Report on the 9th IFIP WG 11.3 Working Conference on Database Security by David Spooner

The Ninth Annual IFIP WG 11.3 Working Conference on Database Security was held on August 13-16, 1995, in Rensselaerville, New York. The conference was organized into ten session, of which eight were paper sessions and two were panel discussions.

The opening session was highlighted with a presentation by T. C. Ting (University of Connecticut and the National Science Foundation) titled "How Secure is Secure?". In this presentation, he stressed that policy makers must take into consideration the value of data resources, the consequences of unauthorized access, and the tolerance and risk in securing data. He also stressed that management must be convinced to take responsibility for policy making. This session also included a presentation of a paper by J. Dobson (University of Newcastle) and M. J. Martin (University of Newcastle), titled "Messages, Communications, Information Security: Protecting the User from the Data." It was presented by Dobson who argued that there can never be fully secure systems and that it is important to analyze the failure modes of systems. He suggested an approach based on common abstractions (e.g., messages, communication) that can be instantiated to model and analyze a given system.

The second session was devoted to federated and replicated databases, and was chaired by E. Fernandez (Florida Atlantic University). The first paper presented was by M. S. Olivier (Rand Afrikaans University) titled "Self- Protecting Objects in a Secure Federated Database." He described the design of a secure object-oriented federated system in which the objects are self protecting via the use of a trusted extension within each object. A trusted common core provides a secure communication channel for the federated system, and a local trusted extension provides local support for objects at the nodes of the federated system. This was followed by a presentation by D. Jonscher (University of Zurich) of a paper by him and K. Dittrich (University of Zurich), titled "Argos - A Configurable Access Control System for Interoperable Environments." He described a federated system with a global access control model and local autonomous access control models. Propagation of authorizations from the global to the local models is required to maintain consistency between the global and local access control models. The details of a prototype implementation were discussed. The final paper in this session was titled "The Modulated- Input Modulated-Output Model," by I. S. Moskowitz (Naval Research Laboratory) and M. H. Kang (Naval Research Laboratory), and was presented by Moskowitz. Moskowitz discussed the problem of getting update messages to upper levels with acknowledgment in a replicated multilevel secure database. He described a "pump" mechanism to do this that is under development at the Naval Research Laboratory and an analysis of required buffer sizes for the pump so that no messages are lost.

The third session addressed secure object-oriented database systems and was chaired by P. Samarati (University of Milan). The first paper in this session, titled "User-Role Based Security Enforcement Mechanisms for Object-Oriented Systems and Applications," by S. A. Demurjian (University of Connecticut), M.-Y. Hu (IBM Corporation), T. A. Daggett (University of Connecticut), and T. C. Ting (University of Connecticut), was presented by Hu. The presentation described the continuation of the development of the ADAM system, which is an object-oriented design and code generation system using C++. The system uses a separate class hierarchy to model the roles required in an application system. The second paper in this session was titled "A Formal Specification of an Authorization Model for Object- Oriented Databases," by E. B. Fernandez (Florida Atlantic University), R. B. France (Florida Atlantic University) and D. Wei (Florida Atlantic University), and was presented by Fernandez. The presentation showed how the Z formal specification language can be used to formalize security policies. Fernandez argued that this would be useful to do for assurance purposes. One of the lessons learned was the difficulty of modeling the structure of a database with the Z language. The final paper in the session was "Multilevel Data Model for the Trusted ONTOS Prototype," by M. Schaefer (ARCA Systems, Inc.), P. Marte (ONTOS Inc.), T. Kanawati (ONTOS, Inc.), and V. Lyons (ONTOS, Inc.), and was presented by Kanawati. The presentation described a secure object-oriented database system under development at ONTOS, Inc. that attempts to balance confidentiality with integrity. It supports MAC without compartments, cover stories, and classifies methods as well as attributes.

The fourth session was on mandatory access controls and was chaired by M. Schaefer (ARCA Systems, Inc.). The first paper in the session was titled "Modeling Mandatory Access Control in Role-Based Security Systems," by M. Nyanchama (University of Natal-Durban) and S. L. Osborn (University of Western Ontario), and was presented by Nyanchama. Their approach studies information flows and uses constraints on these information flows to model the requirements for MAC. The second paper in the session was "Modeling a Multilevel Database with Temporal Downgrading Functionalities," by F. Cuppens (ONERA-CERT) and A. Gabillon (ONERA-CERT). It was presented by Cuppens. The paper addresses downgrading based on events, times, and delays. Since the last two types of downgrading require a temporal model, the paper proposes a temporal language for specifying downgrading rules. The final paper in the session was titled "Towards a MAC Policy Framework," by X. Qian (SRI International) and T. F. Lunt (ARPA/CSTO), and was presented by Qian. This paper looks at the problem of multilevel secure federated databases and whether semantic interoperation makes sense. It looks at such things as the semantics of object labels, upward information flows, and inference channels. It proposes as new components in a system, an interpretation policy, a view policy, and an update policy.

The next session focused on concurrency control issues and was chaired by T. Keefe (Pennsylvania State University). The first paper, titled "A Locking Protocol for Multilevel Secure Databases Providing Support for Long Transactions," was written and presented by S. Pal (Pennsylvania State University). Pal discussed a concurrency control approach for secure multilevel databases that is based on object versions and uses an untrusted scheduler at each level. The second paper, titled "An Adaptive Policy for Improved Timeliness in Secure Database Systems," by S. H. Son (University of Virginia), R. David (University of Virginia) and B. Thuraisingham (MITRE Corporation), was presented by Son. This paper explores secure two-phase locking schemes for real-time databases. Compromises are required between real-time requirements and security requirements, and the paper presents simulation results to compare several such compromises. The next paper, also presented by Son, was titled "A Secure Concurrency Control Protocol for Real-Time Databases," by R. Mukkamala (Old Dominion University) and S. H. Son (University of Virginia). This paper discusses a multiversion concurrency control method in which higher priority transactions can abort other transactions at the same level. The transaction scheduler and the lock manager must be trusted. The final paper in the session was titled "Providing Different Degrees of Recency Options to Transactions in Multilevel Secure Databases," by V. Atluri (Rutgers University), E. Bertino (University of Milan), and S. Jajodia (George Mason University), and was presented by Atluri. The idea presented in this paper is that a transaction should be able to specify a desired level of recency in the data it reads. The paper presents a protocol based on multiple versions and time stamps.

Design and implementation of access controls was the topic for the next session, chaired by X. Qian (SRI International). The first paper in this session was titled "Assured Discretionary Access Control for Trusted RDBMS," by M. Schaefer (ARCA Systems, Inc.) and G. Smith (ARCA Systems, Inc.), and was presented by Schaefer. The goal of the work is to investigate whether it is possible to implement DAC for a view-based secure relational database system with assurance above the B1 level. Schaefer proposed several potential approaches and concluded that a credible paradigm is to use primitive views (i.e., no joins). The second paper in the session was titled "A Formal Security Design Approach for Information Exchange in Organizations," by R. Holbein (University of Zurich), S. Teufel (University of Zurich), and K. Bauknecht (University of Zurich), and was presented by Holbein. Holbein argued that for need-to-know security design in organizations it is important to be able to trace a particular access right back to the need-to-know policy in an organization. He proposed a formal specification approach based on business process models to do this.

The next session was a panel discussion on role-based access control and next generation security models, chaired by R. Thomas (Odyssey Research Associates). The first panelist was H. H. Bruggemann (University of Essen) who discussed techniques for using object technology to reduce the complexity of access rights administration. The next panelist was D. Ferraiolo (Department of Commerce, NIST) who discussed how roles provide an ability to articulate and enforce enterprise-specific protection policies. B. Hartman (Odyssey Research Associates) was the next panelist to speak. He began by stating that security is critical for distributed object systems, but that no one solution is appropriate for all markets. He described an effort to develop a role-based security model for the Object Management Group (OMG) common architecture. P. Samarati (University of Milan) spoke as the next panelist and discussed how next generation authorization models must increase expressiveness and flexibility. Then R. Sandhu (George Mason University) argued that a problem with existing security models is that they do not adequately distinguish between users and subjects. He also suggested that role constraints will be important in the development of future systems. M. Schaefer (ARCA, Systems, Inc.) spoke next and suggested that one role does not fit all users who have that role, and a way is needed to selectively add and delete access rights given the context of a situation. He also warned that greater functionality probably implies greater side-effects. The final panelist was T. C. Ting (University of Connecticut) who suggested that no single security model works for everything, that MAC and DAC are both important, and that role- based access control is one solution for DAC. After the panelists spoke there was an extended discussion on whether the trend towards roles is appropriate. It was suggested that roles are close to what many users want, but are not a universal solution. It also became clear that there is not general agreement on the definition of role-based security.

The next session focused on inference controls and was chaired by Don Marks (Department of Defense). The first paper in this session was titled "Inference Analysis During Multilevel Database Design," by R. K. Burns (AGCS Inc.). Burns discussed a toolset for multilevel database design. The tool set uses Entity-Relationship diagrams augmented with a security lattice and a database inference tool to improve the design of a secure database schema. The second paper in the session was titled "A Tool for Inference Detection and Knowledge Discovery in Databases," by S. Rath (University of Tulsa), D. Jones (University of Tulsa), J. Hale (University of Tulsa) and S. Shenoi (University of Tulsa), and was presented by Shenoi. Shenoi described an imprecise inference model for a mixed database of precise relations, imprecise relations, and fuzzy relations. The approach uses sieves for filtering data chucks into equivalence classes based on the context. These equivalence classes are used to model functional dependencies and make inferences. The last paper in the session was presented by T. Hinke, and was titled "ILIAD: An Integrated Laboratory for Inference Analysis and Detection," by T. H. Hinke (University of Alabama in Huntsville), H. S. Delugach (University of Alabama in Huntsville) and R. P. Wolf (University of Alabama in Huntsville). Hinke described a software system composed of a database generator, a single-facet inference tool, and a multi-facet inference tool. He described how simulation can be used to generate data with a coherent cover story that can be used as a test database for the system. The inference tools in the system focus on transitive association type instances and are based on a semantic graph.

The next session was a panel session chaired by M. Schaefer (ARCA Systems, Inc.). The first panelist to speak was R. Henning (Harris Corporation) who discussed what system administrators want in a secure database product. She listed such things as single seat administration, accountability, confidentiality, integrity, and minimal duplication of services. She also warned that what works for one application may not necessarily work for all. The next speaker was R. Miller (IBM) who described the requirements for large (terabyte) secure databases. He stated that these databases are usually, multi-vendor, geographically distributed, and heterogeneous. Security goals for such systems are consistency across the systems, with single sign-ons and flexible audit functionality. The next panelist was T. Parenty (Sybase, Inc.) who suggested that it is necessary to think about security in a context larger than a single application or database and that user authentication is particularly important. He also felt that multilevel security is far down the road for what most business applications need now. The final panelist was J. Worthington (Informix, Inc.) who described a level B3 multilevel database product, but warned that sales may not be sufficient to continue the product. He also discussed what users want, including strong authentication, different privileges at different times and locations, and flexible encryption. In summary, he indicated that the requirements are not strictly role-based or task-based, and that there is a temporal component. The presentations were followed by a general discussion that focused on three major issues: (1) privacy concerns, (2) increasing communications between vendors and researchers in the security area, and (3) customer requirements.

The final session focused on the topic of storage jamming and a discussion of what was learned at the conference. This session was chaired by T. C. Ting (University of Connecticut). The session began with a presentation by J. McDermott (Naval Research Laboratory) of a paper titled "Storage Jamming," by J. McDermott (Naval Research Laboratory) and D. Goldschlag (Naval Research Laboratory). McDermott defined storage jamming as an attack on an organization by putting bogus values that satisfy integrity constraints into a database. He then discussed techniques for reducing susceptibility to such attacks within an organization (e.g., well designed and structured systems and data). This was followed by a summary and discussion of the conference led by J. Dobson (University of Newcastle). Some of the issues identified included: (1) technology is moving from research to engineering, (2) advanced information processing techniques are coming into use, (3) some problems are still open, but may not yet be relevant to customers (e.g., inference detection, connectionless communications), (4) new security models are required, but the conceptual basis for them is still a matter of debate, and (5) the problems and concerns of indirect stakeholders are not always being addressed.

An informal evening session organized by T. Y. Lin (San Jose State University) was also held during the conference and was focused on data mining and its relationship to database security. There was significant interest in this topic and the discussion will be continued at future conferences.

The next IFIP WG 11.3 Working Conference on Database Security will be held, July 22-24, 1996 in Como, Italy. The call for papers and details of the conference can be obtained on the World Wide Web at URL,