Mandatory access control

In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules (aka policy) to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

With mandatory access control, this security policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted. By contrast, discretionary access control (DAC), which also governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes. (The traditional Unix system of users, groups, and read-write-execute permissions is an example of DAC.) MAC-enabled systems allow policy administrators to implement organization-wide security policies. Under MAC (and unlike DAC), users cannot override or modify this policy, either accidentally or intentionally. This allows security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users.

Historically and traditionally, MAC has been closely associated with multi-level security (MLS) and specialized military systems. In this context, MAC implies a high degree of rigor to satisfy the constraints of MLS systems. More recently, however, MAC has evolved out of the MLS niche and has started to become more mainstream. The more recent MAC implementations, such as SELinux and AppArmor for Linux and Mandatory Integrity Control for Windows, allow administrators to focus on issues such as network attacks and malware without the rigor or constraints of MLS.

Historical background and implications for multi-level security

Historically, MAC was strongly associated with Multi-Level Security (MLS) as a means of protecting US classified information. The Trusted Computer System Evaluation Criteria (TCSEC), the seminal work on the subject, provided the original definition of MAC as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity". Early implementations of MAC such as Honeywell's SCOMP, USAF SACDIN, NSA Blacker, and Boeing's MLS LAN focused on MLS to protect military-oriented security classification levels with robust enforcement.

The term mandatory in MAC has acquired a special meaning derived from its use with military systems. In this context, MAC implies an extremely high degree of robustness that assures that the control mechanisms can resist any type of subversion, thereby enabling them to enforce access controls that are mandated by order of a government such as the Executive Order 12958 for US classified information. Enforcement is supposed to be more imperative than for commercial applications. This precludes enforcement by best-effort mechanisms; only mechanisms that can provide absolute or near-absolute enforcement of the mandate are acceptable for MAC. This is a tall order and sometimes assumed unrealistic by those unfamiliar with high assurance strategies, and very difficult for those who are.

Degrees of MAC system strength

In some systems, users have the authority to decide whether to grant access to any other user. To allow that, all users have clearances for all data. This is not necessarily true of a MLS system. If individuals or processes exist that may be denied access to any of the data in the system environment, then the system must be trusted to enforce MAC. Since there can be various levels of data classification and user clearances, this implies a quantified scale for robustness. For example, more robustness is indicated for system environments containing classified Top Secret information and uncleared users than for one with Secret information and users cleared to at least Confidential. To promote consistency and eliminate subjectivity in degrees of robustness, an extensive scientific analysis and risk assessment of the topic produced a landmark benchmark standardization quantifying security robustness capabilities of systems and mapping them to the degrees of trust warranted for various security environments. The result was documented in CSC-STD-004-85.[1] Two relatively independent components of robustness were defined: Assurance Level and Functionality. Both were specified with a degree of precision that warranted significant confidence in certifications based on these criteria.

Evaluation of MAC system strength

The Common Criteria[2] is based on this science and it intended to preserve the Assurance Level as EAL levels and the functionality specifications as Protection Profiles. Of these two essential components of objective robustness benchmarks, only EAL levels were faithfully preserved. In one case, TCSEC level C2[3] (not a MAC capable category) was fairly faithfully preserved in the Common Criteria, as the Controlled Access Protection Profile (CAPP).[4] Multilevel security (MLS) Protection Profiles (such as MLSOSPP similar to B2)[5] is more general than B2. They are pursuant to MLS, but lack the detailed implementation requirements of their Orange Book predecessors, focusing more on objectives. This gives certifiers more subjective flexibility in deciding whether the evaluated product’s technical features adequately achieve the objective, potentially eroding consistency of evaluated products and making it easier to attain certification for less trustworthy products. For these reasons, the importance of the technical details of the Protection Profile is critical to determining the suitability of a product.

Such an architecture prevents an authenticated user or process at a specific classification or trust-level from accessing information, processes, or devices in a different level. This provides a containment mechanism of users and processes, both known and unknown (an unknown program (for example) might comprise an untrusted application where the system should monitor and/or control accesses to devices and files).

Implementations

A few MAC implementations, such as Unisys' Blacker project, were certified robust enough to separate Top Secret from Unclassified late in the last millennium. Their underlying technology became obsolete and they were not refreshed. Today there are no current implementations certified by TCSEC to that level of robust implementation. However, some less robust products exist.

See also

Footnotes

  1. "Technical Rational Behind CSC-STD-003-85: Computer Security Requirements". 1985-06-25. Archived from the original on July 15, 2007. Retrieved 2008-03-15.
  2. "The Common Criteria Portal". Retrieved 2008-03-15.
  3. US Department of Defense (December 1985). "DoD 5200.28-STD: Trusted Computer System Evaluation Criteria". Retrieved 2008-03-15.
  4. "Controlled Access Protection Profile, Version 1.d". National Security Agency. 1999-10-08. Retrieved 2008-03-15.
  5. "Protection Profile for Multi-Level Operating Systems in Environments Requiring Medium Robustness, Version 1.22". National Security Agency. 2001-05-23. Retrieved 2008-03-15.
  6. National Information Assurance Partnership. "The Common Criteria Evaluation and Validation Scheme Validated Products List". Archived from the original on 2008-03-14. Retrieved 2008-03-15.
  7. "TOMOYO Linux, an alternative Mandatory Access Control". Linux 2 6 30. Linux Kernel Newbies.
  8. "Linux 2.6.36 released 20 October 2010". Linux 2.6.36. Linux Kernel Newbies.
  9. "Why doesn't grsecurity use LSM?".
  10. Matthew Conover. "Analysis of the Windows Vista Security Model". Symantec Corporation. Retrieved 2007-10-08.
  11. Steve Riley. "Mandatory Integrity Control in Windows Vista". Retrieved 2007-10-08.
  12. Mark Russinovich. "PsExec, User Account Control and Security Boundaries". Retrieved 2007-10-08.
  13. TrustedBSD Project. "TrustedBSD Mandatory Access Control (MAC) Framework". Retrieved 2008-03-15.
  14. "sandbox_init(3) man page". 2007-07-07. Retrieved 2008-03-15.
  15. "SEPostgreSQL-patch".
  16. "Security Enhanced PostgreSQL".
  17. "Trusted RUBIX".
  18. (Russian) Ключевые особенности Astra Linux Special Edition по реализации требований безопасности информации
  19. "Official SMACK documentation from the Linux source tree". Archived from the original on 2012-09-13.
  20. Jonathan Corbet. "More stuff for 2.6.25". Archived from the original on 2012-09-12.

References

This article is issued from Wikipedia - version of the 11/21/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.