Information Security - 4: Seaview Model

xiaoxiao2021-03-06  90

SeaView model

The SeaView model is a formal model of a multilevel secure relational database system. Its goal is to design a multilevel secure database system that meets class A1 of the DoD (US Department of Defense) Trusted Computer System Evaluation Criteria (TCSEC).

A multilevel secure relational database system stores data of various security levels in one database so that users of different security levels can share it. Under the mandatory security policy, a user may read a data item only when the user's security level is higher than or equal to (is said to "dominate") the security level of that data.

First, the multilevel relational model and security labels

In a multilevel secure relational database system the granularity of the security label can be a relation, a record or an attribute, but at such granularities it is difficult to obtain a highly secure database system: labelling in this way either lowers the security level of some sensitive data or raises the security level of other data, so that either security or the availability of data is sacrificed. Several models defined before SeaView labelled at these granularities.

In many cases the access object of a user's database operation is actually an individual data item, and the sensitivity of these data items often differs greatly. For example, in a personnel table, consider querying the health status of people over the age of 50: some of these health records may not be queried by just anyone and carry a certain security level.

Therefore the SeaView model sets the access-control granularity at the data item, that is, each data item carries its own security-level label. To this end it extends the standard relation scheme R(A1, A2, ..., An) to R(A1, C1, A2, C2, ..., An, Cn): each data attribute Ai has a corresponding security-level attribute Ci, so that every data item is followed by its security label. (The relation scheme is the frame of the two-dimensional table, where R is the relation name and A1, A2, ..., An are the attribute names.)

(Diagram of the security-level lattice over D1, ..., D8, not reproduced. In the examples below D8 is the highest level and D1 the lowest.)

For example, Table I:

A1    C1    A2    C2    A3    C3
001   D2    24    D5    x     D5
013   D3    15    D7    y     D8
005   D8    35    D8    z     D8

Assume the security levels of this relation are as shown. Because of the complex relationships among the data objects in a database, the SeaView model also defines security levels on the database, the table and the record, and requires the security levels of these data objects to satisfy the following ordering (where D denotes the database, R the relation scheme of a table, r a record, K the primary key of record r, and d any data item of r that is not part of the primary key):

Class(D) ≤ Class(R) ≤ Class(K) ≤ Class(d) ≤ Class(r)

Notes: 1. The primary key K may consist of several attributes; if it is composed of several attribute values, the requirement applies to the security level of each attribute value.

2. In the standard relational model an attribute value may be null; null values are also allowed in the multilevel relation, and a security level must be defined for them too, but it takes the lowest value of the record's Ci.

The reasons for the above ordering of security levels are:

1. If Class(D) were higher than Class(R), users whose security level is below Class(D) could not know that the database exists, and so could not access the data in it that matches their own security level.

2. Similarly, if Class(R) were higher than Class(K), users whose security level is below Class(R) would not know that the relation exists, and so could not access the data in it that matches their own security level.

3. The primary key uniquely identifies a record and is often used as a query condition, so its security level should be lower than that of the other attribute values.

4. The security level Class(r) of the whole record is higher than that of all data items in the record and is usually taken as the least upper bound of the Class(d). This lets a user whose security level dominates Class(r) see all data items of the record; otherwise only some of the data items can be seen.

Review of mathematical concepts:

1. Partial order relations and order diagrams;

2. Least upper bound (LUB) and greatest lower bound (GLB).

Class(r) = Class(d1) ∨ Class(d2) ∨ ... ∨ Class(dn) = LUB(Class(di)), di ∈ r

Class(R) = GLB(Class(di)), di ∈ R

Class(D) = GLB(Class(Ri)), Ri ∈ D

For example, for Table I, Class(r1) = D5, Class(r2) = D8, Class(r3) = D8, and Class(R) = GLB(D2, D3, D5, D7, D8) = D1.

That is, Class(R) takes the greatest lower bound of the security levels of all data items. (Neither D5 nor D7 can be chosen, because the ordering above could not then be satisfied; if one of them were chosen, either the D5 subject or the D7 subject would not see that the relation exists.)

For a subject U, only when Class(U) ≥ Class(R) is U authorized to access R, but U cannot necessarily access all the data in relation R. For example:

1. If Class(U) = D1, U knows that table R exists (U can access the scheme of table R and can insert into R).

2. If Class(U) = D5, U sees the filtered relation shown in Table II.

Table II

A1    C1    A2     C2    A3     C3
001   D2    24     D5    x      D5
013   D3    NULL   D3    NULL   D3

3. If Class(U) = D7, U sees the filtered relation shown in Table III.

Table III

A1    C1    A2    C2    A3     C3
013   D3    15    D7    NULL   D3

4. If Class(U) = D8, U sees all data items (that is, the entire table).

So whenever a user reads this table, what is seen is a view filtered according to the user's own security level.
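The lattice, the Class(r)/Class(R) formulas and the filtered views above, as an added Python example (not code from the original notes). It assumes a partial order over D1 ... D8 that encodes only what the examples need, since the lattice diagram is not reproduced; record values and levels are those of Table I.

```python
# Added example, not from the original notes: the security-level lattice, the
# Class(r)/Class(R) formulas and the read rules, applied to Table I.  The
# partial order is an assumption (the diagram is not reproduced): D8 is the
# top, D1 the bottom, D3 lies below both D5 and D7, and D5, D7 are incomparable.
EDGES = {"D1": {"D2", "D3"}, "D2": {"D5"}, "D3": {"D5", "D7"},
         "D5": {"D8"}, "D7": {"D8"}, "D8": set()}   # direct "less than" edges

def dominates(a, b):
    """True when level a is higher than or equal to level b."""
    return a == b or any(dominates(a, c) for c in EDGES[b])

def lub(levels):
    """Least upper bound: the upper bound that every other upper bound dominates."""
    ub = [u for u in EDGES if all(dominates(u, x) for x in levels)]
    return next(u for u in ub if all(dominates(v, u) for v in ub))

def glb(levels):
    """Greatest lower bound: the lower bound that dominates every other one."""
    lb = [l for l in EDGES if all(dominates(x, l) for x in levels)]
    return next(l for l in lb if all(dominates(l, v) for v in lb))

# Table I; a record is ((value, level), ...) with the primary key first
TABLE_I = [
    (("001", "D2"), ("24", "D5"), ("x", "D5")),
    (("013", "D3"), ("15", "D7"), ("y", "D8")),
    (("005", "D8"), ("35", "D8"), ("z", "D8")),
]

def record_class(rec):      # Class(r) = LUB of the record's data items
    return lub([c for _, c in rec])

def relation_class(rel):    # Class(R) = GLB of all data items in R
    return glb([c for rec in rel for _, c in rec])

def view(rel, u):
    """Relation R as seen by a subject of level u (the notes' read rules);
    None means u does not dominate Class(R) and cannot access R at all."""
    if not dominates(u, relation_class(rel)):
        return None
    out = []
    for rec in rel:
        key_cls = rec[0][1]
        if not dominates(u, key_cls):          # rule ii: nothing of r is seen
            continue
        # rule i: the key and every item u dominates; the rest become NULL at
        # the record's lowest level, the key's (rule (1) is the all-visible case)
        out.append(tuple((v, c) if dominates(u, c) else ("NULL", key_cls)
                         for v, c in rec))
    return out
```

Calling view(TABLE_I, "D5") and view(TABLE_I, "D7") reproduces Tables II and III, and a D1 subject gets an empty list: it knows R exists but sees no record.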

Second, the security properties of the SeaView model (security policy)

1. If Class(U) < Class(R) (Class(U) is less than Class(R) or is not comparable with it), then U cannot access R.

2. If Class(U) ≥ Class(R), U can access R but cannot necessarily access all the data in R; the specific rules are as follows.

For each record r:

(1) If Class(U) ≥ Class(r), then U can query r and can see all the data in r.

(2) If Class(U) < Class(r) (less than Class(r) or not comparable with it), then U can see some of the data in record r:

i) If Class(U) ≥ Class(Kr), then U can see the primary key Kr and those data items of r whose security level is ≤ Class(U); all other data items appear to U as null values.

ii) If Class(U) < Class(Kr) (less than Class(Kr) or not comparable with it), then U cannot see any data in r.

(3) U can insert into and modify R. Subjects of any level from D1 to D8 can insert; a subject can modify only data it can see. The modification strategy is: low cannot modify high (protects data integrity); high cannot modify low (prevents information leakage); only the same level can modify.

Third, polyinstantiation (multiple instances)

Under the control of the SeaView security policy, the following phenomenon can occur in the database: several data entities exist under the same name. The SeaView model distinguishes these entities by their different security levels; this phenomenon is called polyinstantiation.

1. Polyinstantiated relations (caused by "query")

In any state, when subjects of different security levels retrieve the same multilevel relation, they obtain different relations; these different relations are called polyinstantiated relations.

A polyinstantiated relation is denoted by the relation name R together with a security level.

For example, Tables I, II and III above can be denoted (R, D8), (R, D5) and (R, D7) respectively.

2. Polyinstantiated records (caused by "insertion")

Records that have the same primary key value but different security levels on the primary key are called polyinstantiated records.

Since every data item and every record carries its own security level, when a subject U with Class(U) ≥ Class(R) inserts into relation R, a polyinstantiated record may result. The reasons are:

(1) R may already contain a record with the same primary key at a higher or incomparable security level (invisible to this subject). To prevent information leakage, the subject cannot be told that the record already exists, and the original record is not overwritten. The method adopted is to add a record that has the same primary key as the original record but a different security level. The polyinstantiation is invisible to this subject, but a higher-level subject can see both records.

(2) If a record with the same primary key already exists in R, the operation can be rejected, or a record at the higher security level can be produced.

For example, a subject of security level D7 adds a record to Table III; the D8 subject then sees Table IV, and the D7 subject sees Table V.

Table IV

A1    C1    A2    C2    A3    C3
001   D2    24    D5    x     D5
013   D3    15    D7    y     D8
005   D8    35    D8    z     D8
005   D7    20    D7    w     D7

Table V

A1    C1    A2    C2    A3     C3
013   D3    15    D7    NULL   D3
005   D7    20    D7    w      D7

3. Polyinstantiated data items (caused by "modification")

When, within the same record, a data item takes several different values with different security levels, that data item is called a polyinstantiated data item.

When a subject U modifies a data item in relation R, a polyinstantiated data item may result.

(1) Subject U modifies a null value in a record. Such a null usually hides data of a higher security level, or data whose security level is not comparable with U's (the null itself has a low security level, so the user can see it). Here low may modify high, but must not damage its integrity.

Table VI

A1    C1    A2    C2    A3    C3
001   D2    24    D5    x     D5
013   D3    15    D7    y     D8
013   D3    15    D7    p     D7
005   D8    35    D8    z     D8
005   D7    20    D7    w     D7

Therefore a polyinstantiated data item can only be produced by generating a new record.

For example, the D7 subject modifies the NULL in Table V; Table VI is what the D8 subject then sees. The D7 subject can see only records 3 and 5. Among them, "p D7" (alongside "y D8" of record 2) is a polyinstantiated data item.

(2) Subject U modifies low-level data already present in the record (high may modify low, but must not cause a leak).

At this point the old value cannot be overwritten with the modified value, so as to avoid information disclosure. Therefore an identical record must be created in which the corresponding data item is polyinstantiated.

Table VII

A1    C1    A2    C2    A3    C3
001   D2    24    D5    x     D5
013   D3    15    D7    y     D8
013   D3    15    D7    p     D7
005   D8    35    D8    z     D8
005   D7    20    D7    w     D7
013   D3    48    D8    y     D8
013   D3    48    D8    p     D7

For example, the D8 subject modifies A2 of record 013 in Table VI from "15" to "48".

The system handles this by creating two new records (in fact D8 could modify only one, but the processing would be more complicated), as follows: D8 then sees all the data items in Table VII.

At this point the D7 subject does not see these two new records and still sees only records 3 and 5 above.
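Polyinstantiation on insert (Table III to Tables IV and V) and on modification of a null (Table V to Table VI), as an added Python example that is not code from the original notes. The lattice is an assumption encoding only what the examples need, since the notes' diagram is not reproduced; rejecting an insert whose key clashes with a record the subject can see is one of the two options the notes allow.

```python
# Added example, not from the original notes: polyinstantiated insert and the
# low-modifies-NULL case, on the stored relation of Table I.  The lattice is an
# assumption (the diagram is not reproduced): only the relations needed here.
EDGES = {"D1": {"D2", "D3"}, "D2": {"D5"}, "D3": {"D5", "D7"},
         "D5": {"D8"}, "D7": {"D8"}, "D8": set()}

def dominates(a, b):
    """True when level a is higher than or equal to level b."""
    return a == b or any(dominates(a, c) for c in EDGES[b])

# the stored multilevel relation; a record is ((value, level), ...), key first
STORE = [
    (("001", "D2"), ("24", "D5"), ("x", "D5")),
    (("013", "D3"), ("15", "D7"), ("y", "D8")),
    (("005", "D8"), ("35", "D8"), ("z", "D8")),
]

def insert(rel, u, values):
    """Subject of level u inserts values, each labelled at level u (assumes u
    dominates Class(R)).  A same-key record u cannot see is neither reported
    nor overwritten: the new record is added as a polyinstantiated record.
    A same-key record u can see is rejected here (the notes also allow
    polyinstantiating at the higher level instead).  Returns True if stored."""
    key = values[0]
    if any(r[0][0] == key and dominates(u, r[0][1]) for r in rel):
        return False
    rel.append(tuple((v, u) for v in values))
    return True

def update_null(rel, u, key, pos, value):
    """Subject of level u writes value into field pos of the record with
    primary key key, a field it sees as NULL because it does not dominate the
    field's level.  The hidden value is not overwritten: a new record is added
    in which that field is polyinstantiated at level u (Table V -> Table VI).
    Returns True if a record was added."""
    for rec in rel:
        if (rec[0][0] == key and dominates(u, rec[0][1])
                and not dominates(u, rec[pos][1])):
            new = tuple((value, u) if i == pos
                        else (v, c) if dominates(u, c)
                        else ("NULL", rec[0][1])   # other hidden items stay NULL
                        for i, (v, c) in enumerate(rec))
            rel.append(new)
            return True
    return False                                   # no such NULL visible to u
```

Inserting ("005", "20", "w") as D7 and then writing "p" into the third field of record 013 as D7 turns the stored relation into Table VI, while record 2 with "y D8" remains untouched.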

Fourth, storage of multilevel relations

Polyinstantiation introduces a great deal of redundancy into multilevel relations. The SeaView model decomposes a multilevel relation into standard relations and stores the data of different levels separately, which reduces redundancy and, to a large extent, information leakage.

When a user queries the multilevel relation R, the view at the user's level is reconstructed. The decomposition and recovery algorithms are complex.

The SeaView model is a specific application of the BLP model to databases, but with a modification: a high-level user can modify a low-level user's data, and a low-level user can also modify high-level data (see the discussion of null values), but their respective views differ and no leakage results. Polyinstantiation is used to solve the problem that integrity might otherwise be corrupted, but the price paid is redundant data (and the efficiency of query and storage).

Advantages: 1. The granularity of security levels is the data item, which greatly improves both the security and the availability of data. 2. It is an example of a multilevel security policy implemented on a database; with polyinstantiation it solves the problems of high modifying low and low modifying high without damaging data integrity. 3. Storing data by level is more conducive to protecting high-security-level data.

Disadvantages: the data decomposition and recovery algorithms are complex, and the price is paid in query time.

Please credit the original source when reposting: https://www.9cbs.com/read-102244.html
