Development and Implementation of Mandatory Access Control Policy for RDBMS MySQL

Denis Kolegov, Nikolay Tkachenko, Dmitry Chernov

National Research Tomsk State University
Department of Information Security and Cryptography


Problem

Developing and implementing mandatory access control for RDBMSs that were originally based on discretionary access control is one of the current problems of computer security

The MLS policy restricts access to entities based on the sensitivity of the information contained in those entities and the "clearance" of users to access such information

MLS controls the flow of information across the entire system, guaranteeing that users with lower clearance know nothing about the existence or contents of data with higher sensitivities


Disadvantages of existing approaches

- Absence of formal (mathematical) models for access control security policies
- Correctness of mandatory access control is not proved
- Security requirements for information flows are not considered
- Mandatory access control mechanisms are not implemented as a reference monitor of the database kernel


Purpose of the work

Enforcement of MLS policy in DBMS MySQL based on the formal models

The following problems were solved to achieve this purpose:

- Research and modelling of discretionary access control mechanisms in MySQL
- Development of a MySQL security policy including the initial DAC policy and the new MLS policy
- Implementation of an MLS mechanism based on the created formal security model
- Security testing of the access control mechanism


Research of access control in MySQL

- Access control research was based on documentation and source code analysis and on tests
- The main storage and timing covert channels were identified and assessed
- Information flows arising from SQL statement execution and violating the MLS policy were identified


Research of access control in MySQL

The following types of SQL statements can lead to unauthorized access and to information flows that violate the MLS policy:

- «INSERT INTO ... VALUES((SELECT ...), ...)»;
- «INSERT ... SELECT»;
- «UPDATE ... SET ... = (SELECT ...)».


Example of an information flow violating the MLS policy

user> insert tab2 values((select col1 from tab1 limit 1));


Policy restrictions

- All information flows are considered within DBMS MySQL
- Information flows generated by SELECT, INSERT, UPDATE and DELETE operators are considered
- Timing covert channels are out of scope


The DP-models theory

- DP-models were developed by Peter Devyanin in the monograph «Access control and information flow security analysis of Computer Systems»
- DP-models are based on elements of the Take-Grant model, the Bell-LaPadula model, and the Military Security Policy model
- DP-models are proposed for mathematically proving access control security


Elements of developed MySQL DP-model

- Object entities $O$: columns $COL$, procedures $O_p$, triggers $O_t$, views $O_v$ and variables $O_v$
- Container entities $C$: tables $TAB$, databases $DB$ and root container $C_0$
- Session subjects $S$, user accounts $U$
- Entity hierarchy function $H : C \cup O_p \cup O_t \cup S \to 2^{O \cup C}$
- Security classification function for object entities $f_e : (O \setminus O_v) \cup C \to L$
- Security clearance function for user accounts $f_s : U \to L$
- Function determining the user of a session subject $user : S \to U$


Elements of developed MySQL DP-model

- Set of access rights $R_r = \{read_r, write_r, append_r, delete_r, alter_r, execute_r, create_r, drop_r, create\_routine_r, create\_user_r, trigger_r, create\_view_r\}$
- Set of accesses $R_a = \{read_a, write_a, append_a\}$
- Set of information flows $R_f = \{write_m\}$
- Set of access rights that can be granted $Grant \subseteq U \times (C \cup O) \times R_r$
- State of the model $G = (U, S, E, R, A, H, (f_s, f_e), user, Grant, execute\_as, triggers, owner, operations, var)$
- $\Sigma(G^*, OP)$ – computer system


Examples of transformation rules

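Rule: $create\_session(u, s)$
Initial state: $u \in U$, $s \notin S$
Final state: $S'_s = S_s \cup \{s\}$, $f'_s(s) = f_s(u)$, $user'(s) = u$

Rule: $create\_user(s, u, l)$
Initial state: $s \in S$, $user(s) \in L_u$, $u \notin U$, $l \leq f_s(user(s))$, $(user(s), c_0, create\_user_r) \in R$
Final state: $U' = U \cup \{u\}$, $f'_s(u) = l$

Rule: $grant\_right(s, u, e, \alpha, grant\_option)$
Initial state: $s \in S$, $u \in U$, $e \in C \cup O$, $\alpha \in R_r$, $grant\_option \in \{true, false\}$, $\exists c' \geq e : (s, c', \alpha) \in R_r$, $\exists c \geq e : (user(s), c, \alpha) \in Grant$
Final state: $R' = R \cup \{(u, e, \alpha)\}$; if $grant\_option = true$, then $Grant' = Grant \cup \{(u, e, \alpha)\}$

Rule: $access\_read(s, e)$
Initial state: $s \in S$, $e \in DB \cup TAB \cup COL$, $\exists c \in C \cup O$ such that $e < c$ or $e = c$, $f_s(user(s)) \geq f_e(c)$ and $HLS(e, c) = true$, $\nexists e_1 \in O \cup C : f_e(e_1) < f_e(e)$ and $(s, e_1, \alpha) \in A$, where $\alpha \in \{write_a, append_a\}$
Final state: $A' = A \cup \{(s, e, read_a)\}$, $F' = F \cup \{(e, s, write_m)\}$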


Theorem

Definition 1
In the state $G$ of system $\Sigma(G^*, OP)$, an access $(s, e, \alpha) \in A$ satisfies the ss-property if $\alpha = append_a$ or $f_s(user(s)) \geq f_e(e)$.

Definition 2
In the state $G$ of system $\Sigma(G^*, OP)$, accesses $(s, e_1, read_a), (s, e_2, \alpha) \in A$, where $\alpha \in \{write_a, append_a\}$, satisfy the *-property if $f_e(e_1) \leq f_e(e_2)$.

Theorem
Let $G_0$ be the initial state of the system $\Sigma(G^*, OP, G_0)$ that is secure in terms of Bell-LaPadula, and $A_0 = F_0 = \emptyset$. Then the system $\Sigma(G^*, OP, G_0)$ is secure in terms of Bell-LaPadula.
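The two definitions, applied to the accesses behind the example statement `insert tab2 values((select col1 from tab1 limit 1))`, as an added sketch that is not the authors' MySQL implementation. The `Monitor` class, the session and user names, and the integer labels are hypothetical and constructed; the hierarchy condition (HLS) and discretionary rights are left out, and the append check is derived from Definition 2 because the slides only give the `access_read` rule.

```python
# Added illustration of Definitions 1 and 2; not the authors' MySQL code.
# Assumptions: integer levels, flat entities (no hierarchy H / HLS check),
# no discretionary rights R; the append check is derived from Definition 2.
READ, WRITE, APPEND = "read_a", "write_a", "append_a"


class Monitor:
    def __init__(self, fe, fs, user):
        self.fe = fe      # entity -> security level (f_e)
        self.fs = fs      # user account -> clearance (f_s)
        self.user = user  # session -> user account
        self.A = set()    # current accesses (s, e, alpha)

    def ss_ok(self, s, e, alpha):
        # Definition 1: append always passes, otherwise clearance >= label.
        return alpha == APPEND or self.fs[self.user[s]] >= self.fe[e]

    def star_ok(self, s, e, alpha):
        # Definition 2: each entity read by s must be <= each entity s modifies.
        mine = [(e2, a) for (s2, e2, a) in self.A if s2 == s]
        if alpha == READ:
            return all(self.fe[e] <= self.fe[e2] for e2, a in mine if a != READ)
        return all(self.fe[e1] <= self.fe[e] for e1, a in mine if a == READ)

    def request(self, s, e, alpha):
        """Record the access and return None, or name the violated property."""
        if not self.ss_ok(s, e, alpha):
            return "ss-property"
        if not self.star_ok(s, e, alpha):
            return "*-property"
        self.A.add((s, e, alpha))
        return None


def insert_select(m, s, source, target):
    """Accesses implied by: insert <target> values((select <source> ...))."""
    for entity, alpha in ((source, READ), (target, APPEND)):
        violated = m.request(s, entity, alpha)
        if violated:
            return f"{alpha} on {entity} denied: {violated}"
    return "allowed"


def demo():
    fe = {"tab1.col1": 2, "tab2": 1, "tab3": 2}  # constructed labels
    fs = {"alice": 2, "bob": 1}                  # constructed clearances
    m = Monitor(fe, fs, {"s1": "alice", "s2": "bob", "s3": "alice"})
    return [insert_select(m, "s1", "tab1.col1", "tab2"),
            insert_select(m, "s2", "tab1.col1", "tab2"),
            insert_select(m, "s3", "tab1.col1", "tab3")]
```

Accesses stay in `A` for the life of the session, so the order of requests matters: a session that has already appended to a low entity is refused a later read of a higher one.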


Security labels storing


Security labels processing


Mandatory access control scheme


Results

1) Methods of implementing information flows that violate the MLS policy in DBMS MySQL were identified

2) The mathematical DP-model of the mandatory access control policy of DBMS MySQL was developed

3) The developed model was adapted to the access control mechanisms of DBMS MySQL

4) The mandatory access control mechanism of DBMS MySQL was implemented as a reference monitor at the database kernel level


Thank you for your attention!!!

Denis Kolegov

Nikolay Tkachenko

Dmitry Chernov
