3.
INTRODUCTION
What is an operating system?
In simple words, an OS is a computer program that manages all other programs on the machine.
Every general-purpose computer must have an operating system to run other programs.
The OS performs basic tasks, such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices such as disk drives and printers.
4.
INTRODUCTION
What is multiprogramming?
The concurrent execution of multiple programs by a single processing unit.
Concurrent execution of several different programs by sharing the same central processing unit (CPU).
A form of processing in which a computer holds more than one program in memory and works on them in round-robin fashion, that is, by sharing out the processor's time so that each program receives some attention some of the time. This way of working is in contrast to using the processor to run one program at a time.
5.
SECURITY METHODS OF OPERATING SYSTEMS
The basis of protection is separation – keeping one user's objects separate from other users'.
According to Rushby and Randell (1983), separation in an OS can occur in several ways:
Physical separation – processes use different physical objects, such as separate printers for output requiring different levels of security.
Temporal separation – processes having different security requirements are executed at different times.
6.
SECURITY METHODS OF OPERATING SYSTEMS
According to Rushby and Randell (1983), separation in an OS can occur in several ways:
Logical separation – users operate under the illusion that no other processes exist, as when an OS constrains a program's accesses so that it cannot access objects outside its permitted domain.
Cryptographic separation – processes conceal their data and computations in such a way that they are unintelligible to outside processes.
But separation is only half of the answer – although we want to separate users and their objects, at the same time we want to be able to provide sharing for some of those objects.
7.
SECURITY METHODS OF OPERATING SYSTEMS
Besides separation, an OS may offer protection at any of several levels:
No protection – these systems are appropriate when sensitive procedures are being run at separate times.
Isolation – different processes running concurrently are unaware of the presence of each other. Each process has its own address space, files and other objects.
Share all or share nothing – with this form of protection the owner of an object declares it to be public (available to all users) or private (available only to its owner).
8.
SECURITY METHODS OF OPERATING SYSTEMS
Besides separation, an OS may offer protection at any of several levels:
Share via access limitation – the OS checks the allowability of each potential access. Access control is implemented for a specific user and a specific object – the OS acts as a guard between users and objects, ensuring that only authorized accesses occur.
Share by capability – an extension of limited-access sharing that allows dynamic creation of sharing rights for objects. The degree of sharing can depend on the owner or on the object itself.
Limit use of an object – this limits not just the access to an object but the use made of that object after it has been accessed. For example, a user may have the right to view a sensitive document but not be allowed to print a copy of it.
9.
Protecting Access to General Objects
The terms object and subject will be used throughout, where subject refers to the user (a programmer, a program, etc.) who uses the computing system's objects.
Here are some examples of the kinds of objects for which protection is desirable:
Memory
A file or data set on an auxiliary storage device
Directory files
Instructions
Passwords and the user authentication mechanisms
10.
Protecting Access to General Objects
There are several ways to protect access to general objects:
Directory
Access Control List
Access Control Matrix
Capability
11.
Protecting Access to General Objects
Directory
Each user has a file directory which lists all the files to which that user has access.
No user can be allowed to write in the file directory, because that would be a way to forge access to a file.
12.
Protecting Access to General Objects
Access Control List
This differs from the directory list because there is one access control list per object, while a directory is created for each subject.
Although this difference seems small, there are some significant advantages.
For example, if subjects A and S both have access to object F, the OS will maintain just one access list for F showing the access rights for A and S.
13.
Access Control List - ACL
An access list specifies, for each object, the list of valid subjects that can access it.
E.g. for objects X, Y and Z with subjects A, B and C:
X : A (read), B (read, execute)
Y : A (write)
Z : A (read, execute), B (read), C (read, execute)
Each column is stored with the object corresponding to that column:
X: A:r, B:r, B:x
Y: A:w
Z: A:r, A:x, B:r, C:r, C:x
14.
Protecting Access to General Objects
Access Control Matrix
It is a table in which each row represents a subject, each column represents an object and each entry is the set of rights for that subject to that object.
        Data 1   Data 2   Prog 1   Prog 2
Alice   RW       RW       E        X
Bob     X        R        RWE      RW
Carol   X        W        X        E
15.
Protecting Access to General Objects
Capability
A capability is analogous to a ticket to a movie or an ID card that cannot be duplicated.
It is an unforgeable token giving the possessor certain rights to an object.
One way to make an unforgeable ticket is not to give the ticket directly to the user – instead, the OS holds all the tickets on behalf of the users.
A capability can be created only by a specific request from a user to the OS.
16.
Capabilities
E.g. for objects X, Y and Z with subjects A, B and C:
A: X (read), Y (read), Z (write, execute)
B: X (read, execute), Z (read)
C: Z (read, execute)
Each row is stored with the subject corresponding to that row:
A: X/r, Y/r, Z/w, Z/x
B: X/r, X/x, Z/r
C: Z/r, Z/x
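The ACL, access control matrix and capability slides above describe one structure seen three ways. The following is an added example (not code from the slides) that builds the matrix from the ACL slide's rights for subjects A, B, C and objects X, Y, Z, derives the per-object ACLs (columns) and per-subject capability lists (rows), and puts both behind a reference monitor that holds the tickets on the subjects' behalf; the delegation rule it uses for "share by capability" is an assumption of the example.

```python
# Added example (not from the slides): one access-control matrix read
# column-wise as per-object ACLs and row-wise as per-subject capability lists,
# behind a reference monitor that mediates every access. Subjects A, B, C and
# objects X, Y, Z carry the rights given on the ACL slide.
from typing import Dict, FrozenSet, Set

Matrix = Dict[str, Dict[str, FrozenSet[str]]]

# Rows are subjects, columns are objects; a cell is the set of rights
# ("r" read, "w" write, "x" execute). A missing cell means no rights.
MATRIX: Matrix = {
    "A": {"X": frozenset("r"), "Y": frozenset("w"), "Z": frozenset("rx")},
    "B": {"X": frozenset("rx"), "Z": frozenset("r")},
    "C": {"Z": frozenset("rx")},
}


def column_acl(matrix: Matrix, obj: str) -> Dict[str, FrozenSet[str]]:
    """One column of the matrix: the ACL that is stored with object `obj`."""
    return {subj: row[obj] for subj, row in matrix.items() if obj in row}


def row_capabilities(matrix: Matrix, subject: str) -> Set[str]:
    """One row of the matrix, in the slide's object/right notation (e.g. "Z/x")."""
    return {f"{obj}/{right}"
            for obj, rights in matrix.get(subject, {}).items()
            for right in rights}


class ReferenceMonitor:
    """Complete mediation: every access goes through check(). The monitor,
    not the subject, holds the tickets, which is what keeps them unforgeable."""

    def __init__(self, matrix: Matrix) -> None:
        # Copy the rows so callers cannot alter rights behind the monitor's back.
        self._matrix: Matrix = {s: dict(row) for s, row in matrix.items()}

    def check(self, subject: str, obj: str, right: str) -> bool:
        return right in self._matrix.get(subject, {}).get(obj, frozenset())

    def delegate(self, holder: str, grantee: str, obj: str, right: str) -> bool:
        """Share by capability. Assumed rule for this example: a subject may pass
        on a right only if it holds that right itself. Returns True if the new
        capability was created."""
        if not self.check(holder, obj, right):
            return False
        row = self._matrix.setdefault(grantee, {})
        row[obj] = row.get(obj, frozenset()) | {right}
        return True

    def acl(self, obj: str) -> Dict[str, FrozenSet[str]]:
        return column_acl(self._matrix, obj)

    def capabilities(self, subject: str) -> Set[str]:
        return row_capabilities(self._matrix, subject)


if __name__ == "__main__":
    rm = ReferenceMonitor(MATRIX)
    print("ACL for Z:", rm.acl("Z"))
    print("Capabilities of A:", sorted(rm.capabilities("A")))
    print("C reads X?", rm.check("C", "X", "r"))
```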
17.
PROTECTING MEMORY & ADDRESSING
The most obvious problem of multiprogramming is preventing one program from affecting the memory of other programs.
There are several ways to protect memory and addressing:
Fence
Relocation
Base and Bound Registers
Tagged Architecture
Segmentation
Paging
18.
PROTECTING MEMORY & ADDRESSING
Fence
A method to confine users to one side of a boundary.
The fence is a predefined memory address, so that the OS resides on one side and the user on the other.
The implementation is very restrictive because a predefined amount of space was reserved for the OS – if less than that amount of space was required, the excess space was wasted, and the OS could not grow beyond the fence boundary.
An alternative is to implement a fence register.
19.
PROTECTING MEMORY & ADDRESSING
Fence Register
Contains the address of the end of the OS.
The location of this fence can be changed.
Each time a user program generates an address for data modification, the address is automatically compared against the fence address: if the address is greater than the fence address (in the user area) the instruction is executed; if it is less than the fence address (in the OS area) an error condition is raised.
20.
PROTECTING MEMORY & ADDRESSING
Relocation
The process of taking a program written as if it began at address 0 and changing all addresses to reflect the actual address at which the program is located in memory.
Conveniently, the fence register can be used in this situation to provide an important extra benefit.
21.
PROTECTING MEMORY & ADDRESSING
Base and Bound Registers
The concept is similar to the fence register but adds value, since a fence register only acts as a base register (stating the starting address but not the upper address).
Bound registers are often added to indicate the upper address limit.
In this way, a program's addresses are neatly confined to the space between the base and the bound register.
22.
PROTECTING MEMORY & ADDRESSING
Tagged Architecture
Errors in coding are bound to happen, and these easily compromise security based on base/bound register techniques.
This is solved with a tagged architecture – every word of machine memory has one or more extra bits to identify the access rights to that word.
These access bits are tested every time an instruction accesses that location.
23.
PROTECTING MEMORY & ADDRESSING
Segmentation
The notion of dividing a program into separate pieces.
Each segment has a unique name.
A code or data item within a segment is addressed as a pair <name, offset>, where name is the name of the segment and offset is its location within the segment.
24.
PROTECTING MEMORY & ADDRESSING
Paging
An alternative to segmentation.
Each address is a two-part object <page, offset>.
The program is divided into equal-size pieces called pages, and memory is divided into same-sized units called page frames.
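The fence register, base/bound, tagged architecture, segmentation and paging slides each describe a check the hardware makes on an address before the access proceeds. The following simulated MMU is an added example (not from the slides) that implements those checks side by side; the fence address, segment table, page table and page size are constructed values for the example.

```python
# Added example (not from the slides): a small simulated MMU applying, in turn,
# the fence register, relocation with base/bound registers, tagged words,
# segment <name, offset> and page <page, offset> translation. All addresses,
# table contents and sizes below are constructed for the example.
from typing import Dict, List, Optional, Tuple


class MemoryViolation(Exception):
    """Raised where the slides say 'an error condition is raised'."""


# --- Fence register: OS lives below the fence, user programs above it -------
FENCE = 0x1000  # assumed end-of-OS address held in the fence register


def fence_check(addr: int, fence: int = FENCE) -> int:
    """An address in the user area (>= fence) passes; below it is the OS area."""
    if addr < fence:
        raise MemoryViolation(f"{addr:#x} is in the OS area below fence {fence:#x}")
    return addr


# --- Relocation with base and bound registers ------------------------------
def base_bound_translate(logical: int, base: int, bound: int) -> int:
    """The program is written as if loaded at 0; base relocates it and bound
    caps it, so the physical address must satisfy base <= physical < bound."""
    if logical < 0:
        raise MemoryViolation("negative logical address")
    physical = base + logical
    if physical >= bound:
        raise MemoryViolation(f"{physical:#x} reaches past bound {bound:#x}")
    return physical


# --- Tagged architecture: every word carries its own access bits ----------
# Each word is (tag, value); the tag lists the operations allowed, e.g. "rw".
TaggedWord = Tuple[str, int]


def tagged_access(memory: List[TaggedWord], addr: int, op: str,
                  value: Optional[int] = None) -> int:
    """Check the word's tag on every access: 'w' stores value, 'r' loads it."""
    tag, old = memory[addr]
    if op not in tag:
        raise MemoryViolation(f"op {op!r} not permitted by tag {tag!r} at {addr:#x}")
    if op == "w":
        memory[addr] = (tag, value)
        return value
    return old


# --- Segmentation: <name, offset> with a per-segment base and length -------
# Assumed segment table: segment name -> (physical base, length in bytes).
SEGMENT_TABLE: Dict[str, Tuple[int, int]] = {"main": (0x4000, 0x200),
                                             "table": (0x9000, 0x100)}


def segment_translate(name: str, offset: int,
                      table: Dict[str, Tuple[int, int]] = SEGMENT_TABLE) -> int:
    """The offset must fall inside the named segment; unknown names are rejected."""
    if name not in table:
        raise MemoryViolation(f"no segment named {name!r}")
    base, length = table[name]
    if not 0 <= offset < length:
        raise MemoryViolation(f"offset {offset:#x} outside segment {name!r}")
    return base + offset


# --- Paging: <page, offset> with equal-sized pages and page frames ---------
PAGE_SIZE = 4096
PAGE_TABLE: Dict[int, int] = {0: 5, 1: 2}  # assumed page -> frame mapping


def page_translate(page: int, offset: int,
                   table: Dict[int, int] = PAGE_TABLE, page_size: int = PAGE_SIZE) -> int:
    """The offset can never exceed the page size, so a program cannot reach
    beyond its own pages; an unmapped page is also a violation."""
    if not 0 <= offset < page_size:
        raise MemoryViolation(f"offset {offset:#x} exceeds the page size")
    if page not in table:
        raise MemoryViolation(f"page {page} is not mapped")
    return table[page] * page_size + offset


if __name__ == "__main__":
    print(hex(base_bound_translate(0x10, 0x2000, 0x3000)))  # 0x2010
    print(hex(segment_translate("main", 0x1f)))              # 0x401f
    print(hex(page_translate(1, 0x10)))                      # 0x2010
```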
25.
Designing Trusted Operating Systems
What is a trusted system?
Security professionals speak of trusted rather than secure OS, connoting the ones that meet their intended security requirements and justify confidence in their quality.
26.
Designing Trusted Operating Systems
Secure versus Trusted
Secure                                                           Trusted
Either-or concept                                                Graded – there are degrees of "trustedness"
Property of presenter                                            Property of receiver
Asserted: based on product characteristics                       Judged: based on evidence and analysis
Absolute: not qualified as to how, where, when or by whom used   Relative: viewed in context of use
A goal                                                           A characteristic
27.
Designing Trusted Operating Systems
Among the components underpinning a trusted OS are:
Security policy: a statement of the security we expect the system to enforce.
Model: the representation of the policy that the OS will enforce.
Design: covers both what the trusted OS is and how it is to be constructed.
Trust: based on two aspects, that is, features (the OS has all the necessary functionality needed to enforce the expected security policy) and assurance (the OS has been implemented in such a way that we have confidence it will enforce the security policy).
28.
Security Policies
A security policy is a statement of the security we expect the system to enforce.
29.
Military Security Policies (MSP)
MSP is based on protecting classified information.
Five levels:
1 - unclassified
2 - restricted
3 - confidential
4 - secret
5 - top secret
30.
Classified information may be associated with one or more projects called compartments.
The combination of rank and compartment is called the class or classification of a piece of information.
Clearance – a person is trusted to access certain information up to a level of sensitivity, called dominance.
31.
A subject can read an object only if:
a) the clearance level of the subject is at least as high as that of the information, and
b) the subject has a need to know about all compartments for which the information is classified.
32.
Military Security Policy
Information classified <secret, {sweden}> can be accessed/read by:
• <top secret, {sweden, crypto}> or
• <secret, {sweden, crypto}>
But it cannot be accessed/read by:
• <top secret, {crypto}> or
• <confidential, {sweden}>
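The read rule of slides 31 and 32 is the dominance check on (level, compartments) pairs. The following is an added example (not from the slides) that encodes the five MSP levels and the rule, and reproduces the four cases above; the helper names are the example's own.

```python
# Added example (not from the slides): the MSP "can read" rule with the five
# levels listed on the MSP slide. A security class is a (level, compartments)
# pair; a subject's clearance must dominate the object's classification, i.e.
# its level is at least as high and it has need-to-know for every compartment.
from typing import FrozenSet, Iterable, List, Tuple

LEVELS: List[str] = ["unclassified", "restricted", "confidential", "secret", "top secret"]
SecurityClass = Tuple[str, FrozenSet[str]]


def make_class(level: str, compartments: Iterable[str] = ()) -> SecurityClass:
    """Build a classification or clearance; rejects levels outside the five."""
    if level not in LEVELS:
        raise ValueError(f"unknown sensitivity level {level!r}")
    return level, frozenset(compartments)


def dominates(clearance: SecurityClass, classification: SecurityClass) -> bool:
    """clearance >= classification in the dominance order. The order is only
    partial: classes with incomparable compartment sets dominate neither way."""
    c_level, c_comp = clearance
    o_level, o_comp = classification
    return LEVELS.index(c_level) >= LEVELS.index(o_level) and o_comp <= c_comp


def can_read(clearance: SecurityClass, classification: SecurityClass) -> bool:
    """Reading is permitted exactly when the reader's clearance dominates."""
    return dominates(clearance, classification)


def readers(classification: SecurityClass,
            clearances: Iterable[SecurityClass]) -> List[SecurityClass]:
    """Filter a list of clearances down to those allowed to read the object."""
    return [c for c in clearances if can_read(c, classification)]


if __name__ == "__main__":
    doc = make_class("secret", {"sweden"})
    for clr in (make_class("top secret", {"sweden", "crypto"}),
                make_class("secret", {"sweden", "crypto"}),
                make_class("top secret", {"crypto"}),
                make_class("confidential", {"sweden"})):
        print(clr[0], sorted(clr[1]), "->", can_read(clr, doc))
```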
33.
Chinese Wall Security Policy
A conflict of interest exists when one person can obtain sensitive information on competing companies.
Three levels of abstraction:
i) Objects – the lowest level consists of elementary objects, for example files; each file contains information concerning only one company group.
ii) Company group – all objects concerning each company are grouped together.
iii) Conflict classes – at the highest level, all groups of objects for competing companies are clustered.
Each object thus belongs to a unique company group, and each company group is contained in a unique conflict class.
34.
A conflict class may contain one or more company groups.
The Chinese Wall policy is a commercially inspired confidentiality policy, whereas commercial policies focus on integrity.
35.
Chinese Wall Security Policy – example
Company groups: Air Asia, MAS, Cadbury, Vochele, Hershey, TNB.
Conflict classes: competing company groups are clustered together (for example, the competing airlines fall in one conflict class and the competing chocolate makers in another).
Someone has data on six company groups.
ACCESS SCHEME – a person can access any information as long as that person has never accessed information from a different company in the same conflict class.
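The access scheme on slides 33 to 35 depends on each person's access history, so the check needs state. The following is an added example (not from the slides) that enforces it for the six company groups named above; the grouping into conflict classes and the file names are assumptions of the example.

```python
# Added example (not from the slides): the Chinese Wall access scheme for the
# six company groups on the slide. The grouping into conflict classes is
# assumed here (competing airlines, competing chocolate makers, a lone utility).
from typing import Dict, Set

CONFLICT_CLASSES: Dict[str, Set[str]] = {
    "airlines": {"Air Asia", "MAS"},
    "chocolate": {"Cadbury", "Vochele", "Hershey"},
    "utilities": {"TNB"},
}

# Object level: each file holds information about exactly one company group
# (constructed file names for the example).
FILES: Dict[str, str] = {
    "airasia_q3.xlsx": "Air Asia",
    "mas_fleet.doc": "MAS",
    "cadbury_plan.pdf": "Cadbury",
    "tnb_tariff.txt": "TNB",
}


def conflict_class_of(company: str) -> str:
    """Every company group sits in exactly one conflict class."""
    for name, members in CONFLICT_CLASSES.items():
        if company in members:
            return name
    raise KeyError(f"{company!r} belongs to no conflict class")


class ChineseWall:
    """Keeps each person's access history; the wall goes up at the first access
    within a conflict class and blocks every other company in that class."""

    def __init__(self) -> None:
        self._history: Dict[str, Set[str]] = {}  # person -> companies accessed

    def may_access(self, person: str, company: str) -> bool:
        cls = conflict_class_of(company)
        for seen in self._history.get(person, set()):
            if seen != company and conflict_class_of(seen) == cls:
                return False  # a competitor in the same class was already read
        return True

    def read(self, person: str, filename: str) -> str:
        """Mediate a file read; on success record the company group accessed."""
        company = FILES[filename]
        if not self.may_access(person, company):
            raise PermissionError(f"{person} already holds data on a competitor of {company}")
        self._history.setdefault(person, set()).add(company)
        return company

    def history(self, person: str) -> Set[str]:
        return set(self._history.get(person, set()))


if __name__ == "__main__":
    wall = ChineseWall()
    wall.read("ana", "airasia_q3.xlsx")
    print("ana may read MAS data?", wall.may_access("ana", "MAS"))   # False
    print("ana may read TNB data?", wall.may_access("ana", "TNB"))   # True
```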
36.
Security Features of Trusted Operating Systems
The features of trusted operating systems include:
User identification: a trusted OS requires identification of individuals, and each individual must be uniquely identified.
Mandatory access control: access control policy decisions are made beyond the control of the individual owner of an object – a central authority determines what information is to be accessible by whom, and the user cannot change the access rights.
Discretionary access control: the owner can determine who should have access rights to an object and what those rights should be.
37.
Security Features of Trusted Operating Systems
The features of trusted operating systems include:
Object reuse protection: to prevent object reuse leakage, the OS clears (overwrites) all space to be reassigned.
Complete mediation: all accesses are checked.
Trusted path: for critical operations such as setting a password or changing access permissions, users are required to communicate through a trusted path.
38.
Security Features of Trusted Operating Systems
The features of trusted operating systems include:
Accountability and audit: maintaining a log of security-relevant events that have occurred, listing each event and the person responsible.
Intrusion detection system: software builds usage patterns of the normal system and triggers an alarm any time the usage is abnormal.
39.
Hardening Your OS
Operating System Hardening
Hardening of operating systems is the first step towards safeguarding systems from intrusion. Workstations and servers typically arrive from the vendor installed with a multitude of development tools and utilities, which, although beneficial to the new user, also provide potential back-door access to an organisation's systems.
Hardening of an operating system involves the removal of all non-essential tools, utilities and other systems administration options, any of which could be used to ease a hacker's path to your systems. Following this, the hardening process will ensure that all appropriate security features are activated and configured correctly. Again, 'out of the box' systems will likely be set up for ease of access, with access to the 'root' / Administrator account. Some vendors have now recognised that a market exists for pre-hardened systems.
41.
Introduction
A database is a collection of data and a set of rules that organize the data by specifying certain relationships among the data.
Through these rules, the user describes a logical format for the data.
The user interacts with the database through a program called a database manager or database management system (DBMS), informally known as a front end.
42.
Introduction
Advantages of Using Databases
Shared access – so that many users can use one common, centralized set of data.
Minimal redundancy – so that individual users do not have to collect and maintain their own sets of data.
Data consistency – so that a change to a data value affects all users of the data value.
Data integrity – so that data values are protected against accidental or malicious incorrect changes.
Controlled access – so that only authorized users are allowed to view or modify data values.
43.
Security Requirements
Physical database integrity – so that the data of a database is immune to physical problems such as power failures, and so that someone can reconstruct the database if it is destroyed through a catastrophe.
Logical database integrity – so that the structure of the database is preserved. With logical integrity of a database, a modification to the value of one field does not affect other fields.
44.
Security Requirements
Element integrity – so that the data contained in each element is accurate.
Auditability – to be able to track who has accessed (or modified) the elements in the database.
Access control – so that a user is allowed to access only authorized data, and so that different users can be restricted to different modes of access (such as read or write).
45.
Security Requirements
User authentication – to ensure that every user is positively identified, both for the audit trail and for permission to access certain data.
Availability – meaning that users can access the database in general and all the data for which they are authorized.
46.
Sensitive Data
Sensitive data is data that should not be made public.
Determining which data items are sensitive depends on the individual database and the underlying meaning of the data.
Examples: a library public catalog (no sensitive data), military and defense databases (all sensitive data), a university database (some but not all sensitive).
47.
Types of Disclosure
Exact data – the most serious disclosure is the exact value of the sensitive data itself.
Bounds – indicating that a sensitive value (y) is between values L and H.
Negative result – sometimes one can word a query to determine a negative result (z is not the value of y).
Existence – the existence of the data is itself a sensitive piece of data, regardless of the actual value.
Probable value – it may be possible to determine the probability that a certain element has a certain value.
48.
Proposals for Secure Multilevel Databases
Partitioning
The database is divided into separate databases, each at its own level of sensitivity.
This approach is similar to maintaining separate files in separate file cabinets.
49.
Proposals for Secure Multilevel Databases
Encryption
If sensitive data is encrypted, a user who accidentally receives sensitive data cannot interpret the data.