Analysis of a Mandatory Access Restriction System for Oracle DBMS
This paper is devoted to the analysis of the mandatory access restriction system for Oracle DBMS. As a result, distinct leakage channels are discovered.
For many information systems based on a DBMS it is often a problem to implement access restriction that takes the value of the data into account. This is usually crucial for large-scale information systems of government or corporate use (e.g., geographical information systems or document management systems). Such systems usually imply a mandatory access model. One of the features of the mandatory model is the prevention of either intentional or accidental decrease of information value by means of information flow control. The mandatory access model is implemented by labeling all the subjects and objects belonging to the access restriction system.
Oracle DBMS is currently one of the most powerful and widely used industrial DBMSs. Starting from version Oracle9i, the Oracle Label Security (OLS) component is implemented, which makes it possible to organize mandatory access to stored data. OLS is a set of procedures and constraints built into the database kernel which allow the implementation of record-level access control. In order to enable OLS it is necessary to create a security policy containing a set of labels. Once this policy is created it should be applied to the protected tables, and users should be granted rights to the corresponding labels.
Analysis of the possible leakage channels of confidential information is of interest for the reviewed system.
We propose the following general algorithm for analyzing the implemented mandatory access model.
1) Access object types are determined according to the published documentation and investigation of the DBMS (e.g., tables, rows, or columns).
2) SQL commands are analyzed in terms of how users can modify access objects.
3) Several objects with different confidentiality levels are created for each access object type.
4) Several user (access subject) accounts are created with different mandatory access rights.
5) A sequence of SQL queries is formed and executed with different mandatory access rights against objects of different confidentiality levels. From the analysis of the execution of these queries it is possible to build an access model and to conclude whether the system has vulnerabilities which can lead to leakage or corruption of confidential information.
Let us consider access objects in OLS. These are table records, each of which has a label. It is often implied that tables are access objects in OLS, since the security policy is applied to tables. However, tables do not have labels themselves; they only contain labeled rows.
The following basic SQL operations handle individual records:
- INSERT: creation of a new record;
- SELECT: reading of an existing record;
- UPDATE: modification of an existing record;
- DELETE: deletion of a record.
Our experiments consisted of sequences of queries issued by users with different mandatory access rights against objects of different confidentiality levels. These experiments made it possible to construct the mandatory access model of OLS for records. We define two variables, I and J. I is the value of the object's label; smaller values of I correspond to a higher confidentiality level (the value 0 corresponds to "top secret"). J is the value of the subject's access level.
The model can be presented in the following formalized form:
1. CREATE (INSERT), UPDATE, DELETE: j = i
2. SELECT: j < i
3. no operation permitted: j > i
Such a mandatory access model at record level is correct and meets the criteria of the Bell-LaPadula security model. So OLS works correctly at the level of table records.
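The rules above and the query-matrix step of the analysis algorithm can be made executable. The following Python model is an added example and is not code from the paper or from Oracle: it encodes rules 1 to 3 as a predicate, runs every (operation, subject level, object label) combination to confirm no read-up and no write-down, and then reproduces the table-level gap discussed below, where column names are unlabeled metadata. The four-level scale and the assumption that a subject may also SELECT rows at its own level (j = i) are mine, not stated on the page.

```python
"""Added example (not from the paper): executable form of the record-level
rules, plus the exhaustive query matrix from the analysis algorithm.

Label convention follows the text: i is the row label, j the subject level,
smaller means more confidential, 0 is top secret.
"""
from dataclasses import dataclass, field
from itertools import product

TOP_SECRET, SECRET, CONFIDENTIAL, PUBLIC = 0, 1, 2, 3   # assumed four-level scale
LEVELS = (TOP_SECRET, SECRET, CONFIDENTIAL, PUBLIC)
WRITE_OPS = ("INSERT", "UPDATE", "DELETE")


def permitted(op: str, j: int, i: int) -> bool:
    """Rules 1-3 of the model: writes only at j == i, reads at j < i,
    nothing at j > i. Reading at one's own level (j == i) is an assumption
    here, since UPDATE/DELETE of a row presuppose being able to see it."""
    if op in WRITE_OPS:
        return j == i
    if op == "SELECT":
        return j <= i
    raise ValueError(f"unknown operation {op!r}")


def blp_violations(levels=LEVELS) -> list:
    """Step 5 of the analysis: evaluate every (operation, subject level,
    object label) combination and report any permitted result that breaks
    Bell-LaPadula (reading a more confidential row, or writing to a less
    confidential one). An empty list means the record-level model is sound."""
    bad = []
    for op, j, i in product(("SELECT",) + WRITE_OPS, levels, levels):
        if not permitted(op, j, i):
            continue
        if op == "SELECT" and i < j:          # read up
            bad.append((op, j, i))
        if op in WRITE_OPS and i > j:         # write down
            bad.append((op, j, i))
    return bad


@dataclass
class Row:
    label: int
    values: dict


@dataclass
class Table:
    columns: list
    rows: list = field(default_factory=list)


def select(j: int, table: Table) -> list:
    """Rows a subject at level j gets back: filtered by label per the rules."""
    return [r for r in table.rows if permitted("SELECT", j, r.label)]


def describe(table: Table) -> list:
    """Column names are table-level metadata with no label, so every
    subject sees all of them. This is the gap the paper points out."""
    return list(table.columns)


def add_column(table: Table, name: str) -> None:
    """ALTER TABLE ... ADD: DDL on the table, not governed by row labels."""
    table.columns.append(name)


def demo():
    """Scenario from the text: a high-level user adds a column whose name
    carries a secret; a low-level user sees no rows but every column name."""
    t = Table(columns=["id", "payload"],
              rows=[Row(TOP_SECRET, {"id": 1}), Row(SECRET, {"id": 2})])
    add_column(t, "new_password_xxx")      # column name taken from the text
    return select(PUBLIC, t), describe(t)


if __name__ == "__main__":
    print("BLP violations at record level:", blp_violations())
    rows, cols = demo()
    print("rows visible to PUBLIC user:", rows)
    print("columns visible to PUBLIC user:", cols)
```

Running the block prints an empty violation list for the record-level rules, an empty row set for the low-level user, and a column list that still contains `new_password_xxx`, which is exactly the asymmetry the next paragraphs describe.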
However, besides records as a representation of stored data, users can interact with other data representations which are not affected by the mandatory access policy. Tables are an example of such objects. Users can indeed modify the structure of tables, i.e., add new fields, rename them, and change their data types. OLS has no control over these operations at table level.
For instance, a user with higher mandatory rights has the right to create a new field in a table. The name of the field may itself be confidential, and the OLS mechanism does not prevent this operation. A user with lower access rights always has the opportunity to query the names of all the fields.
For example, a new field is created with the name new_password_xxx (where xxx is top secret information) with the following SQL query:
ALTER TABLE user1.test_table ADD (new_password VARCHAR2(30));
If another user who does not have any mandatory rights executes the query SELECT * FROM user1.test_table; he gets an empty data set, but all field names of user1.test_table are exposed to him. As shown above, a column name can contain classified information.
The operations shown in the example create two-way channels of data exchange between subjects with higher and lower access rights, and so they can cause leakage of classified information.
In view of the foregoing, the mandatory access model implemented in Oracle is not complete, and this fact makes it possible to exchange classified information without any control by the mandatory access system, which decreases the value of the data.
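From a defender's side, the column-name channel leaves a trace: it requires DDL against a table that the OLS policy protects. The following Python check is an added example, not code from the paper or from Oracle. It runs over constructed audit records, extracts the column names introduced by ALTER TABLE ... ADD or RENAME COLUMN, and reports those that touch a table in a protected set. The protected set, the record layout and all values are assumptions; in a real deployment the set would be read from the DBA_SA_TABLE_POLICIES view and the records from the database audit trail, neither of which is accessed here.

```python
"""Added example (not from the paper): flag column-name changes on
OLS-protected tables, run over constructed audit records."""
import re

# Assumed set of (schema, table) pairs under an OLS policy; in Oracle this
# would be read from DBA_SA_TABLE_POLICIES. Contents are hypothetical.
PROTECTED = {("USER1", "TEST_TABLE"), ("HR", "SALARIES")}

# Constructed audit records. Field names loosely follow Oracle audit trail
# columns; every value here is invented for this example.
AUDIT = [
    {"DBUSERNAME": "ALICE", "ACTION_NAME": "ALTER TABLE", "OBJECT_SCHEMA": "USER1",
     "OBJECT_NAME": "TEST_TABLE",
     "SQL_TEXT": "ALTER TABLE user1.test_table ADD (new_password_xxx VARCHAR2(30))"},
    {"DBUSERNAME": "BOB", "ACTION_NAME": "ALTER TABLE", "OBJECT_SCHEMA": "HR",
     "OBJECT_NAME": "SALARIES",
     "SQL_TEXT": "ALTER TABLE hr.salaries RENAME COLUMN amt TO amount"},
    {"DBUSERNAME": "CAROL", "ACTION_NAME": "ALTER TABLE", "OBJECT_SCHEMA": "SCOTT",
     "OBJECT_NAME": "EMP",
     "SQL_TEXT": "ALTER TABLE scott.emp ADD (note VARCHAR2(10))"},
    {"DBUSERNAME": "DAVE", "ACTION_NAME": "SELECT", "OBJECT_SCHEMA": "USER1",
     "OBJECT_NAME": "TEST_TABLE",
     "SQL_TEXT": "SELECT * FROM user1.test_table"},
]

# Tokens after ADD that start a constraint clause rather than a column.
NOT_A_COLUMN = {"CONSTRAINT", "PRIMARY", "FOREIGN", "UNIQUE", "CHECK"}


def _balanced(text: str, open_idx: int) -> str:
    """Return the text inside the parenthesis opening at open_idx,
    honouring nested parentheses such as VARCHAR2(30)."""
    depth = 0
    for k in range(open_idx, len(text)):
        if text[k] == "(":
            depth += 1
        elif text[k] == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:k]
    return text[open_idx + 1:]


def _split_top_level(text: str) -> list:
    """Split on commas that are not nested inside parentheses."""
    parts, cur, depth = [], [], 0
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def new_column_names(sql: str) -> list:
    """Column names introduced by ADD (...), ADD col type, or RENAME COLUMN."""
    names = []
    m = re.search(r"\bADD\b\s*", sql, re.I)
    if m:
        rest = sql[m.end():]
        specs = _split_top_level(_balanced(rest, 0)) if rest.startswith("(") else [rest]
        for spec in specs:
            tokens = spec.split()
            if tokens and tokens[0].upper() not in NOT_A_COLUMN:
                names.append(tokens[0].strip('"'))
    m = re.search(r'\bRENAME\s+COLUMN\s+"?\w+"?\s+TO\s+"?(\w+)"?', sql, re.I)
    if m:
        names.append(m.group(1))
    return names


def flag_metadata_channel(records, protected=PROTECTED) -> list:
    """Findings for DDL that changes column names of a protected table:
    (user, schema.table, [new column names])."""
    findings = []
    for rec in records:
        if rec["ACTION_NAME"] != "ALTER TABLE":
            continue
        if (rec["OBJECT_SCHEMA"], rec["OBJECT_NAME"]) not in protected:
            continue
        cols = new_column_names(rec["SQL_TEXT"])
        if cols:
            findings.append((rec["DBUSERNAME"],
                             f'{rec["OBJECT_SCHEMA"]}.{rec["OBJECT_NAME"]}', cols))
    return findings


if __name__ == "__main__":
    for user, table, cols in flag_metadata_channel(AUDIT):
        print(f"column-name change on protected table {table} by {user}: {cols}")
```

The check reports the two statements that alter column names on protected tables and ignores both the DDL on an unprotected table and the plain SELECT. Every new or renamed column on a labeled table is reported, not only names that look suspicious, because the channel depends on the name alone and there is no reliable way to judge from the name whether it carries classified content.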