Secure multi-level system for executing stored procedures
Abstract
A database management system is provided for security of database objects. These objects may be passive elements such as tables, rows, views, the databases themselves, etc., or they may be executable items such as stored procedures or triggers. A mechanism is provided for "certifying" that certain types of objects such as stored procedures, triggers, and views can be safely used to access other, sensitive objects in the database. Certification indicates that (1) a security officer has evaluated and certified the object, and (2) the now certified object has not undergone a defined security-relevant change since certification. Certification is particularly important in the context of a "trusted" stored procedure or a "trusted" stored trigger. "Trusted" executable objects can be executed at sensitivity levels that exceed that of a user or subject. Thus, the subject may use a trusted stored procedure or trigger to access certain objects having higher sensitivity levels than his or her own. If the certified object changes in a security-relevant manner, its "certification state" changes from certified to "suspect" which causes the object to become unexecutable.
226 Citations

Claims (26)
1. A method of improving the security of a database in a computer system, the database comprising a plurality of stored objects, at least some of which are executable objects, said executable objects referencing other objects and having certification states, the method comprising the steps of:

if an executable object meets defined security criteria, certifying the executable object such that its certification state is certified; if one or more defined security-relevant changes occur to one or more of the objects referenced by a certified executable object, automatically changing the certification state of the certified executable object from certified to suspect; and preventing execution of the suspect executable object until its certification state is no longer suspect.

(Dependent claims: 2, 3, 4, 5.)

6. A method of permitting a subject having current read and write labels to access a database object in a computer system, the object having an access sensitivity label, the database including a procedure referencing the object, and the procedure having its own access sensitivity label and current read and write labels, the method comprising the following steps:

certifying the procedure as meeting defined security criteria; initiating a task on behalf of the subject; applying the subject's current read and write labels to the task so that the subject's current read and write labels constitute the task's current read and write labels; initiating execution of the certified procedure if the subject's current read label dominates the procedure's access sensitivity label; applying the procedure's current read and write labels to the task; comparing the task's current read and write labels to the object's access sensitivity label to determine whether the task has authorization to access the object; determining whether the procedure references any object that has undergone a security-relevant change after the procedure was certified; and if the task has mandatory access control authorization to access the object and the procedure does not reference an object that has undergone a security-relevant change as determined in the steps of comparing and determining, permitting the procedure to access the object.

(Dependent claims: 7, 8, 9, 10, 11, 12, 13.)

14. A method of improving the security of a database in a computer system, the database comprising a plurality of stored objects, at least some of which are executable objects, said executable objects having a certification state, an access sensitivity label, and current read and write labels, the method comprising the following steps:

certifying an executable object such that its certification state is certified if the executable object meets defined security criteria; compiling the certified executable object; initiating a task on behalf of the subject; and if a read sensitivity label of the subject dominates the certified executable object's access sensitivity label, (i) applying the current read and write labels of the certified executable object to the subject's task, (ii) determining whether the certified executable object references any objects which have undergone one or more defined security-relevant changes after the executable object was compiled, and (iii) if the certified executable object does not reference any objects which have undergone one or more defined security-relevant changes after the executable object was compiled, executing the certified executable object.

(Dependent claims: 15, 16, 17, 18, 19, 20, 21.)

22. A computer system comprising:

a processor; a memory; a stored procedure capable of running on said processor, the stored procedure having a defined certification state and referencing one or more referenced objects stored in said memory; means for explicitly changing the certification state of the stored procedure in accordance with defined security criteria; means for implicitly changing the certification state of the stored procedure from a certified certification state to a suspect certification state if a defined security-relevant change occurs to any of the one or more referenced objects; and means for preventing suspect stored procedures from re-executing until their certification state has been changed to a state that is not suspect by the means for explicitly changing the certification state of a stored procedure.

(Dependent claims: 23, 24, 25, 26.)
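The abstract and claims 1, 6, 14 and 22 together describe one mechanism: a security officer explicitly certifies a stored procedure, the DBMS implicitly flips it to "suspect" when any object it references undergoes a security-relevant change, and a suspect procedure cannot run until it is explicitly re-certified; while a certified procedure runs, the task carries the procedure's labels rather than the subject's, which is what lets a low subject reach a higher object. The following is an added illustration written for this page, not code from the patent or its assignee. Labels are modelled as (level, categories) with ordinary MAC dominance, only the read path of the task is exercised, and every identifier (Label, DbObject, StoredProcedure, Database, the "payroll" table, the "avg_salary" procedure, the versions used to detect changes) is an assumption made for the example.

```python
# Added example, not the patent's own code: a toy model of the certify/suspect
# mechanism described in the abstract and claims 1, 6, 14 and 22. Every name
# (Label, DbObject, StoredProcedure, Database, the "payroll" table and the
# "avg_salary" procedure) is an assumption made for illustration.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Label:                # hierarchical level plus a set of compartments
    level: int
    categories: frozenset = frozenset()
    def dominates(self, other):
        # Standard MAC dominance: level at least as high, categories a superset.
        return self.level >= other.level and other.categories <= self.categories

@dataclass
class DbObject:             # passive object: table, row, view, ...
    sensitivity: Label
    version: int = 0        # bumped on every security-relevant change

@dataclass
class StoredProcedure:
    name: str
    access_sensitivity: Label   # subject's read label must dominate this to start it
    read_label: Label           # labels the task runs with once inside the procedure
    write_label: Label
    references: list            # names of the objects the procedure touches
    state: str = "uncertified"  # uncertified | certified | suspect
    certified_versions: dict = field(default_factory=dict)

class Database:
    def __init__(self):
        self.objects, self.procedures = {}, {}

    def certify(self, proc_name, officer_approved):
        """Explicit state change: only a security officer's review yields
        'certified'; the versions of all referenced objects are recorded."""
        proc = self.procedures[proc_name]
        if officer_approved:
            proc.certified_versions = {n: self.objects[n].version for n in proc.references}
            proc.state = "certified"
        return proc.state

    def security_relevant_change(self, obj_name, new_sensitivity=None):
        """Implicit state change: relabelling or redefining an object flips every
        certified procedure that references it to 'suspect'."""
        obj = self.objects[obj_name]
        if new_sensitivity is not None:
            obj.sensitivity = new_sensitivity
        obj.version += 1
        for proc in self.procedures.values():
            if proc.state == "certified" and obj_name in proc.references:
                proc.state = "suspect"

    def execute(self, subject_read, subject_write, proc_name, target_name):
        """Read target_name through proc_name on behalf of a subject (claims 6, 14)."""
        proc, target = self.procedures[proc_name], self.objects[target_name]
        # 1. Task starts with the subject's labels; subject must dominate the procedure.
        task_read, task_write = subject_read, subject_write
        if not task_read.dominates(proc.access_sensitivity):
            raise PermissionError("subject cannot read the procedure")
        # 2. A suspect or never-certified procedure does not run at all.
        if proc.state != "certified":
            raise PermissionError(f"procedure is {proc.state}")
        # 3. Independent check that nothing referenced changed since certification.
        if any(self.objects[n].version != v for n, v in proc.certified_versions.items()):
            raise PermissionError("referenced object changed since certification")
        # 4. Task now carries the trusted procedure's labels; ordinary MAC read check.
        task_read, task_write = proc.read_label, proc.write_label
        if not task_read.dominates(target.sensitivity):
            raise PermissionError("task read label does not dominate the object")
        return f"{proc_name} read {target_name}"

def demo():
    """Constructed scenario: a level-1 analyst reads a level-2/HR table only via a trusted procedure."""
    db = Database()
    secret_hr = Label(2, frozenset({"HR"}))
    db.objects["payroll"] = DbObject(secret_hr)
    db.procedures["avg_salary"] = StoredProcedure(
        "avg_salary", access_sensitivity=Label(1), read_label=secret_hr,
        write_label=secret_hr, references=["payroll"])
    analyst = Label(1)
    out = {"direct_read_allowed": analyst.dominates(secret_hr)}

    def attempt(key):
        try:
            out[key] = db.execute(analyst, analyst, "avg_salary", "payroll")
        except PermissionError as e:
            out[key] = f"denied: {e}"

    attempt("before_certification")
    db.certify("avg_salary", officer_approved=True)
    attempt("certified")
    db.security_relevant_change("payroll")   # e.g. the table definition was altered
    out["state_after_change"] = db.procedures["avg_salary"].state
    attempt("suspect")
    out["after_unapproved_review"] = db.certify("avg_salary", officer_approved=False)
    db.certify("avg_salary", officer_approved=True)
    attempt("recertified")
    return out
```

Two points the code makes explicit that the claims leave to the reader. First, the suspect flag and the recorded versions are two implementations of the same check: claim 22 describes the flag (an event at change time), claims 6 and 14 describe the lookup at execution time; a real DBMS would want both, because a flag can be lost or bypassed while a version comparison at run time cannot. Second, only the explicit certify path clears the suspect state; an unapproved review leaves it as it is, and nothing the subject does can change it, which is the property that makes a "trusted" procedure safe to run above the subject's own level.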
Specification