SlideShare ist ein Scribd-Unternehmen logo

The Security-Enhanced PostgreSQL - "system wide" consistency in access control

Kohei KaiGai
Kohei KaiGai

slides on Linux Conference Australia 2009 (presented by Russell Coker, thanks!)

Technologie
1 von 26
Downloaden Sie, um offline zu lesen
The Security-Enhanced PostgreSQL - "system wide" consistency in access controls - NEC OSS Promotion Center KaiGai Kohei <kaigai@ak.jp.nec.com> 1
Self Introduction Working for NEC, come from Tokyo, Japan Primary developer of SE-PostgreSQL I've forcused on the work for more than 2 years. 6 year's experience in Linux kernel development Especially, SELinux and security related region SMP Scalability improvement (2.6.11) XATTR Support in JFFS (2.6.18) SELinux support in busybox Type boundary and Multithreading (2.6.28) Page 2
The Background Price of Notebook : $10.00 Price of Individual Info: priceless What should it be protected from harms by security? Personal Info, Corporate secrets, Authentication data, ... They are called as Information-Assets. Information asset is not tangible. It always has to be stored in something. Filesystem, Database, IC Card, Paper, Brain, Lithograph, ... Page 3
I dislike a term of "Database Security" Information Asset What determines the value of information asset? Contents, not the way to store them How access control mechanism works? Filesystem Filesystem permission (combination of r,w,x) Database Database ACLs (GRANT and REVOKE) It completely depends on the way to store them! We should apply consistent access control rules for same information assets, independent from the way to store them! Page 4
Consistency in Access controls (1/2) Access control policy depends on the way to store information asset. They have a possibility to apply inconsistent access control policy. Classified users Unclassified users process Classified process Users Information Database Database Filesystem Filesystem ACLs Permission ACLs Permission Object Managers IPC objects Filesystem Network Database Objects Linux kernel PostgreSQL Page 5
Consistency in Access controls (2/2) Object manager queries SELinux about required actions. SELinux makes its consistent decision based on a unique policy. Classified users Unclassified users process Classified process Users Information Database Database Filesystem Filesystem ACLs Permission ACLs Permission Objects and Object Managers IPC objects Filesystem Network Database Objects Linux kernel PostgreSQL Reference Security Monitor Can I Iallow aared Policy Can I Iallow aablue Can allow red SELinux Can allow blue user to write? user to write? user to read? user to read? Page 6
The Feature of SE-PostgreSQL "System-wide" consistency in access controls A single unified security policy between OS and DBMS Common representation in security attributes Fine-grained Mandatory access controls Including column-/row-level access controls Non-bypassable, even if database super users The Goal of SE-PostgreSQL DBMS as a part of Data Flow Control schemes Prevention for leaking/manipulation by malicious ones Minimization of damages via SQL injections Page 7
"System-wide" consistency in Access Controls 8
SE-PostgreSQL system design A single unified security policy is applied, when user tries to read a file via system-calls when user tries to select a table via SQL-queries System Operating System Call Implementation of Entry point Files Filesystem System Calls Permission SELinux Subsystem Policy A single unified A single unified security policy security policy SE-PostgreSQL SE-PostgreSQL Sub System Tables Database ACL ------ ---- -- ------- Query Execution Engine *** *** * ***** SQL +++ ++ + +++ ## ### # ##### Page 9
How security policy works? (1/2) What is the security policy? A set of rules, managed by SELinux Individual rule describes who is allowed to do what operations for what objects. Any entities are identified by security context. What is the security context? A formatted text for security attribute Common representation for various kind of objects system_u : object_r : postgresql_db_t : Unclassified file:{read} Subject Action Object staff_u:staff_r:staff_t:Classified Page 10
How security policy works? (2/2) All the objects have its security context managed by Object managers. SELinux makes its decision, and Object managers follows it. ...:user_t:SystemLow ...:user_t:SystemLow ...:staff_t:SystemHigh ...:staff_t:SystemHigh Users Method System Calls SQL to access ...:postgresql_port_t:Unclassified ...:postgresql_port_t:Unclassified ...:user_home_t:Secret ...:user_home_t:Secret ...:sepgsql_table_t:Classified ...:sepgsql_table_t:Classified Objects Shared Memory and Object Network Managers File Socket File Table ...:var_log_t:Unclassified ...:var_log_t:Unclassified Linux ...:postgresql_t:Unclassified ...:postgresql_t:Unclassified SE-PostgreSQL Reference Security SELinux Policy Monitor Is the given request Is the given request to be allowed, or not? to be allowed, or not? Page 11
"security_label" system column p o s t g r e s = # S E L E C T s e c u r i t y _ l a b e l , * F R O M d r i n k ; s e c u r i t y _ l a b e l | i d | n a m e | p r i c e - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - + - - - - - - - - + - - - - - - - s y s t e m _ u : o b j e c t _ r : s e p g s q l _ r o _ t a b l e _ t | 1 | w a t e r | 1 0 0 s y s t e m _ u : o b j e c t _ r : s e p g s q l _ r o _ t a b l e _ t | 2 | c o k e | 1 2 0 s y s t e m _ u : o b j e c t _ r : s e p g s q l _ t a b l e _ t | 3 | j u i c e | 1 3 0 s y s t e m _ u : o b j e c t _ r : s e p g s q l _ t a b l e _ t | 4 | c o f f e e | 1 8 0 s y s t e m _ u : o b j e c t _ r : s e p g s q l _ t a b l e _ t : C l a s s i f i e d | 5 | b e e r | 2 4 0 s y s t e m _ u : o b j e c t _ r : s e p g s q l _ t a b l e _ t : C l a s s i f i e d | 6 | s a k e | 3 2 0 ( 6 r o w s ) It enables to export/import security context of tuples. Note: PostgreSQL has special relations called as system catalog. Security context of tuples within them shows ones of tables, columns, ... The "security_label" system column is writable. A default security context is assigned for newly inserted tuple. Page 12
Privileges of Clients Access controls, as if user reads files via system-calls But, queries come through networks Labeled Networking Technology getpeercon() API in SELinux It enables to obtain security context of the peer process. SE-PostgreSQL applies it as privileges of client. Labeled IPsec Networks ...:SystemHigh ...:SystemMiddle UNIX domain socket SE-PostgreSQL localhost Peer's context is delivered during key exchanging. Page 13
Fine-Grained Mandatory Access Controls 14
Mandatory Access Controls PostgreSQL has superuser It is allowed to bypass all the access controls Like a root in operating system, nightmare for security Resource owner can change its access rights Possibly, he can leak classified information assets. How does SE-PostgreSQL handle them? Is applies its security policy on all the queries, including ones come from superusers. It does not allow to bypass its access controls. Any DB objects are labeled based on security policy. Page 15
Row-level Access Controls SE-PostgreSQL filters any violated tuples from result set, as if they are not on scaned relations. It skips to modity violated ones on UPDATE/DELETE It checks a new tuple on INSERT. Example: Example: SELECT * FROM employee NATURAL JOIN division; IndexScan TABLE: employee JOIN SeqScan Clients TABLE: division SE-PostgreSQL Page 16
Column-level Access Controls SE-PostgreSQL checks any columns appeared in the queries. It aborts query execution, if violated one is found. All checks are applied before query execution. SELECT id, name, 2*price FROM drink WHERE alcohol = true; Walking on the query tree. Query parser Query Tree id name int4mul It aborts query booleq execution, if client does not have 2 price required permissions alcohol True Page 17
Case Study (1/2) SELECT name, price * 2 FROM drink WHERE id < 40; db_column:{select} for name and price column db_column:{use} for id column {use} permission means "referred but consumed internally" db_procedure:{execute} for int4mul and int4lt function db_table:{select use} for drink table Implementation of operators. Implementation of operators. It raises an error, if privileges are not enough. And db_tuple:{select use} for each tuples Any violated tuples are filtered from result set. Page 18
Case Study (2/2) UPDATE drink SET size = 500, price = price * 2 WHERE alcohol = true; db_column:{update} for size column db_column:{select update} for price column price column is also read, not only updated. db_column:{use} for alcohol column db_procedure:{execute} for booleq and int4mul function db_table:{select use update} for drink table It raises an error, if privilges are not enough. And db_tuple:{select use update} for each tuples Any violated tuples are excepted from the target of updating. Page 19
Demonstration 20
Performance CPU: Core2Duo E6400, Mem: 1GB, HDD: SATA CPU: Core2Duo E6400, Mem: 1GB, HDD: SATA 700 shared_buffer=512m, rest of options are in default. shared_buffer=512m, rest of options are in default. 600 $$pgbench -c 22-t 200000 pgbench -c -t 200000 Transactions per second 500 400 300 200 100 0 2 4 6 8 10 12 14 16 18 20 Scaling factor PostgreSQL 8.4devel SE-PostgreSQL 8.4devel about 10% security-tradeoff in maximum access vector cache (AVC) minimizes # of system-call invocation Page 21
PGACE Security Framework PGACE : PostgreSQL Access Control Extension A common framework for various security designs various security hooks in strategic points facilities to manage security attribute of DB objects Add enhanced security features with minimum impact Available features SE-PostgreSQL, Row-level ACLs, Trusted-Solaris (upcoming) core PostgreSQL pgace_feature = 'selinux'; pgace_feature = 'selinux'; sepgsqlHeapTupleInsert() heap_insert() pgaceHeapTupleInsert() rowaclHeapTupleInsert() A strategic function A strategic function yourHeapTupleInsert() is invoked is invoked Page 22
The current status of SE-PostgreSQL Upstreaming status Currently, we are working under PostgreSQL v8.4 development cycle. http://wiki.postgresql.org/wiki/CommitFest:2008-11 It has been unclear whether we can enjoy SE-PostgreSQL on the next version of vanilla PostgreSQL, or not :( Distribution Support sepostgresql package is available on Fedora 8 or later. The default security policy also support SE-PostgreSQL. Resources http://code.google.com/p/sepgsql/ http://wiki.postgresql.org/wiki/SEPostgreSQL Page 23
Future Visions SE-PostgreSQL as a foundation of secure web application stack. SELinux enables to controls whole of the LAPP stack. Security is a concept of whole of the system, not only individual conponents, so I dislike a term of "Database Security". AP servers AP servers AP servers (PHP, Tomcat) (PHP, Tomcat) (PHP, Tomcat) Web server Web server Web server (Apache) (Apache) (Apache/SELinux plus) RDBMS RDBMS RDBMS (PostgreSQL) (SE-PostgreSQL) (SE-PostgreSQL) Operating System Operating System Operating System (SELinux) (SELinux) (SELinux) Past Today Future Page 24
Any Question? 25
Thank you! 26

Empfohlen

Security Enhanced PostgreSQL - System-wide consistency in access control
Security Enhanced PostgreSQL - System-wide consistency in access controlSecurity Enhanced PostgreSQL - System-wide consistency in access control
Security Enhanced PostgreSQL - System-wide consistency in access controlKohei KaiGai
 
LAPP/SELinux - A secure web application stack using SE-PostgreSQL
LAPP/SELinux - A secure web application stack using SE-PostgreSQLLAPP/SELinux - A secure web application stack using SE-PostgreSQL
LAPP/SELinux - A secure web application stack using SE-PostgreSQLKohei KaiGai
 
Label based Mandatory Access Control on PostgreSQL
Label based Mandatory Access Control on PostgreSQLLabel based Mandatory Access Control on PostgreSQL
Label based Mandatory Access Control on PostgreSQLKohei KaiGai
 
Maemo Platform Security Fosdem
Maemo Platform Security FosdemMaemo Platform Security Fosdem
Maemo Platform Security FosdemElena Reshetova
 
Acl 6
Acl 6Acl 6
Acl 6darryllyrad
 
Writing A Foreign Data Wrapper
Writing A Foreign Data WrapperWriting A Foreign Data Wrapper
Writing A Foreign Data Wrapperpsoo1978
 
Kevin Kempter PostgreSQL Backup and Recovery Methods @ Postgres Open
Kevin Kempter PostgreSQL Backup and Recovery Methods @ Postgres OpenKevin Kempter PostgreSQL Backup and Recovery Methods @ Postgres Open
Kevin Kempter PostgreSQL Backup and Recovery Methods @ Postgres OpenPostgresOpen
 
PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_TutorialVibhor Kumar
 

Empfohlen

Security Enhanced PostgreSQL - System-wide consistency in access control
Security Enhanced PostgreSQL - System-wide consistency in access controlSecurity Enhanced PostgreSQL - System-wide consistency in access control
Security Enhanced PostgreSQL - System-wide consistency in access controlKohei KaiGai
 
LAPP/SELinux - A secure web application stack using SE-PostgreSQL
LAPP/SELinux - A secure web application stack using SE-PostgreSQLLAPP/SELinux - A secure web application stack using SE-PostgreSQL
LAPP/SELinux - A secure web application stack using SE-PostgreSQLKohei KaiGai
 
Label based Mandatory Access Control on PostgreSQL
Label based Mandatory Access Control on PostgreSQLLabel based Mandatory Access Control on PostgreSQL
Label based Mandatory Access Control on PostgreSQLKohei KaiGai
 
Maemo Platform Security Fosdem
Maemo Platform Security FosdemMaemo Platform Security Fosdem
Maemo Platform Security FosdemElena Reshetova
 
Acl 6
Acl 6Acl 6
Acl 6darryllyrad
 
Writing A Foreign Data Wrapper
Writing A Foreign Data WrapperWriting A Foreign Data Wrapper
Writing A Foreign Data Wrapperpsoo1978
 
Kevin Kempter PostgreSQL Backup and Recovery Methods @ Postgres Open
Kevin Kempter PostgreSQL Backup and Recovery Methods @ Postgres OpenKevin Kempter PostgreSQL Backup and Recovery Methods @ Postgres Open
Kevin Kempter PostgreSQL Backup and Recovery Methods @ Postgres OpenPostgresOpen
 
PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_TutorialVibhor Kumar
 
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsPostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsFaisal Akber
 
PostgreSQL replication from setup to advanced features.
PostgreSQL replication from setup to advanced features. PostgreSQL replication from setup to advanced features.
PostgreSQL replication from setup to advanced features.Pivorak MeetUp
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci CompliaceDenish Patel
 
Security Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentSecurity Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentPGConf APAC
 
Linux tuning to improve PostgreSQL performance
Linux tuning to improve PostgreSQL performanceLinux tuning to improve PostgreSQL performance
Linux tuning to improve PostgreSQL performancePostgreSQL-Consulting
 
Backup recovery with PostgreSQL
Backup recovery with PostgreSQLBackup recovery with PostgreSQL
Backup recovery with PostgreSQLFederico Campoli
 
SE-PostgreSQL - System wide consistency of access control
SE-PostgreSQL - System wide consistency of access controlSE-PostgreSQL - System wide consistency of access control
SE-PostgreSQL - System wide consistency of access controlKohei KaiGai
 
LAPP/SELinux - A secure web application stack powered by SELinux
LAPP/SELinux - A secure web application stack powered by SELinuxLAPP/SELinux - A secure web application stack powered by SELinux
LAPP/SELinux - A secure web application stack powered by SELinuxKohei KaiGai
 
Se linux course1
Se linux course1Se linux course1
Se linux course1OWASP (Open Web Application Security Project)
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupJayant Chutke
 
Topic 7 access control
Topic 7 access controlTopic 7 access control
Topic 7 access controlKhawar Nehal khawar.nehal@atrc.net.pk
 
Introduction to SELinux Part-I
Introduction to SELinux Part-IIntroduction to SELinux Part-I
Introduction to SELinux Part-In|u - The Open Security Community
 
LCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsqlLCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsqlKohei KaiGai
 
Getting Memcached Secure
Getting Memcached SecureGetting Memcached Secure
Getting Memcached SecureKohei KaiGai
 
Safety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesSafety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesPostgreSQL Experts, Inc.
 
Week No 13 Access Control Part 1.pptx
Week No 13 Access Control Part 1.pptxWeek No 13 Access Control Part 1.pptx
Week No 13 Access Control Part 1.pptxXhamiiiCH
 
Lee oracle
Lee oracleLee oracle
Lee oracledhrumiljpatel
 
2014 04-03 xyratex event
2014 04-03 xyratex event2014 04-03 xyratex event
2014 04-03 xyratex eventShawn Wells
 
Novell File Management Suite Use Cases
Novell File Management Suite Use CasesNovell File Management Suite Use Cases
Novell File Management Suite Use CasesNovell
 
Novell File Management Suite Use Cases
Novell File Management Suite Use CasesNovell File Management Suite Use Cases
Novell File Management Suite Use CasesNovell
 
An Attribute-based Controlled Collaborative Access Control Scheme for Public ...
An Attribute-based Controlled Collaborative Access Control Scheme for Public ...An Attribute-based Controlled Collaborative Access Control Scheme for Public ...
An Attribute-based Controlled Collaborative Access Control Scheme for Public ...JAYAPRAKASH JPINFOTECH
 
Design for security in operating system
Design for security in operating systemDesign for security in operating system
Design for security in operating systemBhagyashree Barde
 

Weitere ähnliche Inhalte

Andere mochten auch

PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsPostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsFaisal Akber
 
PostgreSQL replication from setup to advanced features.
PostgreSQL replication from setup to advanced features. PostgreSQL replication from setup to advanced features.
PostgreSQL replication from setup to advanced features.Pivorak MeetUp
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci CompliaceDenish Patel
 
Security Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentSecurity Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentPGConf APAC
 
Linux tuning to improve PostgreSQL performance
Linux tuning to improve PostgreSQL performanceLinux tuning to improve PostgreSQL performance
Linux tuning to improve PostgreSQL performancePostgreSQL-Consulting
 
Backup recovery with PostgreSQL
Backup recovery with PostgreSQLBackup recovery with PostgreSQL
Backup recovery with PostgreSQLFederico Campoli
 

Andere mochten auch (6)

PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsPostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
 
PostgreSQL replication from setup to advanced features.
PostgreSQL replication from setup to advanced features. PostgreSQL replication from setup to advanced features.
PostgreSQL replication from setup to advanced features.
 
Achieving Pci Compliace
Achieving Pci CompliaceAchieving Pci Compliace
Achieving Pci Compliace
 
Security Best Practices for your Postgres Deployment
Security Best Practices for your Postgres DeploymentSecurity Best Practices for your Postgres Deployment
Security Best Practices for your Postgres Deployment
 
Linux tuning to improve PostgreSQL performance
Linux tuning to improve PostgreSQL performanceLinux tuning to improve PostgreSQL performance
Linux tuning to improve PostgreSQL performance
 
Backup recovery with PostgreSQL
Backup recovery with PostgreSQLBackup recovery with PostgreSQL
Backup recovery with PostgreSQL
 

Ähnlich wie The Security-Enhanced PostgreSQL - "system wide" consistency in access control

SE-PostgreSQL - System wide consistency of access control
SE-PostgreSQL - System wide consistency of access controlSE-PostgreSQL - System wide consistency of access control
SE-PostgreSQL - System wide consistency of access controlKohei KaiGai
 
LAPP/SELinux - A secure web application stack powered by SELinux
LAPP/SELinux - A secure web application stack powered by SELinuxLAPP/SELinux - A secure web application stack powered by SELinux
LAPP/SELinux - A secure web application stack powered by SELinuxKohei KaiGai
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupJayant Chutke
 
LCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsqlLCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsqlKohei KaiGai
 
Getting Memcached Secure
Getting Memcached SecureGetting Memcached Secure
Getting Memcached SecureKohei KaiGai
 
Safety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesSafety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesPostgreSQL Experts, Inc.
 
Week No 13 Access Control Part 1.pptx
Week No 13 Access Control Part 1.pptxWeek No 13 Access Control Part 1.pptx
Week No 13 Access Control Part 1.pptxXhamiiiCH
 
2014 04-03 xyratex event
2014 04-03 xyratex event2014 04-03 xyratex event
2014 04-03 xyratex eventShawn Wells
 
Novell File Management Suite Use Cases
Novell File Management Suite Use CasesNovell File Management Suite Use Cases
Novell File Management Suite Use CasesNovell
 
Novell File Management Suite Use Cases
Novell File Management Suite Use CasesNovell File Management Suite Use Cases
Novell File Management Suite Use CasesNovell
 
An Attribute-based Controlled Collaborative Access Control Scheme for Public ...
An Attribute-based Controlled Collaborative Access Control Scheme for Public ...An Attribute-based Controlled Collaborative Access Control Scheme for Public ...
An Attribute-based Controlled Collaborative Access Control Scheme for Public ...JAYAPRAKASH JPINFOTECH
 
Design for security in operating system
Design for security in operating systemDesign for security in operating system
Design for security in operating systemBhagyashree Barde
 
LAPP/SELinux - A secure web application platform powered by SELinux
LAPP/SELinux - A secure web application platform powered by SELinuxLAPP/SELinux - A secure web application platform powered by SELinux
LAPP/SELinux - A secure web application platform powered by SELinuxKohei KaiGai
 
Relational
RelationalRelational
Relationaldieover
 
Distributed file system
Distributed file systemDistributed file system
Distributed file systemAnamika Singh
 
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...IBM Danmark
 

Ähnlich wie The Security-Enhanced PostgreSQL - "system wide" consistency in access control (20)

SE-PostgreSQL - System wide consistency of access control
SE-PostgreSQL - System wide consistency of access controlSE-PostgreSQL - System wide consistency of access control
SE-PostgreSQL - System wide consistency of access control
 
LAPP/SELinux - A secure web application stack powered by SELinux
LAPP/SELinux - A secure web application stack powered by SELinuxLAPP/SELinux - A secure web application stack powered by SELinux
LAPP/SELinux - A secure web application stack powered by SELinux
 
Se linux course1
Se linux course1Se linux course1
Se linux course1
 
SELinux_@gnu_group_meetup
SELinux_@gnu_group_meetupSELinux_@gnu_group_meetup
SELinux_@gnu_group_meetup
 
Topic 7 access control
Topic 7 access controlTopic 7 access control
Topic 7 access control
 
Introduction to SELinux Part-I
Introduction to SELinux Part-IIntroduction to SELinux Part-I
Introduction to SELinux Part-I
 
LCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsqlLCJ2010-KaiGai-sepgsql
LCJ2010-KaiGai-sepgsql
 
Getting Memcached Secure
Getting Memcached SecureGetting Memcached Secure
Getting Memcached Secure
 
Safety LAMP: data security & agile languages
Safety LAMP: data security & agile languagesSafety LAMP: data security & agile languages
Safety LAMP: data security & agile languages
 
Week No 13 Access Control Part 1.pptx
Week No 13 Access Control Part 1.pptxWeek No 13 Access Control Part 1.pptx
Week No 13 Access Control Part 1.pptx
 
Lee oracle
Lee oracleLee oracle
Lee oracle
 
2014 04-03 xyratex event
2014 04-03 xyratex event2014 04-03 xyratex event
2014 04-03 xyratex event
 
Novell File Management Suite Use Cases
Novell File Management Suite Use CasesNovell File Management Suite Use Cases
Novell File Management Suite Use Cases
 
Novell File Management Suite Use Cases
Novell File Management Suite Use CasesNovell File Management Suite Use Cases
Novell File Management Suite Use Cases
 
An Attribute-based Controlled Collaborative Access Control Scheme for Public ...
An Attribute-based Controlled Collaborative Access Control Scheme for Public ...An Attribute-based Controlled Collaborative Access Control Scheme for Public ...
An Attribute-based Controlled Collaborative Access Control Scheme for Public ...
 
Design for security in operating system
Design for security in operating systemDesign for security in operating system
Design for security in operating system
 
LAPP/SELinux - A secure web application platform powered by SELinux
LAPP/SELinux - A secure web application platform powered by SELinuxLAPP/SELinux - A secure web application platform powered by SELinux
LAPP/SELinux - A secure web application platform powered by SELinux
 
Relational
RelationalRelational
Relational
 
Distributed file system
Distributed file systemDistributed file system
Distributed file system
 
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
Ved du, hvor dine data er - og hvem, der har adgang til dem? Ron Ben Natan, I...
 

Mehr von Kohei KaiGai

20221116_DBTS_PGStrom_History
20221116_DBTS_PGStrom_History20221116_DBTS_PGStrom_History
20221116_DBTS_PGStrom_HistoryKohei KaiGai
 
20221111_JPUG_CustomScan_API
20221111_JPUG_CustomScan_API20221111_JPUG_CustomScan_API
20221111_JPUG_CustomScan_APIKohei KaiGai
 
20211112_jpugcon_gpu_and_arrow
20211112_jpugcon_gpu_and_arrow20211112_jpugcon_gpu_and_arrow
20211112_jpugcon_gpu_and_arrowKohei KaiGai
 
20210928_pgunconf_hll_count
20210928_pgunconf_hll_count20210928_pgunconf_hll_count
20210928_pgunconf_hll_countKohei KaiGai
 
20210731_OSC_Kyoto_PGStrom3.0
20210731_OSC_Kyoto_PGStrom3.020210731_OSC_Kyoto_PGStrom3.0
20210731_OSC_Kyoto_PGStrom3.0Kohei KaiGai
 
20210511_PGStrom_GpuCache
20210511_PGStrom_GpuCache20210511_PGStrom_GpuCache
20210511_PGStrom_GpuCacheKohei KaiGai
 
20210301_PGconf_Online_GPU_PostGIS_GiST_Index
20210301_PGconf_Online_GPU_PostGIS_GiST_Index20210301_PGconf_Online_GPU_PostGIS_GiST_Index
20210301_PGconf_Online_GPU_PostGIS_GiST_IndexKohei KaiGai
 
20201128_OSC_Fukuoka_Online_GPUPostGIS
20201128_OSC_Fukuoka_Online_GPUPostGIS20201128_OSC_Fukuoka_Online_GPUPostGIS
20201128_OSC_Fukuoka_Online_GPUPostGISKohei KaiGai
 
20201113_PGconf_Japan_GPU_PostGIS
20201113_PGconf_Japan_GPU_PostGIS20201113_PGconf_Japan_GPU_PostGIS
20201113_PGconf_Japan_GPU_PostGISKohei KaiGai
 
20201006_PGconf_Online_Large_Data_Processing
20201006_PGconf_Online_Large_Data_Processing20201006_PGconf_Online_Large_Data_Processing
20201006_PGconf_Online_Large_Data_ProcessingKohei KaiGai
 
20200828_OSCKyoto_Online
20200828_OSCKyoto_Online20200828_OSCKyoto_Online
20200828_OSCKyoto_OnlineKohei KaiGai
 
20200806_PGStrom_PostGIS_GstoreFdw
20200806_PGStrom_PostGIS_GstoreFdw20200806_PGStrom_PostGIS_GstoreFdw
20200806_PGStrom_PostGIS_GstoreFdwKohei KaiGai
 
20200424_Writable_Arrow_Fdw
20200424_Writable_Arrow_Fdw20200424_Writable_Arrow_Fdw
20200424_Writable_Arrow_FdwKohei KaiGai
 
20191211_Apache_Arrow_Meetup_Tokyo
20191211_Apache_Arrow_Meetup_Tokyo20191211_Apache_Arrow_Meetup_Tokyo
20191211_Apache_Arrow_Meetup_TokyoKohei KaiGai
 
20191115-PGconf.Japan
20191115-PGconf.Japan20191115-PGconf.Japan
20191115-PGconf.JapanKohei KaiGai
 
20190926_Try_RHEL8_NVMEoF_Beta
20190926_Try_RHEL8_NVMEoF_Beta20190926_Try_RHEL8_NVMEoF_Beta
20190926_Try_RHEL8_NVMEoF_BetaKohei KaiGai
 
20190925_DBTS_PGStrom
20190925_DBTS_PGStrom20190925_DBTS_PGStrom
20190925_DBTS_PGStromKohei KaiGai
 
20190909_PGconf.ASIA_KaiGai
20190909_PGconf.ASIA_KaiGai20190909_PGconf.ASIA_KaiGai
20190909_PGconf.ASIA_KaiGaiKohei KaiGai
 
20190516_DLC10_PGStrom
20190516_DLC10_PGStrom20190516_DLC10_PGStrom
20190516_DLC10_PGStromKohei KaiGai
 
20190418_PGStrom_on_ArrowFdw
20190418_PGStrom_on_ArrowFdw20190418_PGStrom_on_ArrowFdw
20190418_PGStrom_on_ArrowFdwKohei KaiGai
 

Mehr von Kohei KaiGai (20)

20221116_DBTS_PGStrom_History
20221116_DBTS_PGStrom_History20221116_DBTS_PGStrom_History
20221116_DBTS_PGStrom_History
 
20221111_JPUG_CustomScan_API
20221111_JPUG_CustomScan_API20221111_JPUG_CustomScan_API
20221111_JPUG_CustomScan_API
 
20211112_jpugcon_gpu_and_arrow
20211112_jpugcon_gpu_and_arrow20211112_jpugcon_gpu_and_arrow
20211112_jpugcon_gpu_and_arrow
 
20210928_pgunconf_hll_count
20210928_pgunconf_hll_count20210928_pgunconf_hll_count
20210928_pgunconf_hll_count
 
20210731_OSC_Kyoto_PGStrom3.0
20210731_OSC_Kyoto_PGStrom3.020210731_OSC_Kyoto_PGStrom3.0
20210731_OSC_Kyoto_PGStrom3.0
 
20210511_PGStrom_GpuCache
20210511_PGStrom_GpuCache20210511_PGStrom_GpuCache
20210511_PGStrom_GpuCache
 
20210301_PGconf_Online_GPU_PostGIS_GiST_Index
20210301_PGconf_Online_GPU_PostGIS_GiST_Index20210301_PGconf_Online_GPU_PostGIS_GiST_Index
20210301_PGconf_Online_GPU_PostGIS_GiST_Index
 
20201128_OSC_Fukuoka_Online_GPUPostGIS
20201128_OSC_Fukuoka_Online_GPUPostGIS20201128_OSC_Fukuoka_Online_GPUPostGIS
20201128_OSC_Fukuoka_Online_GPUPostGIS
 
20201113_PGconf_Japan_GPU_PostGIS
20201113_PGconf_Japan_GPU_PostGIS20201113_PGconf_Japan_GPU_PostGIS
20201113_PGconf_Japan_GPU_PostGIS
 
20201006_PGconf_Online_Large_Data_Processing
20201006_PGconf_Online_Large_Data_Processing20201006_PGconf_Online_Large_Data_Processing
20201006_PGconf_Online_Large_Data_Processing
 
20200828_OSCKyoto_Online
20200828_OSCKyoto_Online20200828_OSCKyoto_Online
20200828_OSCKyoto_Online
 
20200806_PGStrom_PostGIS_GstoreFdw
20200806_PGStrom_PostGIS_GstoreFdw20200806_PGStrom_PostGIS_GstoreFdw
20200806_PGStrom_PostGIS_GstoreFdw
 
20200424_Writable_Arrow_Fdw
20200424_Writable_Arrow_Fdw20200424_Writable_Arrow_Fdw
20200424_Writable_Arrow_Fdw
 
20191211_Apache_Arrow_Meetup_Tokyo
20191211_Apache_Arrow_Meetup_Tokyo20191211_Apache_Arrow_Meetup_Tokyo
20191211_Apache_Arrow_Meetup_Tokyo
 
20191115-PGconf.Japan
20191115-PGconf.Japan20191115-PGconf.Japan
20191115-PGconf.Japan
 
20190926_Try_RHEL8_NVMEoF_Beta
20190926_Try_RHEL8_NVMEoF_Beta20190926_Try_RHEL8_NVMEoF_Beta
20190926_Try_RHEL8_NVMEoF_Beta
 
20190925_DBTS_PGStrom
20190925_DBTS_PGStrom20190925_DBTS_PGStrom
20190925_DBTS_PGStrom
 
20190909_PGconf.ASIA_KaiGai
20190909_PGconf.ASIA_KaiGai20190909_PGconf.ASIA_KaiGai
20190909_PGconf.ASIA_KaiGai
 
20190516_DLC10_PGStrom
20190516_DLC10_PGStrom20190516_DLC10_PGStrom
20190516_DLC10_PGStrom
 
20190418_PGStrom_on_ArrowFdw
20190418_PGStrom_on_ArrowFdw20190418_PGStrom_on_ArrowFdw
20190418_PGStrom_on_ArrowFdw
 

Kürzlich hochgeladen

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Kürzlich hochgeladen (20)

CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

The Security-Enhanced PostgreSQL - "system wide" consistency in access control

  • 1. The Security-Enhanced PostgreSQL - "system wide" consistency in access controls - NEC OSS Promotion Center KaiGai Kohei <kaigai@ak.jp.nec.com> 1
  • 2. Self Introduction Working for NEC, come from Tokyo, Japan Primary developer of SE-PostgreSQL I've forcused on the work for more than 2 years. 6 year's experience in Linux kernel development Especially, SELinux and security related region SMP Scalability improvement (2.6.11) XATTR Support in JFFS (2.6.18) SELinux support in busybox Type boundary and Multithreading (2.6.28) Page 2
  • 3. The Background Price of Notebook : $10.00 Price of Individual Info: priceless What should it be protected from harms by security? Personal Info, Corporate secrets, Authentication data, ... They are called as Information-Assets. Information asset is not tangible. It always has to be stored in something. Filesystem, Database, IC Card, Paper, Brain, Lithograph, ... Page 3
  • 4. I dislike a term of "Database Security" Information Asset What determines the value of information asset? Contents, not the way to store them How access control mechanism works? Filesystem Filesystem permission (combination of r,w,x) Database Database ACLs (GRANT and REVOKE) It completely depends on the way to store them! We should apply consistent access control rules for same information assets, independent from the way to store them! Page 4
  • 5. Consistency in Access controls (1/2) Access control policy depends on the way to store information asset. They have a possibility to apply inconsistent access control policy. Classified users Unclassified users process Classified process Users Information Database Database Filesystem Filesystem ACLs Permission ACLs Permission Object Managers IPC objects Filesystem Network Database Objects Linux kernel PostgreSQL Page 5
  • 6. Consistency in Access controls (2/2) Object manager queries SELinux about required actions. SELinux makes its consistent decision based on a unique policy. Classified users Unclassified users process Classified process Users Information Database Database Filesystem Filesystem ACLs Permission ACLs Permission Objects and Object Managers IPC objects Filesystem Network Database Objects Linux kernel PostgreSQL Reference Security Monitor Can I Iallow aared Policy Can I Iallow aablue Can allow red SELinux Can allow blue user to write? user to write? user to read? user to read? Page 6
  • 7. The Feature of SE-PostgreSQL "System-wide" consistency in access controls A single unified security policy between OS and DBMS Common representation in security attributes Fine-grained Mandatory access controls Including column-/row-level access controls Non-bypassable, even if database super users The Goal of SE-PostgreSQL DBMS as a part of Data Flow Control schemes Prevention for leaking/manipulation by malicious ones Minimization of damages via SQL injections Page 7
  • 8. "System-wide" consistency in Access Controls 8
  • 9. SE-PostgreSQL system design A single unified security policy is applied, when user tries to read a file via system-calls when user tries to select a table via SQL-queries System Operating System Call Implementation of Entry point Files Filesystem System Calls Permission SELinux Subsystem Policy A single unified A single unified security policy security policy SE-PostgreSQL SE-PostgreSQL Sub System Tables Database ACL ------ ---- -- ------- Query Execution Engine *** *** * ***** SQL +++ ++ + +++ ## ### # ##### Page 9
  • 10. How security policy works? (1/2) What is the security policy? A set of rules, managed by SELinux Individual rule describes who is allowed to do what operations for what objects. Any entities are identified by security context. What is the security context? A formatted text for security attribute Common representation for various kind of objects system_u : object_r : postgresql_db_t : Unclassified file:{read} Subject Action Object staff_u:staff_r:staff_t:Classified Page 10
  • 11. How security policy works? (2/2) All the objects have its security context managed by Object managers. SELinux makes its decision, and Object managers follows it. ...:user_t:SystemLow ...:user_t:SystemLow ...:staff_t:SystemHigh ...:staff_t:SystemHigh Users Method System Calls SQL to access ...:postgresql_port_t:Unclassified ...:postgresql_port_t:Unclassified ...:user_home_t:Secret ...:user_home_t:Secret ...:sepgsql_table_t:Classified ...:sepgsql_table_t:Classified Objects Shared Memory and Object Network Managers File Socket File Table ...:var_log_t:Unclassified ...:var_log_t:Unclassified Linux ...:postgresql_t:Unclassified ...:postgresql_t:Unclassified SE-PostgreSQL Reference Security SELinux Policy Monitor Is the given request Is the given request to be allowed, or not? to be allowed, or not? Page 11
  • 12. "security_label" system column p o s t g r e s = # S E L E C T s e c u r i t y _ l a b e l , * F R O M d r i n k ; s e c u r i t y _ l a b e l | i d | n a m e | p r i c e - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - + - - - - - - - - + - - - - - - - s y s t e m _ u : o b j e c t _ r : s e p g s q l _ r o _ t a b l e _ t | 1 | w a t e r | 1 0 0 s y s t e m _ u : o b j e c t _ r : s e p g s q l _ r o _ t a b l e _ t | 2 | c o k e | 1 2 0 s y s t e m _ u : o b j e c t _ r : s e p g s q l _ t a b l e _ t | 3 | j u i c e | 1 3 0 s y s t e m _ u : o b j e c t _ r : s e p g s q l _ t a b l e _ t | 4 | c o f f e e | 1 8 0 s y s t e m _ u : o b j e c t _ r : s e p g s q l _ t a b l e _ t : C l a s s i f i e d | 5 | b e e r | 2 4 0 s y s t e m _ u : o b j e c t _ r : s e p g s q l _ t a b l e _ t : C l a s s i f i e d | 6 | s a k e | 3 2 0 ( 6 r o w s ) It enables to export/import security context of tuples. Note: PostgreSQL has special relations called as system catalog. Security context of tuples within them shows ones of tables, columns, ... The "security_label" system column is writable. A default security context is assigned for newly inserted tuple. Page 12
  • 13. Privileges of Clients Access controls, as if user reads files via system-calls But, queries come through networks Labeled Networking Technology getpeercon() API in SELinux It enables to obtain security context of the peer process. SE-PostgreSQL applies it as privileges of client. Labeled IPsec Networks ...:SystemHigh ...:SystemMiddle UNIX domain socket SE-PostgreSQL localhost Peer's context is delivered during key exchanging. Page 13
  • 15. Mandatory Access Controls PostgreSQL has superuser It is allowed to bypass all the access controls Like a root in operating system, nightmare for security Resource owner can change its access rights Possibly, he can leak classified information assets. How does SE-PostgreSQL handle them? Is applies its security policy on all the queries, including ones come from superusers. It does not allow to bypass its access controls. Any DB objects are labeled based on security policy. Page 15
  • 16. Row-level Access Controls SE-PostgreSQL filters any violated tuples from result set, as if they are not on scaned relations. It skips to modity violated ones on UPDATE/DELETE It checks a new tuple on INSERT. Example: Example: SELECT * FROM employee NATURAL JOIN division; IndexScan TABLE: employee JOIN SeqScan Clients TABLE: division SE-PostgreSQL Page 16
  • 17. Column-level Access Controls SE-PostgreSQL checks any columns appeared in the queries. It aborts query execution, if violated one is found. All checks are applied before query execution. SELECT id, name, 2*price FROM drink WHERE alcohol = true; Walking on the query tree. Query parser Query Tree id name int4mul It aborts query booleq execution, if client does not have 2 price required permissions alcohol True Page 17
  • 18. Case Study (1/2) SELECT name, price * 2 FROM drink WHERE id < 40; db_column:{select} for name and price column db_column:{use} for id column {use} permission means "referred but consumed internally" db_procedure:{execute} for int4mul and int4lt function db_table:{select use} for drink table Implementation of operators. Implementation of operators. It raises an error, if privileges are not enough. And db_tuple:{select use} for each tuples Any violated tuples are filtered from result set. Page 18
  • 19. Case Study (2/2) UPDATE drink SET size = 500, price = price * 2 WHERE alcohol = true; db_column:{update} for size column db_column:{select update} for price column price column is also read, not only updated. db_column:{use} for alcohol column db_procedure:{execute} for booleq and int4mul function db_table:{select use update} for drink table It raises an error, if privilges are not enough. And db_tuple:{select use update} for each tuples Any violated tuples are excepted from the target of updating. Page 19
  • 21. Performance CPU: Core2Duo E6400, Mem: 1GB, HDD: SATA CPU: Core2Duo E6400, Mem: 1GB, HDD: SATA 700 shared_buffer=512m, rest of options are in default. shared_buffer=512m, rest of options are in default. 600 $$pgbench -c 22-t 200000 pgbench -c -t 200000 Transactions per second 500 400 300 200 100 0 2 4 6 8 10 12 14 16 18 20 Scaling factor PostgreSQL 8.4devel SE-PostgreSQL 8.4devel about 10% security-tradeoff in maximum access vector cache (AVC) minimizes # of system-call invocation Page 21
  • 22. PGACE Security Framework PGACE : PostgreSQL Access Control Extension A common framework for various security designs various security hooks in strategic points facilities to manage security attribute of DB objects Add enhanced security features with minimum impact Available features SE-PostgreSQL, Row-level ACLs, Trusted-Solaris (upcoming) core PostgreSQL pgace_feature = 'selinux'; pgace_feature = 'selinux'; sepgsqlHeapTupleInsert() heap_insert() pgaceHeapTupleInsert() rowaclHeapTupleInsert() A strategic function A strategic function yourHeapTupleInsert() is invoked is invoked Page 22
  • 23. The current status of SE-PostgreSQL Upstreaming status Currently, we are working under PostgreSQL v8.4 development cycle. http://wiki.postgresql.org/wiki/CommitFest:2008-11 It has been unclear whether we can enjoy SE-PostgreSQL on the next version of vanilla PostgreSQL, or not :( Distribution Support sepostgresql package is available on Fedora 8 or later. The default security policy also support SE-PostgreSQL. Resources http://code.google.com/p/sepgsql/ http://wiki.postgresql.org/wiki/SEPostgreSQL Page 23
  • 24. Future Visions SE-PostgreSQL as a foundation of secure web application stack. SELinux enables to controls whole of the LAPP stack. Security is a concept of whole of the system, not only individual conponents, so I dislike a term of "Database Security". AP servers AP servers AP servers (PHP, Tomcat) (PHP, Tomcat) (PHP, Tomcat) Web server Web server Web server (Apache) (Apache) (Apache/SELinux plus) RDBMS RDBMS RDBMS (PostgreSQL) (SE-PostgreSQL) (SE-PostgreSQL) Operating System Operating System Operating System (SELinux) (SELinux) (SELinux) Past Today Future Page 24