Research directions in database security

Many commercial and defense applications require a database system that protects data of different sensitivities while still allowing users of different clearances to access the system. This book is a collection of papers covering aspects of the emerging security technology for multilevel database systems. It contains reports on such landmark systems as SeaView, LDV, ASD, Secure Sybase, the UNISYS secure distributed system, and the secure entity-relationship system GTERM. Much of the research is concerned with the relational model, although security for the entity-relationship and object-oriented models of data are also discussed. Because the field is so new, it has been extremely difficult to learn about the research going on in this area, until now. This book will be invaluable to researchers and system designers in database systems and computer security. It will also be of interest to data users and custodians who are concerned with the security of their information. This book can also be used as a text for an advanced topics course on computer security in a computer science curriculum.

1 Workshop Summary.- 1.1 Introduction.- 1.2 Labels.- 1.3 Aggregation.- 1.4 Discretionary Security.- 1.5 The Homework Problem.- 1.6 Classification Semantics.- 1.7 Assurance.- 1.7.1 Balanced Assurance.- 1.7.2 TCB Subsetting.- 1.7.3 Layered TCB.- 1.8 New Approaches.- 1.9 Classifying Metadata.- 1.10 Conclusions.- 1.11 References.- 2 SeaView.- 2.1 Introduction.- 2.2 Multilevel Security.- 2.3 Multilevel Relations.- 2.3.1 The Extended Relational Integrity Rules.- 2.3.2 Polyinstantiation.- 2.3.3 Constraints.- 2.4 Discretionary Security.- 2.5 Multilevel SQL.- 2.5.1 The Access Class Data Type.- 2.5.2 Dealing with Polyinstantiation.- 2.5.3 Creating Multilevel Relations.- 2.6 The SeaView Verification.- 2.7 The SeaView Design.- 2.8 Data Design Considerations.- 2.9 Conclusions.- 2.10 References.- 3 A1 Secure DBMS Architecture.- 3.1 Introduction.- 3.2 The A1 Secure DBMS Modes of Operation.- 3.3 The A1 Secure DBMS Security Policy Overview.- 3.4 A1 Secure DBMS Architecture.- 3.5 Why is ASD Needed.- 3.6 For Further Information.- 3.7 References.- 4 An Investigation of Secure Distributed DBMS Architectures.- 4.1 Introduction.- 4.1.1 Background.- 4.1.2 Requirements.- 4.2 Concept of Operation.- 4.2.1 Users.- 4.3 Security Policy Overview.- 4.3.1 Discretionary Access Control.- 4.3.2 Mandatory Access Control.- 4.4 Architecture Definition.- 4.4.1 Abstract Model.- 4.4.2 Architectural Parameters.- 4.4.3 Family of Architecture Generation.- 4.5 Discretionary Access Control Enforcement.- 4.6 Summary and Conclusions.- 4.7 References.- 5 LOCK Data Views.- 5.1 Introduction.- 5.1.1 Problem Statement.- 5.1.2 Security Policy Overview.- 5.2 LOCK Security Policy Overview.- 5.2.1 DBMS Policy Extension Needs.- 5.2.2 DBMS Policy Extensions.- 5.3 Pipelines.- 5.3.1 The Response Pipeline Design.- 5.3.2 LOCK Pipeline Organization.- 5.3.3 Response Pipeline Organization.- 5.3.4 Pipeline Implications.- 5.4 Conclusions.- 5.5 References.- 6 Sybase Secure SQL Server.- 6.1 Introduction.- 6.2 Terms and Definitions.- 6.3 Objectives.- 6.4 B2 Design Philosophy.- 6.4.1 Database Server On A Network.- 6.4.2 B2 Sybase Secure SQL Server.- 6.5 Flow of Control.- 6.5.1 Login.- 6.5.2 Parsing and Compilation.- 6.5.3 Description of Procedures.- 6.5.4 Execution of Procedures.- 6.6 Trusted Operations.- 6.6.1 SSO Trusted Interface.- 6.6.2 User - Trusted Interface.- 6.7 Auditing.- 6.8 Conclusions.- 7 An Evolution of Views.- 7.1 Introduction.- 7.2 References.- 8 Discussion: Pros and Cons of the Various Approaches.- 8.1 Introduction.- 8.2 Inference Problem.- 8.3 Aggregation Problem.- 8.3.1 Problem Instances.- 8.3.2 Two Approaches.- 8.4 Retrospective.- 8.5 References.- 9 The Homework Problem.- 10 Report on the Homework Problem.- 10.1 Introduction.- 10.2 The Example Database.- 10.3 Summary.- 11 Classifying and Downgrading: Is a Human Needed in the Loop.- 11.1 Introduction.- 11.1.1 Underlying Concepts.- 11.1.2 Classifying Outputs.- 11.1.3 Semantic Level Approach.- 11.1.4 Classifying and Downgrading.- 11.2 The Issue.- 11.3 The Answer.- 11.4 Structured Data.- 11.5 Security Semantics of an Application.- 11.6 Types of Security Semantics.- 11.7 Textual Data.- 11.8 Summary.- 11.9 References.- 12 Session Report: The Semantics of Data Classification.- 12.1 Introduction.- 12.2 References.- 13 Inference and Aggregation.- 13.1 Introduction.- 13.2 Database Inference.- 13.2.1 The Problem.- 13.2.2 A Solution Approach.- 13.3 The Inference Problem.- 13.4 Analysis of Logical Inference Problems.- 13.4.1 When Classifying a Rule is Worse than Useless.- 13.4.2 Sphere of Influence Analysis.- 13.4.3 Network of Constraints.- 13.4.4 Questions.- 13.5 General Discussion.- 13.6 References.- 14 Dynamic Classification and Automatic Sanitization.- 14.1 Introduction.- 14.2 Sanitization.- 14.3 Initial Overclassification.- 14.4 Initial Underclassification.- 14.5 Discovered Misclassification.- 14.6 Automatic Classification.- 14.7 References.- 15 Presentation and Discussion on Balanced Assurance.- 15.1 Introduction.- 15.2 References.- 16 Some Results from the Entity/Relationship Multilevel Secure DBMS Project.- 16.1 Project Goals and Assumptions.- 16.2 A Multilevel Entity/Relationship Model.- 16.2.1 Data Model Semantics.- 16.2.2 Multilevel Security Characteristics.- 16.3 Results of Research.- 16.3.1 The Underlying Abstraction.- 16.4 Conclusions.- 16.5 References.- 17 Designing a Trusted Application Using an Object-Oriented Data Model.- 17.1 Introduction.- 17.2 The Object-Oriented Data Model.- 17.3 The SMMS as an Object-Oriented Database.- 17.4 Conclusion and Future Directions.- 17.5 References.- 18 Foundations of Multilevel Databases.- 18.1 Introduction.- 18.2 Definitional Preliminaries.- 18.3 Model Theoretic Approach.- 18.3.1 Query Evaluation.- 18.3.2 Database Updates.- 18.4 Proof Theoretic Approach.- 18.4.1 Query Evaluation.- 18.4.2 Database Updates.- 18.5 Environments and Fixed Points.- 18.5.1 Environments.- 18.5.2 Mappings.- 18.5.3 Fixed Points.- 18.5.4 Least Environment.- 18.5.5 Declarative and Procedural Semantics.- 18.6 Environments and Inference.- 18.7 Handling Negative and Indefinite Information.- 18.7.1 Closed-World Assumption.- 18.7.2 Negation by Failure.- 18.8 Formal Semantics of Time.- 18.9 Other Related Topics.- 18.9.1 Theory of Relational Databases.- 18.9.2 Consistency and Completeness of Security Constraints.- 18.9.3 Assigning Security Levels to Data.- 18.10 Conclusion.- 18.11 References.- 19 An Application Perspective on DBMS Security Policies.- 19.1 Introduction.- 19.2 Problems with Automatic Polyinstantiation.- 19.2.1 Polyinstantiation and Entity Integrity.- 19.2.2 Polyinstantiation and Referential Integrity.- 19.2.3 Polyinstantiation verses Application Consistency.- 19.2.4 Problems with Simplistic Mandatory Policies.- 19.3 Problems with View-Based Controls and Constraints.- 19.4 Requirement for Transaction Authorizations.- 19.5 Summary.- 19.6 References.- 20 New Approaches to Database Security: Report on Discussion.- 20.1 Introduction.- 20.2 Report on Discussion.- 20.2.1 Open Problems in Computer Security.- 20.2.2 Old Problems for Operating Systems but New Problems for Database Systems.- 20.2.3 Database-Specific Problems.- 20.2.4 Challenge Posed by Advances in Database Technology.- 20.3 Conclusion.- 20.4 References.- 21 Metadata and View Classification.- 21.1 Introduction.- 21.2 Justification for Metadata Protection.- 21.3 Metadata Classification Approaches.- 21.3.1 Internal Schema.- 21.3.2 Conceptual Schema.- 21.3.3 External Schema.- 21.4 Metadata Protection Schemes.- 21.5 User Access to Metadata.- 21.6 Affect of User Session Level on Data Classification.- 22 Database Security Research at NCSC.- 22.1 Introduction.- 22.2 Sponsored Research Projects.- 22.3 The Future.- 22.4 Discussion Topics.- 23 Position Paper on DBMS Security.- 23.1 Introduction.- 23.2 Conclusions.

Many commercial and defence applications require a database system that protects data of different sensitivities while still allowing users of different clearances to access the system. This book is a collection of papers covering aspects of the emerging security technology for multilevel database systems. It contains reports on such landmark systems as SeaView, LDV, ADD, Secure Sybase, the UNISYS secure distributed system and the secure entity - relationship system GTERM. Much of the research is concerned with the relational model, although security for the entity-relationship and object-oriented models of data are also discussed. Because the field is so new, it is difficult to learn about the research going on in this area. This book will be useful to researchers and system designers in database systems and computer security. It will also be of interest to data users and custodians who are concerned with the security of their information. This book can also be used as a text for an advanced topics course on computer security in a computer science curriculum.