This paper is devoted to the analysis of mandatory access restriction system for Oracle DBMS. As the result, several leakage channels are discovered.

For many information system based on DBMS it is often a problem to implement access restriction, which takes information value into account. It is usually crucial for large-scale information systems of government or corporate use (i.e. geographical information systems or document management systems). Such system usually imply mandatory access model. One of the features of the mandatory model is prevention of either intentional or accidental decrease of information value thanks to information flow control. Mandatory access model is implemented by labeling all the subjects and objects belonging to the access restriction system.

Oracle DBMS is currently one of the most powerful and popular industrial DBMS. Starting from Oracle9i version, Oracle Label Security (OLS) component is implemented, which makes it possible to organize mandatory access to stored data. OLS is a set of procedures and limitations built into database kernel, which allow implementation of record-level access control. In order to enable OLS it is necessary to create a security policy containing a set of labels. Whenever this policy is created it should be applied to protected tables and users should receive rights to corresponding labels.
Analysis for possible leakage channels of confidential information seems interesting for the reviewed system.
We are offering the following common analysis algorithm of the implemented mandatory access model.
1) Access object types are determined according to the published documentation and investigation of the DBMS (e.g., tables, strings, or columns).
2) Commands of SQL are analyzed in terms of how users can modify access objects.
3) Several objects with different confidentiality levels are created for each access object type.
4) Several user (access subject) accounts are created with different mandatory access rights.
5) A sequence of SQL-queries is formed, which are executed with different mandatory access restriction rights and objects with different confidentiality level. According to the analysis of execution of these queries it is possible to build an access model, and to make a conclusion whether the system has vulnerabilities, which can lead to leakage or corruption of confidential information.
Read the full story