Re: [PATCH] SE-PgSQL/tiny rev.2193 - Mailing list pgsql-hackers
| From | KaiGai Kohei |
|---|---|
| Subject | Re: [PATCH] SE-PgSQL/tiny rev.2193 |
| Date | |
| Msg-id | 4A64FF4A.8030802@ak.jp.nec.com |
| In response to | Re: [PATCH] SE-PgSQL/tiny rev.2193 (Greg Stark <gsstark@mit.edu>) |
| List | pgsql-hackers |
Greg Stark wrote:
> On Mon, Jul 20, 2009 at 8:44 PM, Joshua Brindle <method@manicmethod.com> wrote:
>> I am capable of speaking for Tresys in this matter. We are very interested
>> in this work and our US DoD customers need the capabilities that this
>> project adds (assuming row level access controls are a possibility).
>
> I'm kind of curious about how these features get used. What specific
> problems do they solve?

I would like to introduce a key word: data flow control (DFC).

Most mandatory access control systems focus on the direction of data, and try to control it when a user/client gives a request to an object manager (such as an OS kernel, RDBMS, ...).

A MAC system assigns a security label to all the objects it manages to identify their sensitivity level. It typically has a hierarchical relationship, such as "secret" being more sensitive than "classified", and "classified" more than "unclassified", for example:

secret > classified > unclassified

When a user requires the object manager to read a certain object with a security label equal to or lower than the user's security label, the MAC system within the object manager allows it. In this case, the direction of data is from object to subject.

(Object) ---(read)---> (Subject)

When a user requires the object manager to write a certain object with a security label equal to the user's security label, the MAC system allows it. In this case, the direction of data is from subject to object.

(Subject) ---(write)---> (Object)

This constraint makes it possible to prevent leaking sensitive data to others with a lower sensitivity level. Note that a subject never has data higher than himself, and he cannot write his data to objects lower than himself (to prevent information leaks by malicious insiders) or higher than himself (to prevent manipulation).

The security certification (ISO/IEC 15408) also contains DFC as a part of its functional requirements. (Please note that it does not require DFC for all products; it depends on the environment to be used.) Oracle Label Security is a product which provides a DFC mechanism using row-level access controls based on security labels, and its security certification report mentions its DFC features and access control rules in the FDP_IFF section.

SE-PostgreSQL also tries to apply such kinds of DFC policies. In addition, its security policy is integrated with the operating system. This enables it to handle multiple object managers seamlessly. For example, without SE-PgSQL we cannot prevent a user with a classified security label from inserting sensitive information into the database and an unclassified user from seeing it later.

BTW, Oracle Label Security is priced at about $13,000/CPU in Japan. I believe security-sensitive customers feel it fair for their purpose.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
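The read-down / write-equal rules described in the message, modelled as a labelled table with row-level filtering. This is an added example, not SE-PostgreSQL or Oracle Label Security code; the three levels, the `LabeledTable` class and the sample rows are constructed here for illustration.

```python
# Toy model of the data flow control (DFC) rules from the message above:
# a subject may read objects labelled equal to or lower than itself, and
# may write only objects labelled equal to itself.  Constructed example.

LEVELS = {"unclassified": 0, "classified": 1, "secret": 2}

def dominates(subject, obj):
    """True when the subject's label is equal to or higher than the object's."""
    return LEVELS[subject] >= LEVELS[obj]

def may_read(subject, obj):
    # (Object) ---(read)---> (Subject): data only flows down or sideways.
    return dominates(subject, obj)

def may_write(subject, obj):
    # (Subject) ---(write)---> (Object): only at the subject's own level,
    # which blocks both leaks downward and manipulation upward.
    return LEVELS[subject] == LEVELS[obj]

class LabeledTable:
    """Every row carries a security label; all access passes the DFC check."""
    def __init__(self):
        self.rows = []  # list of (label, value)

    def insert(self, subject, label, value):
        if not may_write(subject, label):
            raise PermissionError(f"{subject} may not write a {label} row")
        self.rows.append((label, value))

    def select(self, subject):
        # Rows the subject is not cleared for are silently filtered out,
        # which is how row-level access control behaves (no error, no hint).
        return [v for lbl, v in self.rows if may_read(subject, lbl)]

def demo():
    """Build the scenario from the message: a classified insert, then reads."""
    t = LabeledTable()
    t.insert("classified", "classified", "troop schedule")
    t.insert("unclassified", "unclassified", "cafeteria menu")
    return t

if __name__ == "__main__":
    t = demo()
    print(t.select("unclassified"))  # ['cafeteria menu']
    print(t.select("secret"))        # ['troop schedule', 'cafeteria menu']
```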