Sunday 4 October 2020

Mandatory Access Control in Pyrrho V7

From December 2018 Pyrrho has offered a simulation of Bell-LaPadula security, following the Orange Book protocols for mandatory access control. The development of Pyrrho v8 alpha has now completed this stage. The current state of the source code and associated documentation is on GitHub as usual. There is a document describing Mandatory Access Control, and this post repeats some of those details.

Mandatory access control is based on the concepts of (a) classification of information and database objects from levels D (public) to A (top secret), (b) clearance of individual users to access classified information, and (c) enforcement of access rules on database tables (Select, Insert, Update, Delete).

Classification can be applied at the level of database tables, table columns, and individual records, and both clearance and classification at levels above D can specify permitted groups and topics for access. The database has a security administrator (in Pyrrho this is the database owner) who can audit and modify any aspect of the security model. All access to classified information (i.e. above level D) is instantly recorded in the database's transaction log giving the user's identity, the time, the tables accessed, and the key if any, even if the user made no changes.

The document Detailed Mandatory Access Control includes a simple example. Here are some extracts:

A. Logged in with MALCOLM1\Malcolm (not the server account)

1. Starting with empty database mac

SQL> create table A(B int,C char)
SQL> create table D(E char primary key) security level D groups Army Navy references Defence scope read
SQL> create table F(G char primary key,H char security level C)

2. Create some users with and without clearance

SQL> grant "mac" to "MALCOLM1\Student"
SQL> grant "mac" to "MALCOLM1\Fred"
SQL> grant security level B groups Army references Defence Cyber to "MALCOLM1\Student"
SQL> table "Sys$User"
|---|----------------|-----------|-----------|-----------------------|
|Pos|Name            |SetPassword|InitialRole|Clearance              |
|---|----------------|-----------|-----------|-----------------------|
|26 |MALCOLM1\Malcolm|           |mac        |                       |
|366|MALCOLM1\Student|           |mac        | B{ARMY}[CYBER,DEFENCE]|
|416|MALCOLM1\Fred   |           |mac        |                       |
|---|----------------|-----------|-----------|-----------------------|

3. Add some rows with and without classification

SQL> insert into A values(2,'Two')
1 records affected in mac
SQL> insert into A values(3,'Three') security level C
1 records affected in mac
SQL> insert into D values('Test')
1 records affected in mac
SQL> insert into F values('MI6','sis.gov.uk')
1 records affected in mac
SQL> table "Sys$Classification"
|---|-----------|----------------------|---------------|
|Pos|Type       |Classification        |LastTransaction|
|---|-----------|----------------------|---------------|
|553|Record     | C                    |537            |
|154|Table      | D{ARMY,NAVY}[DEFENCE]|138            |
|313|TableColumn| C                    |248            |
|---|-----------|----------------------|---------------|


Then Fred can see just one column in table F and cannot access table D, but can add new records to both tables A and F.

Student can see everything, but at present can make changes only in table D, whose enforcement is only on read. Student can still add new records to all of the tables. The document gives the full story.
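A worked model of the rules described above, added here as an illustration and not taken from Pyrrho's source. It parses the label notation shown in Sys$User and Sys$Classification, applies an assumed dominance rule (level order D < C < B < A, membership of at least one group the object names, possession of every reference topic the object names) plus Bell-LaPadula's no-write-down rule for updates and deletes, and then reproduces the outcomes reported for Fred and Student. The exact comparison of groups and references, the treatment of insert, and the `scope` parameter are assumptions; Pyrrho's own checks may differ in detail.

```python
"""Illustrative model of the classification/clearance rules the post describes.

Added example, not Pyrrho's own code. The way groups and references are
compared, and the update rule, are assumptions chosen to reproduce the
outcomes the post reports for Fred and Student.
"""
import re
from dataclasses import dataclass

# Classification levels, lowest first: D (public) ... A (top secret)
LEVELS = "DCBA"
ALL_OPS = frozenset({"select", "insert", "update", "delete"})


@dataclass(frozen=True)
class Label:
    """A classification or clearance: level plus optional groups and references."""
    level: str = "D"
    groups: frozenset = frozenset()
    references: frozenset = frozenset()

    @classmethod
    def parse(cls, text):
        """Parse the Sys$User / Sys$Classification notation, e.g. 'B{ARMY}[CYBER,DEFENCE]'.
        An empty string is no clearance / unclassified: level D, no groups, no references."""
        text = text.strip()
        if not text:
            return cls()
        m = re.fullmatch(r"([ABCD])(?:\{([^}]*)\})?(?:\[([^\]]*)\])?", text)
        if m is None:
            raise ValueError(f"bad label: {text!r}")

        def names(s):
            return frozenset(x.strip().upper() for x in (s or "").split(",") if x.strip())

        return cls(m.group(1), names(m.group(2)), names(m.group(3)))

    def dominates(self, other):
        """Assumed rule: level at least as high, membership of at least one of the
        object's groups when it names any, and clearance for every reference topic
        the object names."""
        if LEVELS.index(self.level) < LEVELS.index(other.level):
            return False
        if other.groups and not (self.groups & other.groups):
            return False
        return other.references <= self.references


def permitted(op, clearance, classification, scope=ALL_OPS):
    """Decide whether a user holding `clearance` may perform `op` on an object
    carrying `classification`, in a table whose enforcement scope is `scope`.
    The post's `scope read` corresponds to scope={'select'} (an assumption)."""
    op = op.lower()
    if op not in scope:
        return True  # this table does not enforce the rule for this operation
    if op == "insert":
        return True  # new records are accepted; they carry their own classification
    can_read = clearance.dominates(classification)
    if op == "select":
        return can_read
    # update/delete: the user must be able to see the record and, by the
    # no-write-down rule, the record must be at least the user's own level
    return can_read and LEVELS.index(classification.level) >= LEVELS.index(clearance.level)


def visible_columns(clearance, columns):
    """Names of the columns a user may select, given {name: Label} for a table."""
    return [name for name, label in columns.items() if permitted("select", clearance, label)]


# Objects constructed from the post's session transcript
FRED = Label.parse("")                           # no clearance granted
STUDENT = Label.parse("B{ARMY}[CYBER,DEFENCE]")  # from Sys$User
TABLE_D = Label.parse("D{ARMY,NAVY}[DEFENCE]")   # table-level classification, scope read
ROW_A3 = Label.parse("C")                        # insert into A values(3,'Three') security level C
TABLE_F = {"G": Label(), "H": Label.parse("C")}  # column H of F is security level C

if __name__ == "__main__":
    print("Fred sees in F:", visible_columns(FRED, TABLE_F))
    print("Fred can read D:", permitted("select", FRED, TABLE_D, scope={"select"}))
    print("Student can read row 3 of A:", permitted("select", STUDENT, ROW_A3))
    print("Student can update row 3 of A:", permitted("update", STUDENT, ROW_A3))
    print("Student can update D:", permitted("update", STUDENT, TABLE_D, scope={"select"}))
```

Run as a script, the model shows Fred restricted to column G of F and denied on D (Fred has no groups, and D names ARMY and NAVY), while Student reads everything but may change only table D, where enforcement stops at read; the C-classified row in A is below Student's B clearance, so the no-write-down rule blocks the update.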