Analysis of Oracle mandatory access and control functions

Oracle mandatory access control is a basic security feature that must be implemented by B1-level security products. We all know the mandatory access and control functions of DM-related database security edition, it studies and draws on some security implementation mechanisms of existing mainstream database products, including the LBAC (Label Based Access Control) of DB2 and the label secrurity of Oracle.

The following describes the models of DB2, Oracle, and DM from six aspects of tag Security: security elements, policy applications, access rules, access privileges, system conflicts, and system permissions.

1 DB2 LBAC

1.1 Security elements

(1) security tag Components

Three types of components are supported: array, set, and tree.

A) create an Array Component

 
 

  
  
CREATE SECURITY LABEL COMPONENT level ARRAY 
[ ’Top Secret’, ’Secret’, ’Employee’, ’Public’ ] 
 
 

B) Create a collection component

 
 

  
  
CREATE SECURITY LABEL COMPONENT project 
Set ={’A’, ’B’, ’C’, ’D’} 
 
 

C) Create a tree component

 
 

  
  
CREATE SECURITY LABEL COMPONENT department 
Tree={’G1’ ROOT, ’G2’ UNDER ’G1’, ’G2’ UNDER ’G1’} 
 
 

The names of each element cannot exceed 32 bytes, and the names of the same component cannot be repeated. An array can contain up to 65535 elements, and a set and tree can contain up to 64 elements.

(2) Security Policy

Create a security policy:

 
 

  
  
CREATE SECURITY POLICY DataAccess COMPONENTS level,department WITH DB2LABCRULES 
 
 

To define a policy, you must specify the tag component and access rule. Each policy can contain up to 16 tag components. Currently, the system only supports the mandatory Oracle access rule DB2LABCRULES, which is described in the access rules section.

(3) security tag

Create a security tag:

The following is a reference clip:

 
 

  
  
CREATE SECURITY LABEL DataAccess.ManagerLabel COMPONENT level ’secret’   
  
  
project ’A’, ’B’, ’C’   
  
  
department ’G1’;  
 
 

Security tags can be applied to users, rows, and columns. When inserting data, you can also specify the security tag string directly. The rule is to specify the component values in sequence according to the order of the components in the policy. Different values of the same component are separated by commas, different components are separated by colons.

1.2 Policy Application

(1) user security mark

You can specify the access permission when you grant a security flag to a user.

 
 

  
  
GRANT SECURITY LABEL DataAccess.ManagerLabel TO USER JOE FOR READ ACCESS; 
 
 

Three ACCESS permissions are available: read access, write access, and all access. If the read/write security tag exists at the same time, the following conditions must be met: the value of the array-type component, the two security tags must be the same; the value of the Set-type component, the write access permission security tag must be included in the Read access permission security tag; the value of the tree type component, the write access permission security tag must be the same as the Read access permission security tag or its child nodes.

One user can be granted multiple security tags, but a security policy can only be granted one read Oracle mandatory access security tag and one write access security tag.

(2) Row-level security mark

Use security tags to protect tables at the row level.

The following is a reference clip:

 
 

  
  
CREATE TABLE T1 (   
  
  
A DB2SECURITYLABEL,   
  
  
B INTEGER,   
  
  
C CHAR(5))   
  
  
SECURITY POLICY DataAccess  
 
 

DB2SECURITYLABEL is the type of label column, which is actually processed as VARBINARY (128) internally ). The hidden flag column is not null with default, and the DEFAULT value is the user's write security tag.

(3) column-level security tag

Use security tags to protect tables at the column level.

The following is a reference clip:

 
 

  
  
CREATE TABLE T1 (   
  
  
A CHAR(8) SECURED WITH ManagerLabel,   
  
  
B INTEGER,   
  
  
C CHAR(5))   
  
  
SECURITY POLICY DataAccess  
 
 

(4) Table-level security tag

Label Security labels are actually implemented using column-level security labels.

The following is a reference clip:

 
 

  
  
CREATE TABLE T1 (   
  
  
A CHAR(8) SECURED WITH ManagerLabel,   
  
  
B INTEGER SECURED WITH ManagerLabel,   
  
  
C CHAR(5) SECURED WITH ManagerLabel)   
  
  
SECURITY POLICY DataAccess  
 
 

Set the same security tag on all columns forcibly accessed by Oracle, and associate a table as a whole with a security tag, this saves the time overhead for Row-level security tag comparison and storage space overhead.

Note: A table can only have one security policy, and only one security policy tag can be used for one column. A table can only have one row-level tag column.