MANDATORY ACCESS CONTROL
In computer security, mandatory access control (MAC) is a kind of access control defined by the Trusted Computer System Evaluation Criteria [1] as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity".
Authorization is contingent on a formalized process that documents prerequisite trust in the individual gaining access. An example of such a document is a security clearance letter of consent. An example of such a process is the security clearance background check mandated by Executive Order 12958. [1]
MAC's most important feature is that it denies users full control over access to the resources they create. The system security policy (as set by the administrator) entirely determines the access rights granted, and a user may not grant less restrictive access to their resources than the administrator specifies. (Discretionary access control systems permit users to entirely determine the access granted to their resources, which means that they can, through accident or malice, give access to unauthorised users.)
For MAC, the access control decision is contingent on verifying the compatibility of the security properties of the data and the clearance properties of the individual (or the process acting on behalf of the individual). The decision depends on the integrity of the metadata that defines the security properties of the data, as well as on the security clearance of the individual or process requesting access. Security mechanisms that protect such metadata and the access control decision logic from corruption are MAC-critical objects and require appropriate robustness. MAC is most commonly applicable to Classified National Security Information, where best-effort mechanisms are inadequate and absolute enforcement is mandated.
If individuals or processes exist in the system environment that may be denied access to any of the data in the system environment, then the system must be trusted to enforce MAC. This implies varying degrees of robustness in the system. For example, more robustness is indicated for a system environment containing classified Top Secret information and uncleared users than for one with Secret information and users cleared to at least Confidential. To promote consistency and eliminate subjectivity in degrees of robustness, an extensive scientific analysis and risk assessment of the topic produced a landmark benchmark standardization quantifying the security robustness capabilities of systems and mapping them to the degrees of trust warranted for various security environments. The result was documented in CSC-STD-004-85. [2] Two relatively independent components of robustness were defined: Assurance Level and Functionality. Both were specified with a degree of precision that warranted significant confidence in certifications based on these criteria.
The Common Criteria [3] is based on this science and is intended to preserve the Assurance Level as EAL levels and the functionality specifications as Protection Profiles. [4] Of these two essential components of objective robustness benchmarks, only the EAL levels were faithfully preserved. In one case, Orange Book level C2 [5] (not a MAC-capable category) was fairly faithfully preserved in the Common Criteria as the Controlled Access Protection Profile (CAPP) [6]. MLS Protection Profiles (such as MLSOSPP, similar to B2) [7] are more general than B2. They pursue MLS, but lack the detailed implementation requirements of their Orange Book predecessors, focusing more on objectives. This gives certifiers more subjective flexibility in deciding whether the evaluated product's technical features adequately achieve the objective, potentially eroding the consistency of evaluated products and making it easier to attain certification for less trustworthy products. For these reasons, the technical details of a Protection Profile are critical to determining the suitability of a product.
Such an architecture prevents an authenticated user or process at a specific classification or trust level from accessing information, processes, or devices at a different level. This provides a containment mechanism for users and processes, both known and unknown (an unknown program, for example, might be an untrusted application whose accesses to devices and files the system should monitor and/or control).
Implementations
★ An NSA research project called SELinux (Security-Enhanced Linux) added a Mandatory Access Control architecture to the Linux kernel. In Red Hat Enterprise Linux version 4 (and future versions), the developers have compiled SELinux into the kernel. The standard Linux kernel from kernel.org includes all of the SELinux kernel code. SELinux is capable of restricting all processes in the system; however, for ease of use the supported policy in RHEL only targets the most vulnerable programs (hence the name, the Targeted Policy). SELinux uses a Linux 2.6 kernel feature called LSM (the Linux Security Modules interface). SUSE Linux (now supported by Novell) has added a MAC implementation called AppArmor, which also uses LSM. LSM provides a kernel API that allows modules of kernel code to govern access control. AppArmor is not capable of restricting all programs and is not yet included in the kernel.org kernel source tree. In most Linux distributions MAC is not installed.
★ Beginning with version 5.0, the work of the TrustedBSD project has been incorporated into releases of the FreeBSD operating system. Development is a work in progress, and the implementation models as well as the capabilities are constantly improving. MAC on FreeBSD comes with pre-built structures for implementing MAC models such as Biba and Multi-Level Security.
★ Sun's Trusted Solaris uses a mandatory, system-enforced access control mechanism (MAC), where clearances and labels are used to enforce a security policy. Note, however, that the capability to manage labels does not imply the kernel strength to operate in Multi-Level Security mode. The applications a user runs are combined with the security label at which the user works in the session. Access to information, programs and devices is controlled and granted at the same or a lower level only. MAC prevents cooperating users from writing to files at lower levels and is enforced according to the site's security policy. It cannot be overridden without special authorization or privileges, except through malicious activity.
★ Windows Vista introduces Mandatory Integrity Control, enabled by default.
★ Apple has announced that it will include Mandatory Access Control in the upcoming version "10.5 Leopard" of Mac OS X, though the announcement seems to have been removed from the Leopard Technology Overview page.
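As an added illustration (not part of the original article or of any of the systems it lists) of the label-versus-clearance decision described in the introduction and of the same-or-lower-level read and no-write-down rules of the Trusted Solaris item, the following Python sketches a reference monitor over a label lattice; the level names, the `ReferenceMonitor` class and its "policy authority" are assumptions made for this example, and the Biba function shows the integrity dual used by FreeBSD's Biba policy.

```python
from dataclasses import dataclass
from enum import IntEnum

# Hierarchical sensitivity levels, ordered lowest to highest (assumed names).
Level = IntEnum("Level", ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"], start=0)


@dataclass(frozen=True)
class Label:
    """Sensitivity label: hierarchical level plus a set of compartments."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND all of other's compartments
        # held. Labels with disjoint compartments dominate in neither direction.
        return self.level >= other.level and self.compartments >= other.compartments


def mls_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula rules as in Trusted Solaris: read at the same or a lower
    label only (no read up); write at the same or a higher label only (no write
    down), so a cleared session cannot copy data to a lower level."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subj_integrity: int, obj_integrity: int, op: str) -> bool:
    """Strict Biba integrity, the dual of the rules above (FreeBSD's Biba policy;
    Vista's MIC enforces the no-write-up half): no write up, no read down."""
    return subj_integrity >= obj_integrity if op == "write" else subj_integrity <= obj_integrity


class ReferenceMonitor:
    """Keeps the labels (the MAC-critical metadata) and makes every decision.
    Only the policy authority may change a label; an object's creator cannot
    lower it, which is what separates MAC from DAC. (Assumed design, not a real OS.)"""

    def __init__(self, policy_authority: str):
        self.authority = policy_authority
        self.labels: dict[str, Label] = {}

    def create(self, session_label: Label, name: str) -> None:
        self.labels[name] = session_label  # new objects inherit the session label

    def relabel(self, actor: str, name: str, new: Label) -> None:
        if actor != self.authority:
            raise PermissionError(f"{actor} is not the policy authority; cannot relabel {name}")
        self.labels[name] = new

    def access(self, clearance: Label, name: str, op: str) -> bool:
        return mls_allows(clearance, self.labels[name], op)
```

A Top Secret session can read a Secret file but is refused when it tries to write to it, and the file's creator cannot lower the label; only the policy authority can.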
Architectures
Several security-focused operating systems implement MAC, and it forms a core part of operating systems built on the FLASK architecture.
The FLASK and Generalized Framework for Access Control (GFAC) architectures, coupled with MAC, are enabling technologies for multilevel security systems.
See also
★ Discretionary access control - DAC
★ Role-based access control - RBAC
★ Capability-based security
★ Security-related security classification
★ Security-related type enforcement
★ FreeBSD
★ GWVr2 - Least Privilege Infrastructure and Information Flow Security Policy
★ TrustedBSD
★ Security Enhanced Linux
★ Rule-Set-Based Access Control (RSBAC)
★ Security Modes of Operation
★ Bell-La Padula security model
★ Multi-Level Security (MLS)
★ Multiple Single-Level (MSL)
★ Organisation-Based Access Control (Or-BAC)
★ Biba Integrity Model
★ Take-Grant Model
★ The Clark-Wilson Integrity Model
★ Graham-Denning Model
★ Systrace
References
★ P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner, and J. F. Farrell. The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments. In Proceedings of the 21st National Information Systems Security Conference, pages 303–314, Oct. 1998. [8]
External links
★ Weblog post on how virtualization can be used to implement Mandatory Access Control.
★ Weblog post from a Microsoft employee detailing Mandatory Integrity Control and how it differs from MAC implementations.
★ GWV Formal Security Policy Model: A Separation Kernel Formal Security Policy, David Greve, Matthew Wilding, and W. Mark Vanfleet.