Modeling Security-Relevant Data Semantics
Xue Ying Chen, Department of Computer Science

The Structure of Presentation
- Brief review of the inference problem in a multilevel database
- Modeling security-relevant data semantics
  - Security-relevant data semantics
  - The semantic data model for security
  - An example

Brief Review of the Inference Problem
- Definition: in a multilevel database, users are able to infer information classified at higher security level(s) from the knowledge of data classified at lower security level(s)
- Methods proposed to deal with the inference problem can be grouped into two categories according to their processing phase:
  - During the database design
  - During processing of the queries

Comparison among Methods Applied during the Database Design
- Previous efforts only address integrity properties of data
- SDMS (Semantic Data Model for Security) represents both the integrity and the secrecy aspects of data
- It can be used to precisely define the security requirements for an application system by domain experts, database designers and security officers
- It is a comprehensive taxonomy of security-relevant data semantics that must be captured and understood to implement a multilevel secure database system
Security-Relevant Data Semantics Ⅰ
Data integrity semantics: integrity constraints, which specify the valid relationships between the data and the rules for ensuring the validity of the data
- Constraints on entities
- Constraints on attributes
- Constraints on relationships

Security-Relevant Data Semantics Ⅱ
Data integrity constraints on entities (i)
- Uniqueness: each instance of an entity is unique
- Minimum cardinality: the minimum number of instances that must exist in the database
- Maximum cardinality: the maximum number of instances of an entity allowed in the database
- Key(s): the attribute(s) or set of attributes that is a key

Security-Relevant Data Semantics Ⅲ
Data integrity constraints on entities (ii)
- Value-type for a key, such as real, integer, string, etc. Value-type string is extended to:
  - A-String: the value reveals all semantic information
  - P-String: the value reveals partial information
  - N-String: the value contains no semantic information
- Value-set for a key: the set of valid values for an attribute that is a key
- Key size: maximum size of a key field

Security-Relevant Data Semantics Ⅳ
Data integrity constraints on attributes
- Value-type
- Value-set
- Size
- Transition compatibility: the relationship between the old and new values of the attribute

Security-Relevant Data Semantics Ⅴ
Data integrity constraints on the relationship between entity/attribute A and entity/attribute B include:
- Minimum cardinality: the minimum number of instances of B required for each instance of A
- Maximum cardinality: the maximum number of instances of B allowed for each instance of A
- Uniqueness: for each instance of A there must be a unique instance of B
- Internal compatibility: the values of A must meet a specified relationship with the values of B (based solely on A and B)
- External compatibility: the values of A must meet a specified relationship with the values of B (based on some external constant or data object)
Security-Relevant Data Semantics Ⅵ
Data secrecy semantics: secrecy constraints, by which data and combinations of data must be classified
- Constraints on entities
- Constraints on raw data
- Constraints on attributes
- Constraints on relationships

Security-Relevant Data Semantics Ⅶ
Secrecy constraints on entities (i)
- Classification of an instance, based on one or more of the following conditions:
  - Uniform for all instances
  - Conditional, based on a range of values
  - Conditional, based on an enumerated set of values
  - Conditional, based on external criteria
  - User-specified at insertion time
- Classification of the entity name (only uniform classification is allowed)
- Cardinality of aggregation: the aggregation of N instances of an entity is unclassified, but N+1 instances are classified

Security-Relevant Data Semantics Ⅷ
Secrecy constraints on entities (ii)
- Hiding the existence of instances, based on one or more of the following criteria:
  - Uniform for all instances
  - Conditional, based on the instance
  - And/or conditional, based on the classification level
- Identificate: the set of all identificates of an entity (the concept of identificate will be discussed later)

Security-Relevant Data Semantics Ⅸ
- Secrecy constraints on raw data: raw data are rarely classified, but are included for completeness
- Secrecy constraints on attributes: the same as the constraints on entities, except for the notion of identificate

Security-Relevant Data Semantics Ⅹ
Secrecy constraints on relationships: the association of two data objects is classified at a level independent of the two data objects
- Internal criteria: similar to the integrity compatibility constraints, based upon either a uniform or a conditional selection of instances based on one or both data objects
- Hiding the existence of a relationship, based on one or more of the following conditions:
  - Uniform for all instances
  - Conditional, based on the value of instances of A or B
  - And/or conditional, based on the classification of A or B
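The secrecy constraints on entities described above (uniform and conditional classification, cardinality of aggregation, and hiding the existence of instances) can be made concrete with a small evaluator. This is an added example, not code from the slides or from SDMS; the level names, the FLIGHT entity, its attributes and the sample rows are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
UNCLASS, CONFIDENTIAL, SECRET = 0, 1, 2           # ordered levels (names constructed for this example)
@dataclass
class SecrecyConstraints:
    uniform: int = UNCLASS                            # classification uniform for all instances
    range_rules: list = field(default_factory=list)   # (attr, lo, hi, level): conditional on a range
    enum_rules: list = field(default_factory=list)    # (attr, values, level): conditional on an enumerated set
    aggregation_n: Optional[int] = None               # N instances unclassified, N+1 classified SECRET
    hide_existence_at_or_above: Optional[int] = None  # hide existence of instances at/above this level

def classify_instance(inst: dict, c: SecrecyConstraints) -> int:
    """Classification of one instance: the highest level any applicable rule assigns."""
    level = c.uniform
    for attr, lo, hi, lvl in c.range_rules:
        if attr in inst and lo <= inst[attr] <= hi:
            level = max(level, lvl)
    for attr, values, lvl in c.enum_rules:
        if inst.get(attr) in values:
            level = max(level, lvl)
    return level

def classify_aggregate(instances: list, c: SecrecyConstraints) -> int:
    """Cardinality of aggregation: more than N instances are SECRET together even if each alone is not."""
    level = max((classify_instance(i, c) for i in instances), default=c.uniform)
    if c.aggregation_n is not None and len(instances) > c.aggregation_n:
        level = SECRET
    return level

def view(instances: list, c: SecrecyConstraints, user_level: int) -> list:
    """Rows a user at user_level sees: higher instances are value-withheld (existence shown) or omitted (hidden)."""
    out = []
    for inst in instances:
        lvl = classify_instance(inst, c)
        if lvl <= user_level:
            out.append(inst)
        elif c.hide_existence_at_or_above is not None and lvl >= c.hide_existence_at_or_above:
            continue                                  # no row at all: existence hidden
        else:
            out.append({k: None for k in inst})       # row present, values withheld
    return out
# Constructed sample data (not from the slides): a FLIGHT entity under three secrecy rules.
SAMPLE = [{"flight": "F1", "cargo_kg": 500, "dest": "Civil A"},
          {"flight": "F2", "cargo_kg": 20000, "dest": "Civil B"},  # heavy cargo -> SECRET (range rule)
          {"flight": "F3", "cargo_kg": 800, "dest": "Depot Z"},    # sensitive destination -> CONFIDENTIAL
          {"flight": "F4", "cargo_kg": 300, "dest": "Civil A"}]
CONSTRAINTS = SecrecyConstraints(range_rules=[("cargo_kg", 10_000, 10**9, SECRET)],
                                 enum_rules=[("dest", {"Depot Z"}, CONFIDENTIAL)],
                                 aggregation_n=3, hide_existence_at_or_above=SECRET)
```

Note that an UNCLASS user gets a value-withheld row for F3 (its existence is revealed) but no row at all for F2, and that four individually unclassified flights are still SECRET as an aggregate.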
SDMS Ⅰ
The semantic data model for security includes two levels of representation:
- The top level is a graphical representation to show inherent constraints, plus a language, the Assertion Language for Integrity Constraint Expression (ALICE), for stating explicit constraints
- Underlying the top level is a logic-based representation that facilitates the analysis of the application requirements in terms of security

SDMS Ⅱ
Identificate: an attribute of an object which, from a secrecy perspective, allows the object to be identified
- Key
- Near-key

SDMS Ⅲ
- Structural and integrity constraints
- The secrecy constructs
- An example
Reference
Gary W. Smith, "Modeling Security-Relevant Data Semantics"