
MLS OS-RDBMS Policy Integration


Trusted RUBIX fully integrates the MLS policy of the underlying secure operating system (OS) with that of the RDBMS. This results in coherent security behavior across both the OS and RDBMS domains.

 

With MLS policy integration, the RDBMS session label and the OS session label will be the same for every user. The string label representation and the set of valid label formats will also be the same for Trusted RUBIX and the secure operating system. Additionally, the dominance relationships (i.e., the security lattice) will be the same.

 

Other RDBMS products that implement MLS policy enforcement may not integrate with the underlying secure operating system or may be designed to operate on top of a non-MLS operating system. In these environments, illegal information flows may occur from the RDBMS to the OS and then to a user not cleared to access the information. Additionally, the security administrator may have to maintain and configure two MLS policies, each with differing label structures and security lattices.

 

The first of the following two diagrams demonstrates how a malicious user may illegally send information from Top Secret to Unclassified by exploiting the lack of OS-RDBMS policy integration. The second diagram demonstrates how Trusted RUBIX prevents this illegal information flow by integrating with the underlying secure operating system.

 

In the first diagram, the malicious user Bob SELECTs Top Secret RDBMS data and redirects it to an Unclassified operating system file. Because there is no OS-RDBMS policy integration, Bob is able to connect to the RDBMS at Top Secret while remaining at Unclassified with respect to the operating system. Nancy then reads the Top Secret RDBMS data from the Unclassified operating system file, completing the illegal information flow.

 

Illegal Information Flow in Systems without OS-RDBMS Policy Integration

The second diagram demonstrates how Trusted RUBIX prevents such illegal information flows by integrating the MLS policies. Because Bob's Trusted RUBIX RDBMS and OS session labels are linked, he can only redirect the RDBMS data into a Top Secret operating system file. Nancy, being at Unclassified, is unable to read from the Top Secret operating system file. Thus, the data remains protected by the same MLS policy in both the Trusted RUBIX RDBMS and operating system.

 

Preventing Illegal Information Flow using OS-RDBMS Policy Integration
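
The two scenarios above can be checked mechanically. The following Python model is an added example, not Trusted RUBIX code: it applies label dominance with the standard no-read-up and no-write-down checks and enumerates every label choice open to Bob, with and without linked session labels. The Secret level, the `Label` class, the function names and the assumption that Bob is cleared to Top Secret are illustrative and do not come from the product.

```python
from dataclasses import dataclass
from itertools import product

# Constructed three-level hierarchy; the page names only Top Secret and Unclassified.
LEVELS = {"Unclassified": 0, "Secret": 1, "Top Secret": 2}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # Lattice order: level at least as high and a superset of categories.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def can_read(subject, obj):
    return subject.dominates(obj)      # no read up

def can_write(subject, obj):
    return obj.dominates(subject)      # no write down

def flow_reaches(os_label, db_label, row, file_label, reader):
    """True if `row` reaches `reader` through an OS file written by the session."""
    return (can_read(db_label, row)              # RDBMS checks the SELECT
            and can_write(os_label, file_label)  # OS checks the redirect
            and can_read(reader, file_label))    # OS checks the reader

def leaks(integrated):
    """List every (OS label, RDBMS label, file label) choice open to Bob
    that delivers a Top Secret row to an Unclassified reader."""
    labels = [Label(name) for name in LEVELS]
    row, nancy = Label("Top Secret"), Label("Unclassified")
    found = []
    for os_l, db_l, file_l in product(labels, repeat=3):
        if integrated and db_l != os_l:
            continue  # integration: one session label for both domains
        if flow_reaches(os_l, db_l, row, file_l, nancy):
            found.append((os_l.level, db_l.level, file_l.level))
    return found

if __name__ == "__main__":
    print("without integration:", leaks(False))
    print("with integration:   ", leaks(True))
```

Without integration the only leaking combination is the one in the first diagram (OS session at Unclassified, RDBMS session at Top Secret, file at Unclassified); with linked labels the list is empty.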