Multilevel Secure Database System Architecture


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Multilevel Security (MLS) [1] allows information with different classifications to be made available to users holding different security clearances and authorizations, while at the same time preventing them from accessing information for which they are not cleared or authorized. In particular, security checks are put in place to prevent users from gaining access to information for which they are not cleared or authorized through indirect means. Covert channels are examples of such indirect means.

MULTILEVEL SECURE DATABASE SYSTEM ARCHITECTURE:

Multilevel secure RDBMS architectures [38] can be divided into two types, the Woods Hole architecture and the Trusted Subject architecture. In the Woods Hole architecture mandatory access control is enforced by the RDBMS itself, whereas the Trusted Subject architecture, also known as the integrated architecture, delegates this responsibility to a trusted operating system. The Woods Hole architecture is further subdivided into the kernelized architecture and the distributed architecture, also known as the fragmented and replicated data architectures. The relational database products that first emerged are basically integrated data architectures. This approach requires considerable modification of an existing relational DBMS. It can be supported by DBMS vendors because they own the source code of their DBMSs and are in a position to modify it in new products. The fragmented and replicated architectures have been demonstrated in laboratory projects. They offer possibly greater assurance of security than the integrated data architecture. Moreover, they can be constructed from commercial off-the-shelf (COTS) DBMSs as components. This allows non-DBMS vendors to build them by integrating COTS trusted operating systems with untrusted DBMSs.

MULTILEVEL SECURITY RELATIONAL DATABASES:

As already stated, the multilevel secure (MLS) relational data model was first given by Bell and LaPadula [1]. It assumes that each individual attribute value is subject to security label assignment. The four sensitivity levels are denoted top secret (TS), secret (S), confidential (C) and unclassified (U), where TS > S > C > U.

A multilevel relation schema corresponds to a collection of state-dependent relation instances Rc, one for each access class c.

A relation instance is denoted Rc(A1, C1, ..., An, Cn, TC) and consists of a set of distinct tuples of the form (a1, c1, ..., an, cn, tc), where each ai ∈ domain(Ai), c ≥ ci, ci ∈ [Li, Hi] and tc = lub{ci : i = 1..n}.

As the simple security property of the Bell-LaPadula model suggests, t[Ai] is visible to subjects with clear(s) ≥ t[Ci] (where clear gives the clearance level of the subject); otherwise t[Ai] is replaced with the null value. In the MLS relational model a key, called the apparent key, is derived from the set of functional dependencies. The relations in MLS databases satisfy entity integrity, null integrity, inter-instance integrity and polyinstantiation integrity.

* Entity Integrity: Entity integrity states that the apparent key may not have the null value, must be uniformly classified, and its classification must be dominated by the classifications of all the other attributes.

* Null Integrity: Null integrity states that null values must be classified at the level of the key, and that for subjects cleared for higher security classes, the null values visible at lower clearances are replaced by the proper values automatically.

* Inter-instance Integrity: The inter-instance property is concerned with consistency between relation instances of a multilevel relation R. A filter function maps R to different instances Rc' (one for each c' < c). By filtering, a user is restricted to that portion of the multilevel relation for which the user is cleared.

* Polyinstantiation Integrity: R satisfies polyinstantiation integrity if for every Rc and each attribute Ai the functional dependency A, Ci → Ai (i = 1..n) holds.
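The model above, as an added example that is not part of the essay: a small relation with one label per attribute value, the clearance-based filter function and checks for entity, null and polyinstantiation integrity. The relation SHIPS, the null-masking rule and the subsumption step are constructed for illustration.

```python
# Added example (not from the essay): a toy MLS relation with attribute-level
# labels, the clearance-based filter function and the integrity checks.
from typing import Any, Dict, List, Optional, Tuple

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}          # TS > S > C > U

def dominates(a: str, b: str) -> bool:
    return LEVELS[a] >= LEVELS[b]

Attr = Tuple[Optional[Any], str]                    # (a_i, c_i)
Row = Tuple[Attr, ...]                              # attribute 0 is the apparent key A

def tc(row: Row) -> str:
    """Tuple class: least upper bound of all attribute labels."""
    return max((c for _, c in row), key=LEVELS.__getitem__)

def entity_integrity(row: Row) -> bool:
    a, ca = row[0]
    return a is not None and all(dominates(c, ca) for _, c in row)

def null_integrity(row: Row) -> bool:
    ca = row[0][1]
    return all(c == ca for v, c in row if v is None)

def polyinstantiation_integrity(rel: List[Row]) -> bool:
    """For every attribute i the dependency A, C_i -> A_i must hold."""
    seen: Dict[Tuple[Any, int, str], Any] = {}
    for row in rel:
        a = row[0][0]
        for i, (v, c) in enumerate(row):
            if seen.setdefault((a, i, c), v) != v:
                return False
    return True

def filter_relation(rel: List[Row], clearance: str) -> List[Row]:
    """Instance R_c visible to a subject cleared at c (simple security property).
    Rows whose key is above c vanish; other attributes above c become nulls
    labelled at the key's class (null integrity); subsumed rows are dropped."""
    masked: List[Row] = []
    for row in rel:
        a, ca = row[0]
        if not dominates(clearance, ca):
            continue
        masked.append(tuple((v, c) if dominates(clearance, c) else (None, ca)
                            for v, c in row))
    masked = list(dict.fromkeys(masked))            # drop exact duplicates
    def subsumed(x: Row, y: Row) -> bool:           # y carries all of x and more
        return x != y and x[0] == y[0] and all(
            xa[0] is None or xa == ya for xa, ya in zip(x, y))
    return [x for x in masked if not any(subsumed(x, y) for y in masked)]

# Constructed sample: SHIPS(Name, Destination), one label per attribute value.
SHIPS: List[Row] = [
    (("Enterprise", "U"), ("Talos", "S")),
    (("Voyager", "U"), ("Mars", "U")),
    (("Voyager", "U"), ("Rigel", "S")),             # polyinstantiated destination
    (("Stealth", "TS"), ("Vulcan", "TS")),
]

if __name__ == "__main__":
    for clr in ("U", "S", "TS"):
        print(clr, filter_relation(SHIPS, clr))
```

An unclassified user sees Enterprise with a null destination and only the Mars tuple for Voyager; the secret-level view replaces that null with Talos and adds the polyinstantiated Rigel tuple.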

1.4.3 DECOMPOSITION OF MULTILEVEL RELATIONS:

Multilevel relations are decomposed into a collection of single-level base relations, which are then physically stored; the multilevel relation is reconstructed from these base relations on the user's demand. Several algorithms for the decomposition and recovery of multilevel relations from single-level relations have been suggested by different authors.

Denning et al. [9] developed a multilevel database under the Secure Data Views (SeaView) project. In this model security classifications are assigned to the individual data elements of the tuples of a relation. A user with a clearance at access class c sees only the data that lies at class c or below. Thus, a user with Top Secret clearance will see the entire relation (the entire table), whereas a user with Confidential clearance will not be able to view data at the Secret and Top Secret levels. In SeaView, the decomposition of multilevel relations into single-level ones is performed by applying two different types of fragmentation: horizontal and vertical. The major change proposed by Jajodia and Sandhu [19] was to take all classification attributes together with the primary key instead of with the individual data attributes. The novel decomposition algorithm of [37] breaks a multilevel relation into single-level ones by horizontal splitting of whole tuples rather than attribute-wise vertical splitting. This makes the splitting process quite simple. A recovery algorithm then reconstructs the original multilevel relation from the decomposed single-level relations.

QUERY PROCESSING IN MULTILEVEL DATABASES:

In multilevel database systems, security constraints are required to enforce the classification policy. These constraints can be regarded as integrity constraints and can be used to assign security levels to data based on content, context and time. Such constraints are useful for describing multilevel applications. The main step in processing a query is processing the security constraints [25] to control unauthorised inferences. Various techniques are used for handling security constraints during updates, query processing and database design. For centralized systems, the integrated architecture for constraint processing is shown in Figure 2.

Fig.2: Integrated architecture for centralized databases

This architecture is a loose coupling between a multilevel relational database management system and a deductive manager [41]. The deductive manager is also called the query/update constraint processor. In this architecture, the constraints and schema produced by the constraint generator are processed further by the database design tool. The modified constraints are given to the constraint updater in order to update the constraint database, and the schema is given to the MLS/DBMS to be stored in the metadatabase. The constraints in the constraint database are used by the query and update constraint processors.

CONCURRENCY CONTROL IN MULTILEVEL SECURE DATABASES:

Multilevel secure (MLS) databases also have additional requirements for concurrency control. In these databases the scheduler must itself be secure, since malicious transactions could exploit a non-secure scheduler to establish signaling channels [27]. Traditional algorithms, based on locks or timestamps, are not secure. Moreover, they suffer from starvation, i.e., transactions that are reading down may be delayed indefinitely. Rather than maintaining a single version of each data item, multiple versions are maintained. The use of multiple versions prevents high transactions from interfering with low transactions, in that high transactions are given older versions of low data. Therefore, a low transaction is never delayed or aborted because of the concurrent execution of a high transaction; thus both signaling channels and starvation are eliminated. In this approach, transactions are prioritized according to their access class, and a high transaction is always placed before all active low transactions.
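The two schedulers contrasted above, as an added example that is not from the essay or from [27]: a lock-based scheduler in which a High reader's lock is observable by a Low writer, beside a multiversion scheduler in which the High transaction is served an older version of the Low item and the Low write is never delayed. The transaction names, item names and the simplification that a write commits immediately are assumptions of this example.

```python
# Added example (not from the essay): a lock scheduler whose blocking is a
# signaling channel from High to Low, and a multiversion scheduler that is not.
from typing import Dict, List, Optional, Set, Tuple

LEVELS = {"Low": 0, "High": 1}

class LockScheduler:
    """Read locks held by a High reader delay a Low writer, so the Low
    transaction can observe what the High transaction did (covert channel)."""
    def __init__(self) -> None:
        self.read_locks: Dict[str, Set[str]] = {}

    def read(self, txn: str, item: str) -> None:
        self.read_locks.setdefault(item, set()).add(txn)

    def write(self, txn: str, item: str) -> str:
        holders = self.read_locks.get(item, set()) - {txn}
        return "granted" if not holders else "blocked by " + ",".join(sorted(holders))

class MultiversionScheduler:
    """Each item keeps (commit_ts, value) versions. A transaction reads the
    newest version committed before it began, so a High reader holds nothing a
    Low writer must wait for. Writes commit immediately here (simplification)."""
    def __init__(self) -> None:
        self.versions: Dict[str, List[Tuple[int, object]]] = {}
        self.item_level: Dict[str, str] = {}
        self.start: Dict[str, int] = {}
        self.level: Dict[str, str] = {}
        self.clock = 0

    def begin(self, txn: str, level: str) -> None:
        self.clock += 1
        self.start[txn], self.level[txn] = self.clock, level

    def read(self, txn: str, item: str) -> Optional[object]:
        if LEVELS[self.level[txn]] < LEVELS[self.item_level[item]]:
            raise PermissionError("no read up")           # simple security property
        older = [v for ts, v in self.versions.get(item, []) if ts <= self.start[txn]]
        return older[-1] if older else None

    def write(self, txn: str, item: str, value: object, item_level: str = "Low") -> str:
        level = self.item_level.setdefault(item, item_level)
        if LEVELS[self.level[txn]] > LEVELS[level]:
            raise PermissionError("no write down")        # *-property
        self.clock += 1
        self.versions.setdefault(item, []).append((self.clock, value))
        return "granted"                                   # never waits on High

def lock_channel(high_reads: bool) -> str:
    """What the Low writer observes, depending on the High reader's behaviour."""
    s = LockScheduler()
    if high_reads:
        s.read("T_high", "x")
    return s.write("T_low", "x")

def multiversion_channel(high_reads: bool) -> Tuple[str, object, object]:
    """Low's observation, High's read before and after the Low write."""
    s = MultiversionScheduler()
    s.begin("T_setup", "Low"); s.write("T_setup", "x", 1)  # initial version of x
    s.begin("T_high", "High")
    before = s.read("T_high", "x") if high_reads else None
    s.begin("T_low", "Low")
    status = s.write("T_low", "x", 2)
    after = s.read("T_high", "x") if high_reads else None  # still the older version
    return status, before, after
```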

2. LITERATURE REVIEW

The literature surveyed can be grouped into 5 parts:

1. Multilevel secure database system architecture

2. Multilevel security relational database model

3. Decomposition of multilevel relations

4. Query processing in multilevel databases

5. Deadlock detection in distributed databases

Multilevel secure database system architecture:

Sandhu [38] explained the three architectures for multilevel secure systems:

1. Integrated data architecture (also known as the trusted subject architecture).

2. Fragmented data architecture (also known as the kernelized architecture).

3. Replicated data architecture (also known as the distributed architecture).

Commercially available relational database products are basically integrated data architectures. The fragmented and replicated architectures offer more security and can be easily constructed by non-DBMS vendors. While many different approaches have been pursued in the research community for high-assurance DBMSs, none of the approaches developed to date has been able to meet all of the high-assurance requirements while still providing the level of functionality offered by untrusted commercial DBMS products.

Multilevel security relational database model:

Bell and LaPadula [1] explained the basic model of MLS. The model is stated in terms of objects and subjects. Any passive entity such as a data file, a record or a field acts as an object, and a process that requests access to an object is called a subject. Every object and subject is associated with a piece of information, termed a label, that consists of two components: a hierarchical component and a set of unordered compartments. The hierarchical component specifies the sensitivity of the data; for example, Top Secret, Secret, Confidential and Unclassified are the levels used in military organizations. The compartment component is non-hierarchical and is used to describe the category of the labeled data. Labels are partially ordered in a lattice. To enforce security they introduced the following restrictions on all data accesses:

• The Simple Security Property or "No Read Up": A subject is allowed a read access to an object if and only if the subject’s label dominates the object’s label.

• The *-Property (pronounced the star property) or "No Write Down": A subject is allowed a write access to an object if and only if the object’s label dominates the subject’s label.

Although the BLP model was a remarkable contribution to the security world, it was restricted to confidentiality and intended for systems with static security levels. Moreover, it still contained covert channels.

Biba [4] formulated an exact mathematical dual of the Bell-LaPadula model, with integrity labels and two properties: no-write-up in integrity and no-read-down in integrity. That is, low integrity objects (including subjects) are not permitted to contaminate higher integrity objects, or in other words no resource is permitted to depend upon other resources unless the latter are at least as trustworthy as the former.

Decomposition of multilevel relations:

Denning et al. [9] developed a multilevel database under the Secure Data Views (SeaView) project. They declared that multilevel relations exist only at the logical level. In reality, multilevel relations are decomposed into a collection of single-level base relations, which are then physically stored in the database on disk. The multilevel relations can be reconstructed from the base relations. In SeaView, the decomposition of multilevel relations into single-level ones is performed by applying two different types of fragmentation: horizontal and vertical.

The SeaView decomposition and recovery algorithms suffer from repeated joins, spurious tuples, incompleteness and the cost of left outer joins.

Jajodia and Sandhu [19] proposed a decomposition algorithm that takes all classification attributes together with the primary key instead of with the individual data attributes. This helps in specifying secure queries to the database. Polyinstantiation is also considered in this approach.

Jajodia and Sandhu [37] proposed a novel decomposition algorithm that breaks a multilevel relation into single-level ones by horizontal splitting of whole tuples rather than attribute-wise vertical splitting. This makes the splitting process quite simple. A recovery algorithm then reconstructs the original multilevel relation from the decomposed single-level relations.

Query processing in multilevel databases:

Keefe et al. [25] showed that the different security levels are provided by classification policies, which are defined by security constraints. These constraints can be regarded as integrity constraints.

Thuraisingham et al. [41] defined the integrated architecture for constraint processing, which was influenced by LOCK Data Views [35]. This architecture is a loose coupling between a multilevel relational database management system and a deductive manager. The deductive manager is actually the query/update constraint processor. The architecture assumes that a trusted constraint manager process manages the constraints.

Issues in secure query processing in distributed databases:

Security constraint processing: security constraints are the rules by which data items and combinations of data items are classified according to their secrecy. To protect the database efficiently they must be processed carefully. The processing may be done during database design, query processing or database update. If they are handled during query processing and database update they reduce the performance of the system, and if handled during design they add extra overhead for the user. Therefore, it is necessary to process the constraints carefully.

Query acceleration: in the Kernelized architecture, data are separated and stored in different containers according to the classification level. Thus when a user at a higher clearance level needs to read low level data, he/she must access different containers. This results in delayed query response time. So query acceleration for high level users, in order to make a fast decision, is required.

Concurrency control: this is another area which needs attention in secure databases. In these databases the scheduler must itself be secure, since malicious transactions could exploit a non-secure scheduler to establish signaling channels [27]. Traditional algorithms, based on locks or timestamps, are not secure. Without a proper concurrency control mechanism, the query processing and acceleration mechanisms may lead to covert channels.

Centralized databases, where only one copy of the data is stored, already have the problems of access control and transaction management, such as concurrent access control and deadlock detection and recovery. These problems appear in a more severe form in distributed databases, where the data is distributed and replicated over a network using horizontal and vertical fragmentation, analogous to the selection and projection operations of Structured Query Language (SQL). DDBSs also have other issues besides these problems.

If we add multilevel security to distributed databases then the system becomes more complicated and it becomes mandatory for us to resolve these problems.

Deadlock detection in distributed databases

Various algorithms have already been proposed for deadlock detection in distributed databases, as follows:

Chandy & Misra [7] proposed an algorithm that uses transaction wait-for graphs (TWFG) to represent the status of transactions at the local sites and uses probes to detect global deadlocks. The algorithm determines deadlock by a probe computation. The probes are meant only for deadlock detection and are distinct from requests and replies. A transaction sends at most one probe in any probe computation. If the initiator of the probe computation gets back the probe, then it is involved in a deadlock.

Sinha's scheme [34] is based on transaction priorities. Using priorities, the number of messages required for deadlock detection is reduced considerably. In this scheme, a transaction's request for a lock on a data item is sent to the data manager for that item. If the request cannot be granted, the data manager initiates a deadlock computation by sending a probe to the transaction that holds the lock on the data item, provided the priority of the holder is greater than that of the requestor. A probe is propagated only if the priority of the holder of the data item it manages is greater than that of the initiator. When a transaction begins to wait for a lock, all the probes in its queue are propagated. When a data manager gets back the probe it initiated, a deadlock is detected. Since the probe contains the priority of the youngest transaction in the cycle, the youngest transaction is aborted.

Obermarck's algorithm [30] builds and analyzes a directed TWFG and uses a distinguished node at each site. The detection algorithm at each site first builds a TWFG and adds all the information received from other sites. It then creates wait-for edges from the "external" node to each node representing an agent of a transaction that is expected to send on a communication link, and from each node that is waiting to receive from a communication link to the "external" node. Finally it analyzes the TWFG and breaks each cycle by selecting the youngest transaction in it.

Ho's algorithm [14] uses a resource table at each site and chooses one site as a central controller to perform deadlock detection.

3. DESCRIPTION OF BROADER AREA

A database management system runs above the operating system and provides database security. Whenever sensitive information is exchanged, it must be transmitted over a secure channel and stored securely to prevent unauthorized access. A secure system can thus be built from an underlying secure operating system, secure databases, secure networks and secure distributed systems.

Figure: Secure systems, built from a secure operating system, secure databases, secure networks and secure distributed systems.

Advances in communication and database technologies have resulted in distributed databases, i.e., databases whose data is spread across multiple databases. A distributed database system includes a distributed database management system (DDBMS), a distributed database and a network for interconnection. Its main functions include distributed query management, transaction processing, and enforcing security and integrity across the multiple nodes. Transaction management in a DDBMS involves the handling of distributed transactions. The part of a transaction executing at a particular site is a sub-transaction associated with that site, and a coordinator controls the execution of the sub-transactions. Concurrency control techniques ensure the consistency of the distributed database when transactions execute concurrently. If a process in a distributed system needs a resource located at another site, it sends a message to that site over the network to access the required resource. If the resource is available it is allocated to the process; if it is not available because another process is using it, the requesting process is blocked until the resource is released and obtained. A deadlock occurs when a set of processes wait for each other indefinitely to obtain their intended resources. Detecting deadlock is one of the important problems in distributed systems, and many solutions have been proposed for it. The technique proposed by Ahom et al. assumes that global deadlock detection is independent of local deadlock detection. The technique uses a transaction queue to store the priority id of all transactions that are in local deadlock cycles or in global deadlock cycles. Based on the priority id, the youngest transactions are aborted to free the system from deadlock cycles. The technique detects deadlocks and recovers by the following steps:

1. Create a Linear Transaction Structure (LTSi) for each local site i.

2. Detect the local deadlock cycle LDi.

3. Create a transaction queue TQi corresponding to each LDi.

4. Abort the victim transaction.

5. Create a Distributed Transaction Structure (DTSi) for global communication.

6. Detect the global deadlock cycle GDi.

7. Create a transaction queue TQi corresponding to each GDi.

8. Abort the victim transaction.

The proposed algorithm does not detect any false deadlocks and every detected deadlock really exists.
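The probe computation over site-local wait-for graphs (Chandy & Misra, with the youngest-transaction victim rule of Sinha's scheme) and the detect-then-abort-the-youngest loop of the steps above, as one added example that is not from the essay or from any of the cited papers. The transaction names, sites, priority ids, the probe layout (it carries the youngest id seen) and the sample wait-for graph are constructed for illustration.

```python
# Added example (not from the essay): edge-chasing probes over transaction
# wait-for graphs spread across sites, and resolution by aborting the youngest
# transaction in each detected cycle until no cycle remains.
from collections import deque
from typing import Dict, List, Optional, Tuple

# Transaction -> (site, priority id); a larger id means a younger transaction.
TXNS: Dict[str, Tuple[str, int]] = {
    "T1": ("site_A", 10), "T2": ("site_B", 20),
    "T3": ("site_C", 30), "T4": ("site_A", 40),
}
# Local wait-for edges, kept at the waiting transaction's site: waiter -> holders.
# T1 -> T2 -> T3 -> T1 is a global cycle; T4 merely holds something T3 wants.
WAITS_FOR: Dict[str, List[str]] = {"T1": ["T2"], "T2": ["T3"], "T3": ["T1", "T4"], "T4": []}

def probe_computation(initiator: str, waits_for: Dict[str, List[str]],
                      txns: Dict[str, Tuple[str, int]]) -> Optional[Tuple[str, int, int]]:
    """Send a probe from `initiator` along every wait-for edge. Each transaction
    forwards at most once per computation. The probe carries the youngest
    (priority, name) seen; if it returns to the initiator a cycle exists and
    the result is (victim, probes sent, probes that crossed a site boundary)."""
    start = (txns[initiator][1], initiator)
    queue = deque((initiator, h, start) for h in waits_for.get(initiator, []))
    forwarded = {initiator}
    sent = crossed = 0
    while queue:
        sender, receiver, youngest = queue.popleft()
        sent += 1
        crossed += txns[sender][0] != txns[receiver][0]
        youngest = max(youngest, (txns[receiver][1], receiver))
        if receiver == initiator:                      # probe came back: deadlock
            return youngest[1], sent, crossed
        if receiver in forwarded:                      # already forwarded this round
            continue
        forwarded.add(receiver)
        for holder in waits_for.get(receiver, []):
            queue.append((receiver, holder, youngest))
    return None                                        # initiator not in a cycle

def abort(victim: str, waits_for: Dict[str, List[str]]) -> None:
    """The victim releases its locks: it neither waits nor is waited for."""
    waits_for.pop(victim, None)
    for holders in waits_for.values():
        if victim in holders:
            holders.remove(victim)

def detect_and_resolve(waits_for: Dict[str, List[str]],
                       txns: Dict[str, Tuple[str, int]]) -> List[str]:
    """Initiate probes from waiting transactions, oldest first; abort the
    youngest member of each cycle found and repeat until no cycle is left."""
    graph = {t: list(h) for t, h in waits_for.items()}  # work on a copy
    aborted: List[str] = []
    while True:
        found = None
        for t in sorted(graph, key=lambda t: txns[t][1]):
            if graph[t]:
                found = probe_computation(t, graph, txns)
                if found:
                    break
        if not found:
            return aborted
        aborted.append(found[0])
        abort(found[0], graph)

if __name__ == "__main__":
    print(probe_computation("T1", WAITS_FOR, TXNS), detect_and_resolve(WAITS_FOR, TXNS))
```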

4. RESEARCH PERSPECTIVE AND OBJECTIVES

The main aim is to design a secure database, implement the proposed techniques for concurrency control in multilevel secure databases and finally draw the conclusions.

5. METHODOLOGY TO BE ADOPTED (TENTATIVE)

The objectives can be reached out by implementing the various aspects of multilevel security in relational databases. The work will be covered in three phases:

Phase 1: Study the various techniques available in the literature.

Phase 2: Based on the loopholes found, propose a new technique.

Phase 3: Draw conclusions based on the new technique.

6. EXPECTED OUTCOME OF THE PROJECT

A new technique for resolving an issue in concurrency control in multilevel secure databases.
