Thursday, 13 December 2018

Mandatory Access Control

Pyrrho now provides a free-to-use simulation of Bell-LaPadula security, similar to the US Department of Defense Orange Book. The basic idea is well-explained in Wikipedia and popular database textbooks and there corrent implementations of this security model in Oracle 18.
A feature of the system is that a table can contain rows with different security classifications, and users will be able to see a subset of these detemined by their security clearance. Users can create or modify data that matches their clearance.
The basic idea is that there are security levels D,C,B and A, and security is managed by the database owner (the security administrator SA). The SA can give users  a security clearance, and can give a classification based on these levels to objects such as tables and rows in the database.
By default all access to tables is then subject to security clearance, but the SA can limit enforcement in a table to any combination of read, insert, update and delete. In addition the SA can specify two sets of identifiers (Pyrrho calls these groups and references), so that security clearance and classification can be enhanced using subsets of these identifiers.
To whet your appetite, here is  a simple test script [as revised 5 January 2019]:

A. Logged in as database owner
1. Starting with empty database "mac"
create table A(B int,C char)
create table D(E char primary key) security level D groups Army Navy references Defence scope read
create table F(G char primary key,H char security level C)
revoke "mac" from public
2. Create some users with and without clearance. (On Windows prefix the user names with Domain\)
grant "mac" to "Student"
grant "mac" to "Fred"
grant security level B groups Army references Defence Cyber to "Student"
3. Add some rows with and without classification
insert into A values(2,'Two')
insert into A values(3,'Three') security level C
insert into D values('Test')
insert into F values('MI6','')
4. Check we can see two rows in A, one row in D and two columns in F
table A
table D
table F

B. Logged in as Fred
5. Check we can only see one row in A, one column in F, and nothing in D
table A
table D
table F
6. Check we can add a row in A, D and F
insert into A values(4,'Four')
insert into D values('Fred wrote this')
insert into F values('UWS')

C. Logged in as Student
7. Check we can see three rows in A, two rows in D and two columns in F
table A
table D
table F

8. Check we can' only make changes in table D (enforcement in D is only for read)
update A set c = 'No' where b=2
update A set c = 'No' where b=3
update A set c = 'No' where b=4
update D set E='Fred?' where E<>'Test'
update F set H='' where G='MI6'
update F set H='' where G='UWS'
9. Check we can add and update rows in all three tables
insert into A values(5,'Fiv')
update A set c='Five' where b=5
insert into D values('Another')
insert into F values('BBC','')
update F set H='' where G='BBC'
10. Check we can see our rows and changes
table A
table D
table F

D. Logged in as Fred
11. Check Fred can't see the new rows
table A
table D
table F

E. Logged in as database owner
12. Check all tables including the security information
select B,C,security from A
select E,security from D
select G,H,security from F
select * from A where security=level c
update A set security=level C where security=level B
update F set security=level D where G='BBC'
table "Sys$Classification"

F. Logged in as Student
13. Check we can still see our row in A
select * from a where b=5
14. Check we can no longer update our rows in A or F
delete from A where b=5
update F set H='' where G='BBC'

G. Logged in as Fred
15. Check we can see the row about the BBC

H. Logged in as database owner
16. Check that auditing has been happening
table "Sys$Audit"

Full details of Pyrrho's implementation are in the manual at section 3.4.2 and the syntax pages on have been updated to include the syntax extensions. The SA is able to manage all of this with the help of a set of system tables such as Sys$Classification. A commercial vendor such as Oracle provides many tools to assist in this process.
The implementation in Pyrrho is new and no doubt will evolve over the next weeks. Comments please to . Also follow me @MalcolmCrowe  #PyrrhoDBMS .
(Update 5 Jan 2019: the manual has been updated to remove an incorrect assertion about changes to security clearance. Such changes can have no effect on ongoing transactions.)