1. Development and Implementation of Mandatory Access
Control Policy for RDBMS MySQL
Denis Kolegov, Nikolay Tkachenko, Dmitry Chernov
National Research Tomsk State University
Department of Information Security and Cryptography
(
)
1 / 18

2. Problem
Development and implementation of mandatory access control for
RDBMSs that originally based on discretionary access control is one of the
actual problem of computer security
The MLS policy restricts access to entities based on the sensitivity of the
information contained in its entities and the "clearance"of users to access
such information
MLS controls the flow of information across the entire system,
guaranteeing that users with lower clearance know nothing about the
existence or contents of data with higher sensitivities
(
)
2 / 18

3. Disadvantages of existence approaches
Absence of formal (mathematical) models for access control security
policies
Correctness of mandatory access control is not proved
Security requirements for information flows are not considered
Mandatory access control mechanisms are not implemented as
reference monitor of database kernel
(
)
3 / 18

4. Purpose of the work
Enforcement of MLS policy in DBMS MySQL based on the formal models
The following problems were solved for reaching the purpose:
Research and modelling of discretionary access control mechanisms in
MySQL
Develompent of MySQL security policy including initially DAC policy
and new MLS policy
Implementation of MLS mechanism based on the created formal
security model
Access control mechanism security testing
(
)
4 / 18

5. Research of access control in MySQL
Access control research was based on the documentation and source
code analysis and tests
The main storage and timing covert channels were identified and
assessed
Information flows arising from SQL statements execution and violating
MLS policy were identified
(
)
5 / 18

6. Research of access control in MySQL
The following types of SQL statements can lead to unauthorized access
and MLS policy violating information flows:
«INSERT INTO . . . VALUES((SELECT. . . ), . . . )»;
«INSERT . . . SELECT»;
«UPDATE . . . SET . . . = (SELECT . . . )».
(
)
6 / 18

7. Example of violating MLS policy information flow
user> insert tab2 values((select col1 from tab1 limit 1));
(
)
7 / 18

8. Policy restrictions
All information flows are considered within DBMS MySQL
Information flows generated by SELECT, INSERT, UPDATE and
DELETE operators are considered
Timing covert channels are out of scope
(
)
8 / 18

9. The DP-models theory
DP-models were developed by Peter Devyanin in «Access control and
information flow security analysis of Computer Systems» monography
DP-models are based on the elements of Take-Grant model,
Bell-LaPadula model, and Military Security Policy model
DP-models are proposed for mathematical proving of access control
security
(
)
9 / 18

10. Elements of developed MySQL DP-model
Object entities O: columns COL, procedures Op , triggers Ot , views Ov
and variables Ov
Container entities C : tables TAB, databases DB and root container C0
Session subjects S, users’ accounts U
Function of entity hierarchy H : C ∪ Op ∪ Ot ∪ S → 2O∪C
Function of security classification of object entities
fe : (O Ov ) ∪ C → L
Function of security clearance of user’s accounts
fs : U → L
Function determining user by session subject user : S → U
(
)
10 / 18

11. Elements of developed MySQL DP-model
Set of access rights Rr = {readr , writer , appendr , deleter , alterr ,
executer , creater , dropr , create_routiner , create_userr , triggerr ,
create_viewr }
Set of accesses Ra = {reada , writea , appenda }
Set of information flows Rf = {writem }
Set of access rights that can be granted Grant ⊆ U × (C ∪ O) × Rr
State of the model G = (U, S, E , R, A, H, (fs , fe ), user , Grant,
execute_as, triggers, owner , operations, var )
Σ(G ∗ , OP) – computer system
(
)
11 / 18

12. Examples of transformation rules
Rule
create_session(u, s)
Initial state
u ∈ U, s ∈ S
s
∈ S, user (s) ∈ Lu ,
u ∈ U, l ≤ fs (user (s)),
(user (s), c0 , create_userr ) ∈ R
grant_right(s, u, e, α, s ∈ S, u ∈ U, e ∈ C ∪O, α ∈ Rr ,
grant_option)
grant_option ∈ {true, false},
∃c ≥ e : (s, c , α) ∈ Rr , ∃c ≥
e : (user (s), c, α) ∈ Grant
access_read(s, e)
s ∈ S, e ∈ DB ∪ TAB ∪ COL,
∃c ∈ C ∪ O, that e < c or
e = c, fs (user (s)) ≥ fe (c) and
HLS(e, c) = true, e1 ∈ O ∪ C :
fe (e1 ) < fe (e) and (s, e1 , α) ∈
A, where α ∈ {writea , appenda }
create_user (s, u, l)
(
Final state
Ss = Ss ∪ {s}, fs (s) =
fs (u), user (s) = u
U = U ∪ {u}, fs (u) = l
R
= R ∪ {(u, e, α)},
if grant_option = true,
then Grant = Grant ∪
{(u, e, α)}
A = A ∪ {(s, e, reada )},
F = F ∪ {(e, s, writem )}
)
12 / 18

13. Theorem
Definition 1
In the state G of system Σ(G ∗, OP) access (s, e, α) ∈ A satisfy to
ss-property, if α = appenda or fs (user (s)) ≥ fe (e).
Definition 2
In the state G of system Σ(G ∗, OP) accesses (s, e1 , reada ), (s, e2 , α) ∈ A,
where α ∈ {writea , appenda } satisfy to *-property, if fe (e1 ) ≤ fe (e2 ).
Theorem
Let G0 – initial state of the system Σ(G ∗, OP, G0 ), that is secure in terms
of Bell-LaPadula, and A0 = F0 = ∅. Then system Σ(G ∗, OP, G0 ) is secure
in terms of Bell-LaPadula.
(
)
13 / 18

14. Security labels storing
(
)
14 / 18

15. Security labels processing
(
)
15 / 18

16. Mandatory access control scheme
(
)
16 / 18

17. Results
1) The implementation methods of violating MLS policy information
flows in DBMS MySQL were identified
2) The mathematical DP-model of mandatory access control policy of
DBMS MySQL was developed
3) The adaptation of developed model to access control mechanisms of
DBMS MySQL was performed
4) The mandatory access control mechanism of DBMS MySQL was
implemented as reference monitor on database kernel level
(
)
17 / 18

18. Thank you for your attention!!!
Denis Kolegov,
d.n.kolegov@gmail.com
Nikolay Tkachenko,
n.o.tkachenko@gmail.com
Dmitry Chernov,
dm.vl.chernov@gmail.com
(
)
18 / 18