Analysis of a Mandatory Access Restriction System for Oracle DBMS

This paper analyzes the mandatory access restriction system of the Oracle DBMS. As a result, several leakage channels are discovered.

For many information systems based on a DBMS, it is often a problem to implement access restriction that takes information value into account. This is usually crucial for large-scale information systems for government or corporate use (e.g., geographical information systems or document management systems). Such systems usually imply a mandatory access model. One of the features of the mandatory model is the prevention of either intentional or accidental decrease of information value, thanks to information flow control. The mandatory access model is implemented by labeling all the subjects and objects belonging to the access restriction system.

The Oracle DBMS is currently one of the most powerful and popular industrial DBMSs. Starting with the Oracle9i version, the Oracle Label Security (OLS) component is implemented, which makes it possible to organize mandatory access to stored data. OLS is a set of procedures and restrictions built into the database kernel that allow record-level access control to be implemented. To enable OLS, it is necessary to create a security policy containing a set of labels. Once this policy is created, it should be applied to the protected tables, and users should receive rights to the corresponding labels.
An analysis of possible leakage channels of confidential information is therefore of interest for the reviewed system.
We propose the following general algorithm for analyzing the implemented mandatory access model.
1) Access object types are determined from the published documentation and from investigation of the DBMS (e.g., tables, rows, or columns).
2) SQL commands are analyzed in terms of how users can modify access objects.
3) Several objects with different confidentiality levels are created for each access object type.
4) Several user (access subject) accounts are created with different mandatory access rights.
5) A sequence of SQL queries is formed and executed with different mandatory access rights against objects with different confidentiality levels. By analyzing the execution of these queries, it is possible to build an access model and to conclude whether the system has vulnerabilities that can lead to leakage or corruption of confidential information.
Let us consider the access objects in OLS. These are table records, which have unique labels. It is often implied that tables are the access objects in OLS because the security policy is applied to tables. However, tables do not have labels themselves; they just contain labeled rows.
The following basic SQL operations handle individual records:
– CREATE: creation of a new record;
– SELECT: reading of an existing record;
– UPDATE: modification of an existing record;
– DELETE: deletion of a record.
Our experiments consisted of sequences of queries issued by users with different mandatory access rights against objects of different confidentiality levels. These experiments made it possible to construct the mandatory access model that OLS applies to records. We define two variables: I and J. I is the value of the object's label. Smaller values of I indicate a higher confidentiality level (the value 0 corresponds to top secret). J is the value of the subject's access level.
The model can be presented in the following formalized view:

1. CREATE, SELECT, UPDATE, DELETE, j = i
2. SELECT, j i

This mandatory access model at the record level is quite correct, and it meets the criteria of the Bell-LaPadula security model. So OLS works correctly at the level of table records.
However, besides records as a representation of stored data, users can interact with other data representations that are not affected by the mandatory access policy. Tables are an example of such objects. Users can indeed modify the structure of tables, i.e. add new fields, change their names, and modify data types. At the table level, OLS loses its ability to work properly.
For instance, a user with higher mandatory rights has the right to create a new field in a table. The name of the field may itself be confidential, and the OLS mechanism does not prevent this operation. A user with lower access rights always has the possibility to query the names of all the fields.
For example, a new field is created with the name new_password_xxx (where xxx is top secret information) with the following SQL query:
ALTER TABLE user1.test_table ADD (new_password_xxx VARCHAR2(30));
If another user who does not have any mandatory rights executes the following query (SELECT * FROM user1.test_table;), he gets an empty data set; however, all field names of user1.test_table are exposed to him. As shown above, a column name can contain classified information.
The operations shown in the example create duplex channels of data exchange between subjects with higher and lower access rights, and therefore they can cause leakage of classified information.
As a result of the foregoing, the mandatory access model implemented in Oracle is not complete, and this makes it possible to exchange classified information without any control by the mandatory access system, which decreases information value.
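The column-name channel described above, reproduced as an added example (not code from the paper and not Oracle code): an in-memory SQLite table stands in for an OLS-protected table, and the `row_label` column, the label-set filter and the `APPROVED_COLUMNS` baseline are assumptions made for illustration. It shows that row filtering leaves result-set metadata untouched, and adds one detection check that compares the visible column names with an approved baseline.

```python
import sqlite3

# Constructed baseline: column names approved through change control (assumption).
APPROVED_COLUMNS = ["id", "payload", "row_label"]

def make_db():
    """Constructed stand-in for a label-protected table: every row carries a label."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test_table (id INTEGER, payload TEXT, row_label INTEGER)")
    conn.executemany("INSERT INTO test_table VALUES (?, ?, ?)",
                     [(1, "top secret row", 0), (2, "secret row", 1)])
    return conn

def select_as(conn, readable_labels):
    """SELECT * as a subject: rows are filtered by label, metadata is not."""
    # An empty label set becomes IN (NULL), which matches no row.
    marks = ",".join("?" * len(readable_labels)) or "NULL"
    cur = conn.execute(
        f"SELECT * FROM test_table WHERE row_label IN ({marks})",
        tuple(readable_labels))
    columns = [d[0] for d in cur.description]  # present even for zero rows
    return columns, cur.fetchall()

def schema_drift(baseline, current):
    """Detection check: column names that are not in the approved baseline."""
    approved = set(baseline)
    return [c for c in current if c not in approved]

def demo():
    conn = make_db()
    # A subject with higher rights changes the table structure; the row-level
    # policy attaches no label to the new column name.
    conn.execute("ALTER TABLE test_table ADD COLUMN new_password_xxx TEXT")
    # A subject with no mandatory rights reads the table.
    columns, rows = select_as(conn, [])
    return rows, columns, schema_drift(APPROVED_COLUMNS, columns)

if __name__ == "__main__":
    rows, columns, drift = demo()
    print("rows visible:", rows)
    print("columns visible:", columns)
    print("unapproved columns:", drift)
```

In a real deployment the same comparison would be run against the database catalog for every table under a label policy, alongside restricting and auditing who may alter those tables.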

Prepaid calling cards are the future of global communication, and

Prepaid calling cards are the future of global communication, and they are getting cheaper than ever.

Though Complementary prepaid phone calling cards are very liable, consumers need to be cautious of fraudulent offers. As mentioned beforehand, the prepaid calling card marketplace is a crammed market. In other words, in order to be successful in this business, prepaid card providers need to focus on achieving price leadership. However, some of these so-called providers subordinate their offers by lowering the quality of their calling cards. Quality-sensuous consumers need to spend a large amount of time to avoid falling into this clinch. But when they find a truly good deal, consumers can look forward to saving as much as 38% on their house phone bills.

Now, if you are expectant to make a few long distance calls every week, then you somewhat have two options: You can either find oneself rich enough to be able to pay your phone bills, or you can use an Interchangeable prepaid phone calling card. The Internet is one of the utmost and influential technologies in the history. Howsoever, the Internet has yet to wholly solve the need for harmonious communications. That’s where prepaid international calling cards come in. Phone cards are much cheaper than some of the phone companies out there. Plus, companies realize that an International calling card moocher is more price sensuous, so consumers are lesser likely to end up paying extra. Hence, phone card service providers evermore assay to lower their costs and predicament those savings to their customers. Also, the Internet has made using prepaid phone cards easier than before. Some phone card service providers offer pin-less services, which makes using prepaid cards more acceptable.

Integral of the issues that almost everyone has to assort with these days is what is called the cost of communication. Almost every day we hear horrible stories about mammoth phone bills in the media. Of course, some of these stories are overwrought. Nevertheless, the deep cost of communication is very current. World-wide phone service providers charge a lot for long distance calls. These companies hyperbolize for calls to outside the U.S. For example, if someone has a colleague in Europe, and she decides to call her friend, she might end up paying 75 cents a minute for that call. That is a very high price to pay for just a mere call. And also, a lot of these so called phone service providers charge extra due to their scorch fame. That leaves the consumers in an even more aggravating circumstance. They have to pay extra for the celebrity that they helped the phone service provider build over the years.

So there you have it: consumers no longer have to take the prices that their phone service providers proffer them. By noticing a good deal on a calling card, consumers can lower their cost of communication considerably.

Perform Conference Calls Without Having Prior Reservations

Other teleconferencing services allow subscribers to perform conference calls without having prior reservations. If you’re looking for conference bridgeline services or conference recording services, I highly recommend e-Teleconferencing. Unlike other automated teleconferencing services, ReadyConference gives you a permanent dial-in number and passcode you can use any time, from anywhere – 24/7. Don’t be embarrassed anymore when you need to conference, or worse yet, waste valuable time by avoiding the use of teleconferencing services altogether. Unlike other audio teleconferencing services, ReadyConference gives you a permanent dial-in number and passcode you can use any time, from anywhere – 24/7.

Both standard reservationless and full-service operator-assisted teleconferencing services are available with no contracts or extra fees. Bow Communications: your complete conference call resource center. In general, the OIT does not charge for teleconferencing services, but specific charges may apply, depending upon the configuration of your conference. With these teleconferencing services you will have the same operator for the entire conference. Some teleconferencing services have the added feature of including video to your conference. Other organizations rely on commercial bridging services for their audio teleconferencing requirements where they “buy” time for specific conferences and applications.

Developments that have affected voice communications and audio teleconferencing include the following: Commercial bridging services that interconnect multiple locations for audio conferences. of teleconferencing services, including toll-free dial-in, toll dial-in, operator assisted conference calls, queues for Q&A, transcription, tape recordings and … Our teleconferencing services include everything from 800 conference calls and the flat rate conference call to web conferencing and video conferencing. WebConferenceCall’s teleconferencing services are great for any domestic or international conferencing use, and can be used for small and medium sized groups.

e-Teleconferencing flat rate conferencing is a full-featured, reservationless, automated conference service with the highest audio quality available for your conferencing needs. Web conferences for video conferencing and audio teleconferencing. Enhanced teleconferencing functionality is available both as an integrated feature of a web meeting or as a standalone audio conference. Video or audio conferences conducted over telecommunications channels such as telephone lines, local area networks, and the Internet are also defined as teleconferencing.

Bow Communications is a teleconferencing company that specializes in reservationless, unattended conference calling for commercial and non-profit organizations. Web teleconferencing, conference calling all low cost conferencing at Theconferencedepot.com. Remember, teleconferencing and conference calling are great but now you have more options. We specialize in promotional discounted teleconferencing and flatrate conference calling at its best.