💾 Archived View for gemini.spam.works › mirrors › textfiles › hacking › ncsc-tr-005-2.txt captured on 2023-01-29 at 07:52:29.
⬅️ Previous capture (2021-12-04)
-=-=-=-=-=-=-
NCSC TECHNICAL REPORT - 005 Volume 2/5 Library No. S-243,039 FOREWARD This report is the second of five companion documents to the Trusted Database Management System Interpretation of the Trusted Computer System Evaluation Criteria. The companion documents address topics that are important to the design and development of secure database management systems, and are written for database vendors, system designers, evaluators, and researchers. This report addresses entity and referential integrity issues in multilevel secure database management systems. ACKNOWLEDGMENTS The National Computer Security Center extends special recognition to the authors of this document. The initial version was written by Vinti Doshi and Sushil Jajodia of the MITRE Corporation. The final version was written by Bill Wilson and Stan Wisseman of Arca Systems, Inc. The documents in this series were produced under the guidance of Shawn P. O'Brien of the National Security Agency, LouAnna Notargiacomo and Barbara Blaustein of the MITRE Corporation, and David Wichers of Arca Systems, Inc. We wish to thank the members of the information security community who enthusiastically gave of their time and technical expertise in reviewing these documents and in providing valuable comments and suggestions. TABLE OF CONTENTS SECTION PAGE 1.0 INTRODUCTION 1 1.1 BACKGROUND AND PURPOSE 1 1.2 SCOPE 1 1.3 INTRODUCTION TO ENTITY AND REFERENTIAL INTEGRITY 2 1.4 AUDIENCES OF THIS DOCUMENT 3 1.5 ORGANIZATION OF THIS DOCUMENT 4 2.0 BACKGROUND 5 2.1 BASIC CONCEPTS OF ENTITY AND REFERENTIAL INTEGRITY 6 2.2 REFERENTIAL INTEGRITY RULES 10 2.2.1 DELETE 10 2.2.2 UPDATE of Referenced Relation 13 2.2.3 NSERT or UPDATE of Referencing Relation 17 2.2.4 Additional Rules 17 2.3 PROBLEMS WITH REFERENTIAL INTEGRITY CONSTRAINTS 17 3.0 ENTITY AND REFERENTIAL INTEGRITY IN MLS DATABASES 18 3.1 RELATED TCSEC REQUIREMENTS 18 3.2 BASIC CONCEPTS IN MULTILEVEL RELATIONS 19 3.3 THE CONCEPT OF PRIMARY KEY IN MULTILEVEL RELATIONS 21 3.4 ENTITY INTEGRITY IN MULTILEVEL RELATIONS 21 3.5 REFERENTIAL INTEGRITY IN MULTILEVEL RELATIONS 22 3.6 ENFORCEMENT OF INTEGRITY CONSTRAINTS 25 4.0 COVERT CHANNELS 27 4.1 PRIMARY KEY UNIQUENESS 27 4.2 ENFORCEMENT OF REFERENTIAL INTEGRITY RULES 28 4.2.1 Enforcement of Integrity Rules When C[FK] = C[PK] 29 4.2.2 Enforcement of Integrity Rules When C[FK] > C[PK] 30 4.3 RELATION TO DBMS ARCHITECTURE 36 5.0 SUMMARY 38 REFERENCES 39 LIST OF FIGURES FIGURE PAGE 2.1: RELATION SOD 6 2.2: RELATION PS 8 2.3: REFERENTIAL CONSTRAINTS IN RELATIONS PR, PS, AND SOD 9 2.4: RELATIONS SOD AND PS AFTER STARSHIP = "APOLLO" IS DELETED UNDER THE CASCADES-DELETE RULE 11 2.5: RELATIONS SOD AND PS AFTER STARSHIP = "APOLLO" IS DELETED UNDER THE NULLIFIES-DELETE RULE 12 2.6: RELATIONS SOD AND PS AFTER STARSHIP = "ENTERPRISE" IS UPDATED TO THE VALUE "USS ENTERPRISE" UNDER THE CASCADES-UPDATE RULE 15 2.7: RELATIONS SOD AND PS AFTER STARSHIP = "ENTERPRISE" IS UPDATED TO THE VALUE "USS ENTERPRISE" UNDER THE NULLIFIES-UPDATE RULE 16 3.1: DIFFERENT SOD VIEWS BASED ON ACCESS CLASS 21 3.2: TYPICAL RELATION INSTANCES FOR SOD AND PS 23 3.3: UNCLASSIFIED INSTANCES OF PS AND SOD RELATIONS 24 4.1: SOD AFTER INSERTION OF TUPLE CORRESPONDING TO STARSHIP = "VOYAGER" BY UNCLASSIFIED USER 28 4.2: RELATION PS AND SOD WHEN C[FK] = C[PK] 30 4.3: RELATIONS SOD AND PS WITHOUT POLYINSTANTIATION 32 4.4: RELATIONS WITH TUPLE-LEVEL GRANULARITY 34 4.5: RELATIONS WITH ATTRIBUTE-LEVEL GRANULARITY 35 LIST OF TABLES TABLE PAGE 4.1: SUMMARY OF COVERT CHANNELS IN REFERENTIAL INTEGRITY RULES 36 SECTION 1 INTRODUCTION This document is the second volume in the series of companion documents to the Trusted Database Management System Interpretation of the Trusted Computer System Evaluation Criteria [TDI 91; DoD 85]. This document examines entity and referential integrity issues in multilevel secure (MLS) database management systems and summarizes the research to date in these areas. 1.1 BACKGROUND AND PURPOSE In 1991 the National Computer Security Center published the Trusted Database Management System Interpretation (TDI) of the Trusted Computer System Evaluation Criteria (TCSEC). The TDI, however, does not address many topics that are important to the design and development of secure database management systems (DBMSs). These topics (such as inference, aggregation, and database integrity) are being addressed by ongoing research and development. Since specific techniques in these topic areas had not yet gained broad acceptance, the topics were considered inappropriate for inclusion in the TDI. The TDI is being supplemented by a series of companion documents to address these issues specific to secure DBMSs. Each companion document focuses on one topic by describing the problem, discussing the issues, and summarizing the research that has been done to date. The intent of the series is to make it clear to DBMS vendors, system designers, evaluators, and researchers what the issues are, the current approaches, their pros and cons, how they relate to a TCSEC/TDI evaluation, and what specific areas require additional research. Although some guidance may be presented, nothing contained within these documents should be interpreted as criteria. These documents assume the reader understands basic DBMS concepts and relational database terminology. A security background sufficient to use the TDI and TCSEC is also assumed; however, fundamentals are discussed whenever a common understanding is important to the discussion. 1.2 SCOPE This document addresses entity and referential integrity issues in multilevel secure DBMSs. It is the second of five volumes in the series of TDI companion documents, which includes the following documents: ? Inference and Aggregation Issues in Secure Database Management Systems [Inference 96] ? Entity and Referential Integrity Issues in Multilevel Secure Database Management Systems ? Polyinstantiation Issues in Multilevel Secure Database Management Systems [Poly 96] ? Auditing Issues in Secure Database Management Systems [Audit 96] ? Discretionary Access Control Issues in High Assurance Secure Database Management Systems [DAC 96] This series of documents uses terminology from the relational model to provide a common basis for understanding the concepts presented. For most of the topics covered in this series the concepts presented should apply to most database modeling paradigms, depending on the specifics of each model. For the entity and referential integrity constraints discussed in this document, however, there are important differences between different models. This is because the primary keys in a relational DBMS represent both unique identifiers for tuples and values of attributes in the tuple. They must be protected in accordance with the sensitivity of the data they represent and this can interfere with their role as a unique identifier of tuples. By contrast, the object identifier (OID) in an Object-Oriented DBMS is not a property or attribute of the object it identifies, and does not represent a user-visible data value. Khoshafian and Copeland provide a useful taxonomy of different ways of specifying object identity including the techniques used in relational and Object- Oriented DBMSs [Khoshafian 86]. Similarly, in a relational DBMS, foreign keys represent data values and serve as pointers to other tuples. In an Object-Oriented DBMS, pointers to other objects are not used to store data values, but rather to represent the inclusion of one object within another. As in relational databases, problems may occur if a reference is deleted and some references remain in objects. The implications of these distinctions for enforcement of secrecy in an Object-Oriented DBMS require further research. This document specifically addresses relational DBMSs. This document is related to the companion documents Inference and Aggregation Issues in Secure Database Management Systems and Polyinstantiation Issues in Multilevel Secure Database Management Systems. Much of the discussion of the relationship between enforcement of integrity constraints and multilevel security centers on the potential inference channels which integrity constraints can introduce. One way to avoid these channels for entity integrity is to use polyinstantiation. This is discussed later in more detail. 1.3 INTRODUCTION TO ENTITY AND REFERENTIAL INTEGRITY Secrecy and integrity are two key concepts in the community of database security researchers and users. Secrecy refers to the protection or safety of the data against unauthorized disclosure, and integrity refers to the unauthorized alteration or destruction of data. In the wider database research community, integrity refers more generally to the correctness, accuracy, and internal consistency of data. Preserving the accuracy of information is extremely important rn any database. In the relational model, one way in which accuracy of information is preserved is by preventing updates that violate integrity constraints. Entity integrity and referential integrity are two of the most important integrity constraints. They are defined on relations and are enforced by the DBMS. Entity integrity states that no primary key attribute of a relation is allowed to have null values. In addition, the primary key must have a unique value. These properties of a primary key correspond to the fact that entities in the real world are distinguishable (i.e., they have a unique identification of some kind). In the relational model, the primary key performs the function of unique identification. Referential integrity is an interrelation integrity constraint. In general, referential integrity defines existence relationships between entities in a database that need to be maintained by the DBMS. This document defines these integrity constraints formally and presents their importance in the context of security in detail. In multilevel applications, data are classified to control disclosure. It is important to realize the necessary trade-off to be made between secrecy and integrity because of the challenges in enforcing integrity constraints across multiple secrecy levels without disclosure of information. This document defines entity and referential integrity for a standard relational DBMS and then presents methods for resolving the inherent integrity/secrecy conflict in an MLS environment. 1.4 AUDIENCES OF THIS DOCUMENT This document is targeted at four primary audiences: the security research community, database application developers/system integrators, trusted product vendors, and product evaluators. In general, this document is intended to present a framework for understanding the nature of entity and referential integrity policies or requirements and how they conflict with the need to enforce an access control policy. This framework is used to describe the research that has been done to date and the approaches they present for providing solutions. Each of the specific audiences should expect to get the following from this document: Researcher This document describes the basic problems in simultaneously enforcing integrity constraints and MAC. Some important research contributions are discussed as various topics are covered. Related research on other aspects of integrity and the relationship to secrecy is discussed in Section 3.6. For additional relevant work, the researcher should consult two other companion documents, Inference and Aggregation Issues in Secure Database Management Systems [Inference 96] and Polyinstantiation Issues in Multilevel Secure Database Management Systems [Poly 96]. Database Application Developer/System Integrator This document describes various entity and referential integrity facilities which could be provided by an MLS DBMS. It discusses the implications of these facilities relative to the tradeoffs involved in meeting a system's requirements for secrecy and integrity. Trusted Product Vendor This document describes the conflicts between Mandatory Access Controls (MAC) and multilevel entity and referential integrity constraints. It then discusses approaches to entity and referential integrity enforcement in an MLS database and the benefits and drawbacks of these approaches. In particular, it considers how the issues with enforcement of entity and referential integrity constraints in an MLS database relate to the TCSEC access control and covert channel requirements. This is discussed in the context of tuple level as well as element level labeling. This document will provide a framework for understanding specific requirements interpretations as they are developed by the National Computer Security Center. Evaluator This document describes access control and covert channel issues related to entity and referential integrity. It provides a framework for analyzing specific vendor mechanisms and understanding Technical Review Board/Interpretations Working Group decisions. 1.5 ORGANIZATION OF THIS DOCUMENT The organization of the remainder of this document is as follows: ? Section 2 gives the definitions of entity and referential integrity with respect to single-level DBMSs and describes various important concepts related to referential integrity. ? Section 3 defines the basic concepts of entity and referential integrity with respect to multilevel relations. ? Section 4 discusses the issues associated with covert channels related to enforcing entity and referential integrity constraints. ? Section 5 presents conclusions. SECTION 2 BACKGROUND Entity integrity and referential integrity are two basic integrity requirements in a relational DBMS (RDBMS). They help prevent incorrect data from being entered into the database. Entity integrity guarantees a unique representation of each entity in the database through specification of primary key attributes for each relation. Referential integrity assures that if any references exist between two or more entities, then the related entities do exist in the database. Referential integrity places restrictions on foreign key attributes. Referential integrity is one of the most important interrelation integrity constraints for the relational data model. Although its basic concepts have been discussed over the past ten years, a successful referential integrity capability for a RDBMS is still a challenging implementation problem. While referential integrity appears to be a simple concept, the operational definitions that appear in the literature are imprecise and lead to a host of anomalies. A standard relational database can be perceived by its users as a collection of relations. A relation has well-defined mathematical properties and is used to store data. Each relation has two parts: 1. A state-invariant relation schema R (A1, A2, ..., An), where each Ai is an attribute over some domain Di, 1 ? i ? n, which is a set of acceptable values for Ai. 2. A state-dependent relation R over R, which is a set of distinct tuples of the form (a1, a2..., an), where each element ai; is a value in domain di, 1 ? i ? n. The following notation and conventions are used throughout this document. In definitions, relation schemes are denoted in bold fonts (such as R, R1, R2), and the corresponding relations are denoted using plain fonts (such as R, R1, R2). However, when clear in specific examples, the same symbol is used to denote the relation schema, as well as the corresponding relation. Let X denote one or more attributes of a relation R. If t is a tuple in a relation R, t [X] denotes the projection of t onto X. This section first defines entity and referential integrity, followed by terminology related to these concepts. The examples make use of Structured Query Language (SQL) syntax [ANSI 92, 94]. The section then gives various rules for enforcing referential integrity and discusses the problems associated with referential integrity in single-level relational databases. From this understanding of integrity, we can then better discuss the conflict with enforcement of a MAC policy in Section 3. 2.1 BASIC CONCEPTS OF ENTITY AND REFERENTIAL INTEGRITY Before defining entity integrity, it is necessary to define the concept of a primary key. In simple terms, the primary key of a relation is just a unique identifier of each tuple in the relation. More precisely, a primary key for a relation R is a set of attributes PK with the following properties: 1. The value of PK uniquely identifies each tuple in the relation R. That is, for any state of R, and any tuples t1 and t2, if t1[PK] = t2[PK] then t1 = t2. 2. PK is minimal. That is, there is no proper subset of PK satisfying property 1. It is possible there is more than one set of attributes satisfying these properties. Any such set is called a candidate key. Precisely one candidate must be chosen and designated as the primary key of R. Example 1. Consider the relation schema SOD (Starship, Objective, Destination), which contains for each starship its name (Starship), the purpose of the flight (Objective), and its destination (Destination). An example relation for relation schema SOD is given in Figure 2.1. STARSHIP OBJECTIVE DESTINATION Enterprise Exploration Talos Voyager Spying Mars Apollo Exploration Moon Saratoga Mining Moon Figure 2.1: Relation SOD Since the attribute Starship uniquely identifies each tuple of the relation SOD, it is a candidate key of the relation SOD. As Starship is the only candidate key of the relation SOD, it is also the primary key of relation SOD. In SQL syntax, the attribute(s) constituting the primary key can be specified when a relation schema is created, as the following shows: CREATE TABLE SOD (Starship CHAR(20) NOT NULL, Objective CHAR(15), Destination CHAR(10), PRIMARY KEY (Starship)) Notice that the ANSI syntax uses the term "TABLE" instead of the term "relation" used in this document. The entity integrity constraint requires that all attribute values of the primary key be defined for each tuple. Entity Integrity: If PK is the primary key for relation R, then for all states of R, for every tuple t in R and every attribute A in PK, t[A] is not null. A foreign key provides a basis for a tuple to refer to another tuple. Let R1 and R2 be two relation schemas, and let R1 and R2 denote the respective relations corresponding to these schemas. Referential Integrity: Let PK denote the primary key of R2, and let FK denote one or more attributes of the relational schema R1. FK is said to be a foreign key of R1 referencing R2 if given any tuple t1 in R1, the following two requirements are met: 1. t1 [FK] is either wholly null or wholly non-null, and 2. Whenever t1[FX] is non-null, there is a tuple t2 in R2 such that t1[FK] = t2[PK]. Here R1 is the referencing relation and R2 is the referenced relation. Sometimes PK is referred to as the target value of the foreign key FK. Notice that R1 and R2 need not be distinct. Example 2. In addition to the relation schema SOD given in Example 1, consider the relation schema PS (Person_Name, Starship), which contains the name of the employee (Person_Name) and the name of the ship assigned to the employee (Starship). An example relation for PS is given in Figure 2.2. Suppose Person_Name uniquely identifies each employee in the PS relation, then Person_Name becomes the primary key for the relation schema PS. If Starship is declared a foreign key for PS with the relation schema SOD as the referenced relation, a DBMS that supports referential integrity will automatically ensure that whenever an employee is assigned a (non-null) ship, there is a matching tuple in the relation schema SOD with an identical value for the attribute Starship. Notice that employee Mr. Spock, given in Figure 2.2, has not been assigned any starship. It seems from the definition of the PS relation that nulls are allowed. In some applications it may be desirable to prohibit this situation (i.e., every employee must be assigned a starship). The referencing relation's schema definition can specify whether or not the foreign key attribute can assume a null value. Using SQL syntax, foreign keys can be specified as follows: CREATE TABLE PS Person_Name CHAR(15) NOT NULL, Starship CHAR(20), PRIMARY KEY (Person_Name), FOREIGN KEY (Starship) REFERENCES SOD (Starship)). PERSON_NAME STARSHIP James Kirk Enterprise Mr. Spock <null> Tim McKelley Apollo Figure 2.2: Relation PS It follows from the definition of the foreign key that there is an identical matching primary key value in the referenced relation for every foreign key value in the referencing relation. It is important to maintain the integrity between the referencing values (foreign key values) and the referenced values (primary key values). Example 3. Consider the relation schema PR (Person_Name, Rank), which contains the employee name (Person_Name) and the rank of the employee (Rank). Person_Name is the primary key for the relation schema. Person_Name is also the foreign key referring to relation schema PS. The relation schema PR can be expressed in SQL as follows: CREATE TABLE PR (Person_Name CHAR(20) NOT NULL, Rank CHAR(15), PRIMARY KEY (Person_Name), FOREIGN KEY (Person_Name) REFERENCES PS (Person Name)) Here, the relation schema PR references the relation schema PS given in Example 2. In addition, the relation schema PS in Example 2 references the relation schema SOD. Since there is a referential constraint from PR to PS, and also from PS to SOD, relation schema PS becomes both a referencing relation and a referenced relation, see Figure 2.3. Figure 2.3: Referential Constraints in Relations PR, PS, and SOD This can be depicted as a referential path from PR to SOD as follows: PR > PS > SOD Referential Cycles: Closed referential paths, or referential paths that point back to the starting relation, are referred to as referential cycles. In general, the referential cycle including n relations (where n > 1) can be represented as follows [Date 86, 90]: Rn > Rn-1 > Rn-2 > ... > R2 > R1 > Rn. Referential cycles are of interest since they can cause insertion problems. In the presence of referential cycles, it is necessary that one of the following constraints be true; otherwise, it is impossible to insert the first tuple in any or each of the relations: 1. One of the foreign keys in the referential cycle must be allowed to have a null value, or 2. The constraint check should be done only at the end-of-transaction (i.e., when the transaction commits). A self-referencing relation is a special case of a referential cycle that includes exactly one relation: a relation can have multiple foreign keys corresponding to different relations. Some important concepts related to the terms defined in this section can be summarized as follows: ? A primary key of a relation cannot have a null value in any tuple within that relation (entity integrity) and each primary key must be unique (property of a primary key). ? Foreign keys can have null values. For example, in Figure 2.2 the employee Mr. Spock has not been assigned any starship as yet; therefore, the Starship value for Mr. Spock is null. (Note: If in a specific instance it is desired to prohibit null values for foreign keys, this can be done by using a NOT NULL clause for the attributes in the foreign key when the relation is created.) ? For referential integrity, every non-null value of a foreign key must be matched by an identical primary key value in the referenced relation. But the converse need not be true; for example, starship Saratoga in Figure 2.1 has no employee assigned to it in Figure 2.2. ? A relation can be a referenced relation, as well as a referencing relation. 2.2 REFERENTIAL INTEGRITY RULES Whenever two or more relations are related through referential constraints, it is necessary that references be kept consistent in the face of insertions, deletions, and updates to these relations. Date identifies several actions which can be taken to maintain consistency of references [Date 90]. Exactly which action is chosen for a particular relation depends on the behavior desired by the underlying application. These possible actions are discussed in the following subsections. 2.2.1 DELETE When the target of a foreign key is deleted it could result in a dangling reference. Some action is needed to make sure this does not happen. Four options that may be specified for the referenced relation are RESTRICTED-delete, CASCADES-delete, NULLIFIES-delete, and SET DEFALILT-delete. Each of these is explained in turn. RESTRICTED-delete If the RESTRICTED-delete option is specified, the primary key value in the referenced relation cannot be deleted as long as there exists at least one matching foreign key value in the referencing relation. The deletion of the referenced value is restricted to the case where there is no corresponding referencing value in the referencing relation. For instance, suppose an attempt is made to delete the starship Apollo from the relation SOD. Since the referencing relation PS refers to the relation SOD through the attribute Starship, under the RESTRICTED-delete rule, this deletion cannot be performed as there is a tuple in PS referencing starship Apollo. The delete is denied and the two relations would remain unchanged. The syntax for specifying the RESTRICTED-delete rule may be given as follows: CREATE TABLE PS (Person_Name CHAR(20) NOT NULL, Starship CHAR(15), PRIMARY KEY (Person_Name), FOREIGN KEY (Starship) REFERENCES SOD (Starship), ON DELETE RESTRICT) CASCADES-delete Under the CASCADES-delete option, whenever the target tuple of a foreign key is deleted, all referencing foreign key tuples are also deleted. In the previous example, if an attempt is made to delete the starship Apollo from the relation SOD, the delete would be cascaded to the relation PS and the employee tuples referencing the starship Apollo would also be deleted. After such a CASCADES-delete operation, the relations SOD and PD would change to the form given in Figure 2.4. SOD STARSHIP OBJECTIVE DESTINATION Enterprise Exploration Talos Voyager Spying Mars Saratoga Mining Rigel PS PERSON_NAME STARSHIP James Kirk Enterprise Mr. Spock <null> Figure 2.4: Relations SOD and PS after Starship = "Apollo" is Deleted under the CASCADES-Delete Rule In SQL, the CASCADES-delete rule can be specified as follows: CREATE TABLE PS (Person_Name CHAR(20) NOT NULL, Starship CHAR(15), PRIMARY KEY (Person_Name), FOREIGN KEY (Starship) REFERENCES SOD (Starship), ON DELETE CASCADE) NULLIFIES-delete Whenever the NULLIFIES-delete option is specified for a foreign key, the referencing foreign key attribute values will be set to a null value when the tuple containing the referenced value is deleted. In the example given earlier, when starship Apollo is deleted, the foreign key value, for all tuples referencing Apollo in relation PS, is set to null. The new state of the relations is as shown in Figure 2.5. SOD STARSHIP OBJECTIVE DESTINATION Enterprise Exploration Talos Voyager Spying Mars Saratoga Mining Rigel PS PERSON_NAME STARSHIP James Kirk Enterprise Mr. Spock <null> Tim McKelley <null> Figure 2.5: Relations SOD and PS after Starship = "Apollo" is Deleted under the NULLIFIES-Delete Rule Before setting the referencing value to null, it is important to make sure that the relation schema allows a null value for the foreign key attribute. Otherwise, there will be a conflict. The NULLIFIES-delete rule can be expressed in SQL as follows: CREATE TABLE PS (Person_Name CHAR(20) NOT NULL, Starship CHAR(15), PRIMARY KEY (Person_Name), FOREIGN KEY (Starship) REFERENCES SOD (Starship), ON DELETE SET NULL) SET DEFAULT-delete The SQL2 [ANSI 92] and SQL3 [ANSI 94] standards provide yet another referential action for the delete operation, called SET DEFAULT. This option is similar to the NULLIFIES delete rule given above. The only difference is that the SET DEFAULT option contains a default clause that specifies the default value for the attribute. The default value may be a null or a non-null value. If the referential action specifies the SET DEFAULT option, then each referencing attribute is defined by an implicit or explicit default clause. If the default value is null, then SET DEFAULT is equivalent to a SET NULL. The SQL syntax for the SET DEFAULT-delete rule is as follows: CREATE TABLE PS (Person_Name CHAR(20) NOT NULL, Starship CHAR(15), PRIMARY KEY (Person_Name), FOREIGN KEY (Starship) REFERENCES SOD (Starship), ON DELETE SET DEFAULT < option>) The default option is specified in the <option> field. 2.2.2 UPDATE of Referenced Relation Changing the primary key values in a referenced relation could violate referential integrity unless appropriate action is taken. There are different options which can be specified for the referencing relation whenever an update is made to the target primary key values of a referenced relation. The possible options are RESTRICTED-update, CASCADES-update, NULLIFIES-update, or SET DEFAULT-update. RESTRICTED-update Under the RESTRICTED-update option, an update to the target primary key values of a referenced relation cannot be made as long as there exists at least one matching foreign key value in the referencing relation. The update to the referenced tuple is restricted to the case where there are no matching referencing tuples. As an example, suppose an attempt is made to update the name of the starship from Enterprise to USS Enterprise in relation SOD shown in Figure 2.1. As there is an employee assigned to the ship, the update is rejected. The relations SOD and PS remain unchanged, and look like Figures 2.1 and 2.2. The syntax for specifying the RESTRICTED-update option may be specified as follows: CREATE TABLE PS (Person_Name CHAR(20) NOT NULL, Starship CHAR(15), PRIMARY KEY (Person_Name), FOREIGN KEY (Starship) REFERENCES SOD (Starship), ON UPDATE RESTRICT) CASCADES-update If the CASCADES-update option is specified for a referencing relation, whenever an update is made to the referenced attribute, all changes are cascaded to the matching referencing attributes. This means that whenever the target value of a foreign key is modified, all referencing foreign key values are also similarly modified. Consider the example where an attempt is made to update the name of the starship from Enterprise to USS Enterprise in the relation schema SOD. Under CASCADE-update, the update is cascaded to the matching referencing tuples in the relation schema PS. For the employee assigned to starship Enterprise, the name is updated to USS Enterprise. The new state of the two relations SOD and PS is shown in Figure 2.6. In SQL, the CASCADE-update option can be expressed as follows: CREATE TABLE PS (Person_Name CHAR(20) NOT NULL, Starship CHAR(15), PRIMARY KEY (Person_Name), FOREIGN KEY (Starship) REFERENCES SOD (Starship), ON UPDATE CASCADE) SOD STARSHIP OBJECTIVE DESTINATION USS Enterprise Exploration Talos Voyager Spying Mars Apollo Exploration Moon Saratoga Mining Rigel PS PERSON_NAME STARSHIP James Kirk USS Enterprise Mr. Spock Null Tim McKelley Apollo Figure 2.6: Relations SOD and PS after Starship = "Enterprise" is Updated to the Value "USS Enterprise" under the CASCADES-Update Rule NULLIFIES-update Under the NULLIFIES-update option, the referencing foreign key attribute values are set to null whenever the target primary key values in the referenced relation are updated. In the example given earlier, when the name of the starship is updated from Enterprise to USS Enterprise, the Starship for the employee assigned to Enterprise is set to null. The new state of the relations is shown in Figure 2.7. Before setting the referencing value to null, it is important to make sure that the schema definition allows a null value for the foreign key attribute. If the nulls rule does not allow a null value, then there will be a conflict between the two integrity rules. The NULLIFIES-update rule is expressed in SQL syntax as follows: CREATE TABLE PS (Person_Name CHAR(20) NOT NULL, Starship CHAR(I5), PRIMARY KEY (Person_Name), FOREIGN KEY (Starship) REFERENCES SOD (Starship), ON UPDATE SET NULL) SOD STARSHIP OBJECTIVE DESTINATION USS Enterprise Exploration Talos Voyager Spying Mars Apollo Exploration Moon Saratoga Mining Rigel PS PERSON_NAME STARSHIP James Kirk < null > Mr. Spock < null > Tim McKelley Apollo Figure 2.7: Relations SOD and PS after Starship = "Enterprise" is Updated to the Value "USS Enterprise" under the NULLIFIES Update Rule SET DEFAULT-update SQL2 and SQL3 define another referential constraint for update, which is SET DEFAULT. If the referential constraint specifies the SET DEFAULT option, then each referencing attribute is defined by an implicit or explicit default clause. The default clause specifies the default value for the attribute, and the default value may be a null or a non-null value. If the default value is null, then the SET DEFAULT option can be considered equivalent to the NULLIFIES update rule. The SQL syntax for the SET DEFAULT-update rule is as follows: CREATE TABLE PS (Person_Name CHAR(20) NOT NULL, Starship CHAR(15), PRIMARY KEY (Person_Name), FOREIGN KEY (Starship) REFERENCES SOD (Starship), ON UPDATE SET DEFAULT <option>) The default option is specified in the <option> field. 2.2.3 INSERT or UPDATE of Referencing Relation When a tuple is inserted into a relation with a foreign key or a tuple in the relation is updated, the insertion (or update) of a foreign key value should be in accordance with referential integrity. Each foreign key value must be NULL or have an identical matching primary key value in the referenced relation. This requirement can be enforced by disallowing the insert (or update) unless the condition is met or by setting the foreign key to a default value or null (if nulls are allowed) when the condition is not met. 2.2.4 Additional Rules In spite of the many integrity rules discussed in this section, the rules above are not exhaustive. Additional options include conversation with the end user and transferring information to some other files. For instance, an additional option in SQL3 is the PENDANT specification, which implies that each primary key value in the referenced relation is the same as some foreign key value in the referencing relation. For example, if the referential constraint for the relation EMP is as shown below, then as soon as the last employee in a particular department is deleted, the department will also be deleted. FOREIGN KEY (Starship) REFERENCES [PENDANT] SOD(Starship) 2.3 PROBLEMS WITH REFERENTIAL INTEGRITY CONSTRAINTS Referential integrity plays a major role in RDBMSs where it is employed to express existence dependencies. The concept of referential integrity seems to be simple, but it has been a topic of discussion for the past several years [Markowitz 90; Horowitz 92]. The operational definitions are not precise and, therefore, lead to some anomalies. Confusion surrounds both the concept itself and its implementation in RDBMSs. There is a need to carefully examine the data manipulation problems caused by certain referential integrity structures and to find ways to avoid these problems. In a RDBMS, a single update or delete can affect multiple tuples through the application of referential integrity rules (e.g., cascading deletes or updates). It is necessary for these processes to be deterministic. In other words, the final state of the database should be a function of the initial state of the database, and the specific statement to be executed. At times, certain referential constraints associated with relations may block update or deletion of some tuples because of conflicting referential constraint specifications, thus making the outcome of the update or delete statement unpredictable. Some of the problems that have been identified are dependency on the order in which referential integrity constraints are applied, referential cycles, and dependency on the order in which the tuples are processed in response to a query. Discussion of these problems in detail is outside the scope of this document. SECTION 3 ENTITY AND REFERENTIAL INTEGRITY IN MLS DATABASES Before entity and referential integrity can be defined for multilevel relations, it is necessary to extend the basic concepts of classical (single-level) relations to the multilevel context. In MLS databases, data are assigned different security levels and each user is assigned a clearance level. Each user can only access data they are cleared for based on the user's security clearance. As a consequence the meaning of relations becomes more complicated in the multilevel world, and there is no clear consensus regarding the exact definition of a multilevel relational model. To develop an MLS database, it is necessary to (1) define a security policy, (2) develop mechanisms that support the policy, and (3) get the necessary assurance that the system developed is secure. This section first reviews the basic concepts for the multilevel relational data model, then defines entity and referential integrity constraints for multilevel relations. 3.1 RELATED TCSEC REQUIREMENTS The TCSEC imposes two types of requirements which affect how entity and referential integrity can be enforced in a DBMS targeted to meet the TCSEC requirements at B1 and above. A DBMS targeted for Class B1 or above must enforce a MAC policy over all subjects and storage objects it controls. This places requirements on the sensitivity labels of elements of primary and foreign keys and on the relationships between sensitivity levels of foreign keys and the primary keys they reference. For a DBMS targeted at Class B2 or above, the TCSEC requires a thorough search for covert channels (storage channels only at Class B2). In the multilevel context, enforcement of the uniqueness of primary keys and enforcement of referential integrity can create significant covert channels. Guidelines on acceptable bandwidths for covert channels are given in Section 8 of the TCSEC. This section specifically addresses the implications of direct enforcement of MAC controls (as required at B1 and above). The implications of integrity enforcement on covert channels is covered in Section 4. A determination of precisely which approaches to enforcing entity and referential integrity will be considered compliant with the TCSEC requirements will evolve over time as the Evaluation Community publishes official interpretations on this subject. However, with the successful evaluation of Trusted Oracle7 DBMS MAC Mode with an unmodified integrity mechanism, precedence has been set for Class B1 DBMSs [Oracle 94]. 3.2 BASIC CONCEPTS IN MULTILEVEL RELATIONS The basic model for multilevel relations needs to be defined with a MAC policy in mind. The MAC policy for MLS databases is often based on the Bell-LaPadula model [Bell 76], which is stated in terms of subjects and objects. A subject is an active entity, such as a process that can request access to objects, whereas an object is a passive entity, such as a record, a file, or a field within a record. Every subject is assigned a clearance level and every object a classification level. Classification levels and clearances are collectively referred to as security levels, and form a lattice. Each security level has two components: a hierarchical component and a set (possibly empty) of unordered categories. A security level c1 is said to dominate security level c2, in the partial order, if (1) the hierarchical component of c1 is greater than or equal to that of c2, and (2) all categories in c2 are included in those of c1. A security level c1 strictly dominates security level c2, in the partial order, if (1) c1 dominates c2, and (2) c1 does not equal c2. The following are two necessary conditions in the Bell-LaPadula model [Bell 76; DoD 85]: 1. The Simple Security Condition or "No Read Ups": A subject can only read objects at a security level dominated by the subject's level, and 2. The *-Property (Star Property) or "No Write Downs": A subject can only write objects at a security level that dominates the subject's level. To apply these concepts to a DBMS it is necessary to determine the granularity of the objects protected by MAC, i.e., the storage objects. Security levels are then associated with these storage objects. Work on MLS databases has focused on four choices for assigning security levels to data stored in a relation. One can assign security levels to entire relations, to individual tuples (rows) of a relation, to individual attributes (columns) of a relation, or to individual elements of a relation. In the definitions below, the most general case is considered, in which security levels are assigned to individual data elements stored in relations. However, since tuple level labeling is used in all DBMS products evaluated to date, the concepts are also considered in the (simplified) context of tuple level labeling. A relation schema in the multilevel context not only contains all its data attributes, but also includes the corresponding security level for each data attribute. Formal definitions of a multilevel relation schema and multilevel relations are as follows [Denning 87]: Relation Schema: A multilevel relation schema has the following form: R(A1, C1, A2, C2, ... , An, Cn). Each Ai is a data attribute over some domain Di and Ci is the classification attribute of Ai. The domain of Ci, i = 1, ...,n is some set consisting of security levels. If tuple level labeling is used, there will only be one classification attribute for the entire tuple: R(A1, A2, ... , An, C). For a multilevel logical relation schema R, there is a corresponding relation Rc per security level in the security lattice. A user having a clearance at a security level c sees the relation Rc, which contains data at security level c or below. More formally, Relations: A relation at a security level c has the following form: Rc(A1, C1, A2, C2, ... , An, Cn) Rc consists of a set of tuples of the form (a1, c1, a2, .2.... ,an, cn), where each ai lies in the domain Di or ai is null, c > ci, ci, i = 1 ... ,n. Even if ai is null, its classification attribute ci is never null. When an attribute value ai is null, there are two reasonable possibilities for the corresponding security level value: ci could be assigned a value that is identical to c, or the security level of the attributes constituting the primary key. In this document, ci would be assigned a value consistent with the second possibility. If the security level of the primary key value is not dominated by c in a tuple, then that tuple is not shown in Rc at all. If the security level of the primary key value is dominated by c, then that tuple is shown in Rc; however, any attribute value with a security level not dominated by c, is shown having a null value with the corresponding security level the same as that of the primary key value. For tuple level labeling, Rc consists of those tuples whose security level is dominated by c. These concepts can be better explained with the help of an example taken from [Jajodia 91]. Example 4. Consider the relation schema SOD given in Example 1. Starship is the primary key of the relation schema SOD, and the security levels are assigned at the granularity of individual data elements. The hierarchical order usually followed is Top Secret (TS), Secret (S), Confidential (C), and Unclassified (U). A user with a Secret clearance will see the entire multilevel relation SODS, while a user with an Unclassified clearance will see the Unclassified instance SODU as shown in Figure 3.1. SODS STARSHIP OBJECTIVE DESTINATION Enterprise U Exploration U Talos U Voyager U Spying S Mars S SODU STARSHIP OBJECTIVE DESTINATION Enterprise U Exploration Talos U Voyager U <null> <nulls> U Figure 3.1: Different SOD Views Based on Access Class 3.3 THE CONCEPT OF PRIMARY KEY IN MULTILEVEL RELATIONS The notion of a primary key is a fundamental concept in the world of single-level relational databases. The primary key is used to maintain integrity of relations, it is used during the database design, and it is also used for storage and retrieval purposes. The primary key for a single-level relation must satisfy the uniqueness property and the minimality property, as discussed in Section 2.1. Entity integrity requires that the primary key serves as a unique identifier of each tuple in the relation and that it does not contain a null value. The uniqueness property can create covert channels as discussed in Section 4. One approach to avoiding these channels involves augmenting the user-defined primary key with security level attributes associated with the primary key attributes. However, in the remainder of this document it is assumed that there is a user-specified primary key consisting of a subset of the data attributes and not including the security level [Denning 87]. It is called the apparent primary key of the multilevel relation schema. 3.4 ENTITY INTEGRITY IN MULTILEVEL RELATIONS A relation schema R will be assumed to have a user-defined apparent primary key consisting of one or more data attributes of R. It will be denoted by PK. The entity integrity property of the standard relational model can be extended to the multilevel environment by defining the three requirements given below, which are applicable only to element level classification [Denning 87]. The three requirements are automatically met for tuple level classification. The first requirement is the same as for the standard relational model, that no tuple in an Rc have a null value for any attribute in PK. The second requirement states that the PK values should be uniformly classified; otherwise, the PK value would not be wholly non-null or wholly null for some security level. The third requirement states that the security level of values for the attributes not in PK must dominate the security level of the PK attributes; otherwise, there could be instances where non-null attributes would be associated with a null primary key when viewed below the level of the primary key. These three requirements can be more formally defined as follows: A multilevel relation schema R is said to satisfy entity integrity, if for all relation instances Rc of R and, tuple t ? Rc, 1. If Ai ? PK, then t[Ai] ?null, 2. If Ai, Aj ? PX, then t[Ci] = t[Cj], i.e., PK is said to be uniformly classified, and 3. If Ai ? PK, then t[Ci] t[C[PK]] (where C[PK] is the classification of the apparent primary key PK). 3.5 REFERENTIAL INTEGRITY IN MULTILEVEL RELATIONS As discussed in the previous section, a non-null foreign key value in a referencing relation should always have a matching primary key value in the referenced relation. In an MLS database, this requirement has implications for the relationship among the security levels of the attributes of the foreign key and the security level of the referenced primary key. In addition, the possible actions which could be taken to enforce referential integrity on update and deletion can introduce covert channels as discussed in Section 4. Relation schemas, in the following example, will be used to illustrate the different situations in which a security conflict may occur. Example 5. Consider the multilevel relation schema PS given in Example 2. Person_Name is the apparent primary key of the relation schema PS, and Starship is the foreign key of PS, which refers to the relation schema SOD. Typical relation instances for SOD and PS are given in Figure 3.2. Note that in the example schema only the attribute names are part of the primary key and the foreign key. The respective security levels are not a part of the key. Therefore, there are some tuples with the security level of the foreign key in relation PS higher or lower than the security level of the corresponding primary key in relation SOD. The example includes such tuples to explain the conflicts arising when the security levels are at different levels. SOD STARSHIP OBJECTIVE DESTINATION Enterprise U Exploration U Talos U Voyager U Spying S Mars S Apollo S Spying S Moon S PS PERSON_NAME STARSHIP James Kirk U Enterprise U Mr. Spock U Voyager S Tim McKelley U Apollo U Figure 3.2: Typical Relation Instances for SOD and PS Recall the definition of referential integrity for standard relational databases: Referential Integrity: If FK is a foreign key of R1 referencing R2, PK is the primary key of R2, t1 is a tuple of an instance R1 of R1, and t2 is a tuple of an instance R2 of R2, then 1. t1 [FK] is either wholly null or wholly non-null, and 2. Whenever t1[FK] is non-null, there is a tuple t2 in R2 such that t1[FK] = t2[PK]. For MLS databases we need to have this property be true for the database as seen from any security level. Assume tl [FK] is not wholly null as viewed from some security level. The first requirement above says that it must then be wholly non-null. If the attribute values making up FK did not all have the same security level, there would be some security level for which some of the attribute values in FK would be null and others non-null. Since this is not allowed, all attribute values in FK must have the same security level. If all attribute values of FK are null, then by convention they are assigned the same security level. This argument gives us the first rule for referential integrity. Rule 1. The foreign key of the referencing relation must be uniformly classified (i.e., all attribute values that make up the foreign key must be assigned an identical security level). This rule is automatically satisfied for tuple level labeling. The second part of referential integrity requires that if the foreign key FK is not null then there is a matching primary key PK in the referenced relation R2. For this to be true for the database as seen from the security level of FK, the matching PK must be visible at the security level of FK. Hence, the security level of FK must dominate the security level of the matching primary key PK. This gives us the second rule of referential integrity. Rule 2. The security level of the foreign key must dominate the security level of the primary key of the referenced tuple (i.e., C[FK] > C[PK]). For tuple level labeling, this rule reduces to the requirement that the security level of the referenced tuple must be dominated by the security level of the referencing tuple. PS PERSON_NAME STARSHIP James Kirk U Enterprise U Mr. Spock U Null U Tim McKelley U Apollo U SOD STARSHIP OBJECTIVE DESTINATION Enterprise U Exploration U Talos U Voyager U Null U Null U Figure 3.3: Unclassified Instances of PS and SOD Relations Example 6. Consider the relations SOD and PS as shown in Figure 3.2. An Unclassified user sees the two relations as given in Figure 3.3. For the Unclassified user, the referential integrity property has been violated because there is no Starship "Apollo" visible to the Unclassified user. From the Unclassified user's point of view either Starship "Apollo" does not exist, which is a referential integrity error, or it references a classified Starship that is not displayed to the user, which is a security error. 3.6 ENFORCEMENT OF INTEGRITY CONSTRAINTS Most of the research work on the topics covered in this document has either focused on polyinstantiation as a mechanism to deal with primary key requirements and entity integrity or has dealt with the broader question of inference. Meadows did some early work on the conflicts of integrity and security that mainly considered approaches for maximizing integrity while eliminating inference channels [Meadows 88]. Polyinstantiation and inference research are covered in the appropriate TDI companion documents. However, there are several works dealing with aspects of database integrity which go beyond just entity and referential integrity and do not fit into those areas. Notargiacomo and Wiseman have explored separation of duty as an approach to protect data from unauthorized modification within MLS databases [Notargiacomo 91; Wiseman 90]. The concept of applying separation of duty to integrity enforcement is to ensure that, before a modification to the state is made, sufficient people agree that it properly reflects the real world requirement. The fact that certain users are unlikely to collude with a particular change, an underlying assumption, is indicated by the way roles are assigned to users. Notargiacomo explores the issues of integrating an interpretation of the Clark-Wilson integrity model [Clark 87, 88] into a multilevel DBMS security policy. Her preliminary investigation raised issues on object granularity; interaction of MAC, DAC, and integrity policies; application of Clark-Wilson type controls to classes of users; and the need for nested transactions. Wiseman sees the high level abstract view of separation of duty as several people agreeing to change state. Integrity can be encouraged by enforcing constraints which ensure the state is always valid and by subjecting inputs to separation of duty. Reind van de Reit and Beukering describe how constraints involving integrity and security can be specified in MOXUM, their active object-oriented knowledge-base system [van de Reit 94]. Their premise is that changes to the database should be governed by rules in the form of integrity constraints and security checks. In this case, integrity constraints refer to the quality of the data, while security constraints refer to protection and access rights. Both kinds of constraints are specified in MOKUM as Prolog predicates and are not separated. Each time some manipulation on an object or a collection mentioned in a constraint is performed (create/change/inspect/destroy), some check has to be performed. The Prolog scripts regulate access to object collections and enforce integrity constraints through triggers. This implies a need to extend the Trusted Computing Base to include the Prolog compiler which is problematic with respect to assurance. In addition to considering the entity and referential integrity conflicts with security, Maimone and Allen provide alternatives to resolving problems that arise in maintaining transaction integrity and value constraints [Maimone 91]. A security conflict with transaction integrity may arise if a single transaction is designed so that some steps must perform write operations at different security levels. Value constraints are defined integrity rules that may restrict the valid values for a data element. A conflict arises when some existing data classified above the label of the user activating the constraint does not meet constraints defined after object creation. They make the distinction between the use of triggers and constraints for enforcing integrity rules. The utility of declarative constraints, including primary and foreign key and value or domain constraints, is that the constraint declares an invariant property, detailing the meaning of a consistent state. Marks and Jajodia [Jajodia 94] have developed a technique to enforce certain integrity constraints and minimize the amount of sensitive information disclosed. They transform multilevel constraints into constraints that can be enforced at individual levels and approximate enforcement of the multilevel constraint. SECTION 4 COVERT CHANNELS The B2 or higher MAC requirements of the TCSEC specify that an MLS system must additionally guard against indirect accesses through information flows. It is recognized that some covert channels will exist in any system. The TCSEC provides guidelines on what actions must be taken for channels depending on the bandwidth of the channel. Enforcement of integrity constraints can create covert channels. These channels are discussed in this section. Interpretations indicating precisely what channels will be deemed acceptable for systems evaluated against various TCSEC levels will be developed as the Evaluation Community deals with specific vendor implementations. 4.1 PRIMARY KEY UNIQUENESS Problems arise in multilevel relations when a user at a lower security level tries to enter a tuple with the same primary key value as that of an existing tuple at a higher security level or when a user tries to update the primary key attribute to a value that already exists at a higher level. This insert/ update cannot be allowed if primary key uniqueness is to be preserved. On the other hand, if the user is not allowed to insert the primary key value, then there exists a covert channel. The following example provides a concrete illustration. Example 7. Consider the multilevel relation schema SOD of Example 4 in Section 3.2; the actual relation is the same as the Secret instance shown in Figure 3.3. Suppose the Unclassified user, who sees the Unclassified instance in Figure 3.3, attempts to update the missing values in the second tuple corresponding to the starship "Voyager." If the user is allowed to do this update, then there will be two tuples corresponding to the primary key value of Starship "Voyager" in the Secret instance, leading to a violation of the primary key constraint, as shown in Figure 4.1. But if the Unclassified user's attempt is rejected, then there is a channel. Since this is unacceptable, a way must be found to deal with the existence of both tuples in the Secret instance. STARSHIP OBJECTIVE DESTINATION Enterprise U Exploration U Talos U Voyager U Spying S Mars S Voyager U Exploration U Moon U Figure 4.1: SOD After Insertion of Tuple Corresponding to Starship = "Voyager" by Unclassified User Since the user can infer that a Secret tuple exists with the same primary key the user is attempting to insert, this channel can be viewed as an example of inference. However, it also represents a covert channel because a Secret process can insert or delete tuples with a given primary key and this action could be detected by the Unclassified user. To avoid this channel, both the Secret tuple and the Unclassified tuple for the starship "Voyager" must somehow co-exist in the instance at the Secret level. These security considerations have led to the notion of polyinstantiation [Denning 87]. Polyinstantiation forces a relation to contain multiple tuples with the same primary key but distinguishable by their classification levels or by the non-primary key attributes of the relation [Lunt 91]. It is because the user designated primary key must be augmented with classification levels to maintain primary key uniqueness in a polyinstantiated database that we have used Denning'' term apparent primary key for the user-specified primary key. Jajodia contends that the use of polyinstantiation for cover stories needs to be confined to those cases where it is intended since uncontrolled use of polyinstantiation leads to further loss of integrity and confusion with the semantics of the relational data model [Jajodia 90]. The debate continues as to whether polyinstantiation is needed in multilevel relations or not [Sandhu 91]. If polyinstantiation is not required in multilevel relations, then there must be a solution to close channels. If polyinstantiation is used, then the question is how polyinstantiation should be managed. Burns maintains that as a result of the fundamental conflict with enforcing confidentiality and secrecy of information in an MLS database with integrity, DBMS products will have to be expanded to include the ability to correct the errors and inconsistencies introduced by polyinstantiation [Burns 90a]. A thorough discussion of all the issues associated with polyinstantiation is beyond the scope of this document, but is covered in another volume in this series: Polyinstantiation Issues in Multilevel Secure Database Management Systems [Poly 96]. For the purpose of this document, the discussion of polyinstantiation is confined to the impact it has on referential integrity. 4.2 ENFORCEMENT OF REFERENTIAL INTEGRITY RULES Section 3 showed that for referential integrity in an MLS database, the security level of the foreign key must dominate the security level of the primary key of the referenced tuple (C [FK] C[PX]). This requirement guarantees that the referenced primary key will be visible to any user who sees the foreign key as non-null. However, the situation is somewhat more complicated if the referenced relation is polyinstantiated. In this event, there may be more than one tuple with an apparent primary key matching FK. Some method must be used to uniquely and consistently determine which primary key will be considered to be the referenced primary key. One approach is to augment FK with the security level of its attributes (the tuple security level if tuple level labeling is used). If that approach is used, a matching PK will have the same security level as FX and the requirement on the relationship between security levels of PK and FK becomes C[FK] = C[PK]. Enforcement of referential integrity through the rules described in Section 2.2 can result in covert channels. These channels are discussed below. The discussion is divided into the two permitted cases: C[FK] = C[PK] and C[FK] > C[PK]. 4.2.1 Enforcement of Integrity Rules When C[FK] = C[PK] To study the enforcement of integrity rules when the security level of the referencing tuple and the security level of the referenced tuple are the same, we need to look at the cases of the four different levels of granularity in multilevel relations. For relations with relation level labeling or tuple level labeling, all the integrity rules are usable without modification because this case can be considered to be equivalent to relationships occurring in a single-level database. For attribute and element level labeling there is a potential channel for the CASCADFS-delete rule. All other rules can be enforced without any problem. This channel can be better explained with the help of an example. Example 8. Consider the two relations SOD and PS as given in Figure 4.2. The security level of the foreign key in relation PS in this example is the same as the security level of the referenced primary key in relation SOD. For the second tuple in relation PS, an Unclassified user oily sees the attribute Person_Name. The user is not cleared to see the value of Starship for this tuple and also the user cannot see the corresponding referenced tuple in relation SOD. Suppose a Confidential user comes in and attempts to delete the second tuple in relation SOD where Starship = "Saratoga." If the delete rule specified is a CASCADES-delete, then the referencing tuple in PS is also deleted. An Unclassified user now will not see the attribute value Person_Name = "Mr. Spock" any more, and this causes a channel. PS PERSON_NAME STARSHIP James Kirk U Enterprise U Mr. Spock U Saratoga C SOD STARSHIP OBJECTIVE DESTINATION Enterprise U Exploration C Talos C Saratoga C Mining C Rigel C Figure 4.2: Relation PS and SOD when C[FK] = C[PK] The channel in this case can be avoided if the equivalence of the security levels of the foreign key and the referenced primary key is extended. If the security level of the entire referencing tuple is the same as the security level of the entire referenced tuple, then no violations occur when enforcing the insert, delete, and update rules. This fact has been acknowledged in the SeaView model [Lunt 90] and the referential secrecy model given by Burns [Burns 90b]. Burns also suggests selective enforcement of referential integrity in those cases where the security level of both the referencing relation and the referenced relation are not the same, assuming that the channel either can be monitored or is deemed not to cause a serious threat. 4.2.2 Enforcement of Integrity Rules When C[FK] > C[PK] Now the final case will be considered where the security level of the referencing tuple dominates the security level of the referenced tuple. Each of the integrity rules for insert, delete, and update will be considered individually, and the effect of the dominance of the referencing tuple's security level over that of the referenced tuple will be investigated. The effect of different levels of labeling granularity in multilevel relations upon enforcement of integrity will also be considered. Throughout this discussion, we will assume that either the relations are not polyinstantiated or a consistent method is employed to determine the unique primary key referred to by a foreign key. 1. Element-Level Granularity - Each of the integrity rules for insert, delete, and update is examined individually for relations with element-level granularity, and conditions violating the security constraints are investigated. a. Delete Rule - As discussed in Section 2.2.1, the four delete rules for referential integrity in single-level relations are as follows: i. RESTRICTED-delete Rule ii. CASCADES-delete Rule iii. NULLIFIES-delete Rule iv. SET-DEFAULT-delete Rule Each of these rules is considered in turn for applicability to multilevel relations labeled at the element level. i. RESTRICTED-delete Rule - The RESTRICTED-delete rule states that the referenced primary key tuple cannot be deleted as long as there is a corresponding referencing tuple somewhere in the database. For instance, consider the relations SOD and PS given in Figure 4.3. In relation PS, the security level of the foreign key value Starship = "Voyager" dominates the security level of the primary key value in the relation SOD. According to the RESTRICTED-delete rule, as long as there is a tuple having foreign key value "Voyager" in PS, the tuple with primary key value "Voyager" cannot be deleted from the relation SOD. This gives rise to a channel, as there is a downward flow of information from the high-level referencing foreign key to the low-level subject attempting to delete the tuple containing the primary key. Therefore, the RESTRICTED-delete Rule violates secrecy when the security level of the foreign key dominates the security level of the primary key of the referenced tuple. ii. CASCADES-delete Rule - If the delete rule specified is the CASCADES-delete rule, then if the tuple in SOD with Starship = "Voyager" is deleted at the Unclassified level, then the tuple in PS with Starship = "Voyager" at the Secret level should also be deleted. In the relation instance of PS, given in Figure 4.3, Person_Name = "Mr. Spock" is at the Unclassified level in the tuple containing Starship = "Voyager" at the Secret level. Although the Unclassified user would not see any value for Starship in the PS tuple with Person_Name = "Mr. Spock," this tuple will be deleted as a result of the CASCADES-delete action. Therefore, the user will be able to infer that the tuple contained Starship = "Voyager." This is a channel. If the attribute value "Mr. Spock" were classified as Secret, there would have been no channel. Hence, the CASCADES- delete rule fails in relations with element-level labeling and C[FK] > C[PK], if any non-foreign key attribute value in the referencing tuple is at a lower security level than the foreign key attribute value. Even though the CASCADES-delete rule is not invalid for all the cases, channels exist that cannot be covered or be removed. Hence, CASCADES-delete cannot be used for defining an integrity constraint in relations with element-level labeling which allow a foreign key to strictly dominate its corresponding primary key. SOD STARSHIP OBJECTIVE DESTINATION Enterprise U Exploration U Talos U Voyager U Spying S Mars S Apollo S Spying S Moon S PS PERSON_NAME STARSHIP James Kirk U Enterprise U Mr. Spock U Voyager S Figure 4.3: Relations SOD and PS without Polyinstantiation iii. NULLIFIES-delete Rule - If the delete rule specified is NULLIFIES-delete, then the value of Starship = "Voyager" in relation PS is set to null when the tuple in SOD for Starship = "Voyager" is deleted. This does not conflict with the security constraints, as long as write-ups are allowed, since there would not be a downward flow of information. iv. SET DEFAULT-delete Rule - The argument for the SET DEFAULT-delete rule is the same as for the NULLIFIES-delete rule. As previously noted, the SET DEFAULT rule is equivalent to the NULLIFIES rule when null is specified as the default. In summary, when the foreign key value is higher than the security level of the primary key value, then the NULLIFIES-delete rule and the SET DEFAULT-delete do not create downward information flows. However, the RESTRICTED-delete and CASCADES- delete rules can result in covert channels. b. UPDATE Rule - As discussed in Section 2.2.2, the four update rules for referential integrity in single-level relations are as follows: i. RESTRICTED-update Rule ii. CASCADES-update Rule iii. NULLIFIES-update Rule iv. SET DEFAULT-update Rule The following paragraphs discuss the application of the update rules to multilevel relations labeled at the element level. i. RESTRICTED-update Rule - Consider the relations SOD and PS given in Figure 4.2. In relation PS, the security level of the foreign key value Starship = "Voyager" dominates that of the primary key value in the relation SOD. According to the RESTRICTED-update rule, as long as there is a tuple having foreign key value "Voyager" in PS, the primary key value "Voyager" cannot be updated in the relation SOD. This gives rise to a channel because there is flow of information from the high-level referencing foreign key to the low-level subject attempting to delete the tuple containing the primary key. Therefore, the RESTRICTED-update Rule will not work when updating a referenced tuple if the security level of the referencing tuple dominates the security level of the referenced tuple. ii. CASCADES-update Rule - The CASCADES-update Rule states that if the primary key value Starship = "Voyager" in SOD is updated, then the foreign key value Starship = "Voyager" in PS will also be updated. This does not conflict with the security constraints, as long as write-ups are allowed, since there would not be a downward flow of information. iii. NULLIFIES-update Rule - The NULLIFIES-update Rule specifies that the value of Starship = "Voyager" in relation PS be set to null if Starship = "Voyager" in SOD is updated. Again, this does not conflict with the security constraints, as long as write-ups are allowed, since there would not be a downward flow of information. iv. SET DEFAULT-update Rule - The SET DEFAULT-update Rule does not violate any security or integrity constraints when the security level of the foreign key dominates the security level of the primary key. The explanation is the same as for the NULLIFIES-update rule. In summary, CASCADES-update, NULLIFIES-update, and SET DEFAULT-update do not result in downward information flow. The RESTRICTED-update rule can result in a covert channel. c. INSERT Rule - The insert rule for integrity states that the insertion of a foreign key value should comply with the referential integrity rules; that is, each foreign key value in the referencing relation should have an identical primary key value in the referenced relation. In MLS databases, it is important to ensure that there is no downward flow of information when the insertion is made. If the security level of the referencing tuple (foreign key value) dominates the security level of the referenced tuple (primary key value), then there is no such possibility of a channel. If a higher user attempts to insert a foreign key value, the user's insertion is accepted or rejected based on the presence or absence of the referenced value at the lower security level. There will be only an upward flow of information, which means that both integrity and security rules are satisfied. It should be noted that, unlike with polyinstantiated relations, there is no confusion while inserting the tuples in the two relations. SOD No. STARSHIP OBJECTIVE DESTINATION TC 1 Enterprise Exploration Talos U 2 Enterprise Spying Mars S PS No. PERSON_NAME STARSHIP TC 3 James Kirk Enterprise U 4 Mr. Spock Enterprise S Figure 4.4: Relations with Tuple-Level Granularity 2. Tuple-Level Granularity - The argument for referential integrity control in relations with tuple-level granularity is the same as the discussion above for element-level granularity. The only difference is that instead of each data element having an individual security level, the entire tuple in the relation is assigned a security level as shown in Figure 4.4. As is the case for element-level granularity, a security conflict occurs when the RESTRICTED-update/delete option is enforced. There is a downward flow of information when a low user tries to update/delete a target value, and is allowed to do so depending on the absence of a matching referencing tuple at a higher level. All other integrity rules are valid for relations with tuple-level granularity. The problem with CASCADES-delete that occurs for element-level granularity does not occur with tuple-level granularity because, for tuple-level granularity, each element in the tuple is explicitly assumed to have the same security level as defined in the tuple class. As such, a user will never be in the situation where he can view some attributes of a tuple but not others and then witness the tuple vanish due to a cascading delete on attributes that the user is not cleared to see, which would be a covert channel due to the inference of the high attribute's value. 3. Attribute-Level Granularity - As described earlier, attribute-level granularity means that each attribute in a relation is assigned a single security level. All values of an attribute are classified at the same level of security across all tuples in the relation. From the discussion in Section 3.5, to maintain referential integrity, the security level of the foreign key attribute in the referencing relation must dominate the security level of the primary key attribute in the referenced relation. The case to be considered is where the security level of the foreign key attribute strictly dominates the security level of the apparent primary key attribute. In this case, the relations SOD and PS are as given in Figure 4.5. SOD No. STARSHIP U OBJECTIVE S DESTINATION U 1 Enterprise Exploration Talos 2 Voyager Spying Mars PS No. PERSON_NAME U STARSHIP S 3 James Kirk Enterprise 4 Mr. Spock Enterprise Figure 4.5: Relations with Attribute-Level Granularity Following the discussion earlier, it can be observed that all the integrity rules can be applied to the case above except for the RESTRICTED-delete or the RESTRICTED-update rule. Under RESTRICTED-update or delete, whenever a lower subject tries to update or delete the tuple containing a particular primary key attribute value, the attempt is accepted or rejected based on the presence of a matching value in the foreign key attribute at the higher security level. This gives rise to a channel. 4. Relation-Level Granularity - As defined earlier, a relation with relation-level granularity has a single classification level defined for the entire relation, or in other words, all data elements in the relation are at the same security level. For instance, consider the relation schema SOD, given in Example 4, and the relation schema PS, given in Example 6. Relation PS references relation SOD, with Starship being the foreign key attribute. The security level of the primary key "Starship" (i.e., C[PK]) is the same as the security level of the relation SOD, and the security level of the foreign key "Starship" (i.e., C[FK]) is the same as the security level of the relation PS. Based on the restrictions derived in rule 2 in Section 3.5, the security level of the foreign key should always dominate the security level of the primary key. Therefore, for relation-level granularity, the security level of the relation PS should dominate the security level of the relation SOD. Let the security level of relation SOD be Unclassified and of PS be Secret. Then C[FK] = Secret and C[PK] = Unclassified (i.e., C[FK] > C[PK]). From the discussion in Section 3.5, it can be seen that, if C[FK] > C[PK], then all integrity rules except RESTRICTED-delete and RESTRICTED-update can be used, without any covert channels. The table below gives a summary of the integrity rules that apply to different levels of granularity without compromising secrecy by permitting downward information flows. In the case of polyinstantiated relations it is necessary in all cases that there be a method to unambiguously determine which instance of the apparent key is referenced. Level of Granularity Element Tuple Attribute Relation Insert Rule OK OK OK OK Delete Rules: RESTRICTED-delete Channel Channel Channel Channel CASCADES-delete Channel OK OK OK NULLIFIES-delete OK OK OK OK SET-DEFAULT- delete OK OK OK OK Update Rules: RESTRICTED-update Channel Channel Channel Channel CASCADES-update OK OK OK OK NULLIFIES-update OK OK OK OK SET-DEFAULT- update OK OK OK OK Table 4.1: Summary of Covert Channels in Referential Integrity Rules for C[FK] > C[PK] 4.3 RELATION TO DBMS ARCHITECTURE A Trusted Computing Base (TCB) consists of one or more sub-elements that together enforce a security policy over a system. Complex systems distribute policy enforcement to various sub- elements. While determining the trust characteristics of a complex system on the basis of a collection of subparts is not well understood, there are approaches for arguing about composition of systems. The approach used in the TDI is to view the system as being composed of hierarchically-ordered systems. There is a "privilege" hierarchy characterized by dependency. The construct developed for dealing with layered systems is TCB subsets. A TCB subset enforces a security policy over a set of resources for that layer, and may or may not include hardware. If a TCB subset can be shown to be constrained and unprivileged relative to the more primitive TCB subset from which it obtains resources, then the scope of the covert channel analysis can be limited. An example of this approach is the SeaView prototype. SRI International developed the SeaView prototype multilevel RDBMS to validate the SeaView theoretical model and to demonstrate that the prototype is suitable for engineering development [Hsieh 93]. The design approach provides users with element-level labeling. SeaView constructs multilevel relations as views over stored single-level relations. The single-level relations are stored in files managed by an underlying multilevel operating system. Thus, individually labeled data elements need not be stored in individually labeled storage objects. The SeaView approach allows multilevel database operations to be decomposed into corresponding single-level operations on the single-level relations. The decomposition is transparent to the user, who considers the multilevel relations to be stored relations. Thus, the SeaView model extends entity and referential integrity to multilevel relations. It also allows application dependent integrity rules to be defined on multilevel relations; and it ensures that updates of multilevel relations are well defined. In addition, the SeaView model constrains multilevel relations with polyinstantiation integrity, which specifies consistency for polyinstantiated tuples and elements. In the SeaView approach, the underlying architecture guards against covert channels during enforcement of entity and referential integrity. This is because the DBMS instance operating on behalf of a subject is untrusted with respect to the underlying operating system MAC policy (i.e., it can only read data with a security level dominated by the subject's level and can only write data with a security level dominating the subject's level). SRI utilized Trusted Oracle OS MAC Mode, which has been evaluated as a constrained TCB subset architecture [Oracle 94]. On the other hand, a secure DBMS can be built with MAC enforcement done in the DBMS, not just the underlying operating system. In this approach, the DBMS will have the privilege to violate the operating system's MAC controls. With this architecture, called a trusted subject architecture, the DBMS designer has to make a tradeoff between channel free enforcement of entity and referential integrity constraints, or enforcement of the constraints in a manner which allows selected channels. In the latter case, the constraint enforcement mechanism must be carefully analyzed to make sure that the downward information flows are thoroughly understood and that they are acceptable for the target environment or evaluation class. For example, Trusted Oracle7 DBMS MAC Mode (which uses the trusted subject architecture) was successfully evaluated at Class B1 [Oracle 94]. In DBMS MAC Mode, entity and referential integrity can be enforced. An audit event was added to Trusted Oracle7 to detect use of potential covert channels. SECTION 5 SUMMARY Entity integrity and referential integrity are two important integrity constraints that should be enforced by the DBMS. While entity integrity is necessary for preserving correctness of data within a relation, referential integrity is required for maintaining interrelation integrity in the relational data model. In this document, these concepts have been extended to multilevel DBMSs. The extension of the concept of referential integrity from single-level relations to multilevel relations is not straightforward. This is because restrictions are needed to provide referential integrity control in multilevel DBMSs without compromising secrecy. The basic requirement for referential integrity is that each referencing foreign key value must have an identical target primary key value in the referenced relation. An additional requirement for multilevel relations is that each foreign key and primary key should be uniformly classified (i.e., all attributes included in a key should have the same security level) and each foreign key dominates its referenced primary key. From the discussion in the document, it can be concluded that enforcing referential integrity, when the security level of the foreign key is equal to the security level of the referenced primary key, is simple and without any ambiguity. All integrity rules apply in this case, whether the relations allow polyinstantiation or not. When polyinstantiation is allowed, some method such as including the security level of the primary and foreign key values as part of the key must be used to differentiate references, and allow the referential integrity rules to be enforced. Referential integrity completely fails when the security level of the foreign key does not dominate the security level of the primary key. When the security level of the foreign key strictly dominates the security level of the referenced primary key, some of the integrity rules for actions to be taken upon deletion or modification of a key value can be applied without channels, with some differences based on labeling granularity. Inclusion of a mechanism which enforces integrity across security levels in Class B2 and above DBMSs may not be feasible due to conflicts with the covert channel requirements. However, with the successful evaluation of Trusted Oracle7 DBMS MAC Mode with an unmodified integrity mechanism, precedence has been set for Class B1 DBMSs. REFERENCES [ANSI 92] ANSI. Database Language SQL2. In ANSI X3.135-1992, American National Standards Institute, New York. December 1992. [ANSI 94] ANSI. SQL3 - Working Draft. Draft Version, Available From X3 Secretariat, Computer and Business Equipment Manufacturers Association (CBEMA), 1250 Eye St. N.W., Suite 200 Washington, D.C. 20005-3992. September 1994. [Audit 96] National Computer Security Center, Auditing Issues in Secure Database Management Systems, NCSC Technical Report-005, Volume 4/5, May 1996. [Bell 76] D. E. Bell and L. J. LaPadula. Secure Computer Systems: Unified Exposition and Multics Interpretation, The MITRE Corporation. March 1976. [Burns 90a] R. K. Burns. Integrity and Secrecy: Fundamental Conflicts in the Database Environment. In Proceedings of the Third RADC Database Security Workshop, Castille, NY. 1990. [Burns 90b] R. K. Burns. Referential Secrecy. In Proceedings of the IEEE Symposium on Security and Privacy, IEEE Computer Society Press. May 1990. [Clark 87] D. D. Clark and D. R. Wilson. A Comparison of Commercial and Military Computer Security Policies. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA. May 1987. [Clark 88] D. D. Clark and D. R. Wilson. Evolution of a Model for Computer Integrity. In Proceedings of the 11th National Computer Security Conference, Baltimore, MD. October 1988. [DAC 96] National Computer Security Center, Discretionary Access Control Issues in High Assurance Secure Database Management Systems, NCSC Technical Report-005, Volume 5/5, May 1996. [Date 86] C. J. Date. An Introduction to Database Systems, Vol. I, 4th Edition, Addison- Wesley, Reading, MA. 1986. [Date 90] C. J. Date. Referential Integrity and Foreign Keys: Further Considerations. In Relational Database Writings 1985-1989, Addison-Wesley, pp. 99-184. 1990. [Denning 87] D. E. Denning, T. F. Lunt, R. R. Schell, M. Heckman, and W. R. Shockley. "A Multilevel Relational Data Model," Proceedings of the 1987 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, pp. 220-234. 1987. [DoD 85] Department of Defense Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, Washington, DC. December 1985. [Hsieh 93] D. Hsieh, T. Lunt, and P. Boucher. The SeaView Prototype. RL-TR-93-216 Final Technical Report, SRI International. November 1993. [Horowitz 92] B. M. Horowitz. A Run-Time Execution Model for Referential Integrity Maintenance. In Proceedings of the 8th International Conference on Data Engineering, Tempe, AZ, pp. 548-556. February 1992. [Inference 96] National Computer Security Center, Inference and Aggregation Issues in Secure Database Management Systems, NCSC Technical Report-005, Volume 1/5, May 1996. [Jajodia 90] S. Jajodia, and R. Sandhu. Polyinstantiation Integrity in Multilevel Relations. In Proceedings of the 1990 IEEE Symposium on Security and Privacy, Oakland, CA. May 1990. [Jajodia 91] S. Jajodia, and R. Sandhu. Toward a Multilevel Secure Relational Data Model. In Proceedings of ACM SIGMOD International Conference on Management of Data, Denver, CO, pp. 50-59. May 1991. [Jajodia 94] S. Jajodia and D. G. Marks. Maintaining Secrecy and Integrity in Multilevel Databases: A Practical Approach. In Proceedings of the 18th National Information Systems Security Conference, Baltimore, MD. Oct. 10-13 1995. [Khoshafian 86] S. N. Khoshafian and G. P. Copeland. Object Identity. In Proceedings for OOPSLA 1986. pp. 406-416. September 1986. [Lunt 90] T. F. Lunt, D. E. Denning, R. R. Schell, M. Heckman, and W. R. Shockley. The SeaView Security Model. In IEEE Transactions on Software Engineering, Vol. 16, No. 6, pp. 593-607. June 1990. [Lunt 91] T. F. Lunt, and D. Hsieh. Update Semantics for a Multilevel Relational Database System. In Database Security, IV: Status and Prospects, S. Jajodia and C. E. Landwehr (editors), Elsevier Science Publishers B. V. (North Holland), IFIP, pp. 281-296.1991. [Maimone 91] B. Maimone and R. Allen. Methods for Resolving the Security vs. Integrity Conflict. In Research Directions in Database Security, IV: Proceedings of the Fourth RADC Workshop, Rae Burns (editor). April 1991. [Markowitz 90] V. M. Markowitz. Referential Integrity in Relational Database Management Systems: A Comparative Study. Preprint. 1990. [Meadows 88] C. Meadows and S. Jajodia. Integrity Versus Security in Multi-Level Secure Databases. In Database Security Status and Prospects, ed. C. Landwehr, North Holland. 1988. [Notargiacomo 91] L. Notargiacomo. Database Integrity: Based on the Clark-Wilson Integrity Model. In Proceedings of the 3rd RADC Database Security Workshop. 1991. [Oracle 94] Oracle7 and Trusted Oracle7 Final Evaluation Report, NCSC-EPL-94/004, C- Evaluation Report No. 07-95, Library No. S242,198, National Computer Security Center, 5 April 1994. [Poly 96] National Computer Security Center, Polyinstantiation Issues in Multilevel Secure Database Management Systems, NCSC Technical Report-005, Volume 3/5, May 1996. [Sandhu 91] R. Sandhu and S. Jajodia. Honest Databases That can Keep Secrets. In Proceedings 14th National Computer Security Conference, Washington, D.C. Oct. 1991. [TDI 91] Trusted Database Management System Interpretation of the Trusted Computer System Evaluation Criteria, NCSC-TG-021, National Computer Security Center. April 1991. [van de Reit 94] R. van de Reit and J. Beukering. The Integration of Security and Integrity Constraints in MOKUM. In Proceedings of the 8th IFIP 11.3 WG on Database Security. Bad Sdzdetfurth, Germany, 23-26 August 1994. [Wiseman 90] S. Wiseman. The Control of Integrity in Databases. In Proceedings of the 4th IFIP 11.3 WG on Database Security, Halifax, England, 18-21 September 1990. Rank Person_Name Primary key PR Foreign key Primary key Starship Person_Name Foreign key PS Primary key Starship Objective Destination SOD Keith F. Brewster Acting Chief, Partnerships and Processes May 1996