Research Directions in Database Security

Frontmatter

1. Workshop Summary

Abstract

On May 24–26, 1988, about 25 researchers working on multilevel security for database systems met at Vallombrosa Conference and Retreat Center in Menlo Park, California. The workshop was organized and led by Teresa Lunt of SRI International and was sponsored by the U.S. Air Force, Rome Air Development Center (RADC). The workshop’s focus was on multilevel security for database systems. It was the first extended technical interchange among those participating in the following projects, most of which were inspired by the 1982 Air Force Summer Study [AFSS83]: SRI’s and Gemini Computer’s SeaView A1 multilevel relational database system [LSS+88]; TRW’s A1 Secure Prototype DBMS [Gar88]; the Unisys B3 secure database system project; Honeywell’s LOCK Data Views (LDV) project [DOST88]; MITRE’s Kernelized Trusted DBMS project; the Naval Research Laboratory’s Secure Military Message System [LHM84]; AOG Systems’ secure entity-relationship (E/R) project [CI88]; MITRE’s Integrity Lock project [Gra84]; and the Hinke-Schaefer secure database project [HS75].

Teresa F. Lunt

2. SeaView

Abstract

SeaView is a multilevel secure database system targeted for Class A1. SeaView provides for individual data elements to be labeled with their classifications. SeaView has defined a query language called MSQL, for multilevel SQL, that allows data to be manipulated and controlled based on their classifications. The MSQL operations have been specified in a formal language and have been partially verified, using an automated theorem prover, to correspond to the SeaView security model. SeaView’s design makes use of existing security kernel and database technology so as to be quickly implementable.

Teresa F. Lunt

3. A1 Secure DBMS Architecture

Abstract

TRW’s A1 Secure Database Management System is a multilevel secure relational database management system (DBMS) that is currently being developed under the Advanced Secure DBMS (ASD) IR&D (Internal Research and Development) project by the Defense Systems Group of TRW. This paper will describe the security architecture of the A1 Secure DBMS.

Thomas H. Hinke, Cristi Garvey, Amy Wu

4. An Investigation of Secure Distributed DBMS Architectures

Abstract

The objective of this paper is to describe an architecture for a multilevel secure distributed database management system (SD-DBMS). This work was part of a project, funded by Rome Air Development Center (RADC), to design a multilevel secure (MLS) database management system (DBMS) capable of processing information at a minimum of three classification levels and/or categories. The SD-DBMS was designed in accordance with the Trusted Computer System Evaluation Criteria (TCSEC) requirements for a Class B3 trusted computer system [Cen85b].

James P. O’Connor, James W. Gray III, Catherine McCollum, LouAnna Notargiacomo

5. LOCK Data Views

Abstract

This paper describes the design of a Multilevel Secure Relational Database Management System (MLS/RDBMS), LOCK Data Views (LDV), being designed to run on SCTC’s LOgical Coprocessor Kernel (LOCK) Trusted Computing Base (TCB) [Hon87a]. This chapter presents the statement of the problem addressed by the design, an overview of the security policy enforced by the system, and an outline of the report.

Paul Stachour

6. Sybase Secure SQL Server

Abstract

Sybase and TRW have been working together to produce two secure relational database products that meet the guidelines set forth in the Department of Defense Trusted Computer System Evaluation Criteria (DoD TCSEC). A B1 version of the Sybase Secure SQL Server is being developed that will run on a B1 secure UNIX operating system. The B2 Sybase Secure SQL Server will run on bare hardware, avoiding the need for an underlying B2 operating system. The B1 and B2 systems contain the same security features, such as mandatory and discretionary access controls, auditing, and trusted paths for performing security relevant activity.

Helena Winkler

7. An Evolution of Views

Abstract

My work in the multilevel database security area began in 1982, when Marv Schaefer invited me to be on the steering committee for the Air Force Summer Study on Multilevel Data Management Security, to be held at Woods Hole. At the time, I was on the faculty at Purdue University, where I had spent the past several years working on the statistical database problem (protecting sensitive data released in the form of aggregate statistics). I had just finished my book and was glad to have the opportunity to see whether my earlier work would apply to the multilevel database problem. We had several committee meetings prior to the workshop, during which time we discussed the problem, determined whom to invite and how to structure the workshop, and listened to briefings from various government agencies. At first I found the meetings hard to follow; acronyms (RADC, CECOM, WWMCCS, Blacker, …) were flying by at a rate faster than I could catch them, but gradually I began to make some sense out of them.

Dorothy E. Denning

8. Discussion: Pros and Cons of the Various Approaches

Abstract

This report provides a summary of the issues raised in an afternoon discussion at the First Invitational Workshop on Database Security, hosted by SRI International in Menlo Park, CA. The topic of the discussion was to review the pros and cons of the various approaches to the design of secure database systems as described by the speakers that morning. However, the actual discussion quickly narrowed to the problems of aggregation and inference, particularly with regards to proposals for handling these problems in the systems described. Because these topics became primary areas of study throughout the workshop, the session described below must be regarded as only a preliminary discussion of issues that were explored in greater detail (and with greater collective insight!) in later sessions. For this reason, we have felt it appropriate to append a section entitled “retrospective,” relating the preliminary topics raised during our discussion session with the insights gained later in the workshop.

Dorothy E. Denning, William R. Shockley

9. The Homework Problem

Abstract

The following “homework problem,” phrased below as a take-home exam, was the centerpiece of the workshop. The workshop participants broke up into three groups and worked late into the night on this homework problem.

Rae K. Burns

10. Report on the Homework Problem

Abstract

One evening during the workshop, the participants divided up into three small groups to discuss and analyze a database security “homework problem”. The questions focused on the security requirements of an example database application. While the example itself is not particularly realistic, it exhibits a fairly typical database design and a set of security requirements that are characteristic of commercial and DoD applications. Its primary advantage over the examples that have been used in the security literature to date is that it represents a more complete application, and not just a single file or relation.

Rae K. Burns

11. Classifying and Downgrading: Is a Human Needed in the Loop?

Abstract

This paper asserts that output products from a multilevel secure database environment should be classified at a level which accurately reflects, at the data semantics level, the contents of the product. The paper further asserts that for certain classes of data, “the system” can effectively determine the classification of the output product such that no human is required in the loop. For other classes of data, the paper asserts that we can not explicitly state the database security requirement; therefore, we cannot hope to implement a system that enforces those requirements and a human is required in the loop.

Gary W. Smith

12. Session Report: The Semantics of Data Classification

Abstract

This session addressed classification of data from a semantic level. The object was to approach database security from a semantic level—to look at why data objects are classified. The importance of this approach is summed up by Bill Shockley’s comments after the session. Shockley believes that the current research efforts have reduced access control mechanisms to engineering problems. He believes that the next set of research problems to be attacked are at the semantic level, most of which involve database design issues.

Gary W. Smith

13. Inference and Aggregation

Abstract

The inference problem recognizes that sensitive information must be protected not only from direct retrieval but also from indirect disclosure. Information flow analysis addresses such indirect disclosure within the system, such as signaling, observation of resource utilization, and other covert channels.

Matthew Morgenstern, Tom Hinke, Bhavani Thuraisingham

14. Dynamic Classification and Automatic Sanitization

Abstract

This chapter contains a panel session summary of the panel entitled “Dynamic Classification and Automatic Sanitization.” This chapter includes an expansion of topics discussed during the panel session on Dynamic Classification and Automatic Sanitization, and is reproduced from personal notes and a tape-recorded transcript. The panel was conducted in association with a panel on the closely allied topic of Aggregation and Inference. Earlier discussions had focused on the “homework” problem. This chapter attempts to integrate related topics discussed earlier in the workshop with those mentioned during the actual panel. The taped record indicates that several topics from the other sessions were referenced in context, but without detailed expansion. An attempt has been made to expand on those references and thereby unify the overall discussion.

Marvin Schaefer

15. Presentation and Discussion on Balanced Assurance

Abstract

This discussion, conducted by William Shockley of Gemini Computers, Incorporated, consisted primarily of a discussion of what balanced assurance means and the technical and management motivations for choosing to interpret the Trusted Computing System Evaluation Criteria (hereinafter referred to as the Criteria) [Cen85b] in this way. The material presented below summarizes the contents of his presentation.

William R. Shockley

16. Some Results from the Entity/Relationship Multilevel Secure DBMS Project

Abstract

A multilevel secure version of the Entity/Relationship (E/R) data model has been developed. Its multilevel secure properties are based on three principles: the granularity principle, the dependency principle and the determinacy principle. These three principles are proposed as fundamental to the design of multilevel secure data models and databases. A comparison of the multilevel E/R model and the SeaView multilevel relational data model [LDN⁺88,DLS⁺87] reveals that the SeaView model violates determinacy. This violation, called referential ambiguity, comes from the interaction of polyinstantiation with the SeaView formulation of referential integrity. It is argued that referential ambiguity can produce undesirable side effects.

George E. Gajnak

17. Designing a Trusted Application Using an Object-Oriented Data Model

Abstract

Key problems in developing trusted application systems are defining the security requirements in a way that is comprehensible to the users and implementing the system in a way that makes it clear that these requirements are met. An object-oriented approach can help solve both of these problems because it permits describing the requirements in terms familiar to the users—objects can be mapped directly to real-world entities—and it permits identifying the parts of the system that enforce security requirements. In this paper we illustrate the usefulness of the object-oriented approach by considering from these two points of view the modeling of the NRL Secure Military Message System (SMMS) [Hei86,LHM84] as an object-oriented database system. Future work will address the problem of building such an application on top of a general-purpose trusted relational DBMS in much the same way that an object-oriented DBMS such as POSTGRES [Row87,SR87] is built on top of a relational database.

Catherine Meadows, Carl Landwehr

18. Foundations of Multilevel Databases

Abstract

In this paper, formal logic is used as a basis for establishing concepts in multilevel databases. Issues covered include: model and proof theoretic approaches to formalizing multilevel database concepts, environments associated with security levels, the inference problem, handling negative information and the inclusion of formal semantics of time. Finally, issues related to the theory of multilevel relational databases, consistency and completeness of security constraints and assigning security levels to data are also briefly addressed.

Bhavani Thuraisingham

19. An Application Perspective on DBMS Security Policies

Abstract

Any multilevel-secure (MLS) database management system (DBMS) requires a security policy that is sufficiently flexible to support the security requirements of a range of database applications. In general, the currently proposed DBMS security policies do not provide the types of features that are required by typical database applications. This paper discusses four major problems with current DBMS security policies:

1.

Automatic polyinstantiation

 

2.

Simplistic Bell-LaPadula interpretation

 

3.

View-based controls and constraints

 

4.

Lack of transaction authorization controls.

 

Rae K. Burns

20. New Approaches to Database Security: Report on Discussion

Abstract

Although multi-level secure operating systems have been a reality for several years, their use has yet to become widespread. This is due, in part, to the lack of secure software available for such systems, in particular to the lack of secure software for data-intensive applications, for which multi-level secure databases are a necessity.

Catherine Meadows

21. Metadata and View Classification

Abstract

The discussion during the metadata and view session centered on the proper classification rules to be applied to each metadata level and the relationship of the user’s operating level and the metadata level on the base data level.

LouAnna Notargiacomo

22. Database Security Research at NCSC

Abstract

I have been requested to enumerate what we are doing in database security, what we are interested in doing in the future, and to suggest items that we would like discussed at this meeting.

John R. Campbell

23. Position Paper on DBMS Security

Abstract

Database systems are an integral component of current and future Command, Control, Communications and Intelligence (C3I) information systems. It is predicted that today’s military commander or decision-maker will rely upon data and information stored in electronic databases for battle management functions. In the truest sense of the word, database technology has advanced to the point where it is being infused into operationally-oriented system environments. As more and more data is stored in databases the problem of protecting data and information arises. The recent West German hacker scandal is proof that our nation’s computer systems are inadequately protected against hostile and malicious attacks.

Joseph Giordano

Backmatter