MLS OS-DBMS Policy Integration

Trusted RUBIX fully integrates the MLS policy of the underlying secure operating system (OS) with that of the DBMS. This results in coherent security behavior across both the OS and DBMS domains.

With MLS policy integration, the DBMS session label and the OS session label will be the same for every user. The string label representation and the set of valid label formats will also be the same for Trusted RUBIX and the secure operating system. Additionally, the dominance relationships (i.e., the security lattice) will be the same.

Other DBMS products that implement MLS policy enforcement may not integrate with the underlying secure operating system or may be designed to operate on top of a non-MLS operating system. In these environments, illegal information flows may occur from the DBMS, to the OS, and then to an uncleared user. Additionally, the security administrator may have to maintain and configure two MLS policies, each with differing label structures and security lattices.

The first of the following two diagrams demonstrates how a malicious user may illegally send information from Top Secret to Unclassified, by exploiting the lack of OS-DBMS policy integration. The second diagram demonstrates how Trusted RUBIX prevents this illegal information flow by integrating with the underlying secure operating system.

In the first diagram, the malicious user Bob SELECT's Top Secret DBMS data and redirects it to an Unclassified operating system file. Because there is no OS-DBMS policy integration, Bob is able to connect to the DBMS at Top Secret while remaining at Unclassified with respect to the operating system. Nancy then reads the Top Secret DBMS data from the Unclassified operating system file, completing the illegal information flow.

Illegal Information Flow in Systems without OS-DBMS Policy Integration

The second diagram demonstrates how Trusted RUBIX prevents such illegal information flows by integrating the MLS policies. Because Bob's Trusted RUBIX DBMS and OS session labels are linked, he can only redirect the DBMS data into a Top Secret operating system file. Nancy, being at Unclassified is unable to read from the Top Secret operating system file. Thus, the data remains protected by the same MLS policy in both the Trusted RUBIX DBMS and operating system.

Preventing Illegal Information Flow using OS-DBMS Policy Integration