Access Control in Database Management Systems


Daniel Cvrček
Department of Computer Science and Engineering, TU Brno
Božetěchova 2, Brno 612 66

e-mail: cvrcek@dcse.fee.vutbr.cz
Abstract. Stormy expansion of IT in recent years lead to the information systems spread into various public and private organizations. So database management systems (DBMS) arised in 70-s. Those systems have been able to ensure effective access to stored information. Very soon, however, they became inadequate. Distributed DBMS has been introduced with development of distributed computing. Those have been able to exploit new capabilities of computer nets. Everything looked just fine, but in that time first large information leaks appeared from large DBMSs. And so new conception appeared - data security. Database damage has not affected one user but information system of a whole organization and impacts have become unpredictable but surely very important. Development has not stopped and data has become available for various types of users. This fact has lead to another sharpening of security problems. First attempts for secure DBMS appeared. Today, we are using various techniques to secure data. Logical access control is one of necessary conditions for providing secure system. Talking about access control, there were two variants for a long time - mandatory and discretionary. New approaches appeared with recent post-relational DBMSs.   Abstrakt. Rychlý vývoj IT v minulých letech vedl ke vzniku databázových systémů (DBMS). Ovšem původní systémy velmi brzy nedostačovaly potřebám. S vývojem distribuovaného zpracování vznikly distribuované databázové systémy, které umožnily využít nových možností počítačových sítí. Všechno vypadalo v pořádku, ale najednou začalo docházet k “únikům informací” z rozsáhlých DB systémů - na řadu přišel nový pojem bezpečnost dat. Poškození databáze už neovlivnilo jednoho člověka, ale informační systém celého podniku a dopady se staly nepředvídatelnými, ale zcela jistě významnými. V této době vznikly první pokusy o vytvoření bezpečných DBMS. V současné době používáme rozmanité techniky pro zajištění bezpečnosti dat. Ukazuje se ovšem, že logické řízení přístupu k datům je jednou z nutných podmínek pro vytvoření bezpečného systému. Přístupy k této oblasti se postupem doby vyvíjely. Dlouhou dobu existovaly dva základní - povinné a nepovinné řízení přístupu. V poslední době, spolu s rozvojem postrelačních DBMS, se objevily nové principy pro logické řízení přístupu.

1. Introduction

Result of the database management systems use is existence of one data set on which are working all users and applications in an organization. On one side, hardly solved problems with duplication, inconsistency and application dependency of data disappear. On the other side much more dangerous security problems appear. There is a brief introduction to them on next lines.

Design of secure DBMS assumes identification of security risks and selection of right security policies (what is the security system supposed to do) and mechanisms (the way we are going to achieve that) for their neutralization.

Secure database system should satisfy three basic requirements on data protection: security, integrity and availability. What is the content of those words?

1.1. Security Policies

Security policies are guidelines describing all (if possible) actions pertinent to the information system. Logical access control belongs to that area and so security policies should define principles on which is design of secure DBMS based.

Generally, policies should give answers on basic security questions. Policies can be divided into two basic types - of minimal (army) and maximal (university) privilege. System with such a policy is called closed or opened, respectively.

Talking about access control, the way of administration of access rules should be determined.

1.2. Security Mechanisms

In the moment when politics are defined, mechanisms that fulfill them can be selected. Mechanisms are external: and internal that are part of information system itself:

1.3. Security Threat

This word has been used several times already. Security threat is any hostile agent which randomly or with use of specialized techniques can obtain or change information in the information system. Random security threats are: Intended security threats can be categorized according to their originator:

1.4. Requirements on DBMS Security

At this moment we have basic image of information system security and we can take a look at concrete aspects that should be covered with DBMS security mechanisms.
  1. Protection from improper access- only authorized users should be granted access to objects of DBMS. This control should be applied on smaller objects (record, attribute, value).
  2. Protection from inference - inference of confidential information from available data should be avoided. This regards mainly statistical DBMSs.
  3. Database integrity - partially is ensured with system controls of DBMS (atomic transactions) and various back-up and recovery procedures and partially with security procedures.
  4. Operational data integrity - logical consistence of data during concurrent transactions (concurrency manager), serializability and isolation of transactions (locking techniques).
  5. Semantic data integrity - ensuring that attribute values are in allowed ranges. This is ensured with integrity constraints.
  6. Accountability and auditing - there should be possibility to log all data accesses.
  7. User authentication - there should be unambiguous identification of each DBMS user. This is basis for all authorization mechanisms.
  8. Management and protection of sensitive data - access should be granted only to narrow round of users.
  9. Multilevel security - data may be classified according to their sensitivity. Access granting should then depend on that classification.
  10. Confinement (subject isolation) - there is necessity to isolate subjects to avoid uncontrolled data flow between programs (memory channels, covert channels).
At least five aspects from the previous list must be ensured with special techniques that do not exist in unsecure DBMSs. There are three basic ways to do it: Cryptographic techniques can be added to the controls.

1.4.1. Flow Control

Flow control regulates distribution (flow) of information among available objects. E.g. reading of information from object X and its direct writing into object Y.

Flow control policies need list of acceptable information flows and their constrains. Flow constraints are often based on classification of system elements and definition of acceptable flows between classification levels.

1.4.2. Inference Control

The aim of the inference control is to avoid indirect disclosure of information (set of data X that can be read by user can be used for determination of data set Y (Y=f(X)) ). Generally there are three ways to unauthorized data disclosure:
  1. correlated data - typical channel when visible data X are semantically related with invisible data Y
  2. missing data - result of query contains NULL values that mask sensitive data. Existence of that data may by detected that way.
  3. statistical inference - typical for databases that provide statistical information about entities.
Statistical databases do not allow direct access to data and user has to query only statistical data. Attacks in this DBMSs can be faced with two different approaches:
  1. data perturbation - concrete data are replaced with statistical results
  2. query controls - more frequently used, mostly it is based on minimal and maximal number of items that are concerned with query. Results are satisfactory but this technique is expensive and difficult for administration.

1.4.3. Access Control

Access control is responsible for control of rules determined by security policies for all direct accesses to the system. Traditional control systems work with notions subject, object and operation.

For better image look at the figure of secure DBMS.

Fig.1 Schema of secure database management system

2. Security Models

The aim of security modeling is to create abstract, software independent, conceptual model from requirements specification for system protection.

Security model should provide rich semantic representation which allows description of functional and structural properties of security system. It should also provide definitions for protection requirements and system policies. The proof of model properties should be available, too.

It is clear that level on which we decide to describe access control can greatly differ as we will see in the next paragraph. Description of basic approaches for access control is introduced in chapter 2.2. Description of concrete models follows.

2.1. Abstractions of Access Models

Access control models can be classified in several levels as proposed by LaPadula and Williams. Following levels proceed from general to more implementation dependent:
  1. trust objectives - definition of basic requirements on the system trustfulness
  2. requirements on external interface - security requirements on interface system-environments
  3. internal requirements - requirements that must be satisfied in system components
  4. operational rules - describe assurance of internal requirements
  5. functional design - functional description of behavior of system components
Models that are going to be described are on level 3. TBAC and RBAC model families partly interfere with level 2 because they are much more general and cover wider range of problems.

2.2 Types of Access Control Models

Security models can be classified according to many aspects. For example target system, type of security policy, addressed security aspects, type of control (direct or of flows) and so on. In the moment we will talk about type of security policy that is enforced by the model.

Two basic model types arised very soon - discretionary and mandatory access control. Owner of data governs access in the former one. This is the most common form of authorization administration - ownership based. That policy is very flexible but also very difficult for control from the global point of view. Models with mandatory access control enforce global policy by the flow control among security levels that are assigned to objects.

It seemed that nothing else would exist but OO technologies have encourage new approaches that reflect OO DBMSs and new requirements of commercial sphere. The first one is RBAC - access control based on roles and the second one is TBAC which is based on concept of task. TBAC brings absolutely new ideas and notion of active security.

We finish this introduction and try to describe policy types on concrete models.

2.3. HRU - Matrix Access Model

The HRU (Harrison-Ruzzo-Ullman) model covers security of data for DBMS and OS. It was proposed in 1971 and in 1976 was formalized.

2.3.1 Authorization State

Authorization state is derived from relations between objects and subjects. It is defined as triple Q=(S, O, A) where S is set of subjects, O is set of objects (contains also subjects) and A is access matrix (A[s, o]=r).

Authorization state for DBMS can be enriched by predicates of access rights. Those predicates may by data, time, context or history dependent.

Six primitive operations are defined for authorization state administration. They are granting and revoking of rights r from A[s, o], creating and deleting of subject s, creating and deleting of object o. Operations are used for composition of commands for authorization state modifications. Harrison assumes that modification commands have two parts; conditional and executive. The executive part is performed when the conditional is true.

Set of possible access rights depends on object. The model knows read, write, append, execute, own. The last one determines owner that administers access to it.

2.3.2 Administration of Authorizations

The owner of object may grant/revoke any rights (except own) to the given object for other subjects. Even those rights that he does not possess in the moment. This approach breaks principle of attenuation of privileges.

There are modifications of access rights in some systems that allow other subjects to administer access rights. This is expressed by explicit flag on access right that may have two forms.

2.3.3 Model Extensions

The HRU model is very flexible for expression and control of access rights for information. The most important problem is security question (Is there a reachable state to the given starting authorization state where a subject receives certain right for given object?) that is undecidable. This problem coheres with danger of Trojan horses in DAC.

The model has been extended several ways for security question decidability.

2.4. Bell-LaPadula Model

This model is extension of HRU model oriented on definition of security requirements in complex systems where system elements can be classified (security levels). The model was proposed in 1973 for operation systems. The model became referential for mandatory access control (MAC).

2.4.1 Classification of System Elements

The BLP model is based on classification of system elements that is expressed with security levels. Each security level has got two parts: classification and set of categories.

The classification is fully ordered set of four elements - {TS, S, C, U} (from the biggest). The set of categories is a subset of non-hierarchical set of elements that corresponds to application area and environment. The security levels with operation ? compose lattice that is defined by the following way:

L1=(C1, S1) ? L2=(C2, S2) ? C1 ? C2 ? S1 ? S2

Each user has got clearance and may work in the system on any level that is dominated (lower or equal) by clearance. Each object receives security level during its creation.

There are four access rights: read-only, append (can not see existing content), execute and read-write.

2.4.2. System State

System state is described with tuple (b, M, f, H) where: The system state changes with execution of operations gain/free access (starting and finishing of access), grant/revoke access right, create/destroy object, change subject’s security level and finally change object’s security level.

2.4.3. Axioms

The most important thing the model introduces is reference monitor and system of properties that validity is checked by the reference monitor.

Simple security (ss) property

Trusted subject can read or write an object just when its security clearance dominates security level of the object. System state v=(b, M, f, H) satisfies ss-property when each element of M[s, o] that keeps read or write access right satisfies fs(s) ? fo(o).

Star (*) property

Any subject may keep access right append on object when security level of the object dominates actual security level of subject. This subject may write the object just when level of object equals to level of security subject and subject may read the object when object’s security level is dominated by subject’s security level. The formal notation is as follows:

Let s Î S, SÍ S, where S is set of untrusted subjects; then

append Î M[s, o] ? fc(s) ? fo(o)
write Î M[s, o] ? fc(s) = fo(o)
read Î M[s, o] ? fc(s) ? fo(o) Note: Those relations imply two properties that are often used.

No read-up - I can read just objects that security level is dominated by my security level.

No write-down - I can write just objects that security level dominates my security level.

Discretionary security property (ds-property)

Each actual access must be in the access matrix. Subject may perform only those accesses that he has got access rights for. The system state guarantees the ds-property just when the following equation holds for all subjects, objects and access rights:

<s, o, m> Î b ? m Î M[s, o]

3. Conventional models for OO DBMS

With appearance of object oriented DBMSs arised need for new security models that would exploit new properties of OO technology. It is natural that first such models used principles that had been examined through years of practice in relational database systems.

Models have been accommodated by new definitions of objects, subjects and access rights and have employed some features of OO data models - inheritance, composite objects. Strong influence of relational data model however stayed. Above all, the access matrix that is ideal for relation data model but it has got nothing to do ”with objects” in my opinion. The ORION model belongs to that category. Next paragraphs introduce models that exploit other important features of OO data model - messaging and encapsulation.

3.1. Authorization model ORION

This model was introduced by Rabitti in 1991. It enforces discretionary access control and takes in mind some characteristics of OO systems - inheritance, composite objects and versioned objects.

3.1.1. System Elements

Subjects are groups of users (roles) into that are users added according to the position in organization. User can have more than one role. Roles compose lattice with operation implication (defined on basis of relations between sets of access rights). There is superuser on the top of the lattice and on the bottom is user (these notions may be only abstract but are necessary for complete lattice).

Objects are databases, classes in databases, instances of classes and their components and also sets of instances of a given class or sets of attributes. Objects compose a lattice (system, databases, classes, ...).

3.1.2. Access Rights

There are defined five access rights: write, write_any (allows object to be written), read, generate and read_definition. Access rights again compose a lattice from that are derived implicit access rights (operation ® ). Access rights are arranged into three groups:

A.up - rights are propagated from low objects upto high ones, A.up={WA, RD}
A.down - rights are propagated from high objects to low ones, A.down={W, R}
A.nill - access rights that are not propagated, A.nil={G}

Access rights are specified by users. Because there are no administration rights, the access right implies administration of itself.

The system automatically derives implicit authorizations from the explicit ones with use of relations among subjects, objects and access rights. Access rights can be positive/negative and strong/weak. The latter classification divides authorizations into two sets.

Strong authorization base (AB)
There is defined function i: S x O x A ® (True, False, Undecided), over the set. This function does not have to decide the access granting. Two properties must stay true:

Weak authorization base (WAB)
Access rights from this set may be overwritten with strong ones or more specific weak rights. There is defined function d: S x O x A ® (True, False) that decides access granting with the final force. There is another property between strong and weak authorization bases. coexistence property of AB and WAB
for " [s, o, a] Î WAB must not $ (s1, o1, a1) Î AB: [s1, o1, a1]® [s, o, ? a]

3.2 Message Filter Model

Jajodia and Kogan have proposed a variant of reference monitor from the BLP model for OO data models - message filter. This model exploits data encapsulation and messaging (it is the only one way of information exchange). The control of data flow is done by control of messages in the system.

3.2.1 Entities

All entities in the OO system are objects that contain information and that process actions. Each object obtains security level L(o) during creation. This level does not change. For proper function of the system, following conditions must be fulfilled:
  1. L(o) ? L(c), o is object of the class c
  2. L(cs) ? L(cp), cs is subclass of the class cp
The model assumes that all objects are single-level (all components have the same security level). This requirement is common for more security models and it gave birth to special methodologies for transformation of multi-level objects.

Special object type is user session, which represents a user. This object may, in contrast to other objects, execute methods from its own initiative.

3.2.2 Information Flow

There defined two basic types of data flows in the system: message sending and object creation. Receiving of a message is not data flow itself until data items of the receiver are not changed.

All messages can be decomposed down to three primitive messages that are sent by object to itself. They are read (g=(READ, (ai), r)), write (g=(WRITE, (aj, vj), r)) and create (g=(CREATE, ((v1, ..., vk), Sj), r)).

3.2.3 Algorithm of Message Filtering

All messages are controlled in the message filter that mediates all messages in the system. The message filter associates security level rlevel to the message (it is the highest L(o) of objects that the message has gone through).

This criterion is used for the filtering according to the following description:

1. non-primitive message, o1® o2

a) L(o1)=L(o2), message and answer are not restricted

b) L(o1)<>L(o2), message is blocked and answer is forced empty

c) L(o1)<L(o2), message is sent further and answer is forced empty

d) L(o1)>L(o2), message and answer are not restricted

 2. primitive message of object o to itself a) READ - without restriction

b) WRITE - execute only if rlevel = L(o)

c) CREATE - rlevel must be dominated by the security level of the new object

4. Role-Based Access Control

This model family has been proposed to satisfy requirements of the commercial sphere. The basic idea is notion of role. Users are granted roles that allow them to perform certain actions that are assigned to the roles. Roles are usually created according to the functions in organization. In the moment we decide to revoke or change access from a user, the only one thing we have to do is remove him from a group or reassign him to another one. This change is very easy for an administrator.

This approach offers very suitable abstraction for expression of security policies of large companies and seems to be promising alternative to the traditional MAC and DAC models. RBAC is suitable for environments where MAC models are too strict. It has been proofed that RBAC can simulate mandatory access models and, in addition, that MAC models are specific case of RBAC.

One may say that RBAC is based on something that is very similar to groups that are used in many older models. Groups of users are used to associate subjects with the same access rights. Such a group does not represent a role but common needs for execution of certain system actions. Roles in RBAC exploit groups to abstract access rights needed for some concrete actions that are later accessible for role members.

Narrow, specific meaning of roles can not exhaustively express status of users. It seems that for effective implementation of role-base access control we need to define three aspects. They are role, individuality and locality. I demonstrate it on an example when a firm engages a new person - Smith. His position is seller (it is his role). During the trial period you do not want him to do transactions with banks (individuality) and finally you do not want him to access your system elsewhere than in New York (locality).

What are the advantages of the system? You are not bound during the policy selection, model offers strict separation of duties, ease expression of organizational policy and of course easy access rights administration.

5. Task-Based Authorization Control (TBAC)

TBAC models, in contrast to classical relationship subject-object-access right, use new one oriented on tasks. Granting of access control is component of various phases of task execution with abidance of application logic. TBAC models compose basis for active security models that are needed for distributed computing and workflow management. These models approach the access rights administration from the view of task activity and offer abstractions and mechanisms for authorizations administration at run-time.

Disadvantages of all other models from the view of TBAC are centralistic oriented (central common resources), access rights are very primitive and without relation to actual system state. Also there are no records about use of access rights.

Clearance is expressed as signature of a form in the real world. The given person undertakes responsibility for actions that are allowed with the signature. All relevant actions are automatically disabled after the signature expirates. The aim of TBAC models is to decrease demands of administration in large and complex systems and shift this administration to the described idea.

New notion - authorization step has been introduced for this purpose. It is analogy of a form. Creation of the authorization step means change of system authorization state (a given subjects is granted access rights) for the given time and for the given authorization step. Authorization state can be expressed with the following equation:

P Í S x O x A x U x AS Beyond subjects (S), objects (O) and access rights (A) there are number of use (U) and authorization step (AS).

Each authorization step has got its own authorization state. The initial state contains set of access rights of maximal size. This size is decreasing during lifetime of the authorization state.

Because authorization steps are not in the system isolated there are defined relations that can be used for expression of security policy.

A1state1 ® A2state2 if A1 goes to state1, A2 must go to state2
A1state1 < A2state2 if A1 goes to state1 and A2 go to state2 then A1 must do it first
A1state1 # A2state2 if A1 is in state1 then A2 must not be in state2 and vice versa
A1state1 ||| A2state2 A1 must be in state1 if A2 is in state2

Note: A1, A2 are authorization steps and state1 and state2 are states of steps A1, A2.

6 References

[1] Castalo S., Fugini M.G., Martella G., Samarati P.:, Database security. Addison-Wesley & ACM Press, 1995
[2] Thomas R.K., Sandhu R.S.: Task-based Authorization Controls: A Family of Models for Active and Enterprise-oriented Authorization Management, Chapman & Hall, 1997
[3] Ferraiolo D.F., Cugini J.A., Kuhn R.D.: Role-Based Access Control: Features and Motivations. Proceedings of the 11th Annual Computer Security Applications Conference (CSAC '95), 1995
[4] Olivier M.S., Von Solms S.H.:, A Taxonomy for Secure Object-Oriented Databases, ACM Transactions on Database Systems, pgs. 3-46, March 1994
[5] Hilchenbach Burkhard: Observations on the Real-world implementation of Role-based Access Control, 20th National Information Systems Security Conference, 1997