1. Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #6 Multilevel Secure Database Management Systems - II January 27, 2005

2. Outline l MLS/DBMS Designs and Prototypes l Challenges l Multilevel Secure Data Models l MLS/DBMS Functions l Directions

3. Overview of MLS/DBMS Designs Hinke-Schaefer (SDC Corporation) Introduced operating system providing mandatory access control Integrity Lock Prototypes: Two Prototypes developed at MITRE using Ingres and Mistress relational database systems SeaView: Funded by Rome Air Development Center (RADC) (now Air Force Rome Laboratory) and used operating system providing mandatory access control and introduced polyinstation Lock Data Views (LDV) : Extended kernel approach developed by Honeywell and funded by RADC and investigated inference and aggregation

4. Overview of MLS/DBMS Designs (Concluded) ASD, ASD-Views: Developed by TRW based on the Trusted subject approach. ASD Views provided access control on views SDDBMS: Effort by Unisys funded by RADC and investigated the distributed approach SINTRA: Developed by Naval Research Laboratory based on the replicated distributed approach SWORD: Designed at the Defense Research Agency in the UK and there goal was not to have polyinstantiation

5. Some MLS/DBMS Commercial Products Developed (late 1980s, early 1990s) l Oracle (Trusted ORACLE7 and beyond): Hinke-Schafer and Trusted Subject based architectures l Sybase (Secure SQL Server): Trusted subject l ARC Professional Services Group (TRUDATA/SQLSentry): Integrity Lock l Informix (Informix-On-LineSecure): Trusted Subject l Digital Equipment Corporation (SERdb) (this group is now part of Oracle Corp): Trusted Subject l InfoSystems Technology Inc. (Trusted RUBIX): Trusted Subject l Teradata (DBC/1012): Secure Database Machine l Ingres (Ingres Intelligent Database): Trusted Subject

6. Some Challenges: Inference Problem Inference is the process of forming conclusions from premises If the conclusions are unauthorized, it becomes a problem Inference problem in a multilevel environment Aggregation problem is a special case of the inference problem - collections of data elements is Secret but the individual elements are Unclassified Association problem: attributes A and B taken together is Secret - individually they are Unclassified

7. Some Challenges: Polyinstantiation Mechanism to avoid certain signaling channels Also supports cover stories Example: John and James have different salaries at different levels

8. Some Challenges: Covert Channel Database transactions manipulate data locks and covertly pass information Two transactions T1 and T2; T1 operates at Secret level and T2 operates at Unclassified level Relation R is classified at Unclassified level T1 obtains read lock on R and T2 obtains write lock on R T1 and T2 can manipulate when they request locks and signal one bit information for each attempt and over time T1 could covertly send sensitive information to T1

9. Multilevel Secure Data Model: Classifying Databases

10. Multilevel Secure Data Model: Classifying Relations

11. Multilevel Secure Data Model: Classifying Attributes/Columns

12. Multilevel Secure Data Model: Classifying Tuples/Rows

13. Multilevel Secure Data Model: Classifying Elements

14. Multilevel Secure Data Model: Classifying Views

15. Multilevel Secure Data Model: Classifying Metadata

16. MLS/DBMS Functions Overview

17. MLS/DBMS Functions Secure Query Processing

18. MLS/DBMS Functions Secure Transaction Management

19. MLS/DBMS Functions Secure Integrity Management

20. Status and Directions MLS/DBMSs have been designed and developed for various kinds of database systems including object systems, deductive systems and distributed systems Provides an approach to host secure applications Can use the principles to design privacy preserving database systems Challenge is to host emerging secure applications including e- commerce and biometrics systems