Defense and commercial entities often store sensitive information in computer databases. Without adequate safeguards, an enemy or competitor could read or even tamper with a database's sensitive information. Various methods have been employed to protect data in databases from such unauthorized access. For example, database users are typically required to log in with unique user IDs and passwords before accessing databases. Further, users' login accounts are often configured with clearances or "sensitivity levels" controlling the level at which the users may operate within the database system. For example, some users may be able to operate at a classified sensitivity level but not at secret or top secret. Still further, some database management systems permit auditing of various users, terminals, data objects, etc. Thus, suspicious activity can be detected and traced through an audit trail. These and other features of database management systems are described in "Sybase SQL Server," Reference Manual: Volumes 1 and 2 (Document ID 32401-01-1000) and in "Building Applications for Secure SQL Server" (Document ID 36030-010-1000), both available from Sybase, Inc., 6475 Christie Avenue, Emeryville, Calif. 94608. These documents are incorporated herein by reference for all purposes in their entireties.
A security policy known as "discretionary access control" or "DAC" allows designated database system administrators and/or owners (i.e., creators) of database objects to grant and revoke access privileges to specific users. More specifically, the owner or administrator grants specified users permission to execute specified commands and to access specified tables, views, and columns. This policy is "discretionary" because the object owner or designated system administrator can grant and revoke privileges at his or her discretion. Unfortunately, DAC has some notable security holes, such as the "Trojan Horse" problem. A user having privileges for some objects but not others can create software (the Trojan Horse) that changes the status of, or copies into a table the user can read, a restricted object to which he or she does not have access. Because such software runs with the privileges of whoever executes it, and DAC consults only those privileges, if someone having access to the restricted object runs the Trojan Horse software, the copy succeeds and the DAC security system is circumvented.
Another security policy, known as "mandatory access control" or MAC, gives "subjects" access to database objects on the basis of sensitivity labels only. The concept of "subjects" and "objects" is central to a MAC policy. A subject is an active entity, such as a user at a workstation or a command that acts on behalf of the user. An object is a passive entity that contains or receives information. Examples of objects include database tables, rows, views, and procedures. Before any object is accessed in a MAC system, the subject's sensitivity label is compared with the object's sensitivity label to determine whether the subject is allowed to access the object in the manner requested. If this comparison shows that the subject does not have a clearance dominating that of the object, read access is denied. Also, if the comparison shows that the object does not have a label dominating that of the subject, write access is denied. Because the labels travel with the objects and the write check is applied to every subject regardless of which software issued the request, the Trojan Horse cannot copy a higher-labeled object into a lower-labeled one, and that security hole is closed in a MAC-implemented database management system.
Although MAC does provide a fairly secure database, it is rather inflexible in that it greatly limits the range of objects that a user can access. Typically, a user can never read any object whose label his or her own label does not dominate. Some database systems could benefit from allowing some users to access certain MAC-inaccessible objects for limited purposes, such as entering unclassified information in a classified database table. MAC itself provides no mechanism for granting such limited access. One prior modification of MAC systems does grant users temporary blanket privileges to write-up (with no limit) or write-down (with no limit). In these systems, the user is given write privileges for every database level between his or her own level and the system's highest level (write-up) or the system's lowest level (write-down). Unfortunately, in most instances only a limited write-up or write-down privilege is actually needed. For example, a user's label may be unclassified, while the label of the object he or she needs to modify is classified. The prior art blanket write-up privilege would allow the user to write not only the classified object, but all other objects in the system, up to the system's highest sensitivity level (e.g., top secret).
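The following is an added example, not text or code from the original document or from the Sybase products it cites. It models the DAC Trojan Horse, the MAC label dominance comparison with its read and write checks, and the prior-art blanket write-up and write-down privileges discussed in the three paragraphs above. The level names, the category (compartment) sets, the sample objects and the write-equal default for a subject without any write privilege are assumptions made for illustration: the text states only that a write is denied when the object's label does not dominate the subject's, and that plain MAC gives an unclassified user no way to write a classified table.

```python
from dataclasses import dataclass
from typing import Optional

# Hierarchical levels from system low to system high (constructed for the
# example; a real system's level names and count are configurable).
LEVELS = ["unclassified", "classified", "secret", "top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a hierarchical level plus a set of non-hierarchical
    categories (compartments). Category sets are an assumption of this model."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B iff A's level is at least B's level and A's categories
        # include all of B's. Labels with different category sets can be
        # incomparable: neither one dominates the other.
        return (RANK[self.level] >= RANK[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Read-down: allowed only when the subject's clearance dominates the
    object's label (the first comparison described in the text)."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label, privilege: Optional[str] = None) -> bool:
    """Write check.

    No privilege   -> write-equal only (assumed default for a subject holding
                      no write privilege; see the lead-in).
    "write-up"     -> blanket privilege: any object whose label dominates the
                      subject's, i.e. every level up to system high.
    "write-down"   -> blanket privilege: any object the subject dominates,
                      i.e. every level down to system low.
    """
    if privilege is None:
        return subject == obj
    if privilege == "write-up":
        return obj.dominates(subject)
    if privilege == "write-down":
        return subject.dominates(obj)
    raise ValueError("unknown privilege: %r" % privilege)


def write_up_exposure(subject: Label) -> list:
    """Levels a blanket write-up privilege opens for writing, own level
    included. For an unclassified user who only needs to touch one classified
    table this is every level above them in the system."""
    return LEVELS[RANK[subject.level]:]


def trojan_copy_blocked(runner: Label, source: Label, sink: Label,
                        privilege: Optional[str] = None) -> bool:
    """Model of the Trojan Horse from the DAC discussion, evaluated under MAC.
    Software planted by a low-cleared user and executed by `runner` tries to
    read `source` and copy it into `sink`, a table the planter can read. DAC
    would consult only the runner's privileges and let the copy through; MAC
    also requires the runner to be permitted to write the sink's label.
    Returns True when MAC blocks the copy."""
    return not (can_read(runner, source) and can_write(runner, sink, privilege))


if __name__ == "__main__":
    secret = Label("secret")
    unclass = Label("unclassified")
    print("secret user reads unclassified row:", can_read(secret, unclass))
    print("secret user writes unclassified table:", can_write(secret, unclass))
    print("Trojan copy secret -> unclassified blocked:",
          trojan_copy_blocked(secret, secret, unclass))
    print("blanket write-up exposure for unclassified user:",
          write_up_exposure(unclass))
```

Note that granting the blanket write-down privilege to the user who runs the Trojan Horse makes `trojan_copy_blocked` return False again: in this model a write-down is exactly the copy into a lower-labeled table that MAC otherwise forbids, which is why the text treats the unlimited prior-art privileges as too coarse.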
Thus, while MAC and DAC systems provide a fair degree of database security, other, more flexible systems would be desirable. Specifically, a security system giving users carefully controlled access to objects whose sensitivity labels lie outside the reach of the users' own labels would be desirable.