- Email: [email protected]
Study and implementation of the virtual view in unix
Computarsind. EaS~, VoL 31, No. 3/4, pp. 897 - 900,1996 Pergamon S0360-8357,(96)00273-2
Copya~ O 1995China~,d~inePrm Publishedby ElsevierScienceLtd.Printedin GreatBritain 0360-8352/96 $15.00 + 0.00
STUDY AND I M P L E M E N T A T I O N OF THE VIRTUAL VIEW IN UNIX Lin Xuanxiong
Li Huaizu
Zhang Wenxiu
Xi'an Jiaotong University ,Xi'an,Shaanxi 710049 P.R.China Abstract: The security of information systems is important,
protecting them from the viewpoint of methodology has
become the critical task of their planners and implementers .This article proposes a new idea about the virtual view based upon unix stemming from the usual view concept,analyzes the characteristics of the virtual view,and finally gives the way of realization of the virtual view. Key words: Information Security,View, Virtual view,Access Control 1 INTRODUCTION With the evolvement of the society, its operation can not be going on without the support of information systems. From the ~]3e of single-machine to that of network,
information systems(IS) have been developing ~4th a propc~,
of linking more computers and spanning greater space.Protecting information,especially preventing unauthorized access of sensitive information,has become a critical task of planners and implementers of information systems[ 1]. DBMSs(DataBase Management Systems) are usual methods and powerful tools in building information systems. How to protect information,both from methodology and technology of DBMS, has become a major objective of those developers of DBMSs.Currently, several internationally popular DBMSs(such as ORACLE and SYBASE ct al.) all present measures of protection of information. DBMS protects information based upon a general structure, and presonting a fundamental fr~:mework for development of secure information systems[2]. In the case of information systems,DBMS is only an intermediate platform, even if there existing security measures, it is not adequate for constructing totally secure information system. Therefore the security of operating system(OS)--a supporting layer of DBMS---is very important.
So IS should base its security on the security of OS,
DBMS and components of IS,none of them could be missed[3]. The security reguirement for operating system has made UNIX, which is rich in functions of access control, an ideal operating system,then the security requirement for DBMS has given birth to the view technology, likewise, the need of security for components of information system demands that we must make break through in not solely satisfying singular functional requirements,and that we should coordinate all aspects of function,performance and security in order to make them be in harmony with one another. This paper wiU discuss the idea and realization of virtual view---an important technology of design of secure infomation system,after that of security of both UNIX and DBMS. 2 CONCEPT,PROPERTY AND ROLE OF VIRTUAL VIEW Relational DBMS organizes data in mode of relationship.Relationship means tablc,a certain relationship reflects a certain t313¢of table.Table with two dimensions is the main form in most DBMS environments. View is a special t3ve of table.lt can be constructed either with some columns or some rows selected from one tablc,or with some items from several tables or views,which satisfy a certain conditions[4].Fig. 1 exhibits all types of views. View technology in DBMSs satisfies the consistency of operation, i.e.
a user updates his or her table, the
view corresponding to that table changes as same as it,and vice versa.This consistency ensures that of contents of both table and view, which is an important characteristics of view technology for DBMSs. 897
It is obvious that cxistcnce
18th International Conference on Computers and Industrial Engineering of views contributes to security of information.
898
Many views can be defined and formed by their owners to be
submitted to users who need them and have been qualified to access to them,while the other messages outside views could be masked,thereby avoiding unauthorized access and achieving the purpose of keeping them secret from other irrelated users,and rea-
[
ViewV2
[
I
ViewV, ]
lizing the least exposure policy and observing the principle of need-to-know. As described previously,view is a special type of table and consumes space.So at any time,existence of a view means existence of space occupied by that view.In short, view has the characteristics of dynamics of change of both content and size. View technology facilitates the realization of the
Vl :Multitable View Vz : Table -- View View
security in information system, but a plenty of
V~ ..Singletable View V, : View -- View View
views exist, resulting in not only undeserved consumption of space, but also the shortage of some
Fig. 1 View Composition
critical resources of a system,further even lowering the performance of a system.This fact needs new technology. Virtual view technology we proposed could solve above problem,and maintaining same degree of security simultaneously. 3 THE IDEA OF VIRTUAL VIEW The idea of virtual view is that it not only satisfies the principle of need-to-know,but also occupies no space. Properties of the virtual view can be seen from Fig.2:(l)it is impossible for virtual view to have the forms of both T-V and V-V, and (2) all operations exerting on a virtual view will occur on the primitive table to which the virtual view attaches. Consequently, the consistency of data is easy to be ensured.ln general, view not only needs to present attribute of "read',but also that of "write".This operation(read or write) ViewlV' ' "-J] ~
introduces no problem with the real(usual) view, because the
_ [- ~ View V2 __l
o~aaer of a real view has these privileges. But a virtual view is attached to a primitive table, the owner of a virtual view
Table T,
I
]TableT,]
could not own the primitive table. Namely, the owner of a virtual view certainly do not own the primitive table to
Vt :Single Table Virtual View
which the virtual
V2:Multitable Virtual View
view attaches. Therefore the owner of
avirtual view can not have the rights of reading and writing over the primitive table. According to a usual logic inference,
.
:Frame With doted Line means
Virtual View Occupies no Space
users of virtual views can not access an)' data.. There is a contradiction,how to solve it?
Fig. 2 v i r t u a l View
The implementation of the virtual view needs the support of operating system.In general,we can not realize the virtual view in DOS environments because DOS has nearly not any functions of access control. UNIX is a good one which can help us realize the virtual view,and with which we could attain an excellent effect. 4 IMPLEMENTATION OF THE VIRTUAL VIEW The owner of a table creates and assigns virtual views for users in response to their applications. THe control message code in UNIX can help realize this procedure.
18th International Conference on Computers and Industrial Engineering
899
Within UNIX,access control over files can be gained through the code of control message, which is an effective and simple method ofaccess control.Also this method is used both
inRSX and VMS dedicated to DEC machines.
The
way with the code of control message is that a little piece of space is needed to store the message about the attributes of a file(i.e, rights of owner,group and other) and its composition is shown in Fig.3 Owner /x..
/-
Group \/ W
R :Read
Other /',
xl
R
W
I X
X : execute
W :Write
Fig. 3 Composition of the Code of Control Message
The rights of owner of a file have been defined within code of control message, the same as users who either are within the same group with the owner or not.Of course,all those rights of the latter are completely assigned by the owner. For the sake of security,it is a good practice for sharing those tables which contain sensitive information by form of view.Within UNIX,therefore,the privileges of those tables can only be owned by owners, rights over those tables.So those tables have the code of control message as "rw. . . .
others can not have any
"(0600 in octal).
Under the above situation,how can the owners of those tables supply virtual views for other users? Obviously,programming is the unique method of realizing virtual view. The owner of the primitive table can make a program to realize share according to the requirement and privileges of those applicants,
namely extracting
or writing data items from or to the primitive tables as the applicants require,then the program making operation of extracting or writing should be generated by' the owners and called by those virtual view users, and its privilege value is 0711 in octal. So far we do not solve problem completely because the virtual view users call the program generated by" the owner of primitive tables and can not get or write any data from or to those tables.As we know,whenever a program is executed,the effective and real UID and GID are set to the caller's UID and GID,however,the virtual view users have no rights of access to the primitive tables to which the virtual view attaches,so they can not open the primitive tables to complete the function which the program should complete. Setting SUID or SGID for a program can overcome the above problem.In g~neral,whenever a user executes a program, the effective and real UID and GID are set as the user's UID and GID,but after a program has been set as SUID or SGID,aU processes generated by the program will share the same UID and GID with the owner of the program,in addition to the caller's UID and G1D. Because access permission is decided by effective UID and GID ,not by the real UID and GID.So a process formed by a program with SUID or SGID will share the same privilleges as the owner of the program, no matter who executes that program .As such we solve the problem. Winthin UNIX,we can use the command "chmod" to set SUID or SGID for a program.For example,"chmod u+s myfile",means that file "myfile" is set as SUID,and the file "myfile" has the access permission of"-rws-x--x" 5 CONCLUSION Virtual view technology is a good method of ensuring security of information.It spares space,and the virtual views can be generated rapidly in the case of a middle-size table, many virtual views but small for each one.
especially it has a greater advantage with a situation of having
900
18th International Conference on Computers and lnduJtrial Engineering
The another advantage of the virtual view is that it can be independent of DBMSs which support the virtual view and exists in the UNIX environment, especially suitable for developing information systems with high level programming langnages(such as COBOL). In the distributed system,if we fully make use of the virtual view technology, we can achieve a good result both in performance and security. REFERENCES
1 Hayam Avraham, Oz Eft, Integration data security, into the systems development life cycle, Journal of Systems management (JSM),Vol:44,Iss:8,Aug. 1993,pp. 16-20. 2 Denning D.E,Cryptographics checksums database security, In Proceedings of the 1984 Symposium on Security and Privacy,pp.52-61.Silver Spring ,Md:IEEE Computer Society. 3 Woodward J.P.L.,Application for multilevel secure operating systems,1979,Proceedings of the NCC 48:319-328. 4 Denning D.D,Teresa F.lunt, he sea view security model, In proc~dings of the 1988 Symposium on Securi D" and Privacy IEEE Computer Society pp.218-233.
Copya~ O 1995China~,d~inePrm Publishedby ElsevierScienceLtd.Printedin GreatBritain 0360-8352/96 $15.00 + 0.00
STUDY AND I M P L E M E N T A T I O N OF THE VIRTUAL VIEW IN UNIX Lin Xuanxiong
Li Huaizu
Zhang Wenxiu
Xi'an Jiaotong University ,Xi'an,Shaanxi 710049 P.R.China Abstract: The security of information systems is important,
protecting them from the viewpoint of methodology has
become the critical task of their planners and implementers .This article proposes a new idea about the virtual view based upon unix stemming from the usual view concept,analyzes the characteristics of the virtual view,and finally gives the way of realization of the virtual view. Key words: Information Security,View, Virtual view,Access Control 1 INTRODUCTION With the evolvement of the society, its operation can not be going on without the support of information systems. From the ~]3e of single-machine to that of network,
information systems(IS) have been developing ~4th a propc~,
of linking more computers and spanning greater space.Protecting information,especially preventing unauthorized access of sensitive information,has become a critical task of planners and implementers of information systems[ 1]. DBMSs(DataBase Management Systems) are usual methods and powerful tools in building information systems. How to protect information,both from methodology and technology of DBMS, has become a major objective of those developers of DBMSs.Currently, several internationally popular DBMSs(such as ORACLE and SYBASE ct al.) all present measures of protection of information. DBMS protects information based upon a general structure, and presonting a fundamental fr~:mework for development of secure information systems[2]. In the case of information systems,DBMS is only an intermediate platform, even if there existing security measures, it is not adequate for constructing totally secure information system. Therefore the security of operating system(OS)--a supporting layer of DBMS---is very important.
So IS should base its security on the security of OS,
DBMS and components of IS,none of them could be missed[3]. The security reguirement for operating system has made UNIX, which is rich in functions of access control, an ideal operating system,then the security requirement for DBMS has given birth to the view technology, likewise, the need of security for components of information system demands that we must make break through in not solely satisfying singular functional requirements,and that we should coordinate all aspects of function,performance and security in order to make them be in harmony with one another. This paper wiU discuss the idea and realization of virtual view---an important technology of design of secure infomation system,after that of security of both UNIX and DBMS. 2 CONCEPT,PROPERTY AND ROLE OF VIRTUAL VIEW Relational DBMS organizes data in mode of relationship.Relationship means tablc,a certain relationship reflects a certain t313¢of table.Table with two dimensions is the main form in most DBMS environments. View is a special t3ve of table.lt can be constructed either with some columns or some rows selected from one tablc,or with some items from several tables or views,which satisfy a certain conditions[4].Fig. 1 exhibits all types of views. View technology in DBMSs satisfies the consistency of operation, i.e.
a user updates his or her table, the
view corresponding to that table changes as same as it,and vice versa.This consistency ensures that of contents of both table and view, which is an important characteristics of view technology for DBMSs. 897
It is obvious that cxistcnce
18th International Conference on Computers and Industrial Engineering of views contributes to security of information.
898
Many views can be defined and formed by their owners to be
submitted to users who need them and have been qualified to access to them,while the other messages outside views could be masked,thereby avoiding unauthorized access and achieving the purpose of keeping them secret from other irrelated users,and rea-
[
ViewV2
[
I
ViewV, ]
lizing the least exposure policy and observing the principle of need-to-know. As described previously,view is a special type of table and consumes space.So at any time,existence of a view means existence of space occupied by that view.In short, view has the characteristics of dynamics of change of both content and size. View technology facilitates the realization of the
Vl :Multitable View Vz : Table -- View View
security in information system, but a plenty of
V~ ..Singletable View V, : View -- View View
views exist, resulting in not only undeserved consumption of space, but also the shortage of some
Fig. 1 View Composition
critical resources of a system,further even lowering the performance of a system.This fact needs new technology. Virtual view technology we proposed could solve above problem,and maintaining same degree of security simultaneously. 3 THE IDEA OF VIRTUAL VIEW The idea of virtual view is that it not only satisfies the principle of need-to-know,but also occupies no space. Properties of the virtual view can be seen from Fig.2:(l)it is impossible for virtual view to have the forms of both T-V and V-V, and (2) all operations exerting on a virtual view will occur on the primitive table to which the virtual view attaches. Consequently, the consistency of data is easy to be ensured.ln general, view not only needs to present attribute of "read',but also that of "write".This operation(read or write) ViewlV' ' "-J] ~
introduces no problem with the real(usual) view, because the
_ [- ~ View V2 __l
o~aaer of a real view has these privileges. But a virtual view is attached to a primitive table, the owner of a virtual view
Table T,
I
]TableT,]
could not own the primitive table. Namely, the owner of a virtual view certainly do not own the primitive table to
Vt :Single Table Virtual View
which the virtual
V2:Multitable Virtual View
view attaches. Therefore the owner of
avirtual view can not have the rights of reading and writing over the primitive table. According to a usual logic inference,
.
:Frame With doted Line means
Virtual View Occupies no Space
users of virtual views can not access an)' data.. There is a contradiction,how to solve it?
Fig. 2 v i r t u a l View
The implementation of the virtual view needs the support of operating system.In general,we can not realize the virtual view in DOS environments because DOS has nearly not any functions of access control. UNIX is a good one which can help us realize the virtual view,and with which we could attain an excellent effect. 4 IMPLEMENTATION OF THE VIRTUAL VIEW The owner of a table creates and assigns virtual views for users in response to their applications. THe control message code in UNIX can help realize this procedure.
18th International Conference on Computers and Industrial Engineering
899
Within UNIX,access control over files can be gained through the code of control message, which is an effective and simple method ofaccess control.Also this method is used both
inRSX and VMS dedicated to DEC machines.
The
way with the code of control message is that a little piece of space is needed to store the message about the attributes of a file(i.e, rights of owner,group and other) and its composition is shown in Fig.3 Owner /x..
/-
Group \/ W
R :Read
Other /',
xl
R
W
I X
X : execute
W :Write
Fig. 3 Composition of the Code of Control Message
The rights of owner of a file have been defined within code of control message, the same as users who either are within the same group with the owner or not.Of course,all those rights of the latter are completely assigned by the owner. For the sake of security,it is a good practice for sharing those tables which contain sensitive information by form of view.Within UNIX,therefore,the privileges of those tables can only be owned by owners, rights over those tables.So those tables have the code of control message as "rw. . . .
others can not have any
"(0600 in octal).
Under the above situation,how can the owners of those tables supply virtual views for other users? Obviously,programming is the unique method of realizing virtual view. The owner of the primitive table can make a program to realize share according to the requirement and privileges of those applicants,
namely extracting
or writing data items from or to the primitive tables as the applicants require,then the program making operation of extracting or writing should be generated by' the owners and called by those virtual view users, and its privilege value is 0711 in octal. So far we do not solve problem completely because the virtual view users call the program generated by" the owner of primitive tables and can not get or write any data from or to those tables.As we know,whenever a program is executed,the effective and real UID and GID are set to the caller's UID and GID,however,the virtual view users have no rights of access to the primitive tables to which the virtual view attaches,so they can not open the primitive tables to complete the function which the program should complete. Setting SUID or SGID for a program can overcome the above problem.In g~neral,whenever a user executes a program, the effective and real UID and GID are set as the user's UID and GID,but after a program has been set as SUID or SGID,aU processes generated by the program will share the same UID and GID with the owner of the program,in addition to the caller's UID and G1D. Because access permission is decided by effective UID and GID ,not by the real UID and GID.So a process formed by a program with SUID or SGID will share the same privilleges as the owner of the program, no matter who executes that program .As such we solve the problem. Winthin UNIX,we can use the command "chmod" to set SUID or SGID for a program.For example,"chmod u+s myfile",means that file "myfile" is set as SUID,and the file "myfile" has the access permission of"-rws-x--x" 5 CONCLUSION Virtual view technology is a good method of ensuring security of information.It spares space,and the virtual views can be generated rapidly in the case of a middle-size table, many virtual views but small for each one.
especially it has a greater advantage with a situation of having
900
18th International Conference on Computers and lnduJtrial Engineering
The another advantage of the virtual view is that it can be independent of DBMSs which support the virtual view and exists in the UNIX environment, especially suitable for developing information systems with high level programming langnages(such as COBOL). In the distributed system,if we fully make use of the virtual view technology, we can achieve a good result both in performance and security. REFERENCES
1 Hayam Avraham, Oz Eft, Integration data security, into the systems development life cycle, Journal of Systems management (JSM),Vol:44,Iss:8,Aug. 1993,pp. 16-20. 2 Denning D.E,Cryptographics checksums database security, In Proceedings of the 1984 Symposium on Security and Privacy,pp.52-61.Silver Spring ,Md:IEEE Computer Society. 3 Woodward J.P.L.,Application for multilevel secure operating systems,1979,Proceedings of the NCC 48:319-328. 4 Denning D.D,Teresa F.lunt, he sea view security model, In proc~dings of the 1988 Symposium on Securi D" and Privacy IEEE Computer Society pp.218-233.