Analysis of formal models for access control and specific features of their applicability to databases

Authors

DOI:

https://doi.org/10.30837/rt.2021.2.205.05

Keywords:

security model, access control, information system, database

Abstract

An integral part of any project to create or assess the security of information systems and databases is the presence of a security model. The paper considers the main positions of the most common security models based on controlling the access of subjects to objects. The analysis of formal models for access control has revealed that each of them, having certain advantages and disadvantages, has the right to be used. The decisive factor in making a decision is an assessment of a specific situation, which will allow one to make the right choice. In this regard, the paper notes that security models based on discretionary policies are advisable to be applied when conducting formal verification of the correctness of building access control systems in well-protected information systems and databases. However, it is emphasized that these models have certain drawbacks that limit their use. The paper states that despite the fact that security models based on the mandatory access policy play a significant role in information security theory and their provisions have been introduced as mandatory requirements for systems that process secret information, as well as in the standards of secure systems, a number of problems may arise in the practical implementation of these models. Among these problems there are the problems associated with overestimating the security level, blind recordings, performing operations that do not fit into the framework of the model by privileged subjects. The paper also concludes that the use of security models based on role-based policy allows one to implement access control rules dynamically changing during the operation of information systems and databases, the effectiveness of which is especially noticeable when organizing access to the resources of systems with a large number of users and objects.

References

Tanenbaum A. S., Herbert Bos H. Modern Operating Systems. Fourth edition. Pearson, 2015. 1136 p.

Смирнов С. Н. Безопасность систем баз данных. Москва : Гелиос АРВ, 2007. 352 с.

Cunha M. M., Oliveira E. F., Tavares A. J., Ferreira L. G. Handbook of Research on Social Dimensions of Semantic Technologies and Web Services. Hershey, PA: IGI Global, 2009. 1180 p.

Зегжда Д. П., Ивашко А. М. Основы безопасности информационных систем. Москва : Горячая линия – Телеком, 2000. 452с.

Хоффман, Л. Дж. Современные методы защиты информации. Москва : Сов. радио, 1980. 264 с.

Гайдамакин H. A. Теоретические основы компьютерной безопасности. Екатеринбург : Изд-во Уральск. ун-та, 2008. 212 с.

Weissman C. Security controls in the ADEPT-50 time-sharing system // Proceedings of the November 18-20, 1969, fall joint computer conference. 1969. P. 119-133.

Hartson H. R., Hsiao D. K. A Semantic Model for Database Protection Languages. Systems for Large Data Bases. North-Holland, Amsterdam : Publishing Co., 1976. P. 27-42.

Harrison M. A., Ruzzo W. L., Ullman J. D. Protection in Operating Systems // Communications of the ACM, 1976. № 19(8). P. 461–471.

Lipton R. J., Snyder L. A linear time algorithm for deciding subject security // Journal of the ACM (JACM), 1977. № 24(3). P. 455-464.

Цирлов В. Л. Основы информационной безопасности автоматизированных систем. Ростов-на-Дону : Феникс, 2008. 173 с.

Sandhu R. S. The Typed Access Matrix Model // Proceedings of IEEE Symposium on Security and Privacy, Oakland, California, May 4-6, 1992, P. 122-136.

Девянин П. Н. Модели безопасности компьютерных систем. Управление доступом и информационными потоками. 2-е изд. Москва : Горячая линия – Телеком, 2013. 338 с.

Скакун В. В. Защита информации в базах данных и экспертных системах. Минск : БГУ, 2015. 140 с.

Frank J., Bishop M. Extending the take-grant protection system // Technical Report, Department of Computer Science, University of California at Davis, 1996. 14 p. URL: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.51.907&rep=rep1&type=pdf. (accessed on: 04.02.2021).

Garcia-Molina H., Ullman J. D., Widom J. Database Systems. The Complete Book, 2th ed. Pearson Prentice Hall, 2009. 1203 p.

ISO/IEC 9075-2:2016 Information technology. Database languages. SQL. Part 2: Foundation (SQL/Foundation). URL: https://www.iso.org/standard/63556.html. (accessed on: 04.02.2021).

Грофф Д. Р., Вайнберг П. Н., Оппель Э. Д. SQL : полное руководство, 3-е изд. ; пер. с англ. Москва : Вильямс, 2015. 960 с.

Марков А. С., Цирлов В. Л., Барабанов А. В. Методы оценки несоответствия средств защиты информации. Москва : Радио и связь, 2012. 192 с.

Bell D. E., LaPadula L. J. Secure Computer Systems: Unified Exposition and Multics Interpretation (MTR-2997 Rev. 1). Bedford, Mass.: MITRE Corp., 1976. 129 p.

Date C. J. An Introduction to Database Systems, 8th ed. New York, USA : Pearson Education, Inc., 2004. 983 p.

Patent US 2004/0044655A1, United States, Row-level security in a relational database management system / Curt Cotner, Gilroy, CA (US); Roger Lee Miller, San Jose, CA (US); International Business Machines Corporation, Armonk, NY (US). N 10/233,397; Mar. 4, 2004.

Patent 8,131,664 B2, United States, Row-level security in a relational database management system / Curt Cotner, Gilroy, CA (US); Roger Lee Miller, San Jose, CA (US); International Business Machines Corporation, Armonk, NY (US). N 12/242,241; Mar. 6, 2012.

Patent 8.478,713 B2, United States, Row-level security in a relational database management system / Curt Cotner, Gilroy, CA (US); Roger Lee Miller, San Jose, CA (US); International Business Machines Corporation, Armonk, NY (US). N 15/343,568; Jan. 16, 2018.

Кайт Т. Oracle для профессионалов ; пер. с англ. СПб. : ООО «ДиаСофтЮП», 2003. 672 с.

Нанда А., Фейерштейн С. Oracle PL/SQL для администраторов баз данных ; пер. с англ. СПб : Символ-Плюс, 2008. 496 с.

Oracle Database 19c. Administrator's Guide. Understanding Data Labels and User Labels. URL: https://docs.oracle.com/en/database/oracle/oracle-database/19/olsag/understanding-data-labels-and-user-labels.html#GUID-2C0383D3-4AA5-4263-B938-827E2CCC40C0 (accessed on: 04.02.2021).

Щербаков А. Ю. Современная компьютерная безопасность. Теоретические основы. Практические аспекты. Москва : Книжный мир, 2009. 352 с.

McLean J. The specification and modeling of computer security // Computer. 1990. № 23(1). P. 9-16.

McLean J. Security models. Encyclopedia of software engineering, Vol. 2. Wiley, 1994. P. 1136-1145.

Sandhu R.S., Coyne E. J., Feinstein H. L., Youman C. E. Role-based access control models // IEEE Computer. 1996. № 2. P. 38-47.

Published

2021-07-02

How to Cite

Vilihura , V. . (2021). Analysis of formal models for access control and specific features of their applicability to databases. Radiotekhnika, 2(205), 53–70. https://doi.org/10.30837/rt.2021.2.205.05

Issue

Section

Articles