This paper addresses the threat to multilevel security that arises from logical inference and the semantics of the application. Such compromises of security are particularly challenging since they circumvent traditional security mechanisms and rely on a user's knowledge of the application. The problems of inference and security have heretofore been amorphous and difficult to circumscribe. We focus on these problems in the context of a multilevel database system and show their relevance to knowledge-based systems, sometimes referred to as expert systems. Here we establish a framework for studying these inference control problems, describe a representation for relevant semantics of the application, develop criteria for safety and security of a system to prevent these problems, and outline algorithms for enforcing these criteria.
Because views on relational database systems mathematically define arbitrary sets of stored and derived data, they have been proposed as a way of handling context- and content-dependent classification, dynamic classification, inference, aggregation, and sanitization in multilevel database systems. This paper describes basic view concepts for a multilevel-secure relational database model that addresses the above issues. The model treats stored and derived data uniformly within the database schema. All data in the database is classified according to views called classification constraints, which specify security levels for related data. In addition, views called aggregation constraints specify classifications for aggregates that are classified higher than their constituent elements. All data accesses are confined to a third set of views called access views, which filter out all data classified higher than their declared view level.

1. Introduction

The objective of this paper is to describe basic view concepts for a multilevel-secure relational database model. The model is being developed as part of a three-year project to design a system that will meet the criteria for class A1. The project goals include producing a security policy, formal model, formal top level specifications, and implementation specifications.

The concept of secure views originated in IBM's System R database system (now called SQL/DS), which was inspired by Codd's fundamental work on relational databases. System R introduced a view as a stored or derived relation expressed in the query language SQL. It then tied its access control mechanism to views by making views the objects of authorization (see also Date and Denning). The rationale for this decision was that views, being at a higher level of abstraction than the physical data, simplify the specification and enforcement of context- and content-dependent constraints.
For the same reason, Stonebraker adopted a high-level approach in the INGRES relational system, though the strategy there uses query modification rather than views. The model we will describe uses features from both System R and INGRES. Concurrent with the development work at IBM, Neumann observed that views provided an attractive method for implementing a secure relational data management system on top of SRI's Provably Secure Operating System (PSOS). In the PSOS approach, a view is restricted to a subset of a single relation and serves as a capability for selective access to the relation. Neither the IBM nor the SRI project addressed the issues that would be raised if views were used to classify data and enforce mandatory security. Proposals to use secure views as a basis for multilevel-secure database systems were independently made by Claybrook and by Denning, who at that time was helping to organize the 1982 Woods Hole Summer Study on Multilevel Database Management Security sponsored by the National Academy of Sciences, Air Force Studies Board. Denning observed that because views can define arbitr...
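As an added illustration of the three kinds of views the abstract describes (constructed here, not the paper's own code or data), the following Python sketch classifies a made-up shipment relation with a content-dependent classification constraint, applies an aggregation constraint to a derived listing, and confines every access to an access view that drops data classified above the declared view level. The relation, the level lattice, the predicates and the aggregation limit are all assumptions.

```python
# Constructed toy model of classification constraints, aggregation
# constraints and access views; not the paper's own code or data.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}

def dominates(a, b):
    """True if level a is at least as high as level b."""
    return LEVELS[a] >= LEVELS[b]

# Constructed base relation: one tuple per shipment.
SHIPMENTS = [
    {"id": 1, "ship": "Alpha", "cargo": "grain", "dest": "Lisbon"},
    {"id": 2, "ship": "Beta", "cargo": "missiles", "dest": "Lisbon"},
    {"id": 3, "ship": "Gamma", "cargo": "fuel", "dest": "Naples"},
]

# Classification constraints: (predicate, attributes, level). The second
# is content-dependent: cargo and destination of a missile shipment are S.
CLASSIFICATION_CONSTRAINTS = [
    (lambda t: True, {"id", "ship", "cargo", "dest"}, "U"),
    (lambda t: t["cargo"] == "missiles", {"cargo", "dest"}, "S"),
]

def classify(t):
    """Per-attribute level of a tuple: the highest level of any matching constraint."""
    levels = {}
    for pred, attrs, lvl in CLASSIFICATION_CONSTRAINTS:
        if pred(t):
            for a in attrs:
                if a not in levels or dominates(lvl, levels[a]):
                    levels[a] = lvl
    return levels

def access_view(relation, view_level):
    """Access view: drop every attribute classified above the declared view level."""
    return [{a: v for a, v in t.items() if dominates(view_level, classify(t)[a])}
            for t in relation]

# Aggregation constraint: one (ship, dest) pair is U, but a listing of more
# than AGGREGATION_LIMIT pairs is classified C, above its constituents.
AGGREGATION_LIMIT = 1

def ship_destinations(relation, view_level):
    """Derived listing built on the access view; None when the aggregate's
    classification exceeds the view level."""
    pairs = [(t["ship"], t["dest"]) for t in access_view(relation, view_level)
             if "dest" in t]
    aggregate_level = "C" if len(pairs) > AGGREGATION_LIMIT else "U"
    return pairs if dominates(view_level, aggregate_level) else None
```

Note that at level U the Beta tuple is still returned, only with its cargo and destination missing; the visible gap itself is the kind of lower-level observation from which the inference abstracts below worry a user might reconstruct higher-level facts.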
The potential for logical inference of high level information based upon lower level visible data presents an interesting and challenging threat to multilevel security. Such compromises of security are rather novel since they circumvent traditional security mechanisms and rely on a user's knowledge of the application, which is external to the security layers of the system. The potential for such inferences, and the multiple consequences of a corrective action, substantially complicate the task of classifying the data in a secure manner. Computer-based tools will be needed to assist in this process, especially when multilevel databases of substantial size and complexity are considered. Heretofore, the problems of inference and security have been amorphous and difficult to circumscribe. This paper proposes a framework for studying these inference control problems, describes a representation for relevant semantics of the application, develops criteria for safety and security of a system to prevent these problems, and describes the functionality of the proposed classification tool in terms of a scenario for its use.