CIS551
Jan 31, 2006
by Tarak Mehta
Discretionary Access Control vs. Mandatory Access Control
Discretionary Access Control means that the access control for an object is left to its owner. For example, as a file owner, one might choose to let everyone have read access to it, even if it's personal information.
Mandatory Access Control means that the security policy is not necessarily up to the owner, but may be decided by some central authority. A firewall is an (imperfect) example, since security admins ultimately decide which web pages can be accessed from within a network.
MAC is more frequently used in government and military settings.
Multilevel security of this kind is, in general, stronger than plain access control. Access control governs access at a particular point, whereas multilevel security protects and controls information flow. From the military example in the lecture notes, information flow from secret to public must be prohibited. Along with “sensitivity levels” there is also the concept of “compartments”; the lecture diagram with the 5 security levels and the Afghanistan, Middle East and Israel compartments illustrates this. The classification of a military document (for example) is the combination of a sensitivity level and a set of compartments, and a dominance relation can be defined on the basis of these levels and compartments.
The Bell-LaPadula confidentiality model says that it is not OK to read up or write down from your classification. For example, person X with a “secret” classification cannot write a “public” document and cannot read a “top-secret” document, for fear of information leaks. The same principle extends to software.
In a join semi-lattice, the join of two classifications is their “least” “upper” bound. For example, for classification labels B and C rolling up to A, their join is A.
So far we have talked about confidentiality (secret information should not affect public information). For integrity, tainted information should not affect untainted information. The 2 models seem contradictory; however, this is only because “high” means different things for confidentiality (more secret) and integrity (more tainted).
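The dominance relation, join and Bell-LaPadula checks described above, together with the point that the integrity model is the same flow rule over a differently ordered lattice, as an added Python example that is not part of the lecture notes. The `Label` and `Lattice` classes and the sensitivity level names are constructed for illustration; only the compartment names come from the lecture.

```python
from functools import reduce
from typing import FrozenSet, NamedTuple, Sequence


class Label(NamedTuple):
    """A classification: one sensitivity level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()


class Lattice:
    """Labels ordered by a list of levels (low to high) and by compartment inclusion."""
    def __init__(self, levels: Sequence[str]) -> None:
        self.rank = {lvl: i for i, lvl in enumerate(levels)}

    def dominates(self, a: Label, b: Label) -> bool:
        """a dominates b iff a's level is at least as high and its compartments are a superset."""
        return self.rank[a.level] >= self.rank[b.level] and a.compartments >= b.compartments

    def join(self, a: Label, b: Label) -> Label:
        """Least upper bound: the higher of the two levels and the union of the compartments."""
        higher = a if self.rank[a.level] >= self.rank[b.level] else b
        return Label(higher.level, a.compartments | b.compartments)

    def flow_allowed(self, src: Label, dst: Label) -> bool:
        """Information may only flow upward: the destination must dominate the source."""
        return self.dominates(dst, src)

    def can_read(self, subject: Label, obj: Label) -> bool:
        """No read up: a read moves data from the object to the subject."""
        return self.flow_allowed(obj, subject)

    def can_write(self, subject: Label, obj: Label) -> bool:
        """No write down: a write moves data from the subject to the object."""
        return self.flow_allowed(subject, obj)

    def result_label(self, inputs: Sequence[Label]) -> Label:
        """Dynamic tagging: a value computed from several inputs gets their join."""
        return reduce(self.join, inputs)


# Confidentiality lattice; the level names are constructed (the lecture lists five levels).
CONF = Lattice(["public", "confidential", "secret", "top-secret"])
# Integrity lattice using the lecture's convention that "high" means "more tainted".
INTEG = Lattice(["untainted", "tainted"])

if __name__ == "__main__":
    x = Label("secret", frozenset({"Afghanistan"}))
    print(CONF.can_read(x, Label("top-secret")))                     # False: no read up
    print(CONF.can_write(x, Label("public")))                        # False: no write down
    print(CONF.can_read(x, Label("secret", frozenset({"Israel"}))))  # False: incomparable labels
    print(INTEG.flow_allowed(Label("tainted"), Label("untainted")))  # False: taint must not flow down
```

The same `flow_allowed` check serves both lattices, which is why the two models only appear to contradict each other.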
Based on our knowledge about MAC, the problem with stack inspection (as discussed last lecture) can be revisited. This is covered in the lecture notes.
Implementing multilevel security: there are 2 approaches to this.
Dynamic: This is expensive and approximate. It is expensive because tags on pieces of the program (such as variables) have to be checked every time they are used; when values are combined in a computation, the result must also be checked and tagged, and the labels have to be carried throughout the program. It is approximate because some pieces of the program might not actually be executed, yet the fact that they were not executed allows things to be inferred about private data (implicit flows).
Static: This is more widely used in practice, as it resolves some of the issues with the dynamic approach. It uses control-flow graphs to statically verify and implement multilevel security.
Perl has dynamic tagging built in and can take care of explicit-flow problems. It is the programmer's prerogative to label data as untainted, though, and this can be used as a workaround.
SELinux is one system that enforces separation of information based on confidentiality and integrity requirements. However, it has not caught on, because of the inherent complications of such implementations.
Other MAC policy concepts include the “Chinese Wall” idea. For example, in a brokerage handling Coke and Pepsi accounts, a Pepsi representative should not be allowed to handle or look at Coke details; that information should be kept from him/her.