The Relational Database Model – Keys, Integrity Rules.
1 Confidentiality Policies September 21, 2006 Lecture 4 IS 2150 / TEL 2810 Introduction to Security.
1 IS 2150 / TEL 2810 Information Security & Privacy James Joshi Associate Professor, SIS Lecture 6 Oct 2-9, 2013 Security Policies Confidentiality Policies.
3/16/2004Biba Model1 Biba Integrity Model Presented by: Nathan Balon Ishraq Thabet.
Database Security John Ortiz. Lecture 23Database Security2 Secure Passwords  Two main requirements for choosing a secure password:  1) MUST be easy.
Switch off your Mobiles Phones or Change Profile to Silent Mode.
Concepts and Terminology Introduction to Database.
Polyinstantiation Problem
CODD’s 12 RULES OF RELATIONAL DATABASE
Normalization (Codd, 1972) Practical Information For Real World Database Design.
Concepts of Relational Databases. Fundamental Concepts Relational data model – A data model representing data in the form of tables Relations – A 2-dimensional.
DAVID M. KROENKE’S DATABASE PROCESSING, 10th Edition © 2006 Pearson Prentice Hall, Modified by Dr. Mathis 3-1 David M. Kroenke’s Chapter Three: The Relational.
Lecture2: Database Environment Prepared by L. Nouf Almujally & Aisha AlArfaj 1 Ref. Chapter2 College of Computer and Information Sciences - Information.
Next-generation databases Active databases: when a particular event occurs and given conditions are satisfied then some actions are executed. An active.
Relational Database. Database Management System (DBMS)
System Design System Design - Mr. Ahmad Al-Ghoul System Analysis and Design.
Triggers. Why Triggers ? Suppose a warehouse wishes to maintain a minimum inventory of each item. Number of items kept in items table Items(name, number,...)
Exploring Microsoft Access Chapter 6 Many-to-Many Relationships: A More Complex System.
1 Functional Dependencies and Normalization Chapter 15.
Programming Logic and Design Fourth Edition, Comprehensive Chapter 16 Using Relational Databases.
UT DALLAS Erik Jonsson School of Engineering & Computer Science FEARLESS engineering Integrity Policies Murat Kantarcioglu.
Normalization. 2 u Main objective in developing a logical data model for relational database systems is to create an accurate representation of the data,
UT DALLAS Erik Jonsson School of Engineering & Computer Science FEARLESS engineering Database Security Overview Murat Kantarcioglu.
Academic Year 2014 Spring Academic Year 2014 Spring.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 5 September 29, 2009 Security Policies Confidentiality Policies.
Chapter 10 Designing Databases. Objectives:  Define key database design terms.  Explain the role of database design in the IS development process. 
Archictecture for MultiLevel Database Systems Jeevandeep Samanta.
Database Management Systems, 2 nd Edition, R. Ramakrishnan and J. Gehrke1 Security Lecture 17.
1 CS 430 Database Theory Winter 2005 Lecture 7: Designing a Database Logical Level.
RELATIONAL TABLE NORMALIZATION. Key Concepts Guidelines for Primary Keys Deletion anomaly Update anomaly Insertion anomaly Functional dependency Transitive.
Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson model.
Database Security. Introduction to Database Security Issues (1) Threats to databases Loss of integrity Loss of availability Loss of confidentiality To.
Database Security Database System Implementation CSE 507 Some slides adapted from Navathe et. Al.
IST 210 Security. IST 210 Introduction to DB Security Secrecy: Users should not be able to see things they are not supposed to. E.g., A student can’t.
Database System Implementation CSE 507
Information Security Analytics
The Jajodia & Sandhu model
Chapter 6: Integrity Policies
The Jajodia & Sandhu model
IS 2150 / TEL 2810 Information Security & Privacy
Presentation transcript:

1 Polyinstantiation

2 Definition and need for polyinstantiation Sea View model Jajodia – Sandhu model

3 Definition and need for polyinstantiation Polyinstantiation is a database technique that allows the database to contain multiple instances of the same data but with different classifications Polyinstantiation occurs because of mandatory policy In relational DBMS it is possible to have different tuples with the same key but with different classifications

4 Definition and need for polyinstantiation Polyinstantiation can affect relations, tuples and data elements Polyinstantiation arises because subjects with different classes are allowed to operate on the same relations Polyinstantiated relations are relations with different access classes Polyinstantiated tuples (also called entity polyinstantiation) are tuples with the same primary key but with different access classes associated to the primary keys

5 Definition and need for polyinstantiation Polyinstantiated elements (also called attribute polyinstantiation) are elements of an attribute which have different access classes but are associated with the same primary key and key class Polyinstantiation occurs as one of: –Visible polyinstantiation –Invisible polyinstantiation

6 Definition and need for polyinstantiation Visible polyinstantiation occurs when a higher user attempts to insert data in a field that already contains low data. The high data is entered as a new tuple. Invisible polyinstantiation occurs when a low user attempts to insert data in a field that already contains high data. The low data is entered as a new tuple.

7 Example of polyinstantiated relation TS 30KTSCISTSSam TS 30KSCISSAnn SS10KSMathSBob TCC salary Salary C dept DeptC user User Figure 1

8 Example of polyinstantiated tuple SS10KSMathSSam TS 30KTSCISTSSam TS 30KSCISSAnn SS10KSMathSBob TCC salary Salary C dept DeptC user User Figure 2

9 Example of polyinstantiated element TS 30KTSCISTSSam SS20KSCISSAnn TS 30KSCISSAnn SS10KSMathSBob TCC salary Salary C dept DeptC user User Figure 3

10 Example of polyinstantiated element SS20KSCISSAnn SS10KSMathSBob TCC salary Salary C dept DeptC user User The view of the table for a subject with classification S based on the previous table for a polyinstantiated element Figure 4

11 Polyinstantiation For read operations, subjects have read access to instances of multilevel relations accessing data at their level or below For write (insert or update) operations, the effect depends on the access level of dominated by, dominates or incomparable

12 Polyinstantiation Suppose an S-subject (i.e., a subject with classification S) wants to execute the operation INSERT INTO EMPLOYEE VALUES ‘Sam’, ‘Math’, ‘10K’ The operation is applied to Figure 1 and the result will be Figure 2 In this example, the subject clearance is dominated by the access class of data

13 Polyinstantiation Suppose an S-subject (i.e., a subject with classification S) wants to execute the operation UPDATE EMPLOYEE SET Salary = ‘20K’ WHERE Name = ‘Ann’ The operation is applied to Figure 1 and the result will be Figure 3 In this example, the subject clearance is dominated by the access class of data

14 Polyinstantiation Suppose a TS-subject (i.e., a subject with classification TS) wants to execute the operation UPDATE EMPLOYEE SET Dept = ‘Math’ WHERE Name = ‘Ann’ The operation is applied to Figure 3 and the result will be Figure 5 given next, where multiple rows are added In this example, the subject clearance dominates the access class of data

15 Polyinstantiation TSS20KTSMathSAnn TS 30KTSMathSAnn TS 30KTSCISTSSam SS20KSCISSAnn TS 30KSCISSAnn SS10KSMathSBob TCC salary Salary C dept DeptC user User Figure 5

16 Polyinstantiation In Figure 5, the two rows added have the classification of TS for the Dept field for Ann because these tuples were added by a TS-subject. They should not be visible for an S-subject.

17 Polyinstantiation Suppose a TS-subject (i.e., a subject with classification TS) wants to execute the operation UPDATE EMPLOYEE SET Dept = ‘CIS’, Salary=‘20K’ WHERE Name = ‘Bob’ The operation is applied to Figure 3 and the result will be Figure 6 given next, where multiple rows are added In this example, the subject clearance dominates the access class of data

18 Polyinstantiation TS 20KTSCISSBob TS 20KSMathSBob TSS10KTSCISSBob TSS20KTSMathSAnn TS 30KTSMathSAnn TS 30KTSCISTSSam SS20KSCISSAnn TS 30KSCISSAnn SS10KSMathSBob TCC salary Salary C dept DeptC user User Figure 6

19 Polyinstantiation In Figure 6, the three rows added have the classification of TS for the tuple because these tuples were added by a TS-subject. They should not be visible for an S- subject.

20 Sea View Model SEcure dAta VIEW was developed by Lunt, Denning, et al in 1987 in California Sea View model actually improved upon the concept of polyinstantiation developed by Hinke and Schaefer Model has two layers: –MAC (Mandatory Access Control)‏ –TCB (Trusted Computing Base)‏ MAC enforces the security policy of the Bell- LaPadula and Biba models

21 Sea View Model TCB defines: –Concept of multilevel relations –Supports DAC –Formalizes supporting policies

22 Sea View Model Sea View model uses subjects, objects, and access classes Access class consists of: –Secrecy class –Integrity class Secrecy class corresponds to the security level of Bell-LaPadula model Integrity class corresponds to the integrity level of Biba model

23 Sea View Model Objects of the MAC are the files to which access must be granted Every object has a unique identifier and a unique access class The ID and access class assigned to an object cannot be modified later Objects are single-level files in a multi- level security system

24 Sea View Model Subjects of MAC are processes acting on behalf of users Each user is assigned a range of secrecy and integrity classes Subjects acting on behalf of the user are assigned the classification of that user Each user is assigned minimal secrecy (minsecrecy) and integrity (minintegrity) classes

25 Sea View Model The secrecy and integrity classes originally assigned to the user are denoted maxsecrecy and maxintegrity Writeclass of the subject uses (minsecrecy, maxintegrity)‏ Readclass of the subject uses (maxsecrecy, minintegrity)‏ For each subject the read class must dominate the write class

26 Sea View Model Subject is said to be trusted if the readclass strictly dominates the writeclass Trust is divided into two parts –Secrecy trust corresponds to strict inequality of secrecy classes –Integrity trust corresponds to strict inequality of integrity classes Subjects with secrecy trust could write data at a lower secrecy class than data read

27 Sea View Model Subjects that are not trusted is called untrusted Untrusted subjects have equal readclass and writeclass Access modes are: –Read –Write –Execute

28 Sea View Model TCB defines multilevel relations TCB includes supporting policies for: –Data consistency –Accountability –Labeling –Aggregation –Sanitization –Reclassification

29 Sea View Model Polyinstantiation integrity requires: –For every non-key attribute A i with classification C i there is a multivalued dependency A k, C k A i, C i Polyinstantiation integrity ensures that no two tuples will have the same primary key unless they represent polyinstantiated elements

30 Jajodia-Sandhu (J-S) Model A write operation in Sea View model could potentially generate z n new tuples where z is the number of elements in the access class and n is the number of non-key attributes Jajodia and Sandhu point out how these could lead to spurious tuples getting added This work led to changes in polyinstantiation integrity J-S model introduces entity integrity and null integrity

31 Jajodia-Sandhu (J-S) Model Entity integrity requires: –no tuple can have a null value for an attribute that is part of the primary key –all key attributes must have the same classification (an important addition that makes all key values entirely visible or entirely invisible)‏ –class of key attributes must dominate the class of non-key attributes

32 Jajodia-Sandhu (J-S) Model In multilevel relations, null values may have double meaning (either the value is null or the higher classification for that value makes the display null for low-classification subjects)‏ Null integrity requires: –null values be classified at the same level of the key attributes of the tuple –null value be subsumed by a non-null value independent of the classification of the non-null value

33 Jajodia-Sandhu (J-S) Model J-S model does not require the multivalued dependency of the Sea View model for polyinstantiation integrity J-S model handles the read operations using the Bell-LaPadula model security of No Read-up principle J-S model handles the write operation using the No Write-down principle (namely a user cannot affect instances of a relation with a lower or incomparable classification with his/her own clearance

34 Example of J-S model Write TS 30KTSCISTSSam TS 20KSCISSAnn SS10KSMathSBob TCC salary Salary C dept DeptC user User Figure 7

35 Example of J-S model Write Assume that an S-subject performs INSERT INTO EMPLOYEE VALUES “John, CIS, 20K” This produces the following S-instance SS20KSCISSJohn SSnullSCISSAnn SS10KSMathSBob TCC salary Salary C dept DeptC user User Figure 8

36 Example of J-S model Write TS 30KTSCISTSSam SS20KSCISSJohn TS 20KSCISSAnn SS10KSMathSBob TCC salary Salary C dept DeptC user User Figure 9 shows the TS-instance view of Figure 7 after the INSERT operation performed by the S-subject Figure 9

37 Example of J-S model Write Assume that a TS-subject performs INSERT INTO EMPLOYEE VALUES “Bob, CIS, 20K” on table in Figure 8 This produces the following S-instance: SS20KSCISSJohn SSnullSCISSAnn SS10KSMathSBob TCC salary Salary C dept DeptC user User Figure 10

38 Example of J-S model Write TS 20KTSCISTSBob TS 30KTSCISTSSam SS20KSCISSJohn TS 20KSCISSAnn SS10KSMathSBob TCC salary Salary C dept DeptC user User Figure 11 shows the TS-instance view after the INSERT operation on table in Figure 8 performed by the TS-subject Figure 11

39 Example of J-S model Write SS20KSCISSSam SS20KSCISSJohn SSnullSCISSAnn SS10KSMathSBob TCC salary SalaryC dept DeptC user User Assume now that an S-subject who is unaware of the existence of Sam wants to perform the following operation on table in Figure 11: INSERT INTO EMPLOYEE VALUES “Sam, CIS, 20K” To avoid down-channel signaling, a new tuple must be entered with S- classification with primary key Sam. This is called necessary polyinstantiation. The following is an S-instance of Figure 11 after the above INSERT operation Figure 12

40 Example of J-S model Write SS20KSCISSSam TS 20KTSCISTSBob TS 30KTSCISTSSam SS20KSCISSJohn TS 20KSCISSAnn SS10KSMathSBob TCC salary Salary C dept DeptC user User Figure 13 shows the TS-instance view after the INSERT operation on table in Figure 11 performed by the S-subject Figure 13

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.