OS Database Security Chapter 6

CHAPTER 6: OPERATING SYSTEM & DATABASE SECURITY

Upload: afiqefendy-zaen

Post on 19-Jun-2015

TRANSCRIPT

Page 1: OS Database Security Chapter 6

CHAPTER 6

OPERATING SYSTEM & DATABASE SECURITY

Page 2: OS Database Security Chapter 6

Operating System Security

Page 3: OS Database Security Chapter 6

INTRODUCTION

What is an operating system? In simple words, an OS is a computer program that manages all other programs on the machine.

Every general-purpose computer must have an operating system to run other programs.

The OS performs basic tasks, such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices such as disk drives and printers.

Page 4: OS Database Security Chapter 6

INTRODUCTION

What is multiprogramming? The concurrent execution of multiple programs by a single processing unit.

Concurrent execution of several different programs by sharing the same central processing unit (CPU).

A form of processing in which a computer holds more than one program in memory and works on them in round-robin fashion, that is, by sharing out the processor's time so that each program receives some attention some of the time. This way of working is in contrast to using the processor to run one program at a time.

Page 5: OS Database Security Chapter 6

SECURITY METHODS OF OPERATING SYSTEMS

The basis of protection is separation – keeping one user's objects separate from those of other users.

According to Rushby and Randell (1983), separation in an OS can occur in several ways:

Physical separation – processes use different physical objects, such as separate printers for output requiring different levels of security.

Temporal separation – processes having different security requirements are executed at different times.

Page 6: OS Database Security Chapter 6

SECURITY METHODS OF OPERATING SYSTEMS

According to Rushby and Randell (1983), separation in an OS can occur in several ways:

Logical separation – users operate under the illusion that no other processes exist, as when an OS constrains a program's accesses so that it cannot access objects outside its permitted domain.

Cryptographic separation – processes conceal their data and computations in such a way that they are unintelligible to outside processes.

But separation is only half of the answer – although we want to separate users and their objects, at the same time we want to be able to provide sharing for some of those objects.

Page 7: OS Database Security Chapter 6

SECURITY METHODS OF OPERATING SYSTEMS

Besides separation, an OS may offer protection at any of several levels:

No protection – these systems are appropriate when sensitive procedures are being run at separate times.

Isolation – different processes running concurrently are unaware of the presence of each other. Each process has its own address space, files and other objects.

Share all or share nothing – with this form of protection the owner of an object declares it to be public (available to all users) or private (available only to its owner).

Page 8: OS Database Security Chapter 6

SECURITY METHODS OF OPERATING SYSTEMS

Besides separation, an OS may offer protection at any of several levels:

Share via access limitation – the OS checks the allowability of each potential access. Access control is implemented for a specific user and a specific object – the OS acts as a guard between users and objects, ensuring that only authorized accesses occur.

Share by capability – an extension of limited access sharing, which allows dynamic creation of sharing rights for objects. The degree of sharing can depend on the owner or on the object itself.

Limit use of an object – this limits not just the access to an object but the use made of that object after it has been accessed. For example, a user may have the right to view a sensitive document but not be allowed to print a copy of it.

Page 9: OS Database Security Chapter 6

Protecting Access to General Objects

The terms subject and object will be used throughout, where subject refers to the user (a programmer, a program, etc.) who uses the computing system's objects.

Here are some examples of the kinds of objects for which protection is desirable:

• Memory
• A file or data set on an auxiliary storage device
• Directory files
• Instructions
• Passwords and the user authentication mechanisms

Page 10: OS Database Security Chapter 6

Protecting Access to General Objects

There are several ways to protect access to general objects:

• Directory
• Access Control List
• Access Control Matrix
• Capability

Page 11: OS Database Security Chapter 6

Protecting Access to General Objects

Directory – Each user has a file directory which lists all the files to which that user has access.

No user can be allowed to write in the file directory, because that would be a way to forge access to a file.

Page 12: OS Database Security Chapter 6

Protecting Access to General Objects

Access Control List – This differs from the directory list because there is one access control list per object, while a directory is created for each subject.

Although this difference seems small, there are some significant advantages.

For example, if subjects A and S both have access to object F, the OS will maintain just one access list for F showing the access rights for A and S.

Page 13: OS Database Security Chapter 6

Access Control List - ACL

An access list specifies, for each object, the list of valid subjects which can access it.

E.g. for objects X, Y and Z with subjects A, B and C:

X : A (read), B (read, execute)

Y : A (write)

Z : A (read, execute), B (read), C (read, execute)

Stored per object (one column per object):

X       Y       Z
A: r    A: w    A: r
B: r            A: x
B: x            B: r
                C: r
                C: x

Each column is stored with the object corresponding to that column.

Page 14: OS Database Security Chapter 6

Protecting Access to General Objects

Access Control Matrix – It is a table in which each row represents a subject, each column represents an object and each entry is the set of rights for that subject to that object.

        Data 1   Data 2   Prog 1   Prog 2
Alice   RW       RW       E        X
Bob     X        R        RWE      RW
Carol   X        W        X        E

Page 15: OS Database Security Chapter 6

Protecting Access to General Objects

Capability – A capability is analogous to a ticket to a movie or an ID card that cannot be duplicated. It is an unforgeable token giving the possessor certain rights to an object.

One way to make an unforgeable ticket is not to give the ticket directly to the user – instead the OS holds all the tickets on behalf of the users.

A capability can be created only by specific request from a user to the OS.

Page 16: OS Database Security Chapter 6

Capabilities

e.g. for objects X, Y and Z with subjects A, B and C:

A: X (read), Y (read), Z (write, execute)

B: X (read, execute), Z (read)

C: Z (read, execute)

Stored per subject (one row per subject):

A   X/r, Y/r, Z/w, Z/x
B   X/r, X/x, Z/r
C   Z/r, Z/x

Each row is stored with the subject corresponding to that row.
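The ACL, access control matrix and capability slides above describe one data structure viewed two ways. As an added example (not code from the slides), the block below holds the ACL slide's rights as a matrix, derives the per-object ACL (column) and the per-subject capability list (row) from it, and shows the check the OS makes as guard on every access. The function names, the grant/revoke scenario and the matrix encoding are assumptions of this example.

```python
# Added example (not from the slides): the same access control matrix
# viewed by column (an ACL stored with each object) and by row (a
# capability list stored with each subject), plus the check an OS makes
# on every access. Rights come from the slides' ACL example; the function
# names and the grant/revoke scenario are my own.

from typing import Dict, Set

Rights = Set[str]
Matrix = Dict[str, Dict[str, Rights]]

# Access control matrix: subject -> object -> rights (constructed from the
# ACL slide: X: A(read), B(read, execute); Y: A(write); Z: A(read, execute),
# B(read), C(read, execute)).
MATRIX: Matrix = {
    "A": {"X": {"read"}, "Y": {"write"}, "Z": {"read", "execute"}},
    "B": {"X": {"read", "execute"}, "Z": {"read"}},
    "C": {"Z": {"read", "execute"}},
}


def acl_of(obj: str, matrix: Matrix = MATRIX) -> Dict[str, Rights]:
    """Column view: the ACL kept with object `obj` (subject -> rights)."""
    return {subj: set(rights[obj]) for subj, rights in matrix.items() if obj in rights}


def capabilities_of(subj: str, matrix: Matrix = MATRIX) -> Dict[str, Rights]:
    """Row view: the capability list the OS keeps on behalf of `subj`."""
    return {obj: set(rights) for obj, rights in matrix.get(subj, {}).items()}


def check_access(subj: str, obj: str, right: str, matrix: Matrix = MATRIX) -> bool:
    """The guard consulted before any access is allowed. A subject or
    object absent from the matrix simply has no rights (default deny)."""
    return right in matrix.get(subj, {}).get(obj, set())


def grant(subj: str, obj: str, right: str, matrix: Matrix = MATRIX) -> Matrix:
    """Share by capability: dynamically create a new sharing right. A fresh
    matrix is returned so the caller can compare before and after."""
    new = {s: {o: set(r) for o, r in rights.items()} for s, rights in matrix.items()}
    new.setdefault(subj, {}).setdefault(obj, set()).add(right)
    return new


def revoke_object(obj: str, matrix: Matrix = MATRIX) -> Matrix:
    """Remove every right to `obj`. With ACLs this is one column deleted;
    with capability lists every subject's row must be visited, which is
    why revocation is harder in capability systems."""
    return {s: {o: set(r) for o, r in rights.items() if o != obj}
            for s, rights in matrix.items()}


if __name__ == "__main__":
    print("ACL for Z:", acl_of("Z"))
    print("capabilities of B:", capabilities_of("B"))
    print("A may write Y:", check_access("A", "Y", "write"))
    print("C may read X:", check_access("C", "X", "read"))
```

The point of keeping both views derivable from one matrix is that the choice between them is a storage and revocation trade-off, not a difference in what is permitted: `acl_of` answers "who may touch this object", `capabilities_of` answers "what may this subject touch", and `check_access` is the same question either way.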

Page 17: OS Database Security Chapter 6

PROTECTING MEMORY & ADDRESSING

The most obvious problem of multiprogramming is preventing one program from affecting the memory of other programs.

There are several ways to protect memory and addressing:

• Fence
• Relocation
• Base and Bound Registers
• Tagged Architecture
• Segmentation
• Paging

Page 18: OS Database Security Chapter 6

PROTECTING MEMORY & ADDRESSING

Fence – a method to confine users to one side of a boundary. The fence is a predefined memory address, so that the OS resides on one side and the user on the other.

The implementation is very restrictive because a predefined amount of space was reserved for the OS – if less than that amount of space was required, the excess space was wasted, and the OS could not grow beyond the fence boundary.

An alternative is to implement a fence register.

Page 19: OS Database Security Chapter 6

PROTECTING MEMORY & ADDRESSING

Fence Register – contains the address of the end of the OS. The location of this fence can be changed.

Each time a user program generated an address for data modification, the address was automatically compared against the fence address: if the address was greater than the fence address (in the user area) the instruction was executed; if it was less than the fence address (in the OS area) an error condition was raised.

Page 20: OS Database Security Chapter 6

PROTECTING MEMORY & ADDRESSING

Relocation – the process of taking a program written as if it began at address 0 and changing all addresses to reflect the actual address at which the program is located in memory.

Conveniently, the fence register can be used in this situation to provide an important extra benefit.

Page 21: OS Database Security Chapter 6

PROTECTING MEMORY & ADDRESSING

Base and Bound Registers – the concept is similar to the fence register but adds value, since a fence register only acts as a base register (stating the starting address but not the upper address).

Bound registers are added to indicate the upper address limit.

In this way, a program's addresses are neatly confined to the space between the base and the bound register.

Page 22: OS Database Security Chapter 6

PROTECTING MEMORY & ADDRESSING

Tagged Architecture – errors in coding are bound to happen, and they can easily compromise security that is based only on base/bound register techniques.

This is solved with a tagged architecture – every word of machine memory has one or more extra bits to identify the access rights to that word.

These access bits are tested every time an instruction accesses that location.

Page 23: OS Database Security Chapter 6

PROTECTING MEMORY & ADDRESSING

Segmentation – the notion of dividing a program into separate pieces. Each segment has a unique name.

A code or data item within a segment is addressed as a pair <name, offset>, where name is the name of the segment and offset is its location within the segment.

Page 24: OS Database Security Chapter 6

PROTECTING MEMORY & ADDRESSING

Paging – an alternative to segmentation. Each address is a two-part object <page, offset>.

The program is divided into equal-sized pieces called pages, and memory is divided into the same-sized units called page frames.
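The fence register, base/bound, segmentation and paging slides each describe a check the hardware makes on every address. As an added example (not code from the slides), the block below models those four checks in software so the failure cases can be exercised: an address below the fence, a relocated address past the bound, an offset that runs off the end of a segment or asks for a right the segment does not carry, and a page with no frame. Every address, size, segment name and page-table entry is a constructed value, and `MemoryFault` stands in for the hardware error condition.

```python
# Added example (not from the slides): a software model of the address
# checks the slides describe for the fence register, base/bound registers,
# segmentation and paging. All addresses, sizes, segment names and the
# page table are constructed values for illustration.

from typing import Dict, Tuple


class MemoryFault(Exception):
    """Stands in for the error condition the hardware raises."""


# Fence register: holds the last address of the OS area (constructed value).
FENCE = 0x0FFF


def fence_check(addr: int, fence: int = FENCE) -> int:
    """Addresses above the fence are in the user area and may proceed;
    addresses at or below it belong to the OS and raise an error."""
    if addr <= fence:
        raise MemoryFault(f"address {addr:#06x} is inside the OS area (fence {fence:#06x})")
    return addr


def relocate(logical: int, base: int, bound: int) -> int:
    """Base/bound registers: a program written as if it started at 0 has
    `base` added to every address, and the result must stay below `bound`."""
    if logical < 0:
        raise MemoryFault(f"negative logical address {logical}")
    physical = base + logical
    if physical >= bound:
        raise MemoryFault(f"address {physical:#06x} is beyond the bound {bound:#06x}")
    return physical


# Segment table: name -> (base, length, rights). Constructed layout.
SegmentTable = Dict[str, Tuple[int, int, frozenset]]
SEGMENTS: SegmentTable = {
    "code": (0x4000, 0x0800, frozenset({"read", "execute"})),
    "data": (0x8000, 0x0400, frozenset({"read", "write"})),
}


def translate_segment(name: str, offset: int, right: str,
                      table: SegmentTable = SEGMENTS) -> int:
    """Segmentation: an address is the pair <name, offset>. The check is that
    the segment exists, the offset lies inside it, and the access kind is
    permitted on that segment."""
    if name not in table:
        raise MemoryFault(f"unknown segment {name!r}")
    base, length, rights = table[name]
    if not 0 <= offset < length:
        raise MemoryFault(f"offset {offset:#x} is outside segment {name!r} (length {length:#x})")
    if right not in rights:
        raise MemoryFault(f"{right} is not permitted on segment {name!r}")
    return base + offset


PAGE_SIZE = 0x100                                   # constructed: 256-byte pages and frames
PAGE_TABLE: Dict[int, int] = {0: 7, 1: 2, 2: 9}     # page number -> frame number


def translate_page(address: int, table: Dict[int, int] = PAGE_TABLE,
                   page_size: int = PAGE_SIZE) -> int:
    """Paging: split the address into <page, offset>. Because every page is
    the same size the offset can never overrun the page, so only the page
    number needs a table lookup."""
    page, offset = divmod(address, page_size)
    if page not in table:
        raise MemoryFault(f"page {page} is not mapped")
    return table[page] * page_size + offset


def faults(fn, *args) -> bool:
    """True if the given access raises MemoryFault; used to exercise the checks."""
    try:
        fn(*args)
    except MemoryFault:
        return True
    return False


if __name__ == "__main__":
    print("relocated:", hex(relocate(0x10, 0x2000, 0x3000)))
    print("<data, 0x10> read ->", hex(translate_segment("data", 0x10, "read")))
    print("page 1, offset 0xFF ->", hex(translate_page(0x1FF)))
    print("write to code segment faults:", faults(translate_segment, "code", 0x10, "write"))
```

Note the order in which the segment check is made: existence, then bounds, then rights. That ordering matters in real designs because a bounds failure on a segment the subject may not read at all should not reveal the segment's length; the model above keeps the slide's simple view and reports whichever check fails first.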

Page 25: OS Database Security Chapter 6

Designing Trusted Operating Systems

What is a trusted system? Security professionals speak of trusted rather than secure operating systems, meaning those that meet their intended security requirements and justify confidence in their quality.

Page 26: OS Database Security Chapter 6

Designing Trusted Operating Systems

Secure versus Trusted

Secure | Trusted
Either-or concept | Graded – there are degrees of "trustedness"
Property of presenter | Property of receiver
Asserted: based on product characteristics | Judged: based on evidence and analysis
Absolute: not qualified as to how, where, when or by whom used | Relative: viewed in context of use
A goal | A characteristic

Page 27: OS Database Security Chapter 6

Designing Trusted Operating Systems

Among the components underpinning a trusted OS are:

Security policy: a statement of the security we expect the system to enforce.

Model: the representation of the policy that the OS will enforce.

Design: covers both what the trusted OS is and how it is to be constructed.

Trust: based on two aspects, that is, features (the OS has all the functionality needed to enforce the expected security policy) and assurance (the OS has been implemented in such a way that we have confidence it will enforce the security policy).

Page 28: OS Database Security Chapter 6

Security Policies

A security policy is a statement of the security we expect the system to enforce.

Page 29: OS Database Security Chapter 6

Military Security Policies (MSP)

MSP is based on protecting classified information. Five levels:

1 - unclassified
2 - restricted
3 - confidential
4 - secret
5 - top secret

Page 30: OS Database Security Chapter 6

Classified information may be associated with one or more projects called compartments.

The combination of rank and compartment is called the class or classification of a piece of information.

Clearance – a person is trusted to access certain information up to a level of sensitivity; the relation between clearance and classification is called dominance.

Page 31: OS Database Security Chapter 6

A subject can read an object only if:

a) The clearance level of the subject is at least as high as that of the information

b) The subject has a need to know about all compartments for which the information is classified

Page 32: OS Database Security Chapter 6

Military Security Policy

Information classified <secret, {sweden}> can be accessed/read by

• <top secret, {sweden, crypto}> or

• <secret, {sweden, crypto}>

But cannot be accessed/read by

• <top secret, {crypto}> or

• <confidential, {sweden}>
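The read rule on the previous two slides is a dominance check with two independent conditions, and the four cases above fail or pass for different reasons: one denied subject has the level but not the compartment, the other has the compartment but not the level. As an added example (not code from the slides), the block below encodes the five levels and the rule, and reports which of the two conditions denied a read. The `label`/`dominates`/`why_denied` names and the wording of the reasons are assumptions of this example; the levels and the four cases are the slides'.

```python
# Added example (not from the slides): the military security policy's
# read rule as a dominance check. The level ranking and the test cases
# come from the slides; the function names and reason strings are mine.

from typing import FrozenSet, List, Optional, Tuple

# Five sensitivity levels from the slides, ranked low to high.
LEVELS = {"unclassified": 1, "restricted": 2, "confidential": 3, "secret": 4, "top secret": 5}

# A classification is <level, set of compartments>; a clearance has the same shape.
Label = Tuple[str, FrozenSet[str]]


def label(level: str, *compartments: str) -> Label:
    """Build a <level, {compartments}> pair, rejecting unknown level names."""
    if level not in LEVELS:
        raise ValueError(f"unknown sensitivity level {level!r}")
    return (level, frozenset(compartments))


def dominates(clearance: Label, classification: Label) -> bool:
    """The subject dominates the object when (a) its level is at least as
    high and (b) it has need-to-know for every compartment of the object."""
    s_level, s_comps = clearance
    o_level, o_comps = classification
    return LEVELS[s_level] >= LEVELS[o_level] and o_comps <= s_comps


def why_denied(clearance: Label, classification: Label) -> Optional[str]:
    """None if the read is allowed; otherwise which of the two rules failed.
    The level is checked first, so a subject failing both sees the level reason."""
    s_level, s_comps = clearance
    o_level, o_comps = classification
    if LEVELS[s_level] < LEVELS[o_level]:
        return f"clearance {s_level!r} is below classification {o_level!r}"
    missing = o_comps - s_comps
    if missing:
        return f"no need-to-know for compartment(s) {sorted(missing)}"
    return None


def readers(classification: Label, clearances: List[Label]) -> List[Label]:
    """The subset of subjects allowed to read an object."""
    return [c for c in clearances if dominates(c, classification)]


if __name__ == "__main__":
    secret_sweden = label("secret", "sweden")
    for subj in (label("top secret", "sweden", "crypto"), label("secret", "sweden", "crypto"),
                 label("top secret", "crypto"), label("confidential", "sweden")):
        print(subj, "->", why_denied(subj, secret_sweden) or "allowed")
```

Modelling compartments as a set and comparing with `<=` (subset) is what makes the need-to-know rule correct for objects carrying several compartments at once: a subject cleared for {sweden} alone must not read <secret, {sweden, crypto}>, which the subset test denies and a membership test on a single compartment would not.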

Page 33: OS Database Security Chapter 6

Chinese Wall Security Policy

A conflict of interest exists when one person can obtain sensitive information on competing companies.

Three levels of abstraction:

i) Objects – the lowest level consists of elementary objects, for example files; each file contains information concerning only one company.

ii) Company group – all objects concerning each company are grouped together.

iii) Conflict classes – at the highest level, all groups of objects for competing companies are clustered.

Each object thus belongs to a unique company group, and each company group is contained in a unique conflict class.

Page 34: OS Database Security Chapter 6

A conflict class may contain one or more company groups.

The Chinese Wall policy is a commercially inspired confidentiality policy, whereas most commercial policies focus on integrity.

Page 35: OS Database Security Chapter 6

Figure: six company groups – Air Asia, MAS, Cadbury, Vochele, Hershey, TNB – arranged into conflict classes (labels: Company group, Conflict class).

Someone has data on six company groups.

ACCESS SCHEME – a person can access any information as long as that person has never accessed information from a different company in the same conflict class.

Commercially inspired confidentiality policy.
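The access scheme on this slide is history-based: whether a request is allowed depends on what the same person has read before, not only on who they are. As an added example (not code from the slides), the block below implements that scheme over the six company groups named on the slide. The slide does not say which groups share a conflict class, so the grouping into two airlines, three confectioners and one utility is an assumption of this example, as are the class names and the `ChineseWall` methods.

```python
# Added example (not from the slides): the Chinese Wall access scheme
# applied to the six company groups on the slide. The slide does not say
# which companies share a conflict class, so the grouping below is my
# assumption, as are the class names.

from typing import Dict, Set

CONFLICT_CLASSES: Dict[str, Set[str]] = {
    "airlines": {"Air Asia", "MAS"},
    "confectionery": {"Cadbury", "Vochele", "Hershey"},
    "utilities": {"TNB"},
}

# Each company group belongs to exactly one conflict class.
CLASS_OF: Dict[str, str] = {
    company: cls for cls, members in CONFLICT_CLASSES.items() for company in members
}


class ChineseWall:
    """Tracks, per person, which company groups they have already read."""

    def __init__(self) -> None:
        self.history: Dict[str, Set[str]] = {}

    def may_access(self, person: str, company: str) -> bool:
        """Allowed unless the person has read a different company in the
        same conflict class. Re-reading a company already seen stays allowed,
        and a company in no conflict class is refused outright."""
        if company not in CLASS_OF:
            return False
        cls = CLASS_OF[company]
        return all(seen == company or CLASS_OF[seen] != cls
                   for seen in self.history.get(person, set()))

    def access(self, person: str, company: str) -> bool:
        """Mediate one access; on success record it, because the history is
        what raises the wall for later requests."""
        if not self.may_access(person, company):
            return False
        self.history.setdefault(person, set()).add(company)
        return True

    def walled_off(self, person: str) -> Set[str]:
        """Company groups this person can no longer read because of past accesses."""
        return {c for c in CLASS_OF if not self.may_access(person, c)}


if __name__ == "__main__":
    wall = ChineseWall()
    for company in ("Air Asia", "MAS", "Cadbury", "TNB", "Hershey"):
        print(f"analyst reads {company}: {wall.access('analyst', company)}")
    print("walled off:", sorted(wall.walled_off("analyst")))
```

Because the decision depends on `history`, the log of granted accesses is part of the security state rather than an afterthought: if it is lost or can be edited by the person it describes, the wall disappears. That is the same reason the slides later list accountability and audit among the features of a trusted OS.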

Page 36: OS Database Security Chapter 6

Security Features of Trusted Operating Systems

The features of trusted operating systems include:

User identification: a trusted OS requires identification of individuals, and each individual must be uniquely identified.

Mandatory access control: access control policy decisions are made beyond the control of the individual owner of an object – a central authority determines what information is to be accessible by whom, and the user cannot change the access rights.

Discretionary access control: the owner can determine who should have access rights to an object and what those rights should be.

Page 37: OS Database Security Chapter 6

Security Features of Trusted Operating Systems

The features of trusted operating systems include:

Object reuse protection: to prevent leakage through object reuse, the OS clears (overwrites) all space before it is reassigned.

Complete mediation: all accesses are checked.

Trusted path: for critical operations such as setting a password or changing access permissions, users are required to communicate through a trusted path.

Page 38: OS Database Security Chapter 6

Security Features of Trusted Operating Systems

The features of trusted operating systems include:

Accountability and audit: maintaining a log of security-relevant events that have occurred, listing each event and the person responsible.

Intrusion detection system: software builds usage patterns of the normal system and triggers an alarm any time the usage is abnormal.

Page 39: OS Database Security Chapter 6

Hardening Your OS

Operating System Hardening

Hardening of operating systems is the first step towards safeguarding systems from intrusion. Workstations and servers typically arrive from the vendor installed with a multitude of development tools and utilities which, although beneficial to the new user, also provide potential back-door access to an organisation's systems.

Hardening of an operating system involves the removal of all non-essential tools, utilities and other systems administration options, any of which could be used to ease a hacker's path to your systems. Following this, the hardening process will ensure that all appropriate security features are activated and configured correctly. Again, 'out of the box' systems will likely be set up for ease of access, with access to the 'root' / Administrator account. Some vendors have now recognised that a market exists for pre-hardened systems.

Page 40: OS Database Security Chapter 6

Database Security

Page 41: OS Database Security Chapter 6

Introduction

A database is a collection of data and a set of rules that organize the data by specifying certain relationships among the data.

Through these rules, the user describes a logical format for the data.

The user interacts with the database through a program called a database manager or database management system (DBMS), informally known as a front end.

Page 42: OS Database Security Chapter 6

Introduction

Advantages of Using Databases

Shared access – so that many users can use one common, centralized set of data.

Minimal redundancy – so that individual users do not have to collect and maintain their own sets of data.

Data consistency – so that a change to a data value affects all users of the data value.

Data integrity – so that data values are protected against accidental or malicious incorrect changes.

Controlled access – so that only authorized users are allowed to view or modify data values.

Page 43: OS Database Security Chapter 6

Security Requirements

Physical database integrity – so that the data of a database is immune to physical problems such as power failures, and so that someone can reconstruct the database if it is destroyed through a catastrophe.

Logical database integrity – so that the structure of the database is preserved. With logical integrity of a database, a modification to the value of one field does not affect other fields.

Page 44: OS Database Security Chapter 6

44

Security Requirements

Element integrity – so that the data contained in each element is accurate.

Auditability – to be able to track who has accessed (or modified) the elements in the database.

Access control – so that a user is allowed to access only authorized data and so that different users can be restricted to different modes of access (such as read or write).

Page 45: OS Database Security Chapter 6

45

Security Requirements

User authentication – to ensure that every user is positively identified, both for the audit trail and for permission to access certain data.

Availability – meaning that users can access the database in general and all the data for which they are authorized.

Page 46: OS Database Security Chapter 6

46

Sensitive Data

Sensitive data is data that should not be made public.

Determining which data items are sensitive depends on the individual database and the underlying meaning of the data.

Example: a library public catalog (no sensitive data), military and defense databases (all sensitive data), a university database (some but not all sensitive).

Page 47: OS Database Security Chapter 6

47

Types of Disclosure

Exact Data – the most serious disclosure is the exact value of the sensitive data itself.

Bounds – indicating that a sensitive value (y) is between values L and H.

Negative result – sometimes one can word a query to determine a negative result (z is not the value of y).

Existence – the existence of data is itself a sensitive piece of data, regardless of the actual value.

Probable value – it may be possible to determine the probability that a certain element has a certain value.
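The slides above describe disclosure types but not how a DBMS front end limits them. The following is an added example, not from the original slides: a constructed university table with a sensitive financial-aid field, an unrestricted statistical query that leaks an exact value, and a query-set-size control (a standard statistical-database guard, assumed here rather than taken from the slides) that refuses queries matching too few rows or too few of the complement.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Student:
    name: str
    dept: str
    year: int
    aid: int  # sensitive value: constructed financial-aid amount


# Constructed sample records (not real data, not from the slides).
STUDENTS = [
    Student("A", "CS", 1, 5000),
    Student("B", "CS", 2, 0),
    Student("C", "CS", 2, 3000),
    Student("D", "Math", 1, 2000),
    Student("E", "Math", 3, 7000),
    Student("F", "Bio", 3, 1000),
]

Predicate = Callable[[Student], bool]


def raw_sum(pred: Predicate) -> int:
    """Unrestricted aggregate: when only one row matches, the sum IS that
    row's sensitive value (the 'Exact Data' disclosure from the slide)."""
    return sum(s.aid for s in STUDENTS if pred(s))


def guarded_sum(pred: Predicate, k: int = 2) -> Optional[int]:
    """Query-set-size control: answer only if at least k rows match AND at
    least k rows do not. The lower limit blocks a single-row query; the
    upper limit blocks asking for 'everyone except one person' and then
    subtracting from the grand total. Returns None when refused."""
    matched = [s for s in STUDENTS if pred(s)]
    if len(matched) < k or len(STUDENTS) - len(matched) < k:
        return None
    return sum(s.aid for s in matched)


if __name__ == "__main__":
    # Single-row query: refused. Its complement: also refused.
    print(guarded_sum(lambda s: s.dept == "Bio"))   # None
    print(guarded_sum(lambda s: s.dept != "Bio"))   # None
    # Larger group: answered (3 rows match, 3 do not).
    print(guarded_sum(lambda s: s.dept == "CS"))    # 8000
```

A two-row group still answers with k=2, and since aid is non-negative the sum gives a 'Bounds' disclosure (each member's value lies between 0 and the sum), so k must be chosen with the remaining disclosure types in mind, not just exact values.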

Page 48: OS Database Security Chapter 6

48

Proposals for Secure Multilevel Databases

Partitioning

The database is divided into separate databases, each at its own level of sensitivity.

This approach is similar to maintaining separate files in separate file cabinets.

Page 49: OS Database Security Chapter 6

49

Proposals for Secure Multilevel Databases

Encryption

If sensitive data is encrypted, a user who accidentally receives sensitive data cannot interpret the data.