Distributed Database Security: Multilevel Security Issues in DDBMS

Lecturer: Assoc. Prof. Dang Tran Khah
Presenter: Tran Thach Lam

Slide 1

Distributed Database Security: Multilevel Security Issues in DDBMS
Lecturer: Assoc. Prof. Dang Tran Khah
Presenter: Tran Thach Lam

Slide 2

Outline
- DDBMS
- System architecture
- Security policy
- Multilevel Data/Metadata Distribution
- Distributed Query Processing
- Transaction Management
- Some Issues

Notes: multilevel security issues for a DDBMS. We first describe a system architecture, security policy, and data/metadata distribution issues for a multilevel secure DDBMS (MLS/DDBMS). Next we describe issues on query processing and transaction management based on the system architecture considered.

Slide 3

DDBMS
- A distributed database is a collection of data which is distributed over different computers of a computer network. Each site of the network has autonomous processing capability and can perform local applications.
- A distributed database management system supports the creation and maintenance of a distributed database.

Slide 4

DDBMS

Notes: front-end machine is connected to one or more back-end database systems. All requests to the database systems are via the front-end machine. That is, the front-end machine controls the execution of all transactions. As a result the back-end machines cannot execute local applications. This feature is not strictly in accordance with the standard definition of a DDBMS given in Ceri and Pelagatti.

Slide 5

DDBMS

Slide 6

System Architecture

Notes: In this paper, the multilevel security issues for a DDBMS are based on an architecture as described. These are essentially the issues that must be considered in the design of any MLS/DDBMS. Each of the issues considered in this paper is briefly introduced below. We will illustrate a system architecture for an MLS/DDBMS that is derived from our choice of architecture for a DDBMS (given in Fig. 2). All the security issues described in this paper will be based on this system architecture.

Slide 7

System Architecture
- Secure distributed processor

Slide 8

Secure Policy
- An effective mandatory security policy for an MLS/DDBMS should ensure that users only acquire the information at or below their level.
- Consists of a set of policies for mandatory security, discretionary security, integrity and authentication.

Notes: We will discuss some issues for a mandatory security policy for an MLS/DDBMS. The security policy for a computing system consists of a set of policies for mandatory security, discretionary security, integrity and authentication. Our focus is on a mandatory security policy for an MLS/DDBMS. An effective mandatory security policy for an MLS/DDBMS should ensure that users only acquire the information at or below their level. The basic mandatory security policy for the MLS/DDBMS that we have considered has the following properties.

Slide 9

Security Policy
- Subjects are the active entities (such as processes) and objects are the passive entities (such as tuples or relations).
- Subjects and objects are assigned security levels (unclassified < confidential < secret < top secret).
- A subject has read access to an object if the subject's security level dominates the security level of the object.
- A subject has write access to an object if the subject's security level is the security level of the object.
- A subject S1 can send a message to another subject S2 if the security level of S2 dominates.

Slide 10

Secure Policy

Notes: The TCB is the part of the host that enforces the mandatory security policy at that host. The network TCB is responsible for enforcing the network security policy. The TCB hosts various trusted applications such as an MLS/DBMS and an SDP.

Slide 11

Secure Policy
- TCB: Trusted Computing Base
- The TCB hosts various trusted applications such as an MLS/DBMS and an SDP. Additional security policy extensions may be enforced by these applications depending on their designs.
- Two DMMs (DQPs, DTMs, DCPs) at different nodes can communicate with each other only if they both operate at the same level. Additional security policy extensions are enforced by certain modules of the SDP.

Slide 12

Multilevel Data/Metadata Distribution
- Local Data Distribution
- Distribution Across Sites
- Metadata Management
- Inference Problem

Notes: The functions of the SDP will depend on the way the data are distributed. In this section we describe multilevel data/metadata distribution issues. We first discuss data-modelling issues and then describe how data and metadata may be distributed within and across sites.

Slide 13

Local Data Distribution
- Multilevel relational data model that is used to represent the multilevel database at each local node.
- Each tuple is assigned a security level.

Notes: A multilevel relational data model is the relational data model extended with constructs to support multilevel security.

Slide 14

Distribution Across Sites
- Global multilevel relations could be totally or partially replicated across sites.
- The global relation is partitioned into horizontal subsets. The subsets could be stored across several sites.

Slide 15

Views

Notes: Here the author focuses on the polyinstantiation issue. There is more on it in the following sections.

Slide 16

Metadata Management

Notes: Metadata at the global level are managed by the distributed metadata manager (DMM). Metadata are replicated at each node. The metadata at the global level include information on the schemata of the global relations, the way the relations are fragmented, the allocation of the fragments, and the various constraints enforced.

Slide 17

Inference Problem
- Data mining, data warehouse.
- Users now have sophisticated tools that they can employ to get data and deduce patterns that could be sensitive.
- The query processor of the MLS/DDBMS needs to be examined and augmented with constraint processors.

Slide 18

Distributed Query Processing
- Distributed Query Processor
- Strategies

Slide 19

Distributed Query Processor

Notes:
- QT: transforms the parsed query at the logical level: the global query into equivalent fragment queries.
- QO: determines the most efficient way to execute the query.
- DEM: monitors the execution of the query.

Slide 20

Strategies

2 query-processing strategies for the join operation.
- Non-distributed join:
  - Fragments of each relation at or below the user's level are merged.
  - The lower-level polyinstantiated tuples are eliminated.
  - Join operation is performed.
- Distributed join:
  - Join operations are performed between various fragments.
  - The results of the individual join operations are merged.
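The two join strategies above, as an added example that is not from the original slides or the paper they summarize. The Emp/Dept schema, the field names, the fragment layout and all tuples are constructed for illustration, and a result row is assumed to carry the level of its Emp tuple.

```python
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}  # unclassified < confidential < secret < top secret

def visible(fragment, user_level):
    """Tuples at or below the user's level (read rule of the mandatory policy)."""
    return [t for t in fragment if LEVELS[t["level"]] <= LEVELS[user_level]]

def drop_lower_polyinstantiated(tuples, key):
    """Among tuples sharing a primary key, keep only the highest-level instance."""
    best = {}
    for t in tuples:
        cur = best.get(t[key])
        if cur is None or LEVELS[t["level"]] > LEVELS[cur["level"]]:
            best[t[key]] = t
    return list(best.values())

def join(emp, dept):
    """Join Emp and Dept on dno; each row keeps the level of its Emp tuple (assumption)."""
    by_dno = {d["dno"]: d for d in dept}
    return [{"ssn": e["ssn"], "name": e["name"], "dname": by_dno[e["dno"]]["dname"],
             "level": e["level"]} for e in emp if e["dno"] in by_dno]

def merged_view(fragments, user_level, key):
    merged = [t for f in fragments for t in visible(f, user_level)]
    return drop_lower_polyinstantiated(merged, key)

def nondistributed_join(emp_frags, dept_frags, user_level):
    # Merge fragments, eliminate lower-level polyinstantiated tuples, then join once.
    return join(merged_view(emp_frags, user_level, "ssn"),
                merged_view(dept_frags, user_level, "dno"))

def distributed_join(emp_frags, dept_frags, user_level):
    # Join each Emp fragment with the merged Dept relation where the fragment lives,
    # merge the partial results, then eliminate lower-level polyinstantiated rows again.
    dept_star = merged_view(dept_frags, user_level, "dno")
    partial = [r for f in emp_frags for r in join(visible(f, user_level), dept_star)]
    return drop_lower_polyinstantiated(partial, "ssn")

def rows(result):
    return sorted((r["ssn"], r["name"], r["dname"]) for r in result)

# Constructed sample data: two sites, each holding one Emp and one Dept fragment.
EMP = [[{"ssn": 1, "name": "John", "dno": 10, "level": "U"},
        {"ssn": 2, "name": "Mary", "dno": 20, "level": "S"}],
       [{"ssn": 1, "name": "James", "dno": 20, "level": "S"},  # polyinstantiates ssn 1
        {"ssn": 3, "name": "Paul", "dno": 10, "level": "U"}]]
DEPT = [[{"dno": 10, "dname": "Math", "level": "U"}],
        [{"dno": 20, "dname": "Physics", "level": "S"},
         {"dno": 10, "dname": "Crypto", "level": "S"}]]        # polyinstantiates dno 10
```

On this sample data both strategies return the same rows at every level; an Unclassified user never sees the Secret instances, and a Secret user sees only the higher instance of each polyinstantiated key.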

Notes: Join on D#

Slide 21

Nondistributed join

Slide 22

Nondistributed join

Slide 23

Distributed join

Slide 24

Distributed join

Notes:
- Send all Dept fragments to each site that has an Emp fragment.
- Merge them and eliminate the low-level polyinstantiated tuples to form Dept*.
- Join Dept* and Emp. If there are several Emp fragments, merge Emp first. The results obtained form R1, R2, corresponding to the sites.
- Move everything to the chosen site and merge. Then eliminate the low-level polyinstantiated tuples once more. This gives the final result.

Slide 25

Transaction Management
- Distributed Transaction Management
- Concurrency Control

Notes: DTM: a transaction runs at multiple sites; the part at each site is a subtransaction. Each distributed transaction can execute at 1 or more nodes.

Concurrency control: because of distribution there are multiple transactions, possibly at different levels. Concurrency control ensures that the transactions run continuously, one after another, while high-level transactions do not affect low-level transactions.

Slide 26

Distributed Transaction Management

Notes:
- A distributed transaction executes at the level of the user who requested its execution.
- At each node where the distributed transaction executes, there is an application agent. The agents operate at the same level as that of the transaction.
- The agents of the same transaction communicate with each other. One of them is the root agent. The root agent's DTM (the coordinator, which receives begin-transaction and issues commit) passes the transaction information down to the LTM and at the same time notifies the other DTMs. The other DTMs also pass it to their LTMs. All operate at the same level.

Slide 27

Distributed Transaction Management
Policies:
- Each transaction is executed at the level of the user who requests the execution.
- A transaction does not change levels during its execution.
- Read/write into objects according to the mandatory security policy enforced by the system.

Notes: The security policy for the distributed transaction management (DTM) extends the security policy for local transaction management (LTM).
Extension of DTM:
- A distributed transaction executes at the level of the user who requested the corresponding application to be executed.
- A distributed transaction's subtransactions also execute at the same level.
- The subtransactions execute in accordance with the security policy enforced by the local system.
- Two DTMs at different nodes communicate only if they both operate at the same security level.

Question: How does a transaction differ from a distributed transaction?

Slide 28

Concurrency Control
Two techniques:
- Locking
- Time stamping

The techniques can actually handle any number of security levels.

Slide 29

Concurrency Control
Locking:
- 2-phase locking: a transaction acquires all necessary locks first before releasing any.
- 2 types of lock:
  - shared lock: read request
  - exclusive lock: write request

Notes:
- A shared lock for a data item is requested by a transaction for the read operation. The request is granted if no other transaction is still requesting the same data item.
- 2 phases: 1 waiting phase and 1 release phase.
- An exclusive lock is requested by a transaction for the write operation. The request is granted if no transaction still holds a shared or exclusive lock. (This can be understood as the 2 phases divided into 3 stages: stage 1 assigns the transaction's request to a data item, stage 2 waits until the shared locks on the item are gone, stage 3 comes after no shared lock is held on the whole .

Slide 30

Concurrency Control
Time stamping:
- All transactions are given a time stamp when they begin.
- Data object: read stamp & write stamp
- Transaction's read request: time stamp > object's write stamp
- Transaction's write request: time stamp > object's write & read stamps

Notes: Time stamp: values of the time stamps increase with time. The read stamp of an object is the time stamp of the transaction which last read it. Write time: the transaction which last wrote it.
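The time-stamping rules above combined with the read and write rules of the mandatory security policy, as an added example that is not from the original slides. The class and function names are hypothetical, and a single pair of stamps per object shared by all levels is an assumption; under it, the run shows a Secret read causing a later Unclassified write to be rejected, which is the kind of high-to-low interference the concurrency control notes say must not occur.

```python
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}  # unclassified < confidential < secret < top secret

class DataObject:
    def __init__(self, level):
        self.level = level
        self.read_stamp = 0    # time stamp of the transaction that last read
        self.write_stamp = 0   # time stamp of the transaction that last wrote

class Scheduler:
    def __init__(self):
        self.clock = 0

    def begin(self, level):
        self.clock += 1        # time stamps increase with time
        return {"ts": self.clock, "level": level}

    def read(self, txn, obj):
        if LEVELS[txn["level"]] < LEVELS[obj.level]:
            return "denied"    # policy: reader's level must dominate the object's
        if not txn["ts"] > obj.write_stamp:
            return "rejected"  # rule: time stamp > object's write stamp
        obj.read_stamp = max(obj.read_stamp, txn["ts"])
        return "granted"

    def write(self, txn, obj):
        if txn["level"] != obj.level:
            return "denied"    # policy: writer's level must equal the object's
        if not txn["ts"] > max(obj.read_stamp, obj.write_stamp):
            return "rejected"  # rule: time stamp > object's write and read stamps
        obj.write_stamp = txn["ts"]
        return "granted"

def run(high_reads):
    """Constructed schedule: an Unclassified and a Secret transaction share object x."""
    sched, x = Scheduler(), DataObject("U")
    low, high = sched.begin("U"), sched.begin("S")   # low gets ts 1, high gets ts 2
    trace = [sched.write(high, x)]                   # write-down is denied by policy
    if high_reads:
        trace.append(sched.read(high, x))            # read-down is allowed, stamps x
    trace.append(sched.write(low, x))                # outcome depends on the high read
    return trace
```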

Slide 31

Issue
- Covert channels: a Secret user's query could have sensitive information that is sent to an Unclassified DBMS.
- Unclassified data is replicated at the S and TS databases, Secret data is replicated at the TS database. This way, a user's query is sent only to the DBMS at the user's level => Replicated approach

Notes: Because under this mechanism a query can be sent to a DBMS at the same or a lower level, it may inadvertently send sensitive information to a lower-level DBMS.

Slide 32

Other Issues
- Security constraints in a distributed environment
- Network security
- Issues for heterogeneous database systems
- Inference problem
- Database design

Slide 33

Type of Security
- Multilevel Security
- Discretionary Security

Notes: Multilevel: MAC + the relational database model with an added sensitivity attribute. Has the read + write properties. Integrity. Polyinstantiation.

Slide 34

Discretionary Security
- Access control rules for specified types of access of a user on data.
- An authenticator manages information on all users.
- Communicate with each other.

Slide 35

Conclusion
- Defined an architecture for an MLS/DDBMS and discussed a security policy and multilevel data distribution issues. Issues on query processing, transaction management.

- Investigating issues on processing security constraints in a distributed environment, network security issues for an MLS/DDBMS, and security issues for heterogeneous database systems. => Forthcoming papers.

Notes:
- The purpose of this paper is to determine the impact of multilevel security on the functions of a DDBMS.
- It defines an architecture for an MLS/DDBMS and discusses a security policy and multilevel data distribution issues. We then describe various issues in query processing and transaction management. Our current work on MLS/DDBMS includes (1) developing a prototype for secure distributed query processing and (2) conducting simulation studies for secure transaction management. In addition, we are also investigating (1) issues on processing security constraints in a distributed environment, (2) network security issues for an MLS/DDBMS, and (3) security issues for heterogeneous database systems. This work, which will be reported in forthcoming papers, will eventually lead to the design and development of operational MLS/DDBMSs for various applications.

Slide 36

END