Research And Implementation On Mandatory Access Control Of Secure Database

With the rapid development of information technology, and now information security has become an increasingly important technology in branches and fields, and as one of the core foundation of information systems database management system, its security is also increasingly under pressure from various aspects of attention. Access control is an important mechanism to achieve the security database. The basic task of access control is to protect the information stored in the database, preventing non-authorized users access to information, as well as authorized users access the database over its power. It can ensure data confidentiality, integrity and availability. Mandatory access control mechanism is the core content of third-level secure database.Access control technology can be divided into two categories: one is called discretionary access control, and the other is called mandatory access control. Mandatory access control is an important way of access control. It is much stricter discretionary access control. It calls for marking the subject and object of the database, and assigning security levels to them. When the subject is to access the object, MAC will check the security level of the subject and object, to decide whether this operation can be done. Mandatory access control usually requires strict control to database administrators, security administrators and the audit administrator in accordance with the principle of least privilege. MAC can effectively prevent "Trojan horse" attacks. Its main features are:Mandatory: The security properties of all entities within the database system must be marked by the security administrator.Strictness: The access control can not be avoided; even the database information is accessed by its owner.Multi-level database is the basis for mandatory access control. The common multi-level database models include Bell & La Padula (BLP) model, extended BLP model, Sea View mode and Jajodia-Sandhu (JS) model. The common feature of these models that, subject and object in the database is divided into different security levels. Then take different strategies to carry out access control.The Bell & La Padula model proposed in 1976, is the first proposed mandatory access control model, and it is a typical representative of mandatory access control security model. Currently, numbers of mandatory access models are directly or indirectly on the BLP model improvements. Bell & La Padula model is well-known multi-level security policy model.The security level of BLP model has a security and a non-hierarchical category, in the form of . Security level from low to high, including non-confidential (U), confidential (C), secret (S), top secret (TS), security level is a total order, and can be expressed in figures 1, 2,3,4,5. Category is a subset of the collection in a system, it usually depends on application scenarios, for example, different departments, there is no hierarchy, and the main effect is isolation.This paper first analyzes the various security mechanisms of security database, including: authentication, discretionary access control, mandatory access control, storage encryption, security audit, separation of powers, reasoning control. On this basis, leads to a multi-level secure database, introduced the multi-level security strategies and common models of multi-level secure database, then analyze the characteristics of various models and their respective advantages and disadvantages.Then, this paper focuses on the basic concepts and requirements of access control. It describes several common access control policies: discretionary access control, mandatory access control and role-based access control. It analyzes the characteristics of these access control policies and their advantages and disadvantages. On this basis, proposed agent-based mandatory access control concept. It introduces the proxy between subject and object. It marks objects and agents, and assigns security level to the objects and agents and then assigns an agent to each subject. One subject can only be corresponding with one proxy,. This can reduce the workload of the security-level management to facilitate the increasing of the subject and the changing of security level, to facilitate the maintenance of the security level.Then, this paper studies how access control is implemented in the MySQL database. First introduced the MySQL database, MySQL database is the most commonly used in large-scale general-purpose database, it has the characteristics of high performance, high reliability, support multi-user, multi-threaded, supporting C/S structure,. MySQL can provide open-source version, so many universities and research institutions add new features to MySQL based on its prototype. And then analyzed the MySQL system architecture and the implementation flow of SQL statements. Introduced the various modules of MySQL, including server initialization module, the connection manager, thread manager, user authentication module, access control module, parser, command distribution device, query cache module, optimizer, table manager, the table modification module, table maintenance module, status reporting module, an abstract storage engine interfaces, storage engine implementation, the log module, redundant main module, redundant backup modules, client/server protocol API, the Low-Level network I/O API, the core API modules. On this basis, mandatory access control modules are implemented. Mandatory access control module is divided into three sub-modules, including: the information of subject and object management module, the information of subject and object retrieval module, the security level comparison module. The information of subject and object management module is responsible for management and maintenance of the system tables which record the security level of subject and object, importing the data when the server is started , and updating data when the server is running. The information of subject and object retrieval module is responsible for obtaining the security level of the specified subject and object. The security level comparison module is responsible for comparing the security level of subject and object, to determine whether the access is to be executed. Finally, have a test of the database, the result of the test meet the expected results, largely achieved the security database with the feature of mandatory access control.So far, this paper completed the development of mandatory access control based on the MySQL database, but there are still some shortcomings. It only supports simple SQL statement ,including select, insert, update, only supports single table treatment, can not handle multi-table queries, does not support the functions and storage procedures, the integrated of mandatory access control and MySQL is not flexible enough. These will be the next research focus.