Newsgroups: comp.databases,comp.security.misc,alt.security From: jonhaug@ifi.uio.no (Jon Haugsand) Subject: My RFI about secure database systems. Message-ID: <1992Aug6.113858.1542@ifi.uio.no> Organization: Dept. of Informatics, University of Oslo, Norway Date: Thu, 6 Aug 1992 11:38:58 GMT A month ago I sent the following article: |> Dear Netters, |> |> |> I am writing a report on security in data base systems, both |> theoretical aspects and real systems. I am looking for references to |> information about this topic. |> |> In particular, I need information about secure data base products from |> vendors like Oracle, Sybase, Ingres and Informix. This information |> should include: |> |> Functional features (deviations from standard product) |> Security features (Orange book, TDI) |> Other features (performance and correctness degradation) |> Design and implementation (TCB subsets, polyinstantiation) |> Technical aspects (HW-platform, operating system, network) |> Delivery (release date, NCSC-evaluations, follow up) |> |> Design and implementation are most important. |> |> If you know of any references to such information (net archives, |> articles, proceedings, books, reports, telephone numbers, people, |> etc.) please e-mail me, and I promise to summerize to the net. I will |> also include my own findings. |> |> Thank you in advance. |> |> PS. I *know* i can write or call the vendor in question, something I |> will do. However, then I have to dig through some layers of sales and |> marketing persons, whom I do not trust. |> ..., and I got a few responses, which follows below. The only reference I have that is not included in the answers is the following: C.E.Landwehr, "Database Security, Status and Prospects II", Results of the IFIP WG 11.3 Workshop on Database Security, Kingston, Ontario, Canada, 5-7 October, 1988, Elsevier Science Publ, ISBN 0-444-87483-6. There is one from 1987 also, and perhaps there are from 1989, 1990, 1991 too? I don't know? Regards, --- Jon Haugsand Dept. of Informatics, Univ. of Oslo, Norway jonhaug@ifi.uio.no ************************************************************************** From: pholman@ingres.com (Paul Holman) Dear John, I am the project manager for Secure INGRES, for which we are currently moving through ITSEC certification here in the UK (we have currently depolyed an E3/F-B1 product on SEVMS platforms, although we have a number of other projects on UNIX systems). I could send you the 'claims' document for this product if you like - until we obtain full evaluation status (hopefully be the end of this year), we do not intend to push the marketing side... Paul _______________________________________________________________________ Ingres Ltd. S p e c i a l E n g i n e e r i n g EuroTech pholman@ingres.com ------------------------------ London ************************************************************************** [The following is in Norwegian. -Jon] From: steinar@balder.no (Steinar Overbeck Cook) Ikke s{rlig flatterende selvf|lgelig. Jeg h}per inderlig ikke at du har den oppfatningen om oss :-) Sikre databaser er noks} sjeldne forel|big. Vi kan imidlertid sende deg informasjon om INFORMIX-OnLine/Secure hvis du vil. Den er ferdig i "Design phase" og skal n} til teknisk vurdering hos NCSC. Send en mail til meg eller tove@balder.no, s} kan vi sende deg en s.k. "Technical Brief". -- Steinar Overbeck Cook, Balder Programvare AS, Box 1344, 1401 SKI, NORWAY Phone : +47 9 87 05 50 Fax : +47 9 87 71 16 E-mail : ...!mcsun!nuug!balder!steinar or steinar@balder.no ************************************************************************** From: faigin@aero.org You might try exploring the recent proceedings of the various security conferences, in particular: o The National Computer Security Conference (available from the National Computer Security Center, +1 410 766 8729 o The IEEE Symposium on Security and Privacy o The Annual Computer Security Applications Conference (both available from IEEE press) You might also look at past issues of SIGSAC Review (ACM) and SIGMOD. For products in evaluation, you might check the potential products list. I don't think any DB products have reached the formal stage. Lastly, try contact some of the folks in the field; particularly Ravi Sandhu (sandhu@gmuvax2.gmu.edu) or Teresa Lunt (lunt@csl.sri.com). Daniel Faigin Chair, ACM/SIGSAC (Security, Audit, and Control) ************************************************************************** From: epstein@trwacs.fp.trw.com (Jeremy Epstein) Tim Ehrsam is one of the techical support people for Oracle's B1 DBMS product. You can reach him as tehrsam@oracle.com (he's in the Bethesda Maryland office). If he can't answer your questions, he'll put you in touch with the people who can. If you want to go straight to the top, Linda Vetter (at Oracle headquarters in California) is the person responsible for Oracle secure products. Don't have information about any of the others handy...but if you don't make any progresss, let me know and I'll try to track some stuff down. If you have a recent copy of the Potential Evaluated Products List (PEPL) from the U.S. National Computer Security Center, that lists a point of contact for each product. ************************************************************************** From: M J Tranter Hi there, I think I may eventually have some information that may interest you on oracle 6.2. I am using it as part of a joint project between the Geog Dept and the EPCC. The problem is at the moment I am having difficulty getting my hands on any of the sort of information you want. I can give you the tel number of the Edinburgh part of Oracle and a name to ask for. They were quite helpful when I phoned and they did send me some information... tel: ALAN BROWN 031 2284583 I would also be interested in any information you can pick up about Oracle 6.2 as it is proving quite a difficult task :-) Mette ************************************************************************** From: "Richard Allen, Oracle Secure Systems" Jon, I saw your posting on the internet. Let me know if there is any info that I can give you. Regards, Richard Richard Allen 500 Oracle Parkway, Box 659414, Product Manager, Oracle Secure Systems Redwood Shores, CA 94065, USA Phone 415-506-6372 Fax 415-506-7200 Internet rallen@us.oracle.com ****** WANT INFO ON SECURITY? - EMAIL INFOSEC *********** ************************************************************************** From: ramm@informix.com (Rammohan Varadarajan) Hi Jon, You have reached a trustworthy R&D manager at Informix. I am responsible for OnLine/Secure, the B1 (E3 ITSEC) DBMS from Informix. If you need some quick technical overview, you can find my paper in the proceedings of the NCSC conference in Washington D.C, October, 1991. There is also a fairly informative technical overview marketing paper that I can send you. I also need to know if you are prepared to sign non-disclose agreements, etc. before we can ship manuals or design documentation. If there is anything more that I can help with, please do not hesitate to contact me. The contact in Sweden is Magnus Svensson Informix Scandinavia ph: (46)-8-792-6480 ************************************************************************** From: Marco Buseman You can contact Stan Wisseman Mail: Stan Wisseman ORACLE Corporation 500 ORACLE Parkway MD 4OP-14 Redwood Shores, CA 94065 E-Mail: swissema@us.oracle.com Marco. -- Marco Buseman Rijnzathe 6 _______________________________________ 3454 PV De Meern UNIX Product Line Developer Netherlands ORACLE Secure Systems Europe Phone: +31-3406-94211 Fax: +31-3406-65609 Engineering Division, ORACLE Europe Email: mbuseman@nl.oracle.com ************************************************************************** From: billd@informix.com (William Daul) > Dear Netters, > > > I am writing a report on security in data base systems, both > theoretical aspects and real systems. I am looking for references to > information about this topic. > > In particular, I need information about secure data base products from > vendors like Oracle, Sybase, Ingres and Informix. This information > should include: > Informix OnLine/Secure is built on Informix OnLine 4.1 > Functional features (deviations from standard product) In addition to all the features available with OnLine, OnLine/Secure includes the following: o Bundlespace Label information is not stored in the tablespaces with the data, but is stored in the bundlespace for performance reasons o Invisible locks eliminate possible covert channels o C2 and/or B1 level configurations (B1/EA and B1/EP) o LEVELS parameter in tbconfig (used to calculate maximum of open tables LEVELS * TBLSPACES) o Extent sizing occurs at intervals of 8 instead of 64 (in addition the first extent should be small) o Works with OS for Identification and Authentication, and Auditing > Security features (Orange book, TDI) o Databases area evaluated against the Lavender Book which is the Trusted Database Interpretation (TDI) of the Orange Book. o Users can read down, nut only write at their current session level o Auditing of specific users and/or activities to include all elements required by the Lavender Book. o Discretionary Access Control (DAC) and Mandatory Access Control (MAC) > Other features (performance and correctness degradation) o Currently the information from development is a degradation of about 10% to 15%. This is "out of the box" with minimal auditing and minimal labels > Design and implementation (TCB subsets, polyinstantiation) o We allow for polyinstantiation Example: label customer_num lname.... sens 101 Jones... sens 102 Smith... sens 103 Miller... uncl 101 Jones... uncl 102 Peters... Without allowing for polyinstantiation, it is possible to open a covert channel. > Technical aspects (HW-platform, operating system, network) OnLine/Secure 4.1 is currently running on the Harris Night Hawk under AT&T System V MLS (Multilevel Secure). We are targeted for the SUN CMW (Compartmented Mode Workstation) by the end of this year. This will be OnLine/Secure 5.0. We are also targeted for HP 9000 under Secureware OS. > Delivery (release date, NCSC-evaluations, follow up) We are hoping to have NCSC evaluation completed by early 1993. Since the evaluations are not under our control, this date is tentative. (Oracle is RIGHT behind us with their Trusted Oracle version 1.0. They are currently about 2 or 3 months behind us in the evaluatin stage.) > > Design and implementation are most important. > We have a full set of documentation that will fill in some of the blanks, as I have only "whetted your whistle". The documentation includes: Manuals - 000-7161 INFORMIX OnLine/Secure Administrator's Guide 000-7159 INFORMIX OnLine/Secure Trusted Facility Manual 000-7160 INFORMIX OnLine/Secure Security Features User's Guide Documentation - Modified 2167A documentation set Policy Model, System Design Specification, etc. White Paper - (dataed July 1990) The Informix Secure DBMS: Technical Overview and Statement of Direction Technical Brief - INFORMIX-OnLine/Secure Version 4.1 For the UNIX Operating System > If you know of any references to such information (net archives, > articles, proceedings, books, reports, telephone numbers, people, > etc.) please e-mail me, and I promise to summerize to the net. I will > also include my own findings. > There is an internal course being held in Menlo Park the Week of July 13. For more information on the course, please notify Karen Rathjens in the Menlo Office. > Thank you in advance. > Hope this helps a little. If I can be of further assistance, please let me know. > PS. I *know* i can write or call the vendor in question, something I > will do. However, then I have to dig through some layers of sales and > marketing persons, whom I do not trust. > > --- > Jon Haugsand > Dept. of Informatics, Univ. of Oslo, Norway > jonhaug@ifi.uio.no > JanetB (jbrill@panda) -- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% ) William Daul Advanced Support ( ( INFORMIX SOFTWARE INC. Project Administrator ) ) 4100 Bohannon Dr. (415) 926-6488 - wk ( ( Menlo Park, CA. 94025 ) ) Email: billd@informix.com or uunet!infmx!billd ( %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% ************************************************************************** From: Teresa Lunt Springer Verlag has just published a book edited by me called "Research Directions in Database Security." It has a chapter on the Sybase Secure Server. You can purchase the book from Springer Verlag or by ordering it from a bookstore. THanks, Teresa ************************************************************************** From: "swissema" Jon, If you provide your address, I'll send you information on Trusted ORACLE7. Regards, Stan Oracle Secure Systems 500 Oracle Parkway, Box 659414 415-506-2621 Redwood Shores, CA 94065, USA Fax 415-506-7200 swissema@us.oracle.com WISSEMAN@dockmaster.ncsc.mil ************************************************************************** From: guenther@ifs.univie.ac.at (Guenther Pernul) Dear Jon Hausgsand: I got your posting from a friend. You want to get pointed to literature to database security. I have written a bibliography on that topic in which you might be interested. It appeared in ACM SIGMOD Record, Vol. 21, No. 1, March 1992. I have included below a email version which I have posted to a newsgroup some months ago. I you have any further questions, do not hesitate to contact me. With regards, guenther. ---------------------- A lot of discussion about literature on Computer Security has been taken place recently in this news group. We have compiled a bibliography on the security aspect in databases. As we believe this might be of interest for this news group we are posting it even if the file is quite long. If you are aware of literature that is not included please let us know. A modified version of this file including an introduction to each subject appeared in ACM SIGMOD Record, Vol 21, No 1, March 1992. A Bibliography on Database Security G. Pernul, G. Luef Institute of Statistics & Computer Science University of Vienna Liebigg. 4/3-4 A-1010 Vienna, Austria guenther@ifs.univie.ac.at [Bibliography deleted. (It's huge!) Available from me on request. -Jon] ************************************************************************** From: "Secure Systems SBU" I can provide Jon with appropriate information if I can get his postal address. Regards, Sean Doyle Secure Systems Oracle Corporation *************************************************************** * Use INFOSEC for Fast Answers to ORACLE Security Questions! * *************************************************************** ************************************************************************** From: HQPYR1:SNIEUWEN.NL1.oramail@nl.oracle.com Jon Haug, We do this kind of research professionally, and the secret is to not ever talk to sales types. In order of increasing preference, you wish to talk to: Marketing Communications/Public Relations/Consultant Relations: There are often the gate for the other elements of the company. Butter these guys up, indicating that your report can potentially help or hurt their sales (without overtly saying so). Product Marketing: quite variable in their capabilities Product Management: often, they are the very best Engineering architect and designer: if they can talk Let me know what companies/products you're interested in, and I'll see if I can help, if you'll share your study with me. Regards, Lee -- /-------------------------------------------------------\ /Lee D. Rothstein 603-424-2900\ / New Science Associates, Inc. Fax: 603-424-8549 \ \ 7 Merrymeeting Drive Email: ldr@merrymeeting.mv.com / \Merrimack, NH 03054-2934 IEEE Computer Society, NH/ \-------------------------------------------------------/ **************************************************************************