Publication


Featured research published by Mark R. Heckman.


IEEE Symposium on Security and Privacy | 1988

The SeaView security model

Dorothy E. Denning; Teresa F. Lunt; Roger R. Schell; William R. Shockley; Mark R. Heckman

A formal security policy model that uses basic view concepts for a secure multilevel relational database system is described. The model is formulated in two layers, one corresponding to a security kernel or reference monitor that enforces mandatory security, and the other defining multilevel relations and formalizing policies for labeling new and derived data, data consistency, discretionary security, and transaction consistency. This includes the policies for sanitization, aggregation, and downgrading. The model also defines application-independent properties for entity integrity, referential integrity, and polyinstantiation integrity.


IEEE Symposium on Security and Privacy | 1986

Views for Multilevel Database Security

Dorothy E. Denning; Selim G. Akl; Matthew Morgenstern; Peter G. Neumann; Roger R. Schell; Mark R. Heckman

Because views on relational database systems mathematically define arbitrary sets of stored and derived data, they have been proposed as a way of handling context- and content-dependent classification, dynamic classification, inference, aggregation, and sanitization in multilevel database systems. This paper describes basic view concepts for a multilevel-secure relational database model that addresses the above issues. The model treats stored and derived data uniformly within the database schema. All data in the database is classified according to views called classification constraints, which specify security levels for related data. In addition, views called aggregation constraints specify classifications for aggregates that are classified higher than the constituent elements. All data accesses are confined to a third set of views called access views, which filter out all data classified higher than their declared view level.


IEEE Symposium on Security and Privacy | 1988

A near-term design for the SeaView multilevel database system

Teresa F. Lunt; Roger R. Schell; William R. Shockley; Mark R. Heckman; Dan Warren

The SeaView formal security policy model admits a range of designs for a multilevel secure relational database system. The requirement for a near-term implementation suggests that the design should utilize existing technology to the extent possible. Thus the design uses an existing database management system ported to an existing TCB (trusted computing base) environment. A preprocessor translates key constructs of the SeaView multilevel relational data model to those of the standard relational model used by the commercial database system. The underlying reference monitor enforces mandatory and basic discretionary controls with A1 assurance. By combining single-level data into a multilevel view, it is possible to use a commercial database system and classify data at the relation level to implement the SeaView model, with element-level classification.


Computers & Security | 1988

Reviewed articles: Element-level classification with A1 assurance

Teresa F. Lunt; Dorothy E. Denning; Roger R. Schell; Mark R. Heckman; William R. Shockley

We describe our approach to multilevel database security and show that we can support element-level labeling in a Class A1 database system without the need to verify the entire database system, or even most of it. We achieve both the high degree of assurance required for Class A1 and the flexibility of element-level labeling by layering the TCB, where the lowest TCB layer is a reference monitor enforcing mandatory security; and by decomposing multilevel relations into single-level relations that are managed by the reference monitor. This decomposition means that multilevel relations are actually views over single-level base relations, which suggests that our multilevel relational system could be implemented on a standard (untrusted) relational system running on a reference monitor.


Military Communications Conference | 2012

A high-assurance, virtual guard architecture

Mark R. Heckman; Roger R. Schell; Edwards E. Reed

Although one senior security professional has emphasized that “it is unconscionable to use overly weak components” in a multilevel security (MLS) context, the majority of current transfer guards do exactly that. Basic guard technology is well-developed and has a long history, but most guards are built on low-assurance systems vulnerable to software subversion, and the lack of assurance limits the range of transfers. This paper describes a virtual guard architecture that leverages mature MLS technology previously certified and deployed across domains from TS/SCI to Unclassified. The architecture permits a single guard system to simultaneously and securely support many different transfer functions between many different domain pairs. Not only does this architecture substantially address software subversion, support adaptable information transfer policies, and have the potential to dramatically reduce (re)certification effort, the virtualized guard execution environment also promises to significantly enhance efficient and scalable use of resources.


Information-an International Interdisciplinary Journal | 2016

Using Proven Reference Monitor Patterns for Security Evaluation

Mark R. Heckman; Roger R. Schell

The most effective approach to evaluating the security of complex systems is to deliberately construct the systems using security patterns specifically designed to make them evaluable. Just such an integrated set of security patterns was created decades ago based on the Reference Monitor abstraction. An associated systematic security engineering and evaluation methodology was codified as an engineering standard in the Trusted Computer System Evaluation Criteria (TCSEC). This paper explains how the TCSEC and its Trusted Network Interpretation (TNI) constitute a set of security patterns for large, complex and distributed systems and how those patterns have been repeatedly and successfully used to create and evaluate some of the most secure government and commercial systems ever developed.


Military Communications Conference | 2015

A multi-level secure file sharing server and its application to a multi-level secure cloud

Mark R. Heckman; Roger R. Schell; Edwards E. Reed

Contemporary cloud environments are built on low-assurance components, so they cannot provide a high level of assurance about the isolation and protection of information. A “multi-level” secure cloud environment thus typically consists of multiple, isolated clouds, each of which handles data of only one security level. Not only are such environments duplicative and costly, data “sharing” must be implemented by massive, wasteful copying of data from low-level domains to high-level domains. The requirements for certifiable, scalable, multi-level cloud security are threefold: 1) To have trusted, high-assurance components available for use in creating a multi-level secure cloud environment; 2) To design a cloud architecture that efficiently uses the high-assurance components in a scalable way, and 3) To compose the secure components within the scalable architecture while still verifiably maintaining the system security properties. This paper introduces a trusted, high-assurance file server and architecture that satisfies all three requirements. The file server is built on mature technology that was previously certified and deployed across domains from TS/SCI to Unclassified and that supports high-performance, low-to-high and high-to-low file sharing with verifiable security.


Cyber Security and Information Intelligence Research Workshop | 2011

Using a high assurance TCB for infrastructure security

Mark R. Heckman; Roger R. Schell; Edwards E. Reed

The vulnerability of infrastructure systems to “hackers” and other outside threats is serious and widely reported. Even more dangerous is an increasing vulnerability to the insidious threat of software subversion – including intentional destruction or tampering with the very mechanism depended upon for security. Increased connectivity and use of commodity systems notorious for weak security only accelerate this trend. This presentation proposes to leverage technology developed for a Class A1, high-assurance, trusted computing base (TCB) to protect infrastructure communications and security-critical processing. Class A1 significantly addresses the risk of subversion and other threats.


Archive | 1985

Designing the GEMSOS security kernel for security and performance

Roger R. Schell; T. F. Tao; Mark R. Heckman


Archive | 1987

The SeaView Formal Security Policy Model

Dorothy E. Denning; Teresa F. Lunt; Roger R. Schell; Mark R. Heckman; William R. Shockley

Collaboration


Top Co-Authors

Roger R. Schell

Naval Postgraduate School
