A Unifying Approach to the Design of a Secure Database Operating

advertisement
A Unifying Approach to the Design of
a Secure
Database Operating System
Written By:
David L. Spooner
Ehud Gudes
DATABASE MANAGEMENT SYSTEM
• Database:
a very
large, integrated collection of data.
• Models a real-world enterprise
– Entities (e.g., teams, games)
– Relationships
(e.g., The
Forty-Niners are playing in The Superbowl)
– More recently, also includes active components , often called
“business logic”. (e.g., the BCS ranking system)
• A Database Management System (DBMS) is a software system
designed to store, manage, and facilitate access to databases.
PROBLEM
•
Tuning of the DBMS to enhance performance of database applications is difficult
because of incompatible tuning of the OS.
•
The OS file system and access methods are often insufficient for a DBMS, forcing
the DBMS to implement its own extensions.
•
This in turn can lead to much duplication between the DBMS and OS. The DBMS is
often forced to rely completely on the OS for some aspects of security.
An Approach to Solving These
Problems
•
•
•
•
The ideas of McDonnell and Gagliardi are used in the design of the database
operating system proposed here.
The I/O and file support features of the DBMS and OS are integrated into one
unified I/O subsystem, eliminating the duplication. The primary responsibility of
this subsystem is physical I/O between main memory and secondary storage. Both
the DBMS and OS make use of this subsystem as needed.
Successful security systems demand that security enforcement be a central design
issue
Security enforcement mechanisms must be integrated with basic object
addressing mechanisms to produce a reliable and secure system design
Overall System Organization
Using the concept of subsystems, the design of the database operating system
becomes that shown in the Fig.
THE LOGICAL OBJECT MODEL
•
•
Definition of the Model
-To design a unified model for the DBMS/OS interface, one must have a model for
the stored information in the computer system.
-The information in the database to be structured into objects which can be
handled identically to the physical objects in OS.
A logical object type is defined recursively as:
1 ) a single attribute (simple);
2) a set of logical object types (structured);
3)a set of between m and n repetitions of a single logical object type.
THE SECURITY SUBSYSTEM
•
•
•
•
•
The design of the security subsystem for the database operating system was done
with the following functional requirements in mind.
- a user should be granted access to an object only if he requires access.
- Access control must be a function of the object type, subject, and operation.
- It must be possible to implement simple content-dependent security policy
where access to an object depends on the value of the object.
-A user process must have the ability to spawn independent sub processes with a
subset of the privileges of the parent process.
THE I/O SUBSYSTEM
> The I/0 subsystem, with the cooperation of the security sub-system, is
responsible for implementing the logical object operations.
> The retrieve operation is used to create a capability for a particular object.
> The access and the modify operations each require a capability for a
simple object as an argument, and are used to obtain or to change,
respectively, the value of the simple object addressed by the capability.
> The create and delete operations are used to create and delete
occurrences of the repeating object.
DESIGN ISSUES
>Performance is an important issue in the design of the database operating
system.
>Many design issues can significantly affect performance.
-- Preauthorization of object
>Another important design issue concerns aggregates of objects.In the
present definition of the security subsystem, every object ttype has an
access list, and every access to an object involves a capability. If the
granularity of objects is small, this involves a lot of overhead.
Conclusion
•
Flexibility of the Design
- The mechanism is provided to define and manipulate complex
structures of objects.
-Field level security policies are possible with access time checking
of rights
-There is no facility in the model to provide access control between
different modules within
one process.Access control is only available
between processes.
-The object model is not powerful enough to support data structure such as
linked list
Future Research
Many open problems and extensions to the design remain to be investigated.
There are many other important areas in the DBMS/OS which need to be
studied.
Currency control mechanism
Design Flexibility
References
[1] G. Andrews and J. McGraw, "Language features for process interaction," in Proc. ACM Conf.
Language Design for Reliable Software, 1977, pp. 114-127.
[2] .J. Arditi and E. Zakovsky, "An authorization mechanism for a database," in Databases:
Improving Usability and Responsiveness, 1978, pp. 193-213
[3]., "System R: Relational approach to database Pennsylvania State University, University Park,
management," ACM Trans. DataBase Syst., vol. 1, pp. 97-137, Pennsylvania State university, ,
June 1976
THANK YOU
QUESTIONS?????
Download