Design And Implementation Of Database Security Level Assessment Tool

Posted on: 2017-10-06
Degree: Master
Type: Thesis
Country: China
Candidate: M L Xie
GTID: 2348330503472482
Subject: Computer technology

Abstract/Summary:
Testing and evaluating the security level of a Database Management System (DBMS) is indispensable for guaranteeing its security. Security level evaluation means determining a credible level for the security features of a DBMS according to its security standards. Automating or semi-automating a database security level evaluation tool can improve the efficiency of security level evaluation of a DBMS.

Based on an analysis of the architecture of existing information system security level evaluation tools, and combined with the Software Testing Automation Framework (STAF), the architecture of the database security level evaluation tool is designed. It is composed mainly of a test preparation module, a data storage module, a test module and an evaluation module.

The test preparation module consists of three sub-modules: a user login module, a test case input module and a test item selection module. Its test cases are written based on "Information Security Technology Security Techniques Requirement for Database Management System" and "Information Security Technology Security Evaluation Criteria for Database Management System". From the information the user enters, the test case input module automatically generates a test case document described in XML. The data storage module mainly stores the test case document, the expected result document and the actual test result document.

In the test module, a detailed analysis of the test items of popular database management systems (mainly Oracle, Dameng and MySQL) allows test items of the same type to be tested by the same test procedure across different DBMSs. For example, the test items for communication encryption are tested using the methods of the JpcapCaptor class. The test items for remote database access are tested by analyzing whether a clear-text user name or password is present in the data packets captured by the methods of the JpcapCaptor class. The test items for file operation are tested by invoking STAF's file service.

In the evaluation module, the test results are compared with the expected ones. A test item passes if both results are the same. The security level of the database is then obtained by counting the passing rate of the test items.

The experiment on Dameng and MySQL shows that the database security level evaluation tool is capable of a semi-automated evaluation of the security features of the primary, secondary and tertiary safety levels of a DBMS according to its technical security requirements.
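
The remote-access check and the expected/actual comparison described in the abstract, as an added Python example that is not code from the thesis (which captures packets with JpcapCaptor). It assumes the payloads of one login stream have already been extracted from a capture; all function names, item names and sample bytes are constructed for illustration, and the mapping from passing rate to a security level is not given in the abstract, so it is not modeled.

```python
"""Added example: cleartext-credential check plus expected/actual comparison."""


def cleartext_hits(stream_payloads, secrets):
    """Return names of secrets that appear verbatim in a captured stream.

    stream_payloads: TCP payloads of one client-to-server stream, in order.
    secrets: {"username": "...", "password": "..."} for the test account.
    """
    # Join payloads so a value split across two packets is still found.
    stream = b"".join(stream_payloads)
    hits = []
    for name, value in secrets.items():
        # Check UTF-8 and UTF-16LE, since wire encodings vary (assumption).
        encodings = {value.encode("utf-8"), value.encode("utf-16-le")}
        if value and any(e in stream for e in encodings):
            hits.append(name)
    return sorted(hits)


def run_item(stream_payloads, secrets):
    """Actual result for a remote-access test item."""
    return "cleartext" if cleartext_hits(stream_payloads, secrets) else "encrypted"


def pass_rate(expected, actual):
    """Fraction of test items whose actual result equals the expected one."""
    if not expected:
        raise ValueError("no test items")
    passed = [k for k in expected if actual.get(k) == expected[k]]
    return len(passed) / len(expected), sorted(passed)


# Constructed sample data (not real captures).
SECRETS = {"username": "eval_user", "password": "S3cr3t-Test!"}
PLAIN_STREAM = [b"\x01LOGIN user=eval_user pass=S3cr", b"3t-Test!\x00"]
TLS_LIKE_STREAM = [bytes.fromhex("1603030020a1b2c3d4e5f60718293a4b5c6d7e8f90")]

EXPECTED = {"remote_login_A": "encrypted", "remote_login_B": "encrypted"}
ACTUAL = {
    "remote_login_A": run_item(PLAIN_STREAM, SECRETS),
    "remote_login_B": run_item(TLS_LIKE_STREAM, SECRETS),
}

if __name__ == "__main__":
    rate, passed = pass_rate(EXPECTED, ACTUAL)
    print(ACTUAL, f"pass rate = {rate:.0%}", passed)
```

A match proves the credential crossed the wire in the clear; the absence of a match only shows it was not sent verbatim in the encodings checked, so an "encrypted" result here is weaker evidence than a "cleartext" one.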
Keywords/Search Tags:DBMS, security level evaluation, test case, capturing packet