Most important feature: users can modify the authorization base (the authorizations held in the system)
Enforce AC on the basis of:
- Identity of the requestors
- A set of authorizations explicitly specified by users
- The reference monitor checks the authorizations to determine whether the access can be granted
Advantages:
- Very flexible: users can explicitly modify the authorization base
- Supported by almost all DBMSs, OSs and SQL, and by social networks (changing the privacy settings)
Weaknesses:
- No control over what happens to information once it is released
- Vulnerable to Trojan horses (applications that contain hidden code to transfer information without violating the policies)
Data Security And Privacy Page 6
MAC and RBAC - Lecture 4.3
Wednesday 18 March 2020 15:44
Mandatory Access Model
Restricts access of subjects to objects
Prevents Trojan horses
The system security policy is managed by a set of administrators (it is not possible for users to change the authorization base)
Based on subject and object classification
- Multilevel security (MLS)
- DB systems that implement MAC are
RBAC is the same as DAC, but authorizations are assigned to roles instead of to users.
Advantages:
- Roles are fewer than users ---> fewer authorizations
- Roles are more stable in the system than users
- RBAC models have been shown to be policy-neutral
Limitations:
- Role explosion (number of roles can be very high)
Advanced AC Models - Lecture 4.4
Wednesday 18 March 2020 17:07
PBAC (Purpose-based AC)
When privacy should be protected
- Purpose for which the data is acquired (e.g. an address acquired for shipping purposes)
- Authorizations are based on the purpose for which the data is used
- (I can read the data only for that specific function / e.g. a seller can see the customer's address only for shipping reasons)
TBAC (Time-based AC)
Accesses are linked to a temporal dimension
- Authorizations have a temporal limit
LBAC (Location-based AC)
Allows authorization only when access is requested from a target location
ABAC (Attribute-based AC)
More general than the previous ones, in the sense that it can model all these kinds of access control
- Receiving more and more attention
- Uses attributes as building blocks to define authorizations
- Attributes are name-value pairs (role = manager)
Administrative Policies - Lecture 5.1
Thursday 19 March 2020 10:10
Define who can specify authorizations and revoke them
- Centralized: a privileged authority is in charge of granting / revoking authorizations (MAD)
- Advantages: only one person handles authorizations
- Disadvantages: can become a bottleneck in terms of efficiency and security
- Ownership-based: the creator of an object becomes its security administrator (can grant and revoke)
- Authority to specify authorizations can be delegated (SQL - grant option)
- Advantage: more flexible
- Disadvantage: delegation complicates the scenario (if many users are delegated to grant access on my object, I can lose control)
- Cooperative: granting and revoking authorizations requires the consent of different administrators
- Good fit for specific scenarios
Bottleneck: occurs when the capacity of an application or of a computer system is limited by a single component
Design Principles
- Need-to-know principle: give each subject only the access necessary to complete its task
- If some data are not covered by any authorization, a system is denoted as:
- Closed: if it prohibits access to these objects (default) - stronger security
- Open: if it authorizes access to these objects - less secure
Bell and LaPadula model (1) - Lecture 5.2
Thursday 19 March 2020 10:47
Reference Access Control Models
- MAC - Bell and LaPadula model
- DAC - Grant-Revoke (System R) model
- RBAC - NIST model
Bell and LaPadula model
Defined for operating systems and the military domain
Basic components
- 3 main components: subjects, objects, access modes
- Objects: passive entities holding the information to be protected
- Subjects: active entities
- Access modes: types of operations performed by subjects on objects
- Read
- Append
- Objects and subjects are assigned a security level
- Security levels are ordered (highest first):
- Top secret
- Secret
- Confidential
- Unclassified
- The security level of a subject is called security clearance: how much the user is trusted
- The security level of an object is called security classification: how much the object has to be protected
- The security mechanism should prevent a subject with a given security level from reading objects with a higher classification level
- Access control should allow information to flow up, not down (no read-up / read-down allowed)
- Categories, because classifications alone are not flexible enough
- A set of elements, dependent on the application area and the scenario in which the system operates
- Enforce the need-to-know principle
- Define the areas of competence for
- Access Classes
- In the Bell and LaPadula model, subjects and objects are assigned an access class, which consists of a security level and a set of categories (not ordered)
- Access class = (security level, category set)
- Access classes can be ordered according to a partial order (some pairs of access classes are comparable, but not all)
- Used to enforce access control (information can flow up but not down)
Dominance relationship --- with this, access classes can be partially ordered
Ci = (Li, SCi) dominates Ck = (Lk, SCk), denoted as Ci >= Ck, if:
- Li >= Lk (the security level of Ci is greater than or equal to that of Ck)
- SCi ⊇ SCk (the category set of Ci includes that of Ck)
- If Li > Lk, SCi ⊃ SCk ---> Ci strictly dominates Ck
- If neither Ci dominates Ck nor Ck dominates Ci --> incomparable (Ci <> Ck)
State of the System
The state of the system is described by the pair (A, L)
- A = set of current accesses: triples (s, o, m)
- L = level function
Note: the set of current accesses A has the same triple form as an authorization, but it does not denote permissions; rather, it denotes the fact that the subject has gained access to the object. E.g. (bob, o1, read) -> bob is reading o1
Simple security property
Prevents subjects from reading data with access classes dominating or incomparable with respect to the subject's access class. It ensures that subjects have access only to information for which they have the necessary access class. It does not prevent declassification, i.e. making an object readable at a lower class (which requires another property).
A state (A, L) satisfies the Simple Security Property (SSP) if, for each element a = (s, o, m), one of the following conditions holds:
- m = append
- (m = read or m = write) and L(s) >= L(o)
Write operations:
- Write-up allowed, write-down disallowed
- Star (*) property (also called the no-write-down rule)
- A state (A, L) satisfies the *-property if, for each element a = (s, o, m), one of the following conditions holds:
- m = read
- (m = append or m = write) and L(o) >= L(s)
System security:
- A state is secure if all the current accesses satisfy the two BLP properties
- An access is granted only if the resulting state is secure
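The dominance relation and the two BLP properties above, worked through as an added Python example (not code from the lecture): access classes compare by level and category set, `ssp_holds` and `star_holds` encode the SSP and the *-property on a triple (s, o, m), and `grant` accepts an access only if the resulting state is secure. The level function and accesses are constructed sample data; strict dominance is implemented as dominance plus inequality, which is the usual BLP definition and an assumption beyond the notes' wording.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple
# Security levels of the notes, ordered from lowest to highest
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass(frozen=True)
class AccessClass:
    level: str
    categories: FrozenSet[str]

    def dominates(self, other: "AccessClass") -> bool:
        # Ci >= Ck iff Li >= Lk and SCi is a superset of (or equal to) SCk
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def strictly_dominates(self, other: "AccessClass") -> bool:
        # Assumption: dominance plus inequality (the usual BLP definition)
        return self.dominates(other) and self != other

    def incomparable(self, other: "AccessClass") -> bool:
        return not self.dominates(other) and not other.dominates(self)

Access = Tuple[str, str, str]  # (subject, object, mode)

def ssp_holds(a: Access, L: Dict[str, AccessClass]) -> bool:
    # Simple security property: no read-up
    s, o, m = a
    return m == "append" or (m in ("read", "write") and L[s].dominates(L[o]))

def star_holds(a: Access, L: Dict[str, AccessClass]) -> bool:
    # *-property: no write-down
    s, o, m = a
    return m == "read" or (m in ("append", "write") and L[o].dominates(L[s]))

def state_secure(A: Set[Access], L: Dict[str, AccessClass]) -> bool:
    return all(ssp_holds(a, L) and star_holds(a, L) for a in A)

def grant(A: Set[Access], L: Dict[str, AccessClass], a: Access) -> bool:
    # An access is granted only if the resulting state (A plus a, L) is secure
    return state_secure(A | {a}, L)
# Constructed sample level function L and current accesses A
L = {
    "bob": AccessClass("secret", frozenset({"nato"})),
    "alice": AccessClass("confidential", frozenset()),
    "o1": AccessClass("confidential", frozenset({"nato"})),
    "o2": AccessClass("top secret", frozenset({"nato", "crypto"})),
    "o3": AccessClass("unclassified", frozenset({"crypto"})),
}
A: Set[Access] = {("bob", "o1", "read")}
```

With this data bob may read o1 and append (blind write) to o2, but may not write down to o1; alice may not read o1 because her category set lacks "nato", even though the levels are equal.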
BLP Model - Lecture 6.1
Thursday 19 March 2020 14:08
Problem of the BLP model
- Subjects at a higher level need to write down to a lower level
Resolution: subjects have a maximum and a current access class (the maximum must dominate the current one)
- Subjects can decrease their clearance level
- No violation of "no write down"
Problem of the BLP model
- Blind write: a subject can write on a higher-security object but cannot read it
- The security properties are not enough (need to control how access classes are modified)
- BLP is made secure by the addition of the (strong) tranquillity principle
Tranquillity principle
- Access classes of objects and subjects cannot change
- Not applicable in real-world scenarios
Loosening up tranquillity restrictions
- The security admin is able to change access classes, but in a controlled way
- Trusted subjects can be allowed to downgrade
- Allowed to bypass some restrictions imposed by MAC
PREVENTS TROJAN HORSES - because the write-down operation is not possible
DAC and MAC can work together for better protection of data. In fact, they are not mutually exclusive. Systems with DAC and MAC are called multipolicy systems and are the best security systems.
Oracle Database is at the moment the only relational database system that natively implements MAC.
Grant - Revoke AC - Lecture 6.3
Thursday 19 March 2020 16:10
For DAC
Most commercial DBMSs adopt DAC; nowadays, DAC implementations are based on the System R authorization model
The System R AC Model
Objects to be protected are tables and views
- Privileges include: select, update, insert, .....
- Groups are supported, roles are not
- Privilege delegation
- Grant option (the grantee can access the object and can grant other users the privilege)
- A user can grant a privilege only if:
- They are the owner of the object
- They have received the privilege with grant option
Each time a grant operation is issued, the system keeps track of the granted authorization in an authorization catalog (a system table). It is also important that the system catalog keeps track of 2 different categories of privileges:
- Those that can be delegated (received with grant option)
- Those that can't be delegated (received without grant option)
What happens when a user runs a GRANT command?
The system (reference monitor) queries the authorization catalog to decide whether the command can be authorized or denied.
a. Check the delegable privileges (3 outputs)
- If the intersection is empty, the command is not executed
- If the intersection is equal to the set of delegable privileges, the command is executed
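The GRANT check above, as an added Python example that is neither from the notes nor System R's own code: a constructed authorization catalog records each grant with its grant-option flag, `delegable` applies the two conditions for granting (owner of the object, or privilege received with grant option), and `grant` intersects the requested privileges with the delegable ones. The intersection is compared with the requested set, and for the third outcome, which these notes cut off, the example assumes the grant is executed only for the delegable subset (marked as an assumption in the code).

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Privileges named in the notes; the owner of an object holds all of them
PRIVILEGES = {"select", "update", "insert"}

@dataclass(frozen=True)
class Auth:
    grantee: str
    obj: str
    privilege: str
    grantor: str
    grant_option: bool  # True: received WITH GRANT OPTION, hence delegable

class Catalog:
    """Authorization catalog (system table) consulted by the reference monitor."""

    def __init__(self, owners: Dict[str, str]):
        self.owners = owners          # object -> owner (constructed sample data)
        self.auths: List[Auth] = []   # one row per granted authorization

    def delegable(self, user: str, obj: str) -> Set[str]:
        # A user can grant a privilege only if owner of the object or
        # if the privilege was received with grant option
        if self.owners.get(obj) == user:
            return set(PRIVILEGES)
        return {a.privilege for a in self.auths
                if a.grantee == user and a.obj == obj and a.grant_option}

    def grant(self, grantor: str, privs: Set[str], obj: str,
              grantee: str, with_grant_option: bool = False) -> str:
        # GRANT <privs> ON <obj> TO <grantee> [WITH GRANT OPTION], issued by grantor
        inter = privs & self.delegable(grantor, obj)
        if not inter:                 # empty intersection: command not executed
            return "denied"
        for p in inter:               # record what was actually granted
            self.auths.append(Auth(grantee, obj, p, grantor, with_grant_option))
        if inter == privs:            # all requested privileges were delegable
            return "executed"
        return "partial"              # assumption: only the delegable subset is granted

    def privileges_of(self, user: str, obj: str) -> Set[str]:
        return {a.privilege for a in self.auths
                if a.grantee == user and a.obj == obj}
```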