Skip site navigation (1) Skip section navigation (2)

Re: [PATCH] SE-PgSQL/tiny rev.2193

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Greg Stark <gsstark(at)mit(dot)edu>
Cc: Joshua Brindle <method(at)manicmethod(dot)com>, Ron Mayer <rm_pg(at)cheapcomplexdevices(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Martijn van Oosterhout <kleptog(at)svana(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
Subject: Re: [PATCH] SE-PgSQL/tiny rev.2193
Date: 2009-07-20 23:35:38
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-hackers
Greg Stark wrote:
> On Mon, Jul 20, 2009 at 8:44 PM, Joshua Brindle<method(at)manicmethod(dot)com> wrote:
>> I am capable of speaking for Tresys in this matter. We are very interested
>> in this work and our US DoD customers need the capabilities that this
>> project adds (assuming row level access controls are a possibility).
> I'm kind of curious about how these features get used. What specific
> problems do they solve?

I would like to introduce a key word: data flow control (DFC).

Most of mandatory access control system focuses on the direction
of data, and tries to control it when user/client gives a request
to object manager (such as OS-kernel, RDBMS, ...).

MAC system assigns a security label on all the objects managed to
identify its sensitivity level. It typically has hierarchical
relationship, such as "secret" is more sensitive than "classified",
and "classified" is more than "unclassified", for example.
  secret > classified > unclassified

When user requires the object manager to read a certain object
with a security label being equal or lower than user's security
label, MAC system within the object manager allows it.
In this case, the direction of data is from object to subject.
  (Object) ---(read)---> (Subject)

When user requires the object manager to write a certain object
with a security label being equal to user's security label, MAC
system allows it.
In this case, the direction of data is from subject to object.
  (Subject) ---(write)---> (Object)

This constraint enables to prevent to leak a sensitive data to
others with lower sensitive level.
Note that subject never has data with higher than himself, and
he cannot write his data to objects lower than himself (to prevent
information leaks, by malicious internals) and higher than himself
(to prevent manipulation).

The security certification (ISO/IEC15408) also contains DFC as a
part of functional requirements. (Please note that it does not
requires DFC all the producets; it depends on the environment to
be used.)

Oracle Label Security is a product which provides DFC mechanism
using row-level access controls based on security labels, and
its security certification report mentions its DFC features and
access control rules in the FDP_IFF section.

SE-PostgreSQL also tries to apply such kind of DFC policies.
In addition, its security policy is integrated with operating system.
It enables to handle multiple object manager seamlessly.

For example, we cannot prevent a user with classified security label
to insert a sensitive information into database and unclassified user
to see them later, without SE-PgSQL.

BTW, Oracle Label Security is priced at about $13,000/CPU in Japan.
I believe security sensitive customers feel it fair for their purpose.

OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>

In response to

pgsql-hackers by date

Next:From: Josh BerkusDate: 2009-07-20 23:41:32
Subject: Re: [PATCH] SE-PgSQL/tiny rev.2193
Previous:From: Josh BerkusDate: 2009-07-20 23:20:04

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group